Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do you add KeyManager to a kms key mocked using moto

I want to create a key that's managed by AWS. So far this is what I have

@mock_kms
def test_mocking_getting_keys(self):
    session = boto3.Session(profile_name=profile)
    client = session.client('kms', 'us-east-2')
    key = client.create_key(
        Policy='string',
        Description='string',
        KeyUsage='SIGN_VERIFY',
        CustomerMasterKeySpec='RSA_2048',
        Origin='AWS_KMS',
        CustomKeyStoreId='string',
        BypassPolicyLockoutSafetyCheck=True,
        Tags=[
            {
                'TagKey': 'string',
                'TagValue': 'string'
            },
        ]
    )
    print(key)

But the key doesn't seem to have KeyManager field:

 {'KeyMetadata': {'AWSAccountId': '012345678912', 'KeyId': '7fc3e676-0d1c-4526-9161-41b27a776033', 'Arn': 'arn:aws:kms:us-east-2:012345678912:key/7fc3e676-0d1c-4526-9161-41b27a776033', 'CreationDate': datetime.datetime(2020, 1, 3, 13, 31, 17, tzinfo=tzutc()), 'Enabled': True, 'Description': 'string', 'KeyUsage': 'SIGN_VERIFY', 'KeyState': 'Enabled'}, 'ResponseMetadata': {'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'amazon.com'}, 'RetryAttempts': 0}}

I tried adding KeyManager as a param during create_key call but that didn't work either.

Seems like moto doens't return the KeyManager field. Is there a way to mock that return value specifically but not change the behavior of the dictionary.get method for the rest of the params?

i.e.

key['KeyMetadata']['AWSAccountId'] would return the mocked value and then key['KeyMetadata']['KeyManager'] would return a another mocked value that I could specify.

like image 601
Stupid.Fat.Cat Avatar asked Jan 03 '20 21:01

Stupid.Fat.Cat


People also ask

How do I add a key to KMS?

To create a KMS key in the console or by using the APIs, you must have the following permission in an IAM policy. Whenever possible, use condition keys to limit the permissions. For example, you can use the kms:KeySpec condition key in an IAM policy to allow principals to create only symmetric encryption keys.

How do I change my KMS key policy?

You can use the PutKeyPolicy operation to change the key policy of a KMS key in your AWS account. You cannot use this API on a KMS key in a different AWS account. Use the GetKeyPolicy operation to get the existing key policy document, and then save the key policy document to a file.

How do I find my KMS key ID?

To find the key ID and ARN (console) To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. To find the key ID for a KMS key, see the row that begins with the KMS key alias. The Key ID column appears in the tables by default.

What is KMS key alias?

An alias is an independent AWS resource The actions that you take on the alias don't affect its associated KMS key. You can create an alias for a KMS key and then update the alias so it's associated with a different KMS key. You can even delete the alias without any effect on the associated KMS key.


1 Answers

The KeyManager attribute is currently not returned by Moto, you can either open an Issue on the Moto GitHub, or add it yourself (either locally, or PR'ed to upstream)

like image 75
Niobos Avatar answered Sep 22 '22 15:09

Niobos