When using AWS KMS, Credstash advocates using Key Policies and Grants to control access to the KMS master key used to encrypt your data. This enables permissions to be granted on a per-secret basis (when enforced by the Key Policy or Grant).
Grants in KMS (like several other KMS features) are eventually consistent. This means that there may be a period after creating a grant where credstash is unable to access the KMS key, despite the grant having provided the permissions.
To mitigate this, KMS allows users to provide a grant token in their request to the KMS API, which ensures the request succeeds on the first attempt. Credstash should surface a method to provide grant tokens (perhaps through a CLI flag or environment variable) so that users don't have to wait or retry credstash operations after receiving a grant.
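The following is an added example, not credstash's own code, of what "surfacing" grant tokens looks like: tokens are read from an environment variable (the name `CREDSTASH_GRANT_TOKENS` is an assumption) and attached as `GrantTokens` to the `GenerateDataKey` call. A constructed `FakeKMS` stand-in models the eventual-consistency window so the difference is visible offline.

```python
"""Added example (not part of credstash): thread a KMS grant token through the
GenerateDataKey call so a fresh grant is honoured on the first request.
CREDSTASH_GRANT_TOKENS and FakeKMS are assumptions made for this illustration."""
import os


def grant_tokens_from_env(env=None):
    """Parse comma-separated grant tokens from the (assumed) environment variable."""
    raw = (os.environ if env is None else env).get("CREDSTASH_GRANT_TOKENS", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def generate_data_key(kms, key_id, grant_tokens=None, context=None):
    """GenerateDataKey with GrantTokens attached; kms is any boto3-shaped client."""
    params = {"KeyId": key_id, "NumberOfBytes": 64, "EncryptionContext": context or {}}
    if grant_tokens:  # only sent when the caller actually holds tokens
        params["GrantTokens"] = list(grant_tokens)
    resp = kms.generate_data_key(**params)
    return resp["Plaintext"], resp["CiphertextBlob"]


class FakeKMS:
    """Constructed stand-in for a KMS client: a new grant stays invisible for
    `propagation_calls` requests unless the request carries its grant token."""

    def __init__(self, propagation_calls=3):
        self.pending, self.tokens, self.calls = propagation_calls, set(), 0

    def create_grant(self, **p):
        tok = "constructed-grant-token-%d" % len(self.tokens)
        self.tokens.add(tok)
        return {"GrantToken": tok, "GrantId": "constructed-grant-id"}

    def generate_data_key(self, **p):
        self.calls += 1
        visible = self.calls > self.pending  # grant has propagated by now
        if not visible and not (set(p.get("GrantTokens", ())) & self.tokens):
            raise PermissionError("AccessDeniedException: grant not yet propagated")
        return {"Plaintext": b"\x01" * p["NumberOfBytes"], "CiphertextBlob": b"ct"}


def first_attempt_works(use_token):
    """True if the first GenerateDataKey right after create_grant succeeds."""
    kms = FakeKMS()
    grant = kms.create_grant(KeyId="alias/credstash",  # constructed identifiers
                             GranteePrincipal="arn:aws:iam::123456789012:role/constructed")
    env = {"CREDSTASH_GRANT_TOKENS": grant["GrantToken"]} if use_token else {}
    try:
        generate_data_key(kms, "alias/credstash", grant_tokens_from_env(env),
                          {"credstash-secret": "constructed-secret-name"})
        return True
    except PermissionError:
        return False
```

With a real client, the same `generate_data_key` takes `boto3.client("kms")` and the `GrantToken` string that `kms.create_grant(...)` returns.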