How do I use the aws encryption cli to decrypt?

I have used the aws encryption cli to encrypt a zip file (a database backup actually) as follows:

aws-encryption-cli -vv --encrypt \
  --input "backup.zip" \
  --wrapping-keys key=caf...854 region=us-east-1 \
  --encryption-context purpose=dbbackup \
  --metadata-output backup.metadata \
  --output backup.zip.enc

This works great, and produces the encrypted backup file. However I can't seem to decrypt using the same basic pattern.

aws-encryption-cli \
  -vv \
  --decrypt \
  --input backup.zip.enc \
  --wrapping-keys key=caf...854 region=us-east-1 \
  --output backup.zip \
  --metadata-output backup.zip.metadatadec

Produces an error:

2020-11-13 15:04:04,580 - MainThread - aws_encryption_sdk.key_providers.base - DEBUG - IncorrectMasterKeyError("Provided data key provider MasterKeyInfo(provider_id='aws-kms', key_info=b'arn:aws:kms:us-east-1:...:key/caf...854') does not match Master Key provider MasterKeyInfo(provider_id='aws-kms', key_info=b'caf...854')",) raised when attempting to decrypt data key with master key MasterKeyInfo(provider_id='aws-kms', key_info=b'caf...854')

It looks to me like it's complaining that the KMS key ID doesn't match because on decryption it uses the full ARN (arn:aws:kms:us-east-1...) when on encryption it only used the ID (caf...854). I'm not sure how to change the behavior to use the same thing on both cases, or if something else is the problem?

FWIW, this seems to work if I specify the full ARN for the wrapping key when I encrypt and decrypt. I'm not sure why it would succeed on the encryption but fail on decryption when I use only the ID - this feels like a bug (should either fail for both or work for both).
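
A small diagnostic for the mismatch in the DEBUG line above, added here as an example (not part of the original question and not AWS Encryption SDK code): it extracts the two key_info values from an IncorrectMasterKeyError line and reports whether they name the same key in different forms (full ARN versus bare key ID). The sample log line, account ID and key ID are constructed placeholders, and `diagnose` and `split_arn` are hypothetical helper names.

```python
import re

# Constructed sample modeled on the DEBUG line in the question; the account id
# and key id are placeholders, not values from the page.
SAMPLE = (
    "IncorrectMasterKeyError(\"Provided data key provider "
    "MasterKeyInfo(provider_id='aws-kms', key_info=b'arn:aws:kms:us-east-1:"
    "111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab') does not match "
    "Master Key provider MasterKeyInfo(provider_id='aws-kms', "
    "key_info=b'1234abcd-12ab-34cd-56ef-1234567890ab')\",)"
)

KEY_INFO = re.compile(r"key_info=b'([^']*)'")
KMS_KEY_ARN = re.compile(r"^arn:(aws[\w-]*):kms:([a-z0-9-]+):(\d{12}):key/(.+)$")


def split_arn(identifier):
    """Return (region, account, key_id) for a KMS key ARN, else None."""
    m = KMS_KEY_ARN.match(identifier)
    return (m.group(2), m.group(3), m.group(4)) if m else None


def diagnose(log_line):
    """Classify the mismatch reported in an IncorrectMasterKeyError line."""
    infos = KEY_INFO.findall(log_line)
    if len(infos) < 2:
        return "unparsed"
    # First value: "Provided data key provider"; second: "Master Key provider".
    provided, configured = infos[0], infos[1]
    if provided == configured:
        return "match"
    p, c = split_arn(provided), split_arn(configured)
    if p and not c and p[2] == configured:
        return "same-key-id-form-mismatch"  # ARN on one side, bare id on the other
    if c and not p and c[2] == provided:
        return "same-key-id-form-mismatch"
    if p and c and p[2] == c[2]:
        return "same-key-id-different-region-or-account"
    return "different-key"


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
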
