Unable to decrypt secrets (infrastructure-live-acme)

kms
encryption

#1

Hi.
Following infrastructure-live-acme I have everything deployed, but the sample-app-backend-acme docker container keeps failing to start. A check of the logs reveals:

AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

I’m presuming that the key required is cmk-stage, which I can see has been created in the correct region, us-east-1.

Using the ARN for cmk-stage I can successfully encrypt a db_password, but when I immediately try to decrypt the ciphertext I get the same AccessDeniedException, so this looks like an authorisation issue.

Things I’ve checked:

  • [my machine] my logged-in AWS user has KMS full access in IAM and is the key administrator for cmk-stage
  • [on stage ecs instance] user is the principal for AllowAccessForKeyUsers

Am I missing an IAM role, even though I’m the key administrator?

Any help on debugging this is appreciated.


#2

Ugh - cause entirely user related.


#3

Hahaha, it happens :slight_smile:

Anything you can share so the next person to hit this can save some time?


#4

gruntkms was behaving itself correctly, and the only issue was copypasta from a tired developer who couldn’t understand why the default encrypted db_password didn’t match the one created using the newly created stage key.
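As an added example (not code from the thread, from infrastructure-live-acme, or from gruntkms), here is a shell helper for the check that would have shortened this debugging: kms:Decrypt returns the KeyId it actually used, so asking KMS which key a ciphertext belongs to separates the two causes of the AccessDeniedException quoted in #1. A blob encrypted under a key in another account or region fails to decrypt with exactly that message (as with the copied default db_password in #4), while a blob encrypted under a different key in the same account decrypts fine and reports the other key's ARN. Assumptions: the AWS CLI is on PATH with credentials, the region is us-east-1, the stage key has the alias alias/cmk-stage, and the ARNs in the comments are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread, infrastructure-live-acme or gruntkms.
# Before blaming IAM, ask KMS which key a ciphertext was produced under.
# Assumptions: AWS CLI on PATH with credentials, region us-east-1, and a key
# alias named alias/cmk-stage. The fileb:// argument form works with both
# v1 and v2 of the CLI. Written in POSIX sh syntax so it also runs under sh.
set -eu

REGION="${AWS_REGION:-us-east-1}"

# Resolve a key id or alias (e.g. alias/cmk-stage) to the key ARN.
kms_key_arn() {
  aws kms describe-key --region "$REGION" --key-id "$1" \
    --output text --query KeyMetadata.Arn
}

# Encrypt a plaintext string under the given key; prints base64 ciphertext.
kms_encrypt() {
  key_id="$1"; plaintext="$2"
  tmp=$(mktemp); printf '%s' "$plaintext" > "$tmp"
  if out=$(aws kms encrypt --region "$REGION" --key-id "$key_id" \
             --plaintext "fileb://$tmp" --output text --query CiphertextBlob 2>&1); then
    rm -f "$tmp"; printf '%s\n' "$out"
  else
    rm -f "$tmp"; printf '%s\n' "$out" >&2; return 1
  fi
}

# Ask KMS which key a base64 ciphertext belongs to. Prints the key ARN on
# success; on failure prints the KMS error (e.g. AccessDeniedException) to
# stderr and returns 1. Note: macOS base64 may need -D instead of -d.
kms_ciphertext_key() {
  ciphertext_b64="$1"
  tmp=$(mktemp); printf '%s' "$ciphertext_b64" | base64 -d > "$tmp"
  if out=$(aws kms decrypt --region "$REGION" --ciphertext-blob "fileb://$tmp" \
             --output text --query KeyId 2>&1); then
    rm -f "$tmp"; printf '%s\n' "$out"
  else
    rm -f "$tmp"; printf '%s\n' "$out" >&2; return 1
  fi
}

# Compare the key a ciphertext decrypts under with the key the environment
# expects. Returns 0 on match, 1 on mismatch (ciphertext from another key in
# this account), 2 when KMS refused to decrypt (other account/region, or the
# caller lacks kms:Decrypt on that key).
kms_check() {
  ciphertext_b64="$1"; expected_key="$2"
  expected_arn=$(kms_key_arn "$expected_key")
  if ! actual_arn=$(kms_ciphertext_key "$ciphertext_b64"); then
    echo "decrypt failed: key in another account/region, or no kms:Decrypt on it" >&2
    return 2
  fi
  if [ "$actual_arn" = "$expected_arn" ]; then
    echo "ok: ciphertext was produced under $expected_arn"
  else
    echo "mismatch: ciphertext belongs to $actual_arn, expected $expected_arn" >&2
    return 1
  fi
}

# Usage: ./kms_check.sh <base64-ciphertext> [key-id-or-alias]
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
  kms_check "$1" "${2:-alias/cmk-stage}"
fi
```

Run it once from the workstation and once on the stage ECS instance with the same ciphertext: a mismatch on both points at a copied value, while a return code of 2 on the instance but 0 on the workstation points at the instance role's key policy rather than the ciphertext.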