djcrabhat / aws-ssm-commander

A utility for dealing with values in AWS SSM Parameter Store
MIT License

kms decryption issue with KMS key not on the same region as parameter store. #9

Open gwsu2008 opened 4 years ago

gwsu2008 commented 4 years ago

Hi,

Getting an error when the password is encrypted using a custom KMS key in a different region than the Parameter Store write region.

Usage: aws-ssm-commander write [OPTIONS] SSM_PREFIX FILE

Error: Invalid value: could not decode !kms value: An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

Steps to reproduce:

  1. Create a custom KMS key in us-east-1 and use it to encrypt a password for Parameter Store.
  2. Use aws-ssm-commander write against a us-west-2 Parameter Store.

Maybe adding a new parameter --kms-region?

Workaround: Create custom KMS key on the same region.

Thanks

--Guang
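The suggested `--kms-region` flag boils down to one design point: the KMS client that decrypts a `!kms` value must be built for the region where the key lives, which is not necessarily the region the parameters are written to. The following is an added, hypothetical sketch of that decoder, not aws-ssm-commander's own code. It assumes a `!kms <base64 ciphertext>` value format, that the real decrypter would use boto3 (imported lazily, so the offline fake below runs without it), and it uses a constructed fake KMS whose key exists only in us-east-1 to reproduce the AccessDeniedException from the report.

```python
"""Hypothetical decoder for "!kms" values with a KMS region that can differ
from the SSM region (the --kms-region idea from this issue). Not the
project's own code."""
import base64
from typing import Callable, Optional

# A decrypter maps raw ciphertext bytes to plaintext bytes.
Decrypter = Callable[[bytes], bytes]


class KmsDecodeError(ValueError):
    """Raised when a !kms value cannot be decoded."""


def choose_kms_region(ssm_region: str, kms_region: Optional[str]) -> str:
    """KMS follows --kms-region when given, otherwise the SSM write region."""
    return kms_region or ssm_region


def boto3_decrypter(region: str) -> Decrypter:
    """Real decrypter: a boto3 KMS client pinned to `region`.
    Assumption: boto3 is installed; imported lazily so the fake below
    works without it."""
    import boto3
    client = boto3.client("kms", region_name=region)
    return lambda blob: client.decrypt(CiphertextBlob=blob)["Plaintext"]


def decode_kms_value(tagged: str, decrypt: Decrypter) -> str:
    """Strip the "!kms " tag, base64-decode, decrypt, and turn a KMS failure
    into a message that points at the region mismatch from the issue."""
    prefix = "!kms "
    if not tagged.startswith(prefix):
        raise KmsDecodeError("value is not tagged !kms")
    try:
        blob = base64.b64decode(tagged[len(prefix):].strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise KmsDecodeError(f"!kms payload is not valid base64: {exc}") from exc
    try:
        plaintext = decrypt(blob)
    except Exception as exc:
        raise KmsDecodeError(
            "could not decode !kms value; if KMS reports a key that does not "
            f"exist in this region, pass the key's region explicitly: {exc}"
        ) from exc
    return plaintext.decode("utf-8")


# --- constructed offline stand-in for KMS ---------------------------------
KEY_HOME_REGION = "us-east-1"  # constructed: the CMK only exists here


def fake_kms_decrypter(region: str) -> Decrypter:
    """Mimics KMS: Decrypt succeeds only in the key's home region. The fake
    'ciphertext' is just the reversed plaintext (constructed, not real KMS)."""
    def _decrypt(blob: bytes) -> bytes:
        if region != KEY_HOME_REGION:
            raise RuntimeError(
                "An error occurred (AccessDeniedException) when calling the Decrypt "
                "operation: The ciphertext refers to a customer master key that does "
                "not exist, does not exist in this region, or you are not allowed to access."
            )
        return blob[::-1]
    return _decrypt


def fake_kms_value(plaintext: str) -> str:
    """Constructed !kms value matching fake_kms_decrypter's 'encryption'."""
    return "!kms " + base64.b64encode(plaintext.encode("utf-8")[::-1]).decode("ascii")


def demo(ssm_region: str, kms_region: Optional[str]) -> str:
    """Decode a constructed secret using the region --kms-region would select."""
    region = choose_kms_region(ssm_region, kms_region)
    return decode_kms_value(fake_kms_value("s3cret"), fake_kms_decrypter(region))


if __name__ == "__main__":
    print(demo("us-west-2", "us-east-1"))   # key region pinned explicitly: works
    try:
        demo("us-west-2", None)             # KMS client follows the SSM region: fails
    except KmsDecodeError as err:
        print(err)
```

With no `--kms-region`, the decrypter is built for the SSM region (us-west-2) and the fake reproduces the AccessDeniedException; with the key's region passed explicitly, the same value decodes. Separating the two regions in the client construction, rather than inferring one from the other, is the whole fix.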

djcrabhat commented 4 years ago

Good call. Ya, that's an interesting one. I think your flag for a specific KMS region is a good one. Will think on that.