Status: Closed
Labels: aws:kms (AWS Key Management Service), status: confirmed (Bug report was confirmed), type: bug (Bug report)
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
This looks similar to #6471
I am trying to sign something using KMS for some tests. It seems like doing so using an alias does not work. For example I create a key and an alias like so:
# Add a key used for signing urls
aws-cli --endpoint-url=http://localhost:4566 kms create-key \
    --key-usage SIGN_VERIFY \
    --key-spec RSA_4096
# Add well known alias for key
aws-cli --endpoint-url=http://localhost:4566 kms create-alias \
    --alias-name "some-nice-alias-name" \
    --target-key-id <key id generated above>
I can see that this looks to have worked by verifying the key and alias on the CLI:
aws-cli --endpoint-url=http://localhost:4566 kms list-keys
{
    "Keys": [
        {
            "KeyId": "f7d2d869-f6b8-4977-96ea-5bd70cb0d5f2",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/<someuuid>"
        }
    ]
}
and
aws-cli --endpoint-url=http://localhost:4566 kms list-aliases
{
    "Aliases": [
        {
            "AliasName": "census-webform-url-signing-key",
            "AliasArn": "arn:aws:kms:us-east-1:000000000000:alias/some-nice-alias-name",
            "TargetKeyId": "<sameuuid>",
            "CreationDate": "2023-01-13T16:58:52.279782-05:00"
        }
    ]
}
However, attempting to sign something does not work:
# Make sure we can sign
aws-cli --endpoint-url=http://localhost:4566 kms sign \
    --cli-binary-format raw-in-base64-out \
    --key-id "alias/some-nice-alias-name" \
    --message 'wwwtestcom' \
    --message-type RAW \
    --signing-algorithm "RSASSA_PSS_SHA_512"
results in:
An error occurred (NotFoundException) when calling the Sign operation: Unable to find KMS alias with name alias/some-nice-alias-name
Expected Behavior
Would expect output from the last command not the resulting error.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)
docker run localstack/localstack
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
aws-cli --endpoint-url=http://localhost:4566 kms create-key \
    --key-usage SIGN_VERIFY \
    --key-spec RSA_4096
aws-cli --endpoint-url=http://localhost:4566 kms create-alias \
    --alias-name "some-nice-alias-name" \
    --target-key-id <key id generated above>
aws-cli --endpoint-url=http://localhost:4566 kms list-keys
{
    "Keys": [
        {
            "KeyId": "f7d2d869-f6b8-4977-96ea-5bd70cb0d5f2",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/<someuuid>"
        }
    ]
}
aws-cli --endpoint-url=http://localhost:4566 kms list-aliases
{
    "Aliases": [
        {
            "AliasName": "census-webform-url-signing-key",
            "AliasArn": "arn:aws:kms:us-east-1:000000000000:alias/some-nice-alias-name",
            "TargetKeyId": "<sameuuid>",
            "CreationDate": "2023-01-13T16:58:52.279782-05:00"
        }
    ]
}
aws-cli --endpoint-url=http://localhost:4566 kms sign \
    --cli-binary-format raw-in-base64-out \
    --key-id "alias/some-nice-alias-name" \
    --message 'wwwtestcom' \
    --message-type RAW \
    --signing-algorithm "RSASSA_PSS_SHA_512"
Environment
- OS: macOS 12.6.2
- LocalStack: latest docker image
Anything else?
I did test the same using the actual generated key ID and this works. I also attempted this through a boto3 client in Python and got the same result.
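An added example, not code from the report or from LocalStack: a small boto3 helper that side-steps the alias lookup failure by resolving the alias to its TargetKeyId with ListAliases and then calling Sign and Verify with the bare key ID, which the report says does work. It assumes LocalStack is reachable at http://localhost:4566 with dummy credentials and that the alias from the report has already been created.

```python
"""Sign a message with a LocalStack KMS key addressed by alias.

Added example (not from the report): resolve the alias with ListAliases,
then call Sign/Verify with the bare TargetKeyId, which the report says works.
"""
from typing import Any

ENDPOINT = "http://localhost:4566"     # assumed LocalStack endpoint
ALIAS = "alias/some-nice-alias-name"   # alias from the report, assumed to exist
ALGO = "RSASSA_PSS_SHA_512"


def _bare(name: str) -> str:
    # The report's list-aliases output shows the name without the alias/
    # prefix, so compare both forms with the prefix stripped.
    return name[len("alias/"):] if name.startswith("alias/") else name


def resolve_alias(kms: Any, alias_name: str) -> str:
    """Return the TargetKeyId behind alias_name, paging through ListAliases."""
    marker = None
    while True:
        page = kms.list_aliases(**({"Marker": marker} if marker else {}))
        for alias in page.get("Aliases", []):
            name_matches = _bare(alias.get("AliasName", "")) == _bare(alias_name)
            if name_matches and alias.get("TargetKeyId"):
                return alias["TargetKeyId"]
        if not page.get("Truncated"):
            raise LookupError(f"alias {alias_name!r} not found or has no target key")
        marker = page["NextMarker"]


def sign_via_alias(kms: Any, alias_name: str, message: bytes) -> bytes:
    """Sign message with the key behind alias_name; verify before returning."""
    key_id = resolve_alias(kms, alias_name)
    sig = kms.sign(KeyId=key_id, Message=message, MessageType="RAW",
                   SigningAlgorithm=ALGO)["Signature"]
    valid = kms.verify(KeyId=key_id, Message=message, MessageType="RAW",
                       SigningAlgorithm=ALGO, Signature=sig)["SignatureValid"]
    if not valid:
        raise RuntimeError("signature did not verify with the resolved key")
    return sig


if __name__ == "__main__":
    import boto3  # imported here so the helpers above run without boto3 installed
    client = boto3.client("kms", endpoint_url=ENDPOINT, region_name="us-east-1",
                          aws_access_key_id="test", aws_secret_access_key="test")
    print(len(sign_via_alias(client, ALIAS, b"wwwtestcom")), "byte signature")
```

The helpers take any object with `list_aliases`, `sign` and `verify` methods, so they can be exercised against a stub client as well as a real boto3 client.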