Closed npatel1981 closed 3 years ago
Hi there! Thanks for the reproduction code. While I see if I can reproduce the problem, I'd recommend double-checking that you're authorized to call the KMS GenerateDataKey and Decrypt operations: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/direct-kms-provider.html
Having the same issue.
Fixed this by accessing the protected botocore session within your session variable:
session = boto3.Session(aws_access_key_id='xxxxxxxxxxxxxxxxxxxx', aws_secret_access_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', region_name='ca-central-1')
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id, botocore_session=session._session)
@tjmac21 you hit the nail on the head.
I saw the same general shape as our example in your code, @npatel1981, and incorrectly assumed that the rest of it was our example. I missed where you created a custom boto3 session.
The issue here is that your DDB resource and the KMS client are using different credentials.
When you created a custom boto3 session with custom credentials:
session = boto3.Session(...)
Internally, that creates a custom botocore
session, which is what contains the credentials.
When you then created the cryptographic materials provider without specifying a botocore session:
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(...)
internally it created a default botocore session using whatever credentials are discovered in your environment[1].
The best solution to use the same credentials with both is to create a custom botocore session and use that for both the DDB resource and the AWS KMS crypto materials manager.
I do not recommend referencing the botocore session in the boto3 session as in @tjmac21's snippet because that relies on a _
-prefixed variable, which is not part of the public API contract for boto3 sessions.
botocore_session = botocore.session.Session()
botocore_session.set_credentials(access_key="...", secret_key="...")
ddb_resource = boto3.session.Session(
botocore_session=botocore_session,
region_name="...",
)
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(
key_id="...",
botocore_session=botocore_session,
)
[1] https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html
Resolving per answer above. Please re-open this issue (or create a new one) if there are additional questions or you would like us to dive a bit deeper into anything.
Hi,
I created a sample encrypted table on AWS DynamoDB based on the example. In the table I created a partition_attribute and a sort_attribute. I also encrypted the table with KMS and then copied the KMS Master Key ARN to pass in to aws_cmk_id which is the argument in encrypt_item function in the python code. I am getting an error "Failed to generate materials using AWS KMS" am I doing something wrong? Do I need to do anything else to get this to work?
I have added the code I am trying to run below, which is basically the example and I just added a main function to pass in arguments.