Client hangs on encryption if the account making the request does not have encryption permission

[agbizzzle]

Environment details

• OS: Linux Debian
• Node.js version: 10.21.0
• npm version: 6.14.3
• @google-cloud/kms version: 2.1.2

Steps to reproduce

1. Ensure the IAM account in question does not have permission to encrypt e.g. no 'Cloud KMS CryptoKey Encrypter/Decrypter' or 'Cloud KMS CryptoKey Encrypter' IAM roles

2. Try encrypting a payload e.g.

await kmsClient.encrypt({
    name: kmsClient.cryptoKeyPath('PROJECT_ID', 'LOCATION', 'KEY_RING', 'KEY'),
    plaintext: 'payload to encrypt'
  }, { timeout: 5000 });

The client hangs hangs indefinitely. For some reason if the plaintext parameter is removed then the invalid permission error is thrown e.g.

await kmsClient.encrypt({
    name: kmsClient.cryptoKeyPath('PROJECT_ID', 'LOCATION', 'KEY_RING', 'KEY')
  }, { timeout: 5000 });

Error:

{ Error: 7 PERMISSION_DENIED: Permission 'cloudkms.cryptoKeyVersions.useToEncrypt' denied on resource 'RESOURCE_PATH' (or it may not exist).

Expected behavior

When the plaintext parameter is included, the client should throw an error similar to that when the plaintext parameter is excluded

Note: This may actually not be related to a missing permission. The client also hangs and never returns a response even when the right IAM roles are present

[sofisl]

Hey there! Can you confirm the expected behavior (i.e., getting an error, etc.)? I want to make sure I can adequately reproduce this behavior.

[agbizzzle]

@sofisl I updated the description to include the expected behavior

[agbizzzle]

@sofisl I got this working and I believe I know what the issue is. My request was invalid in that the plainText payload should be base64 encoded and it wasn't. After I encoded it the client worked as expected however I'd expect the client to throw an error rather than hang

[rhyeen]

For Typescript users, I got these two snippets to work.

For encryption:

const [response] = await client.encrypt({
      name: keyName,
      plaintext: Buffer.from(plaintext).toString('base64'), // e.g. decryptedStr from below snippet
});
const encryptedStr = Buffer.from(response.ciphertext || '').toString('base64');

For decryption:

const [response] = await client.decrypt({
  name: keyName,
  ciphertext: base64Ciphertext, // e.g. encryptedStr from above snippet
});
const decryptedStr = Buffer.from(response.plaintext || '').toString('utf8');

[alexander-fenster]

Thank you folks for the report!

The reason of this problem is that when the request contains string payload for the plaintext field (that is defined as bytes in the proto and is supposed to be a Buffer), gRPC immediately returns 13 INTERNAL. Unfortunately, in this library 13 INTERNAL is set as a retryable code, so it keeps retrying with exponential backoff until the timeout (10 minutes) happens.

We'll see what we can do here.