Documentation fix for kms create grant #3883

Open, wants to merge 1 commit into base: develop
@gene1wood (Contributor) commented Sep 19, 2019

Originally proposed in #3202, the same content here in a new commit

The `create_grant` call doesn't actually allow the use of key aliases. If you use a key alias, AWS returns an exception.

Here's code to reproduce this error. To test it you'll need to set the `kms_key` value to your KMS key's alias and set the `grantee_principal` to the ARN of an IAM role that exists.

```python
import boto.kms

kms = boto.kms.connect_to_region('us-east-1')

# Set to your KMS key's alias; passing an alias is what triggers the error.
kms_key = 'alias/mykeyalias'
# Set to the ARN of an IAM role that exists.
grantee_principal = 'arn:aws:iam::123456789012:role/ExampleRole'
operations = ['Decrypt']
context = {'EncryptionContextSubset': {'foo': 'bar'}}

# Raises InvalidArnException because key_id is an alias.
result = kms.create_grant(key_id=kms_key,
                          grantee_principal=grantee_principal,
                          operations=operations,
                          constraints=context)
```

Expected results would be to have the grant created.

Actual results are the exception:

```
boto.kms.exceptions.InvalidArnException: InvalidArnException: 400 Bad Request
{u'message': u'Key Aliases are not supported for this operation.', u'__type': u'InvalidArnException'}
```
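
A workaround for the behaviour reported above, as an added example that is not part of the pull request or of boto: resolve the alias with `describe_key`, which accepts aliases, and pass the returned key ARN to `create_grant`, so the grant is tied to one concrete key. `StubKMS`, its key ARN and its grant values are constructed stand-ins for a `boto.kms` connection so the block runs offline; the helper names are hypothetical.

```python
ALIAS_PREFIX = "alias/"


def is_alias(key_id):
    """True for an alias name ("alias/x") or an alias ARN ("arn:...:alias/x")."""
    return key_id.startswith(ALIAS_PREFIX) or (":" + ALIAS_PREFIX) in key_id


def resolve_key_arn(kms, key_id):
    """Return the key ARN behind key_id; key IDs and key ARNs pass through unchanged."""
    if not is_alias(key_id):
        return key_id
    # DescribeKey accepts alias names, unlike CreateGrant.
    return kms.describe_key(key_id)["KeyMetadata"]["Arn"]


def create_grant_for(kms, key_id, grantee_principal, operations, constraints=None):
    """Create the grant on the resolved key and return (key_arn, response)."""
    key_arn = resolve_key_arn(kms, key_id)
    response = kms.create_grant(key_id=key_arn,
                                grantee_principal=grantee_principal,
                                operations=operations,
                                constraints=constraints)
    return key_arn, response


class StubKMS(object):
    """Constructed stand-in for boto.kms.connect_to_region(...); no network access."""
    KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

    def describe_key(self, key_id):
        return {"KeyMetadata": {"KeyId": self.KEY_ARN.rsplit("/", 1)[1],
                                "Arn": self.KEY_ARN}}

    def create_grant(self, key_id, grantee_principal, operations=None, constraints=None):
        if is_alias(key_id):  # mirrors the error reported in this pull request
            raise ValueError("Key Aliases are not supported for this operation.")
        return {"GrantId": "constructed-grant-id", "GrantToken": "constructed-token"}


if __name__ == "__main__":
    arn, resp = create_grant_for(StubKMS(), "alias/mykeyalias",
                                 "arn:aws:iam::123456789012:role/ExampleRole",
                                 ["Decrypt"],
                                 {"EncryptionContextSubset": {"foo": "bar"}})
    print(arn, resp["GrantId"])
```

With a real connection, pass the object returned by `boto.kms.connect_to_region` in place of `StubKMS()`.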