bug: KMS decrypt fails for symmetric decryption when KeyId is provided #12530

Open
@cj-christoph-gysin

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When decrypting data encrypted using symmetric encryption, the keyId is included in the ciphertext blob and does not need to be provided. However, when providing the keyId, LocalStack fails with an error:

2025-04-16T08:48:25.069  INFO --- [et.reactor-2] localstack.request.aws     : AWS kms.Decrypt => 500 (InternalError)
2025-04-16T08:48:25.089 ERROR --- [et.reactor-1] l.aws.handlers.logging     : exception during call chain
Traceback (most recent call last):
  File "/opt/code/localstack/.venv/lib/python3.11/site-packages/rolo/gateway/chain.py", line 166, in handle
    handler(self, self.context, response)
  File "/opt/code/localstack/localstack-core/localstack/aws/handlers/service.py", line 113, in __call__
    handler(chain, context, response)
  File "/opt/code/localstack/localstack-core/localstack/aws/handlers/service.py", line 83, in __call__
    skeleton_response = self.skeleton.invoke(context)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 154, in invoke
    return self.dispatch_request(serializer, context, instance)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 168, in dispatch_request
    result = handler(context, instance) or {}
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/aws/skeleton.py", line 118, in __call__
    return self.fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/services/kms/provider.py", line 1022, in decrypt
    plaintext = key.decrypt(ciphertext, encryption_context)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/code/localstack/localstack-core/localstack/services/kms/models.py", line 334, in decrypt
    return decrypt(key, ciphertext.ciphertext, ciphertext.iv, ciphertext.tag, aad)
                        ^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'ciphertext'

This only seems to happen when invoked from Lambda; I'm unable to reproduce this when directly invoking the API using the AWS SDK.

Expected Behavior

KMS decrypt also succeeds when KeyId is provided.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

I'll try to create a minimal Lambda function that can reproduce the problem.

Environment

- OS: macOS 15.4
- LocalStack:
  LocalStack version: 4.3.1.dev57
  LocalStack build date: 2025-04-16
  LocalStack build git hash: 2ec35743d

Anything else?

No response

Metadata

Labels

- aws:kms (AWS Key Management Service)
- status: backlog (Triaged but not yet being worked on)
- type: bug (Bug report)
