Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Decrypting AWS DB Activity Stream

See original GitHub issue

I get the following error

Error: unencryptedDataKey has not been set
    at Object.needs (/var/task/node_modules/@aws-crypto/material-management/build/main/needs.js:29:15)
    at NodeDecryptionMaterial.getUnencryptedDataKey (/var/task/node_modules/@aws-crypto/material-management/build/main/cryptographic_material.js:180:17)
    at NodeDefaultCryptographicMaterialsManager.decryptMaterials (/var/task/node_modules/@aws-crypto/material-management-node/build/main/node_cryptographic_materials_manager.js:49:46)
    at process._tickCallback (internal/process/next_tick.js:68:7)

while running a lambda function to decrypt DB activity streams.

const aws = require("aws-sdk");
const {
    decrypt,
    RawAesKeyringNode,
    RawAesWrappingSuiteIdentifier,
} = require('@aws-crypto/client-node')

console.log('Loading function');
aws.config.logger = console;


exports.handler = async (event, context) => {
    const kms = new aws.KMS({ region: "us-west-2" });
    try {
        const output = await Promise.all(
            event.records.map(async (record) => {
                const data = Buffer.from(record.databaseActivityEvents, 'base64');
                const key = Buffer.from(record.key, 'base64');
                const promise = await kms.decrypt({
                    CiphertextBlob: key,
                    EncryptionContext: {
                        "aws:rds:dbc-id": process.env.cluster_id,
                    }
                }).promise();
                console.log(typeof promise.Plaintext, promise.Plaintext);
                const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING;
                const unencryptedMasterKey = new Uint8Array(promise.Plaintext);
                console.log(unencryptedMasterKey.byteLength);
                console.log(promise.Plaintext)
                const keyring = new RawAesKeyringNode({
                    keyName: "aes-name",
                    keyNamespace: "aes-namespace",
                    wrappingSuite: wrappingSuite,
                    unencryptedMasterKey: unencryptedMasterKey,
                });

                const d = await decrypt(keyring, record.databaseActivityEvents, {encoding: 'base64'});
                console.log(d);
            })
        );
        console.log(`Processing completed.  Successful records ${output.length}.`);
    } catch (err) {
        console.log(err);
    }
};

with Test Data

{
  "invocationId": "invocationIdExample",
  "deliveryStreamArn": "arn:aws:kinesis:EXAMPLE",
  "region": "us-west-2",
  "records": [
    {
      "type": "DatabaseActivityMonitoringRecords",
      "version": "1.0",
      "databaseActivityEvents": "AYADeNXig1LTUwpx7uXCSRBTBuUAXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREFqSVhETGpKajJ5djh2TFV0RHNuMFM1eDQ5emIvZy9CN1pmUSs4cUtGenJudXJwT3VnSlR0Nlhwc1p4RnZXL0hxUT09AAEAAkJDABtEYXRhS2V5AAAAgAAAAAw70KtkoLqQkIBTM7IAMMOHE9BBr0oWz9kbwm6gadhx4cL0BnBmyxZxwr+dNzYIQN8mF5MwNB2pTwvYc7eJqQIAAAAADAAAEAAAAAAAAAAAAAAAAAAn5FJ3KVLaFhkoQwqhk73u/////wAAAAEAAAAAAAAAAAAAAAEAAAJxBlzFL/29OBU67dwDfo6/iX3XxnwQsGHx65Ts8oNAHrjwZJ9Wl/nnQ2KaY/OdCq0Tv8+u9TUnTlRdWcsXEXZ2PAP9/ejJYsdlIW0kda/jeNfb2PLkj7vzvC7KzYpY8A9BQhc8a8bm5NNeTgh/ARjkUA7pdeG6AA4DXc5w8yl6aN42o+l3c1NNX2DedT+OF9xc6fs+dqkUEzdoHK6mShuaPWdSFwzLKtGfHC5z6bqpe5mI313pccO1WSEzVioFC0g5G7mQ2f2oMuh86BjEAxT9bkU8VmtxVstaDYcXvjvu4S91Lj3UGx1dHnkA3n5P1SSvy99N1xHZxz+sAndAZ9IlcC0+EnBmWppeLwqjRJSm0qxENOkqDF3AFCkiE70HVxmXyLg70+njWXEmHhlyzBCsw2RzeGfiqXuBV12EGWud3kPKHZ3+3UXkkmvHrt/01G8MdCgvhYawsP3K4MqoNt5iZcXtsgCx+6XouIaP+6qIKVFRPVW6T6ue5pEJzYU3AG0tZ8s0/F/I44bUXRKXeEIhfcJGiDdix/fOTVB5iy946RkaCWBxam7AAmC3JjvM5uVe8ZQ5ZjjrPLD+42n1/ny+rRLtY83AfmGCAF8Nv/yj+NQZE7at91gRNYeBjGQk8sX8JchTWwQNYrsgEMWOEZ9B34q6Hqb4im4lm32oJFpwecgTrWdHQ5afSt4A9u4y5BAJXtXqdpBkzP1Ail4Fqit+NYDxdiwuVM37a6baeslaJppzDOH9r40kxiDVDMgFTl/PgXSpL7RbQhWcIA0vcke2DHiO2kBWmHpphK7jLSpprFuVP/WJagSJbJ+ZGvI406UBYacZqWvAyfknVnGttJucETsAZzBlAjEArAzQjkTRcSAUdn0pXvR3D3HhtxGzLvkR48Frso4GzDlXkUIgGHgV7kS0AksB0OdxAjArbCAXaH1CXcMkt1OKlMXZfyeLwJn10fVJ/zxbrxl3b6aaGIR4EI4yTS6T2l8T82o=",
      "key": "AQIDAHj5sC4V75fw9OgpNzg8eJz30SjZJKlkaeCghpgU0ZZpcwGyagVf0Vv0OdZEh9ge6wKPAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMIZT3HfWUMjZXZFp0AgEQgDtqf5tHswwRHSQNqlkXMuoVe2N+zfnJVJ0njS2es8vDqGm54lDCbUVMAIkaSZAx62ygv0IFD8UpExo3og=="
    }
  ]
}

I followed https://github.com/awslabs/aws-encryption-sdk-javascript/blob/master/modules/example-node/src/aes_simple.ts and https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.html#DBActivityStreams.CodeExample

Not sure if this is a bug or I did something wrong. Any help would be much appreciated

Issue Analytics

State:
Created 4 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

seebeescommented, Jul 17, 2019

Looking deeper at the databaseActivityEvents example value you have I can see that the keyName and keyNamespace need to change to:

keyName: "DataKey",
keyNamespace: "BC",

The raw keyrings are tricky as these values must exactly match or the keyring will not even attempt to decrypt. I have opened #152 to track this error message.

1reaction

seebeescommented, Jul 17, 2019

It looks like the RawAesKeyringNode is not finding an encrypted data key to decrypt. Do you have a copy of your encryption code? The

As a side note, for every record you are making an AWS KMS decrypt call. Why not use a KMS keyring?

Top Results From Across the Web

How to decrypt database activity events from AWS Aurora?

Yes it uses RDS Activity stream KMS key (ActivityStreamKmsKeyId) for encrypting the log event and also base64 encoding.

Monitoring database activity streams - Amazon Aurora

Database activity streams monitor and report activities. ... Following are sample decrypted JSON audit logs of activity event records.

Set up Database Activity Streams (DAS)

However, an RDS event is sent indicating that activity stream records might ... def decrypt_decompress(payload, key): decrypted = decrypt_payload(payload, ...

5.1: Setup KMS for Database Activity Streaming

Database Activity Streaming requires a Master Key to encrypt the key that in turn encrypts the logged database activity. The Default AWS RDS...

Amazon Aurora database activity stream data for segregation ...

Aurora activity data is Base64 encoded and encrypted using an AWS Key Management Service (AWS KMS) key. For this post, we decrypt the...