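AWS KMS decryption error with Credstash

Time: 2017-09-28 04:44:58

Tags: aws-kms amazon-kms credstash

My account is in the us-west-2 region, and the KMS key created in that account has the ARN arn:aws:kms:us-east-1 :: key /. In my Node module, I use Credstash to decrypt a secret that was encrypted with the KMS key.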

var credstash = new Credstash({ 'table': 'tablename', 'awsOpts': { 'region':'region' } });
let secret = credstash.getSecret({name: 'keyname'}).then(result =>{
    console.log(result);
});

I am getting the exception below.

 "The ciphertext refers to a customer master key that does not exist,
 does not exist in this region, or you are not allowed to access"

Below is the IAM policy in the sls file.

Effect: "Allow"
Action: ["kms:Decrypt"]
Resource: [
   Fn::Join: ["", [ "arn:aws:kms:us-east-1:accountid:key/",{"Fn::Sub": "kmskey"}]]
]

Any pointers to resolve this issue would be of great help.

1 answer:

Answer 0 (score: 0)

Please use the following:

new Credstash({ 'table': <table-name>, 'awsOpts' : { 'region': 'us-west-2' }, 'kmsOpts': { 'region' : 'us-east-1'}} )
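
The region split from the answer above, as an added example that is not part of the original post: it derives the KMS region from the key's ARN, builds the options object with separate awsOpts and kmsOpts regions, and checks whether an IAM statement's Resource covers that key. The helper names, account ID, key ID and table name are constructed for illustration.

```javascript
// Added example; every ARN, account ID and table name here is a constructed placeholder.

// Split a KMS key ARN (arn:partition:kms:region:account:key/id) into its fields.
function parseKmsKeyArn(arn) {
  const m = /^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):key\/([A-Za-z0-9-]+)$/.exec(arn);
  if (!m) throw new Error(`not a KMS key ARN: ${arn}`);
  return { partition: m[1], region: m[2], account: m[3], keyId: m[4] };
}

// awsOpts carries the table's region; kmsOpts is added only when the key
// lives in a different region, so Decrypt is sent to the key's region.
function buildCredstashOptions(table, tableRegion, kmsKeyArn) {
  const { region: kmsRegion } = parseKmsKeyArn(kmsKeyArn);
  const opts = { table, awsOpts: { region: tableRegion } };
  if (kmsRegion !== tableRegion) opts.kmsOpts = { region: kmsRegion };
  return opts;
}

// Turn an IAM pattern ('*' = any run, '?' = one character) into a RegExp.
function iamGlob(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

// True when the statement's Effect, Action and Resource cover kms:Decrypt on
// this key. Key policies, explicit denies and conditions are not evaluated.
function statementAllowsDecrypt(stmt, kmsKeyArn) {
  const list = (v) => (Array.isArray(v) ? v : [v]);
  return stmt.Effect === 'Allow' &&
    list(stmt.Action).some((a) => iamGlob(a, 'i').test('kms:Decrypt')) &&
    list(stmt.Resource).some((r) => iamGlob(r).test(kmsKeyArn));
}

const keyArn = 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const stmt = { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [keyArn] };
console.log(buildCredstashOptions('tablename', 'us-west-2', keyArn));
console.log('policy covers key:', statementAllowsDecrypt(stmt, keyArn));
```

A statement whose Resource names the same key ID under us-west-2 fails this check, which is one of the three causes the KMS error message lists.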