do not allow key= on decrypt with aws-kms master key provider #80

Closed
mattsb42-aws opened this issue Nov 16, 2017 · 0 comments

mattsb42-aws commented Nov 16, 2017

Problem

When decrypting with the AWS KMS master key provider, specifying the master key does not functionally do anything useful because the master key provider mirrors the KMS service behavior in decrypting any encrypted data key protected by a KMS CMK for which the calling identity has appropriate access. Accepting key values in an AWS KMS master key provider configuration on decrypt creates the false image that only those keys will be used for decrypt.

Solution

Raise an argument parsing error if a key value is provided with an AWS KMS master key provider on decrypt.
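
The check proposed above, sketched as an added example; it is not part of the original issue and is not the project's code. The `example-cli` program, its `--encrypt`/`--decrypt`/`--master-keys` options, the `name=value` token layout, the default-to-`aws-kms` rule and the custom provider name in the test are assumptions made for illustration.

```python
import argparse

AWS_KMS = "aws-kms"  # provider id named in the issue


class MasterKeyConfigError(ValueError):
    """A master key configuration that would mislead the caller."""


def parse_master_key_config(tokens):
    """Parse ['provider=aws-kms', 'key=A', 'key=B'] into a dict of attributes."""
    config = {"provider": None, "key": []}
    for token in tokens:
        name, sep, value = token.partition("=")
        if not (name and sep and value):
            raise MasterKeyConfigError(f"expected name=value, got {token!r}")
        if name == "provider":
            if config["provider"] is not None:
                raise MasterKeyConfigError("provider given more than once")
            config["provider"] = value
        else:
            config.setdefault(name, []).append(value)
    # Assumption: a configuration without provider= means the AWS KMS provider.
    config["provider"] = config["provider"] or AWS_KMS
    return config


def check_master_keys(action, configs):
    """Reject key= for aws-kms on decrypt: it would not restrict the CMKs used."""
    for config in configs:
        if action == "decrypt" and config["provider"] == AWS_KMS and config["key"]:
            raise MasterKeyConfigError(
                "key= is not allowed with the aws-kms provider on decrypt: "
                f"listing {config['key']} would not limit decryption to those keys"
            )
    return configs


def parse_cli(argv):
    parser = argparse.ArgumentParser(prog="example-cli")  # hypothetical CLI
    mode = parser.add_mutually_exclusive_group(required=True)
    mode.add_argument("--encrypt", dest="action", action="store_const", const="encrypt")
    mode.add_argument("--decrypt", dest="action", action="store_const", const="decrypt")
    parser.add_argument("--master-keys", nargs="+", action="append", default=None)
    args = parser.parse_args(argv)
    configs = [parse_master_key_config(t) for t in (args.master_keys or [])]
    args.master_keys = check_master_keys(args.action, configs)
    return args
```

A command-line front end would catch `MasterKeyConfigError` and pass its message to `parser.error()` so the user sees it as an argument parsing error.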
