Issue with getting Region when federated

[michaelajr]

Wondering if there is an issue with getting the region when the profile is federated. I am in a federated account using a role that has kms:*, and I get this when decrypting:

com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException: Unable to decrypt any data keys

This is not an issue with using aliases. This works perfect in another account where I am not federated, using an IAM User with full admin permissions. Is there something else needed here?

    @Override
    public void decryptFile(
            final String encryptedFilename, 
            final String decryptedFilename) {

        final KmsMasterKeyProvider provider
                = new KmsMasterKeyProvider(
                        new DefaultAWSCredentialsProviderChain());

        final AwsCrypto awsCrypto
                = new AwsCrypto();

        try (final FileInputStream fileInputStream
                = new FileInputStream(
                        encryptedFilename);

                final FileOutputStream fileOutputStream
                        = new FileOutputStream(
                                decryptedFilename);

                final CryptoInputStream<?> decryptingStream
                        = awsCrypto
                                .createDecryptingStream(
                                        provider, 
                                        fileInputStream)) {

            IOUtils.copy(
                    decryptingStream,
                    fileOutputStream);

        } catch (IOException exception) {
            throw new DecryptionException(exception);
        }
    }

[michaelajr]

And oddly enough adding this...

provider.setRegion(Region.getRegion(Regions.US_EAST_1));

...fixes the issue. Just do not understand it. I have the ~/.aws/config file set with the correct region. The region needs to be determined at runtime.

[mattsb42-aws]

What version are you using? This should have been addressed by the regional client supplier added in 1.3.1.

It's hard to tell without seeing your exact config and how you are using federated sessions, but I suspect that when you load the credentials for the federated session, the credential loader is not looking in your config for a default region.

[michaelajr]

Thanks for the help. Here's my set up...

$ env | grep AWS
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1

~/.aws/credentials

[default]
aws_access_key_id=redacted
aws_secret_access_key=redacted
aws_session_token=redacted
aws_security_token= redacted

~/.aws/config

[default]
region=us-east-1

Using 1.3.2 of the SDK now (was at 1.3.1). And now using the KmsMasterKeyProvider builder.

        final KmsMasterKeyProvider provider
                = KmsMasterKeyProvider.builder()
                        .withCredentials(
                                new DefaultAWSCredentialsProviderChain())
                        .build();

Yields:

com.amazonaws.encryptionsdk.exception.AwsCryptoException: Can't use keys from region null

Adding `.withDefaultRegion("us-east-1")

        final KmsMasterKeyProvider provider
                = KmsMasterKeyProvider.builder()
                        .withDefaultRegion("us-east-1")
                        .withCredentials(
                                new DefaultAWSCredentialsProviderChain())
                        .build()

Yields

com.amazonaws.encryptionsdk.exception.AwsCryptoException: Can't use keys from region null

The region is definitely not getting set. Or it is getting overwritten. Seems to find the credentials just fine.

[michaelajr]

And going back the old way (now deprecated):

        final KmsMasterKeyProvider provider
                = new KmsMasterKeyProvider(
                        new DefaultAWSCredentialsProviderChain());

Gives me:

com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException: Unable to decrypt any data keys
	at com.eoniantech.secretslocker.aws.ClassPathSecretsLockerIT_get.testGet(ClassPathSecretsLockerIT_get.java:44)
Caused by: com.amazonaws.encryptionsdk.exception.AwsCryptoException: Can't use keys from region us-east-1

Crazy.

[michaelajr]

So to get this working I have use 1.3.1 - and explicitly set the region. Which is of course not what I want. The region needs to be set at runtime. What on earth can be wrong here?

[mattsb42-aws]

Were you using 1.3.1 when you had to set the region? As of 1.3.1 the KMS master key provider should automatically vend a KMS master key for the right region on decrypt based on the ARN in the header.

EDIT: Sorry, re-read and saw you're using 1.3.2 now.

[michaelajr]

When using 1.3.1 the region was undetermined, so the provider could not vend a key. By explicitly adding the region on the provider - it worked. Key is still undetermined when using 1.3.2, and there is not way to set the region.

[michaelajr]

This has to be an issue with the credentials/profile loader in the SDK. Or I'm just doing something wrong in my credentials/config setup. I do not think this has anything to do with the Encryption SDK.

[bdonlan]

Normally, if you use the builder, the KMSMasterKeyProvider should find the appropriate region by examining the key ID in the ciphertext headers during the decrypt flow. It's strange that this isn't working. How are you generating your ciphertexts?

If it's possible to attach a ciphertext generated using a test key, we could take a look at the headers and see if the region is missing somehow.

[michaelajr]

Sure. I can upload an encrypted file in bit. Thanks for the help. When the region is explicitly set, the provider vends the correct key. So when the region is not set, it seems the "region chain" logic (or whatever determines the region to use) is not working. Like I said, this works when using a IAM user and not a federated user.

[michaelajr]

Here's example ciphertext created by a test key.
example.zip