pulumi / pulumi

Pulumi - Infrastructure as Code in any programming language 🚀
https://www.pulumi.com
Apache License 2.0

awskms encryption provider should support all key types available for ENCRYPT_DECRYPT #17649

Open nergdron opened 3 weeks ago

nergdron commented 3 weeks ago

What happened?

There are various key formats that AWS lists as usable for key_usage=ENCRYPT_DECRYPT, including asymmetric RSA keys such as key_spec=RSA_4096. However, when trying to use a key like this with the awskms encryption provider, it fails with an error that indicates it only works with the basic SYMMETRIC_DEFAULT key type.

Example

$ pulumi stack init dev --secrets-provider="awskms://alias/project/keyname?region=us-west-2&awssdk=v2&profile=project-profile"

error: could not create secrets manager for new stack: secrets (code=InvalidArgument): operation error KMS: Encrypt, https response error StatusCode: 400, RequestID: <ID omitted>, InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.

Output of pulumi about

CLI          
Version      3.137.0
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.57.0
resource  awsx    2.16.1
resource  docker  4.5.7
resource  docker  3.6.1
language  nodejs  unknown

Host     
OS       arch
Version  "rolling"
Arch     x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v23.1.0'

Backend        
Name           hostname
URL            file://~
User           tessa
Organizations  
Token type     personal

Dependencies:
NAME            VERSION
typescript      5.6.3
@pulumi/aws     6.57.0
@pulumi/awsx    2.16.1
@pulumi/pulumi  3.137.0
@types/node     18.19.61

Pulumi locates its logs in /tmp by default
warning: Failed to get information about the current stack: No current stack

Additional context

Seems like this is a problem with asymmetric key types, and that other projects have upgraded their Go cloud libraries to support this KMS usage.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
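The InvalidKeyUsageException quoted above is KMS refusing the Encrypt request because the request's EncryptionAlgorithm was left at its default, SYMMETRIC_DEFAULT, which an RSA key spec never accepts; RSA keys only take an RSAES_OAEP_* algorithm, and OAEP also caps the plaintext at modulus size minus padding (446 bytes for RSA_4096 with SHA-256). The Go example below is added here to illustrate what a keeper has to do to support both key families: it is not code from this issue, from Pulumi, or from gocloud.dev, and it makes no claim about how gocloud.dev's awskms keeper is written. It assumes the secrets manager only ever sends a short data key through KMS (envelope encryption), and it stands in for the real KMS client with a constructed in-process RSA key (FakeRSAKeeper) so that it runs offline and can reproduce the error message from the report.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// The string values below are what AWS KMS returns in DescribeKey (KeySpec)
// and accepts in the Encrypt request (EncryptionAlgorithm).
type KeySpec string
type EncryptionAlgorithm string

const (
	SpecSymmetricDefault KeySpec = "SYMMETRIC_DEFAULT"
	SpecRSA2048          KeySpec = "RSA_2048"
	SpecRSA3072          KeySpec = "RSA_3072"
	SpecRSA4096          KeySpec = "RSA_4096"

	AlgSymmetricDefault EncryptionAlgorithm = "SYMMETRIC_DEFAULT"
	AlgRSAOAEPSHA256    EncryptionAlgorithm = "RSAES_OAEP_SHA_256"
)

// AlgorithmFor maps a key spec to an Encrypt algorithm KMS accepts for it.
// Symmetric keys only take SYMMETRIC_DEFAULT (the value KMS assumes when the
// field is omitted); RSA keys only take an RSAES_OAEP_* algorithm, which is
// why a caller that never sets the field fails on an RSA_4096 key.
func AlgorithmFor(spec KeySpec) (EncryptionAlgorithm, error) {
	switch spec {
	case SpecSymmetricDefault:
		return AlgSymmetricDefault, nil
	case SpecRSA2048, SpecRSA3072, SpecRSA4096:
		return AlgRSAOAEPSHA256, nil
	default:
		return "", fmt.Errorf("key spec %q is not handled by this example", spec)
	}
}

// MaxPlaintext is the largest plaintext KMS Encrypt accepts for the pair:
// 4096 bytes for a symmetric key, and for RSA-OAEP the usual
// modulusBytes - 2*hashLen - 2 (with SHA-256: 190, 318 and 446 bytes for
// RSA_2048, RSA_3072 and RSA_4096).
func MaxPlaintext(spec KeySpec, alg EncryptionAlgorithm) int {
	if alg == AlgSymmetricDefault {
		return 4096
	}
	modulusBytes := map[KeySpec]int{SpecRSA2048: 256, SpecRSA3072: 384, SpecRSA4096: 512}[spec]
	return modulusBytes - 2*sha256.Size - 2
}

// Keeper is the narrow surface a secrets manager needs from a KMS key.
type Keeper interface {
	KeySpec() KeySpec
	Encrypt(plaintext []byte, alg EncryptionAlgorithm) ([]byte, error)
}

// WrapDataKey encrypts a short data key (envelope encryption), choosing the
// algorithm from the key spec instead of hard-coding SYMMETRIC_DEFAULT and
// refusing plaintexts the chosen algorithm cannot carry.
func WrapDataKey(k Keeper, dataKey []byte) ([]byte, error) {
	alg, err := AlgorithmFor(k.KeySpec())
	if err != nil {
		return nil, err
	}
	if limit := MaxPlaintext(k.KeySpec(), alg); len(dataKey) > limit {
		return nil, fmt.Errorf("data key of %d bytes exceeds the %d-byte limit for %s with %s",
			len(dataKey), limit, k.KeySpec(), alg)
	}
	return k.Encrypt(dataKey, alg)
}

// FakeRSAKeeper is a constructed stand-in for an RSA KMS key (not a real KMS
// client). It mirrors the InvalidKeyUsageException from the issue when it is
// handed the symmetric algorithm, and otherwise does RSA-OAEP-SHA-256 locally.
type FakeRSAKeeper struct {
	spec KeySpec
	priv *rsa.PrivateKey
}

func NewFakeRSAKeeper(spec KeySpec, bits int) (*FakeRSAKeeper, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &FakeRSAKeeper{spec: spec, priv: priv}, nil
}

func (k *FakeRSAKeeper) KeySpec() KeySpec { return k.spec }

func (k *FakeRSAKeeper) Encrypt(plaintext []byte, alg EncryptionAlgorithm) ([]byte, error) {
	if alg != AlgRSAOAEPSHA256 {
		return nil, fmt.Errorf("InvalidKeyUsageException: Algorithm %s is incompatible with key spec %s", alg, k.spec)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.priv.PublicKey, plaintext, nil)
}

// Unwrap is the matching Decrypt so the round trip can be verified.
func (k *FakeRSAKeeper) Unwrap(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, k.priv, ciphertext, nil)
}

func main() {
	// RSA_2048 keeps key generation fast; the selection logic is the same for RSA_4096.
	k, err := NewFakeRSAKeeper(SpecRSA2048, 2048)
	if err != nil {
		panic(err)
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	// The call the report effectively makes: algorithm left at the symmetric default.
	if _, err := k.Encrypt(dataKey, AlgSymmetricDefault); err != nil {
		fmt.Println("default algorithm:", err)
	}
	// The same data key wrapped with the algorithm chosen from the key spec.
	ct, err := WrapDataKey(k, dataKey)
	if err != nil {
		panic(err)
	}
	pt, err := k.Unwrap(ct)
	fmt.Printf("wrapped %d bytes into %d bytes; round trip ok: %v\n", len(dataKey), len(ct), err == nil && string(pt) == string(dataKey))
}
```

Against a real key the same check is one DescribeKey call before Encrypt: read KeySpec from the key metadata, pick the algorithm from it, and pass that value explicitly in every Encrypt and Decrypt request. A keeper that encrypts arbitrary-length plaintext directly cannot do that with an RSA key, because of the OAEP limit; only the envelope shape, where KMS sees a short data key, works for both key families.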

justinvp commented 2 weeks ago

Thanks for the issue! We use https://gocloud.dev for this functionality under the covers. We're currently on v0.37.0, but the latest version is v0.40.0. It's possible upgrading to the latest version would enable this, but we'd have to look into it. Note that it looks like there are some breaking changes after v0.37.0, so we'll have to evaluate those and any impact before upgrading.