Skip to content

Support decrypting API keys encrypted with an encryption context #145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Jun 10, 2021
Merged

Support decrypting API keys encrypted with an encryption context #145

merged 16 commits into from
Jun 10, 2021

Conversation

nhinsch
Copy link
Contributor

@nhinsch nhinsch commented Jun 9, 2021
edited
Loading

What does this PR do?

When decrypting the API key using KMS, try first with the encryption context added by the Lambda console UI, then try without.

Bonus: Updates black (the code formatter) to v21.

Motivation

The Lambda console UI changed the way it encrypts environment variables. The current behavior is to encrypt environment variables using the function name as an encryption context. Previously, the behavior was to encrypt environment variables without an encryption context. The Lambda Extension currently only supports API keys encrypted using the previous behavior. We need to support both, as supplying the incorrect encryption context will cause decryption to fail.

Testing Guidelines

I added unit test coverage for this function and tested manually.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@nhinsch nhinsch marked this pull request as ready for review June 9, 2021 23:19
@nhinsch nhinsch requested a review from a team as a code owner June 9, 2021 23:19
tianchu
tianchu reviewed Jun 10, 2021
View reviewed changes
DarcyRaynerDD
DarcyRaynerDD approved these changes Jun 10, 2021
View reviewed changes
Copy link
Contributor

@DarcyRaynerDD DarcyRaynerDD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nhinsch nhinsch merged commit 315c73d into main Jun 10, 2021
@nhinsch nhinsch deleted the ngh/fix-kms branch June 10, 2021 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tianchu tianchu tianchu left review comments

@DarcyRaynerDD DarcyRaynerDD DarcyRaynerDD approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nhinsch @tianchu @DarcyRaynerDD