6
votes

My AWS account is in the us-west-2 region, and the KMS key created in that account has the ARN arn:aws:kms:us-east-1::key/. In my Node module, I am using Credstash to decrypt the key, which is encrypted using the KMS key.

const Credstash = require('nodecredstash'); // assumed package providing the Credstash class

var credstash = new Credstash({ 'table': 'tablename', 'awsOpts': { 'region': 'region' } });
let secret = credstash.getSecret({ name: 'keyname' }).then(result => {
    console.log(result);
});

I am getting the below exception.

"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access"

Below is the IAM policy in the sls file.

- Effect: "Allow"
  Action: ["kms:Decrypt"]
  Resource: [
    Fn::Join: ["", ["arn:aws:kms:us-east-1:accountid:key/", {"Fn::Sub": "kmskey"}]]
  ]

Any pointers to fix this issue will be of great help.

1

Have you given access to this user for encrypting/decrypting using this KMS key? This should be in the encryption key section under IAM. - Aniket Thakur

1 Answer

0
votes

Please use the below:

new Credstash({ 'table': '<table-name>', 'awsOpts': { 'region': 'us-west-2' }, 'kmsOpts': { 'region': 'us-east-1' } })
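As an added example (not the question's or the answer's code), the same split between the DynamoDB region and the KMS region, but derived from the key ARN so the two cannot drift apart, with a pre-flight check that reports the mismatch in plain words and the minimal kms:Decrypt statement the caller needs. The package name nodecredstash and its kmsKey option are assumed from that package's documentation.

```javascript
// Added example; not the question's or the answer's code. Package name
// 'nodecredstash' and its 'kmsKey' option are assumed from that package's README.
const KMS_ARN_RE =
  /^arn:(aws(?:-[a-z-]+)?):kms:([a-z]{2}(?:-[a-z]+)+-\d):(\d{12}):(key\/[0-9a-f-]+|alias\/[\w\/-]+)$/;

// Split a KMS key or alias ARN into partition, region, account and resource.
function parseKmsArn(arn) {
  const m = KMS_ARN_RE.exec(arn);
  if (!m) throw new Error(`not a KMS key/alias ARN: ${arn}`);
  return { partition: m[1], region: m[2], account: m[3], resource: m[4] };
}

// awsOpts configures the DynamoDB client (credential table in tableRegion);
// kmsOpts configures the KMS client, which has to call the region that owns the
// key embedded in the ciphertext. Deriving it from the ARN keeps the two aligned.
function buildCredstashOptions({ table, tableRegion, kmsKeyArn }) {
  const key = parseKmsArn(kmsKeyArn);
  return {
    table,
    awsOpts: { region: tableRegion },
    kmsOpts: { region: key.region },
    kmsKey: kmsKeyArn, // only used when putSecret generates a new data key
  };
}

// Fail early with a readable message instead of the generic KMS
// "customer master key does not exist ... in this region" error.
function assertKmsRegion(options) {
  const want = parseKmsArn(options.kmsKey).region;
  const got = options.kmsOpts && options.kmsOpts.region;
  if (got !== want) {
    throw new Error(`kmsOpts.region is ${got} but the key lives in ${want}`);
  }
  return true;
}

// Least-privilege IAM statement for reading secrets: kms:Decrypt on that key only.
// The key policy in the key's account must also grant the calling role.
function decryptStatement(kmsKeyArn) {
  parseKmsArn(kmsKeyArn);
  return { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [kmsKeyArn] };
}

// Read one secret; needs the nodecredstash package installed.
async function readSecret(options, name) {
  assertKmsRegion(options);
  const Credstash = require('nodecredstash');
  return new Credstash(options).getSecret({ name });
}
```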