perfectsense / gyro-aws-provider

AWS Provider for Gyro cloud automation tool.
https://gyro.dev/providers/aws/
Apache License 2.0

Allow specifying keyspec on kms #590

Closed deepanjan90 closed 1 year ago

deepanjan90 commented 2 years ago

The default keyspec does not work when creating a sign/verify key.

Making the field configurable allows us to give valid keyspec options to generate a sign/verify key.

To reproduce

Create an aws::kms-key resource where the field key-usage is set to 'SIGN_VERIFY'.

Error: Can't create aws::kms-key test-dj1-sign-verify resource!

Caused by: Unexpected error: software.amazon.awssdk.services.kms.model.KmsException: The operation failed because the KeyUsage value of the CMK is SIGN_VERIFY. To perform this operation, the KeyUsage value must be ENCRYPT_DECRYPT. (Service: Kms, Status Code: 400, Request ID: b7ff629c-4f13-4c52-973f-e2cf70dc5881)
    at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)

With the PR

One can set the key-spec to RSA_4096 and successfully get past the error.

Looking for changes...

+ Create aws::kms-key test-dj1-sign-verify
  · aliases: [ 'alias/test-dj1-sign-verify/roslyn-signverify' ]
  · description: 'KMS key used for signing and verifying configs.'
  · enabled: true
  · key-spec: RSA_4096
  · key-usage: 'SIGN_VERIFY'

Are you sure you want to change resources? (y/N) y

+ Creating aws::kms-key test-dj1-sign-verify (elapsed time: 1916ms) OK
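
A pre-flight check for the key-usage / key-spec mismatch reported above, as an added example that is not part of this PR or of the Gyro provider's code. The class name, the `check` method and the table are hypothetical; the pairs follow the AWS KMS key spec reference and model only the two usages named on this page, with `SYMMETRIC_DEFAULT` being what AWS KMS applies when no key spec is sent.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class KmsKeySpecCheck {
    // Spec AWS KMS applies when CreateKey carries no key spec.
    static final String DEFAULT_SPEC = "SYMMETRIC_DEFAULT";

    // Key usages each key spec accepts (ENCRYPT_DECRYPT and SIGN_VERIFY only; assumption: other usages are out of scope).
    static final Map<String, Set<String>> USAGES_BY_SPEC = new LinkedHashMap<>();
    static {
        USAGES_BY_SPEC.put("SYMMETRIC_DEFAULT", Set.of("ENCRYPT_DECRYPT"));
        for (String rsa : List.of("RSA_2048", "RSA_3072", "RSA_4096"))
            USAGES_BY_SPEC.put(rsa, Set.of("ENCRYPT_DECRYPT", "SIGN_VERIFY"));
        for (String ecc : List.of("ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"))
            USAGES_BY_SPEC.put(ecc, Set.of("SIGN_VERIFY"));
    }

    /** Returns null when the pair is valid, otherwise a message naming the specs that would work. */
    static String check(String keyUsage, String keySpec) {
        // An omitted key-spec resolves to the default, which is the failing case in the report.
        String spec = (keySpec == null || keySpec.isEmpty()) ? DEFAULT_SPEC : keySpec;
        Set<String> usages = USAGES_BY_SPEC.get(spec);
        if (usages == null) return "unknown key-spec '" + spec + "'";
        if (usages.contains(keyUsage)) return null;
        String valid = USAGES_BY_SPEC.entrySet().stream()
            .filter(e -> e.getValue().contains(keyUsage))
            .map(Map.Entry::getKey)
            .collect(Collectors.joining(", "));
        return "key-spec '" + spec + "' cannot be used with key-usage '" + keyUsage + "'"
            + (valid.isEmpty() ? "; key-usage not modelled here" : "; valid key-spec values: " + valid);
    }

    public static void main(String[] args) {
        // Constructed inputs: key-spec omitted, key-spec set as in the PR, and a second mismatch.
        String[][] cases = {
            {"SIGN_VERIFY", null}, {"SIGN_VERIFY", "RSA_4096"}, {"ENCRYPT_DECRYPT", "ECC_NIST_P256"}
        };
        for (String[] c : cases) {
            String problem = check(c[0], c[1]);
            System.out.println(c[0] + " / " + (c[1] == null ? "(default)" : c[1])
                + " -> " + (problem == null ? "OK" : problem));
        }
    }
}
```

Running a check like this before the create call turns the service-side 400 into a local validation error that lists the key specs usable for signing.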