ValueError: Invalid endpoint: https://kms..amazonaws.com

[wongster80]

Hi,

When calling AwsKmsCryptographicMaterialsProvider:

aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id)

... I get the following error:

 Traceback (most recent call last):
  File "dynamodb_writer_enc.py", line 79, in <module>
    encrypted_table.put_item(Item=plaintext_item)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/internal/utils.py", line 264, in encrypt_put_item
    crypto_config=crypto_config.with_item(_item_transformer(encrypt_method)(ddb_kwargs['Item']))
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/item.py", line 145, in encrypt_python_item
    encrypted_ddb_item = encrypt_dynamodb_item(ddb_item, crypto_config)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/item.py", line 70, in encrypt_dynamodb_item
    encryption_materials = crypto_config.encryption_materials()
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/__init__.py", line 93, in encryption_materials
    return self.materials_provider.encryption_materials(self.encryption_context)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/material_providers/aws_kms.py", line 510, in encryption_materials
    initial_material, encrypted_initial_material = self._generate_initial_material(encryption_context)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/material_providers/aws_kms.py", line 370, in _generate_initial_material
    response = self._client(key_id).generate_data_key(**kms_params)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/material_providers/aws_kms.py", line 259, in _client
    return self._add_regional_client(region)
  File "/usr/local/lib/python3.7/site-packages/dynamodb_encryption_sdk/material_providers/aws_kms.py", line 239, in _add_regional_client
    ).client('kms', config=self._user_agent_adding_config)
  File "/usr/local/lib/python3.7/site-packages/boto3/session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 889, in create_client
    client_config=config, api_version=api_version)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 76, in create_client
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 291, in _get_client_args
    verify, credentials, scoped_config, client_config, endpoint_bridge)
  File "/usr/local/lib/python3.7/site-packages/botocore/args.py", line 80, in get_client_args
    timeout=(new_config.connect_timeout, new_config.read_timeout))
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 239, in create_endpoint
    raise ValueError("Invalid endpoint: %s" % endpoint_url)
ValueError: Invalid endpoint: https://kms..amazonaws.com 

[karlw00t]

Is the aws_cmk_id string have the form of:

arn:aws:kms:region:account-id:key/key-id
or
arn:aws:kms:region:account-id:alias/alias

If not, could you provide an example string?

[wongster80]

Hi, aws_cmk_id is of this format: aws_cmk_id = 'arn:aws:iam::123456789123:policy/prd1688-us-east-1-dev1-k8s-jana-policy'

…

On Tue, Oct 16, 2018 at 6:40 PM Josh ***@***.***> wrote: Is the aws_cmk_id string have the form of: arn:aws:kms:region:account-id:key/key-id or arn:aws:kms:region:account-id:alias/alias If not, could you provide an example string you are providing? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#94 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABGgVEXybzCYXUCKxZt3XUcvsXRU_6YTks5ulop9gaJpZM4XifPx> .

[mattsb42-aws]

aws_cmk_id = 'arn:aws:iam::123456789123:policy/prd1688-us-east-1-dev1-k8s-jana-policy'

That is an Arn for an IAM policy, not a KMS CMK.

As an aside, we should catch this before it hits botocore. #95 opened to catch this.

[wongster80]

Thanks for pointing that out Matt. Dealing with some the KMS CMK permission issues with AWS support, but I think this issue can be closed.

…

On Wed, Oct 17, 2018 at 2:36 AM Matt Bullock ***@***.***> wrote: aws_cmk_id = 'arn:aws:iam::123456789123:policy/prd1688-us-east-1-dev1-k8s-jana-policy' That is an Arn for an IAM policy, not a KMS CMK. As an aside, we should catch this before it hits botocore. #95 <#95> opened to catch this. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#94 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABGgVPFwXgzQAcAKf-Z7RynNEh8ZPNXqks5ulvomgaJpZM4XifPx> .