serverless-kms-secrets
KMS key alias does not work when specified in config
If I replace the keyArn property in the secrets YAML file with the alias of the KMS key, creation of new secrets fails:
keyArn: 'arn:aws:kms:us-east-1:xxxxxxxx:alias/my-test-key'
Serverless: Encrypting using key my-test-key found in secrets.yml
Serverless: ServerlessError: Invalid keyId
Looks like it's just taking the value after the last / which works fine when it's the Id of a Key, but when it's an alias it drops the "alias/" from the value it's using, which is what results in your "Invalid keyId" error.
arn:aws:kms:us-west-2:1234567890:alias/my-alias
arn:aws:kms:us-west-2:1234567890:key/1111-2222-333-444-5555555
https://github.com/nordcloud/serverless-kms-secrets/blob/master/index.js#L130
It would be nice if the plugin supported storing the alias in the config file keyArn when that's what was used on the command line to generate the encrypted values.
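
An added example, not the plugin's code and not part of the original comments: deriving the KMS key identifier from the `keyArn` value by parsing the ARN's resource part, so the `alias/` prefix survives. The function names are hypothetical, `lastSegment` reproduces the behaviour the comment above describes, and the third sample ARN is constructed to show an alias name that itself contains a `/`.

```javascript
'use strict';

// Behaviour described in the comment: keep only the text after the last "/".
function lastSegment(arn) {
  return arn.slice(arn.lastIndexOf('/') + 1);
}

// Parse a KMS ARN (arn:partition:kms:region:account:resource) and return
// the identifier to pass as the key id:
//   key/<id>      -> <id>
//   alias/<name>  -> alias/<name>   (the prefix is part of the alias name)
function kmsKeyIdFromArn(arn) {
  const parts = String(arn).split(':');
  if (parts.length < 6 || parts[0] !== 'arn' || parts[2] !== 'kms') {
    throw new Error(`Not a KMS ARN: ${arn}`);
  }
  const resource = parts.slice(5).join(':');
  const slash = resource.indexOf('/');
  const type = slash === -1 ? '' : resource.slice(0, slash);
  const name = slash === -1 ? '' : resource.slice(slash + 1);
  if (type === 'key' && name) return name;
  if (type === 'alias' && name) return resource;
  // Fail closed instead of guessing which key was meant.
  throw new Error(`Unsupported KMS resource in ARN: ${arn}`);
}

const samples = [
  // The two ARNs quoted in the issue.
  'arn:aws:kms:us-west-2:1234567890:alias/my-alias',
  'arn:aws:kms:us-west-2:1234567890:key/1111-2222-333-444-5555555',
  // Constructed sample: alias names may contain "/".
  'arn:aws:kms:us-west-2:1234567890:alias/team/my-alias',
];

for (const arn of samples) {
  console.log(arn);
  console.log(`  last segment: ${lastSegment(arn)}`);
  console.log(`  parsed id:    ${kmsKeyIdFromArn(arn)}`);
}
```

Rejecting anything that is not a `key/` or `alias/` resource keeps a malformed `keyArn` from silently selecting a different key for encryption.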