Closed gerryfletch closed 2 years ago
I'd also note that the AWS KMS docs specify that you can use the alias or ARN: https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#API_Sign_RequestSyntax

Edit: I can also verify the exact commands in the issue description work totally fine against the real AWS KMS.
Hi @gerryfletch.

This does sound like it could be a local-kms bug. I'll take a look at it this coming weekend to see if I can get to the bottom of it.
Hi @gerryfletch

I am struggling to replicate this. I've put the following into a test.sh:

```bash
#!/usr/bin/env bash
set -euo pipefail

echo "Creating Asymmetric Keys in KMS"
KEY_ID=$(awslocal kms create-key \
  --description "Used to sign and verify JWTs." \
  --key-usage "SIGN_VERIFY" \
  --key-spec "RSA_2048" \
  --origin "AWS_KMS" \
  --tags "TagKey=ServiceName,TagValue=s-auth" \
  --no-multi-region \
  | jq -r '.KeyMetadata.KeyId')

echo "Creating and Associating Alias 'jwt-sign' to key ${KEY_ID}"
awslocal kms create-alias \
  --alias-name "alias/jwt-sign" \
  --target-key-id "$KEY_ID"

echo "Signing the message using the alias"
# --message is a base64 blob (AWS CLI v2 default cli_binary_format);
# this one decodes to {"hello":"world"}
awslocal kms sign \
  --key-id=alias/jwt-sign \
  --signing-algorithm=RSASSA_PSS_SHA_256 \
  --message eyJoZWxsbyI6IndvcmxkIn0=
```
Which, when I run it, appears successful; the output being:

```
$ bash ./test.sh
Creating Asymmetric Keys in KMS
Creating and Associating Alias 'jwt-sign' to key 1ce158de-5b0c-46b5-a58c-d5fb6a6624b5
Signing the message using the alias
{
    "KeyId": "arn:aws:kms:eu-west-2:111122223333:key/1ce158de-5b0c-46b5-a58c-d5fb6a6624b5",
    "Signature": "lhNPJZ2fnqz8B2qC5wGxRv0kNYkt9Sil7mKK49SbA4UPVVq65/J5K2Y1nBqn/B8/snYSeHWHBaFIdX6IHZHtcuZWNCKZEfv2NseqvBjJXq1CRy15Vwc3taQqcDJAABWNZqhzdmcgfgT1UKuaSjvgJeZiafoBNiEWLRyExiDaPcBqSaAmsvaf4tb3Y3yyrSMOUx67Ebn0OTtMhDB+BKV2CYQBUprI078hv1CLKvyVKOUBTabOne/ZkUCsg34+zZQ6uCD+jrntSHBEX8ZgEYuw2jncCsGMLwenbaVRuEnx/3kcbZ3gVLNJoncz3JUtvbS88UU6jUEdYezXk2KstZItMg==",
    "SigningAlgorithm": "RSASSA_PSS_SHA_256"
}
```
This was done with the latest version of Local KMS (3.11.0) and the latest version of the AWS CLI (2.5.6).
The only odd thing I did find is that if the message sent to the Sign endpoint is not valid base64, you get a misleading error about the key not being found, rather than it being an encoding issue.

Are you able to give me any more details?
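The two things the thread establishes, that `Sign` accepts an alias (or ARN) just like a key id, and that a malformed base64 `--message` surfaces as a misleading "key not found" error, are worth encoding in a small wrapper. The script below is an added example written for this page; it is not code from the local-kms project or from either participant. It assumes `awslocal` is on PATH (override with `KMS_CLI`, e.g. `KMS_CLI="aws --endpoint-url http://localhost:8080"`) and that `alias/jwt-sign` already targets an RSA_2048 SIGN_VERIFY key, exactly as the test.sh above creates it. The encoding and validation helpers run offline; the live sign/verify round trip at the bottom only executes when the CLI is actually present.

```bash
#!/usr/bin/env bash
# Added example for this thread; not local-kms project code.
# Assumes: a running local-kms reachable through $KMS_CLI (default: awslocal)
# and an existing alias/jwt-sign pointing at an RSA_2048 SIGN_VERIFY key.
set -euo pipefail

# Strict RFC 4648 base64 check: standard alphabet, groups of four, correct
# padding, no newlines. AWS CLI v2 sends --message as a base64 blob, and the
# thread observes that local-kms answers a malformed --message with a
# misleading "key not found" error, so reject bad input before the call.
is_strict_base64() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
}

# Encode a raw message for --message. GNU `base64` wraps at 76 columns and
# the embedded newlines would make the blob invalid, so strip them.
encode_message() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

KMS_CLI=${KMS_CLI:-awslocal}

# Sign a raw message through any key reference (alias/..., full ARN, or bare
# key id) and print the base64 signature. All three references are valid for
# Sign according to the AWS API reference linked earlier in the thread.
kms_sign_raw() {
  local key_ref=$1 raw=$2 msg
  msg=$(encode_message "$raw")
  is_strict_base64 "$msg" || { echo "refusing to send a non-base64 message" >&2; return 2; }
  $KMS_CLI kms sign --key-id "$key_ref" --signing-algorithm RSASSA_PSS_SHA_256 \
    --message "$msg" --query Signature --output text
}

# Verify server-side with the same key reference; prints "True" or "False".
kms_verify_raw() {
  local key_ref=$1 raw=$2 sig=$3
  $KMS_CLI kms verify --key-id "$key_ref" --signing-algorithm RSASSA_PSS_SHA_256 \
    --message "$(encode_message "$raw")" --signature "$sig" \
    --query SignatureValid --output text
}

# Live round trip: sign via the alias, verify via the ARN. Skipped when the
# CLI is not installed so the helpers above can still be exercised offline.
if command -v "${KMS_CLI%% *}" >/dev/null 2>&1; then
  sig=$(kms_sign_raw alias/jwt-sign '{"hello":"world"}')
  echo "signed via alias, signature starts: ${sig:0:16}..."
  key_arn=$($KMS_CLI kms describe-key --key-id alias/jwt-sign \
    --query KeyMetadata.Arn --output text)
  echo "verified via ARN: $(kms_verify_raw "$key_arn" '{"hello":"world"}' "$sig")"
fi
```

Signing through the alias and verifying through the ARN in one run is the quickest way to tell a genuine alias-resolution bug apart from a client-side encoding mistake: if the wrapper's base64 check passes and `Sign` still returns a not-found error for the alias, the problem is on the server side.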
Thanks @nsmithuk. I was using local-kms via localstack, and despite updating the localstack images, it looks like it isn't using the latest version of your image. Swapping out localstack and running local-kms myself works fine. Apologies for creating the issue and thanks for the speedy response!
Hello,

I'm creating an RSA key pair and associating an alias:

I'm finding that functions like `encrypt` and `decrypt` can successfully use the alias:

However, using the `alias` or `arn` for the `sign` operation fails, and only works if I use the Key ID directly:

I'm unsure if this is a quirk of aliases in KMS, or a bug in local-kms - any pointers would be greatly appreciated.