We have installed aws-encryption. We have a key in KMS which we want to use for decryption in a shell script. The hello world example works fine in the development environment, where we have created a KMS key. The ARN is stored in a variable $dev_key_arn.
> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$dev_key_arn --input - --output - --encode -S | aws-encryption-cli --decrypt --input - --output - --decode -S
Hello World
We also have a production environment, so we want to use the KMS key $prod_key_arn. We have valid AWS credentials in a profile called prod, so we would expect:
> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$prod_key_arn profile=prod region=eu-west-1 --input - --output - --encode -S | aws-encryption-cli --decrypt --input - --output - --decode -S
Encountered unexpected error: increase verbosity to see details.
DecryptKeyError("Unable to decrypt any data key")
But it fails with the above message. When we examine the encrypted message, we see that it was encrypted successfully.
> aws-encryption-cli --encrypt --master-keys key=arn:aws:kms:eu-west-1:953495156568:key/2197020f-5b3c-4d05-bffc-04cf6114e405 profile=prod region=eu-west-1 provider=aws-kms --input /tmp/prod_key --output - --encode -S
AYADePCKfZUuL<....>iza1AU=
The ARN of the key is stored in the encrypted material. But where does the information about the profile go? It cannot be passed in as a parameter when decoding, and it does not seem to be part of the encoded material.
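What the encrypted material carries can be checked directly: the `AYAD...` prefix above base64-decodes to version 1, type 0x80, algorithm ID 0x0378, i.e. the version 1 message format. The Python below is an added example (not from the question or from aws-encryption-cli) that parses that header: the `aws-kms` provider ID and the key ARN are stored per encrypted data key, and the format has no field for a profile or credentials, so the decrypting side has to supply its own AWS credentials (assumed here, from the master-key syntax shown above: by giving the decrypt command's own `--master-keys` the `profile=` and `region=` attributes). The sample header and key ARN are constructed.

```python
import base64
import struct

SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # constructed placeholder
def _u16(b, p):  # big-endian uint16 at offset p -> (value, new offset)
    if p + 2 > len(b):
        raise ValueError("truncated header")
    return struct.unpack(">H", b[p:p + 2])[0], p + 2
def _lv(b, p):  # uint16 length-prefixed byte string at offset p -> (bytes, new offset)
    n, p = _u16(b, p)
    if p + n > len(b):
        raise ValueError("truncated header")
    return b[p:p + n], p + n
def parse_header_v1(msg):
    """Parse the key-related fields of a version 1 AWS Encryption SDK message header."""
    if len(msg) < 22 or msg[0] != 0x01 or msg[1] != 0x80:
        raise ValueError("not a version 1 AWS Encryption SDK message")
    alg_id = struct.unpack(">H", msg[2:4])[0]
    message_id, pos = msg[4:20], 20
    aad_len, pos = _u16(msg, pos)
    context = {}
    if aad_len:  # AAD (encryption context) = pair count, then (key, value) pairs
        count, pos = _u16(msg, pos)
        for _ in range(count):
            k, pos = _lv(msg, pos)
            v, pos = _lv(msg, pos)
            context[k.decode()] = v.decode()
    edk_count, pos = _u16(msg, pos)
    edks = []
    for _ in range(edk_count):  # each EDK: provider id, provider info (the key ARN), ciphertext
        provider_id, pos = _lv(msg, pos)
        provider_info, pos = _lv(msg, pos)
        _ciphertext, pos = _lv(msg, pos)
        edks.append((provider_id.decode(), provider_info.decode()))
    return {"algorithm_id": alg_id, "message_id": message_id.hex(),
            "encryption_context": context, "encrypted_data_keys": edks}

def parse_b64_prefix(b64):
    """(version, type, algorithm id) from the first 8 base64 chars of the CLI's --encode output."""
    raw = base64.b64decode(b64[:8])
    return raw[0], raw[1], struct.unpack(">H", raw[2:4])[0]

def build_sample_header():
    """Constructed header laid out as the CLI would for one KMS key; the EDK ciphertext is fake."""
    lv = lambda b: struct.pack(">H", len(b)) + b
    aad = struct.pack(">H", 1) + lv(b"purpose") + lv(b"example")
    edk = lv(b"aws-kms") + lv(SAMPLE_KEY_ARN.encode()) + lv(b"\x00" * 184)
    return (b"\x01\x80" + struct.pack(">H", 0x0378) + b"\x11" * 16 + lv(aad) + struct.pack(">H", 1)
            + edk + b"\x02" + b"\x00" * 4 + b"\x0c" + struct.pack(">I", 4096))
```

Running `parse_header_v1(base64.b64decode(output))` on a real `--encode -S` output shows the same fields: provider `aws-kms`, the key ARN, the encryption context, and nothing that names a profile.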