When a KMS encrypted COS bucket is deletes it kicks off a process to de-register from the KMS key BUT it does not wait until de-registration occurs.
Since it does not wait, there is a race condition that can occur where the auth policy can be deleted before the de-registration completes, meaning the KMS key cannot be deleted.
As a workaround, suggest updating the time sleep we have to also wait on destroy
ocofaigh
commented
1 month ago
When a KMS encrypted COS bucket is deletes it kicks off a process to de-register from the KMS key BUT it does not wait until de-registration occurs. Since it does not wait, there is a race condition that can occur where the auth policy can be deleted before the de-registration completes, meaning the KMS key cannot be deleted.
As a workaround, suggest updating the time sleep we have to also wait on destroy