StrictAwsKmsMasterKeyProvider fails with CMK Alias ARN

[ragona]

I'm having some trouble that I've narrowed down to my usage of StrictAwsKmsMasterKeyProvider. When you provide a CMK alias to a StrictAwsKmsMasterKeyProvider then the encrypt works fine, but if you immediately turn around to decrypt the resulting blob, it will fail.

It appears that on encrypt the ESDK will use the key alias, but on decrypt it inspects the blob and discovers the full ARN. The provider is configured with the Alias ARN, so there is a mismatch of key ID, and it fails as intended.

If you use the strict ARN then it works fine, but this means that you can't just construct an alias, you have to describe the alias each time. The documentation here seems to suggest that a key alias should work, so my guess is that is a bug.

Any suggestions?

(p.s. Miss you, team!)

[farleyb-amazon]

Hey Ryan, this actually is intentional -- the Strict provider does not allow decryption with aliases, for exactly the reason you've pointed out.

Using the strict ARN is our recommendation, but I understand that isn't feasible for all cases. If you want to avoid querying for key ARNs or knowing them ahead of time, you might look into the DiscoveryAwsKmsMasterKeyProvider for your decrypt path, which will allow decryption without explicitly listing key ARNs. If you do use this approach, I'd recommend using a DiscoveryFilter, which lets you limit decryption to only ciphertexts created by keys from the specified AWS accounts and partitions.

In the meantime, I see what you're saying about the documentation suggesting that aliases might work (or at least not being clear enough that they won't work). We'll get that fixed.

[acioc]

Hi! We miss you too!!

Created #311 to make the documentation text clearer.

Closing this issue, but please re-open or cut us a new issue if you have any other questions.

[ragona]

Makes total sense, thank you! I'll keep using the DiscoveryAwsKmsMasterKeyProvider for decrypt (can confirm that was how I got around the decrypt error), and I'll add a DiscoveryFilter to pin it to the intended account.