Unable to decrypt any data key
code:
import base64
import os

import aws_encryption_sdk

# Master key provider backed by the KMS CMK whose ARN is read from the environment.
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    os.environ["ENCRYPTION_KEY_ARN"]
])

def encrypt(plaintext):
    # v1.x API: encrypt() returns (ciphertext, header); the header is discarded here.
    ciphertext, _ = aws_encryption_sdk.encrypt(
        source=plaintext,
        key_provider=kms_key_provider
    )
    return base64.b64encode(ciphertext)

def decrypt(ciphertext_b64):
    ciphertext = base64.b64decode(ciphertext_b64)
    # Raises "Unable to decrypt any data key" when no configured master key can unwrap the data key.
    plaintext, _ = aws_encryption_sdk.decrypt(
        source=ciphertext,
        key_provider=kms_key_provider,
    )
    return plaintext
FYI, this is using v1.3.2.
I get the following error:
Unable to decrypt any data key
When I print out the ciphertext I can clearly see the correct encryption key ARN. So I am not sure what's wrong here.
Issue analytics: created 5 years ago; 11 comments (6 by maintainers).
Top GitHub Comments
What permissions do you have to the KMS CMK? My initial suspicion is that you have GenerateDataKey permissions but not Decrypt. If you turn on debug logging, you can see the error that the underlying KMS client gives. That can show you exactly what the KMS response is to your request.
WARNING: Do not post debug logs here or anywhere else public, as they contain the entire request and response header and bodies for any AWS calls. For the KMS calls we use, that will include your plaintext data key.
Hmmm, I think I would have to see code and policies to debug any further.
^ This means that you don’t have access to the CMK when you are trying to decrypt. Because of this, I still think that it is a policy issue. One thing you could look for is to make sure that there are not policies (either in IAM or the key policy) that deny access to your principal (user/role) performing decrypt operations with this key (or more generally). Deny policies always take precedence over allow policies.
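The permission situation the maintainers describe above (GenerateDataKey granted but Decrypt missing, and an explicit Deny outranking any Allow), worked through as an added offline example that is not part of the issue or of the AWS Encryption SDK. It models only the Effect/Action part of IAM evaluation; the policy documents, the `evaluate` and `sdk_operations_allowed` helpers and their names are assumptions constructed for illustration.

```python
# Added example (not from the issue or the AWS Encryption SDK): a minimal
# offline evaluator of the rule the maintainer describes: an explicit Deny
# anywhere (IAM policy or key policy) wins over every Allow, applied to the
# two KMS actions the Encryption SDK needs. Resource, Principal and Condition
# matching are deliberately left out; only Effect and Action are modelled.
from typing import Iterable

# Actions the SDK calls on the CMK: GenerateDataKey to wrap a new data key on
# encrypt, Decrypt to unwrap it on decrypt.
SDK_ACTIONS = {"encrypt": "kms:GenerateDataKey", "decrypt": "kms:Decrypt"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns allow a trailing '*' wildcard, e.g. "kms:*".
    return action == pattern or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def evaluate(statements: Iterable[dict], action: str) -> str:
    """Return 'deny', 'allow' or 'implicit-deny' for one action, following
    IAM ordering: explicit Deny beats explicit Allow beats the default denial."""
    decision = "implicit-deny"
    for statement in statements:
        if any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            if statement["Effect"] == "Deny":
                return "deny"          # a matching Deny ends evaluation
            decision = "allow"
    return decision

def sdk_operations_allowed(*policies: list) -> dict:
    """Merge identity-policy and key-policy statements (KMS evaluates both)
    and report whether the SDK's encrypt and decrypt calls can succeed."""
    merged = [s for policy in policies for s in policy]
    return {op: evaluate(merged, action) == "allow" for op, action in SDK_ACTIONS.items()}

# Constructed policies. ENCRYPT_ONLY is the case suspected in the thread:
# GenerateDataKey granted, Decrypt never mentioned, so encryption works but
# decryption fails even though the key ARN in the message header is correct.
ENCRYPT_ONLY = [{"Effect": "Allow", "Action": ["kms:GenerateDataKey"]}]
ENCRYPT_AND_DECRYPT = [{"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"]}]
# A broad Deny in an IAM policy, the kind the last comment says to look for.
DENY_ALL_KMS = [{"Effect": "Deny", "Action": "kms:*"}]

if __name__ == "__main__":
    print(sdk_operations_allowed(ENCRYPT_ONLY))                        # decrypt False
    print(sdk_operations_allowed(ENCRYPT_AND_DECRYPT))                 # both True
    print(sdk_operations_allowed(ENCRYPT_AND_DECRYPT, DENY_ALL_KMS))   # both False
```

Comparing the output for the first and third policies shows why the symptom is the same for a missing Allow and for an overriding Deny, which is why the maintainers ask for both the IAM and the key policy.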