I am trying to decrypt a string with AWS KMS, but I am getting an InvalidCiphertextException error (with no further information following the exception name).
I was originally decrypting in a Node.js Lambda, using an environment variable as the source for encryptedString:
    var AWS = require('aws-sdk');
    var kms = new AWS.KMS();
    var params = {
      CiphertextBlob: Buffer.from(encryptedString, 'base64')
    };
    kms.decrypt(params, function(err, data) {
      if (err) {
        // ...
      } else {
        // ...
      }
    });
I have also tried it with the CiphertextBlob value as a String, i.e.:
CiphertextBlob: encryptedString
The KMS key used to encrypt the value originally is a symmetric CMK so I believe I shouldn't need to pass in the key ID.
I also tried the same thing via awscli (passing in ciphertext-blob as a string) but got the same error:
    aws kms decrypt --ciphertext-blob <encrypted string value> --query Plaintext --output text | base64 --decode
Passing in the key ID had no effect either.
I have used an online tool to validate that the encrypted string is base64. I'm not too clued up on base64 encoding so not sure if that's all it takes to prove the cipher text is valid.
I'm sure I'm failing with something fundamental - either my encrypted string is not base64 or not what decrypt expects, or I am missing some additional decrypt arguments perhaps.
Thanks in advance.
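An added example, not from the question or from AWS, showing the check a practitioner would run before calling decrypt: it validates that the stored string is strict base64, peels off the common double-encoding mistake, and hands KMS a Buffer. The names isStrictBase64, toCiphertextBlob and decryptString are assumptions, and decryptString assumes the aws-sdk v2 callback shape kms.decrypt(params, cb) with a client injected so it can be exercised with a fake.

```javascript
// Added illustration: strict base64 handling for a KMS CiphertextBlob.
// Node's Buffer.from(s, 'base64') is lenient: it silently drops whitespace and
// characters outside the base64 alphabet, so a value that is not exactly the
// base64 returned by `encrypt` still yields a Buffer, and KMS then rejects it
// with InvalidCiphertextException instead of anything failing locally.
const STRICT_BASE64 =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function isStrictBase64(s) {
  return typeof s === 'string' && s.length > 0 && STRICT_BASE64.test(s);
}

// Turn the stored string into the raw bytes KMS expects. Returns
// { blob, doubleEncoded }; throws if the input is not strict base64.
function toCiphertextBlob(encryptedString) {
  const trimmed = String(encryptedString).trim();
  if (!isStrictBase64(trimmed)) {
    throw new Error('ciphertext is not strict base64 (whitespace, URL-safe ' +
      'characters or bad padding?)');
  }
  let blob = Buffer.from(trimmed, 'base64');
  let doubleEncoded = false;
  // A real ciphertext is binary, so if the decoded bytes are themselves a valid
  // base64 string the value was almost certainly encoded twice (once by
  // encrypt and once more when it was stored). Peel one extra layer.
  const inner = blob.toString('latin1');
  if (isStrictBase64(inner)) {
    doubleEncoded = true;
    blob = Buffer.from(inner, 'base64');
  }
  return { blob, doubleEncoded };
}

// Same callback shape as aws-sdk v2's kms.decrypt(params, cb) (assumed here);
// kms is injected so the function can be exercised with a fake client.
function decryptString(kms, encryptedString, callback) {
  let blob;
  try {
    ({ blob } = toCiphertextBlob(encryptedString));
  } catch (e) {
    return callback(e);
  }
  kms.decrypt({ CiphertextBlob: blob }, function (err, data) {
    if (err) return callback(err);
    callback(null, Buffer.from(data.Plaintext).toString('utf8'));
  });
}
```

If toCiphertextBlob reports doubleEncoded, the value in the environment variable was base64-encoded a second time after encrypt returned it, which is one concrete way to end up with a blob KMS rejects.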