Unable to decrypt secrets (infrastructure-live-acme)

Hi.
Following infrastrucure-live-acme I have everything deployed but the sample-app-backend-acme docker container keeps failing to start. A check of the logs reveals:

AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

I’m presuming that the key required is cmk-stage - which I can see has been created in the correct region us-east-1.

Using the arn for cmk-stage I can sucessfully encrypt a db_password, but when I immediatly try to decrypt the ciphertext, I get the same AccessDeniedException so this looks like an authorisation issue.

Things I’ve checked:

• [my machine] my AWS logged in user has KMS full access in IAM and is the key administrator for cmk-stage
• [on stage ecs instance] user is the principle for AllowAccessForKeyUsers

Am I missing an iam role, even though I’m the key administrator?

Any help on debugging this is appreciated.

Ugh - cause entirely user related.

Hahaha, it happens

Anything you can share so the next person to hit this can save some time?

gruntkms was behaving itself correctly, and the only issue was copypasta from a tired developer who couldn’t understand why the default encrypted db_password didn’t match the one created using the newly created stage key.