I want to create a key that's managed by AWS. So far this is what I have
@mock_kms
def test_mocking_getting_keys(self):
session = boto3.Session(profile_name=profile)
client = session.client('kms', 'us-east-2')
key = client.create_key(
Policy='string',
Description='string',
KeyUsage='SIGN_VERIFY',
CustomerMasterKeySpec='RSA_2048',
Origin='AWS_KMS',
CustomKeyStoreId='string',
BypassPolicyLockoutSafetyCheck=True,
Tags=[
{
'TagKey': 'string',
'TagValue': 'string'
},
]
)
print(key)
But the key doesn't seem to have KeyManager field:
{'KeyMetadata': {'AWSAccountId': '012345678912', 'KeyId': '7fc3e676-0d1c-4526-9161-41b27a776033', 'Arn': 'arn:aws:kms:us-east-2:012345678912:key/7fc3e676-0d1c-4526-9161-41b27a776033', 'CreationDate': datetime.datetime(2020, 1, 3, 13, 31, 17, tzinfo=tzutc()), 'Enabled': True, 'Description': 'string', 'KeyUsage': 'SIGN_VERIFY', 'KeyState': 'Enabled'}, 'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'amazon.com'}, 'RetryAttempts': 0}}
I tried adding KeyManager as a param during create_key call but that didn't work either.
Seems like moto doens't return the KeyManager field. Is there a way to mock that return value specifically but not change the behavior of the dictionary.get method for the rest of the params?
i.e.
key['KeyMetadata']['AWSAccountId']
would return the mocked value and then
key['KeyMetadata']['KeyManager']
would return a another mocked value that I could specify.
To create a KMS key in the console or by using the APIs, you must have the following permission in an IAM policy. Whenever possible, use condition keys to limit the permissions. For example, you can use the kms:KeySpec condition key in an IAM policy to allow principals to create only symmetric encryption keys.
You can use the PutKeyPolicy operation to change the key policy of a KMS key in your AWS account. You cannot use this API on a KMS key in a different AWS account. Use the GetKeyPolicy operation to get the existing key policy document, and then save the key policy document to a file.
To find the key ID and ARN (console) To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. To find the key ID for a KMS key, see the row that begins with the KMS key alias. The Key ID column appears in the tables by default.
An alias is an independent AWS resource The actions that you take on the alias don't affect its associated KMS key. You can create an alias for a KMS key and then update the alias so it's associated with a different KMS key. You can even delete the alias without any effect on the associated KMS key.
The KeyManager
attribute is currently not returned by Moto, you can either open an Issue on the Moto GitHub, or add it yourself (either locally, or PR'ed to upstream)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With