bug: KMS decrypt fails for symmetric decryption when KeyId is provided #12530

Open
1 task done
cj-christoph-gysin opened this issue Apr 16, 2025 · 1 comment
Labels
aws:kms AWS Key Management Service status: backlog Triaged but not yet being worked on type: bug Bug report

@cj-christoph-gysin

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When decrypting data encrypted using symmetric encryption, the keyId is included in the ciphertext blob and does not need to be provided. However, when providing the keyId, localstack fails with an error:

2025-04-16T08:48:25.069  INFO --- [et.reactor-2] localstack.request.aws     : AWS kms.Decrypt => 500 (InternalError)
2025-04-16T08:48:25.089 ERROR --- [et.reactor-1] l.aws.handlers.logging     : exception during call chain
Traceback (most recent call last):
  File "/opt/code/localstack/.venv/lib/python3.11/site-packages/rolo/gateway/chain.py", line 166, in handle
    handler(self, self.context, response)
  File "/opt/code/localstack/localstack-core/localstack/aws/handlers/service.py", line 113, in __call__
    handler(chain, context, response)
  File "/opt/code/localstack/localstack-core/localstack/aws/handlers/service.py", line 83, in __call__
    skeleton_response = self.skeleton.invoke(context)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 154, in invoke
    return self.dispatch_request(serializer, context, instance)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 168, in dispatch_request
    result = handler(context, instance) or {}
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 118, in __call__
    return self.fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/services/kms/provider.py", line 1022, in decrypt
    plaintext = key.decrypt(ciphertext, encryption_context)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/services/kms/models.py", line 334, in decrypt
    return decrypt(key, ciphertext.ciphertext, ciphertext.iv, ciphertext.tag, aad)
                        ^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'ciphertext'

This only seems to happen when invoked from Lambda; I'm unable to reproduce this when directly invoking the API using the AWS SDK.

Expected Behavior

KMS decrypt succeeds also when KeyId is provided.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

I'll try to create a minimal Lambda function that can reproduce the problem.

Environment

- OS: macOS 15.4
- LocalStack:
  LocalStack version: 4.3.1.dev57
  LocalStack build date: 2025-04-16
  LocalStack build git hash: 2ec35743d

Anything else?

No response

@cj-christoph-gysin cj-christoph-gysin added status: triage needed Requires evaluation by maintainers type: bug Bug report labels Apr 16, 2025
@cj-christoph-gysin
Author

Looks like there is some assumption in the code when keyId is provided: https://github.com/localstack/localstack/blob/master/localstack-core/localstack/services/kms/provider.py#L984-L989

@ryan-berke ryan-berke added aws:kms AWS Key Management Service status: backlog Triaged but not yet being worked on and removed status: triage needed Requires evaluation by maintainers labels Apr 16, 2025
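
An added sketch, not LocalStack's code and not part of the thread above: one way a Decrypt handler can treat an optional `KeyId` so the ciphertext blob is always parsed and a supplied `KeyId` is only used to check the key embedded in it. The blob layout, the helper names and the sample values are assumptions made up for this example; alias resolution is left out.

```python
import uuid
from typing import NamedTuple, Optional

class InvalidCiphertextException(Exception):
    """Blob is malformed (named after the AWS KMS error)."""

class IncorrectKeyException(Exception):
    """Caller-supplied KeyId is not the key that produced the blob."""

# Constructed layout for this sketch only (not LocalStack's or AWS's format):
# 36-byte ASCII key UUID | 12-byte IV | ciphertext | 16-byte tag
KEY_ID_LEN, IV_LEN, TAG_LEN = 36, 12, 16

class Blob(NamedTuple):
    key_id: str
    iv: bytes
    ciphertext: bytes
    tag: bytes

def parse_blob(raw: bytes) -> Blob:
    """Split a blob into its fields, or raise a typed error."""
    if len(raw) < KEY_ID_LEN + IV_LEN + TAG_LEN:
        raise InvalidCiphertextException("blob too short")
    try:
        key_id = str(uuid.UUID(raw[:KEY_ID_LEN].decode("ascii")))
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        raise InvalidCiphertextException("no key id in blob header") from exc
    body = raw[KEY_ID_LEN:]
    return Blob(key_id, body[:IV_LEN], body[IV_LEN:-TAG_LEN], body[-TAG_LEN:])

def resolve_for_decrypt(raw: bytes, key_id: Optional[str] = None) -> Blob:
    """Parse unconditionally; a supplied KeyId (bare id or key ARN) must match."""
    blob = parse_blob(raw)  # never skipped, so the result is never None
    if key_id is not None:
        requested = key_id.rsplit("/", 1)[-1].lower()
        if requested != blob.key_id:
            raise IncorrectKeyException(f"{key_id} did not encrypt this blob")
    return blob

# Constructed sample input
SAMPLE_KEY = "11111111-2222-3333-4444-555555555555"
SAMPLE_RAW = SAMPLE_KEY.encode() + b"\x00" * 12 + b"secret-bytes" + b"\xff" * 16
```
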