KMS: Add TargetKeyId to default kms key alias response. (#5805)
This commit is contained in:
Brendan Keane
GitHub
parent
2c47ee10b1
commit
180b0b902f
@ -5,7 +5,7 @@ import re
|
|||||||
import warnings
|
import warnings
|
||||||
|
|
||||||
from moto.core.responses import BaseResponse
|
from moto.core.responses import BaseResponse
|
||||||
from moto.kms.utils import RESERVED_ALIASES
|
from moto.kms.utils import RESERVED_ALIASES, RESERVED_ALIASE_TARGET_KEY_IDS
|
||||||
from .models import kms_backends, KmsBackend
|
from .models import kms_backends, KmsBackend
|
||||||
from .policy_validator import validate_policy
|
from .policy_validator import validate_policy
|
||||||
from .exceptions import (
|
from .exceptions import (
|
||||||
@ -273,14 +273,16 @@ class KmsResponse(BaseResponse):
|
|||||||
"TargetKeyId": target_key_id,
|
"TargetKeyId": target_key_id,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
for reserved_alias in RESERVED_ALIASES:
|
for reserved_alias, target_key_id in RESERVED_ALIASE_TARGET_KEY_IDS.items():
|
||||||
exsisting = [
|
exsisting = [
|
||||||
a for a in response_aliases if a["AliasName"] == reserved_alias
|
a for a in response_aliases if a["AliasName"] == reserved_alias
|
||||||
]
|
]
|
||||||
if not exsisting:
|
if not exsisting:
|
||||||
|
arn = f"arn:aws:kms:{region}:{self.current_account}:{reserved_alias}"
|
||||||
response_aliases.append(
|
response_aliases.append(
|
||||||
{
|
{
|
||||||
"AliasArn": f"arn:aws:kms:{region}:{self.current_account}:{reserved_alias}",
|
"TargetKeyId": target_key_id,
|
||||||
|
"AliasArn": arn,
|
||||||
"AliasName": reserved_alias,
|
"AliasName": reserved_alias,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@ -25,22 +25,26 @@ HEADER_LEN = KEY_ID_LEN + IV_LEN + TAG_LEN
|
|||||||
CIPHERTEXT_HEADER_FORMAT = f">{KEY_ID_LEN}s{IV_LEN}s{TAG_LEN}s"
|
CIPHERTEXT_HEADER_FORMAT = f">{KEY_ID_LEN}s{IV_LEN}s{TAG_LEN}s"
|
||||||
Ciphertext = namedtuple("Ciphertext", ("key_id", "iv", "ciphertext", "tag"))
|
Ciphertext = namedtuple("Ciphertext", ("key_id", "iv", "ciphertext", "tag"))
|
||||||
|
|
||||||
RESERVED_ALIASES = [
|
RESERVED_ALIASE_TARGET_KEY_IDS = {
|
||||||
"alias/aws/acm",
|
# NOTE: These would technically differ across account, but in that they are
|
||||||
"alias/aws/dynamodb",
|
# out of customer control, testing that they are different would be redundant.
|
||||||
"alias/aws/ebs",
|
"alias/aws/acm": "4f58743d-e279-4214-9270-8cc28277958d",
|
||||||
"alias/aws/elasticfilesystem",
|
"alias/aws/dynamodb": "7e6aa0ea-15a4-4e72-8b32-58e46e776888",
|
||||||
"alias/aws/es",
|
"alias/aws/ebs": "7adeb491-68c9-4a5b-86ec-a86ce5364094",
|
||||||
"alias/aws/glue",
|
"alias/aws/elasticfilesystem": "0ef0f111-cdc8-4dda-b0bc-bf625bd5f154",
|
||||||
"alias/aws/kinesisvideo",
|
"alias/aws/es": "3c7c1880-c353-4cea-9866-d8bc12f05573",
|
||||||
"alias/aws/lambda",
|
"alias/aws/glue": "90fd783f-e582-4cc2-a207-672ee67f8d58",
|
||||||
"alias/aws/rds",
|
"alias/aws/kinesisvideo": "7fd4bff3-6eb7-4283-8f11-a7e0a793a181",
|
||||||
"alias/aws/redshift",
|
"alias/aws/lambda": "ff9c4f27-2f29-4d9b-bf38-02f88b52a70c",
|
||||||
"alias/aws/s3",
|
"alias/aws/rds": "f5f30938-abed-41a2-a0f6-5482d02a2489",
|
||||||
"alias/aws/secretsmanager",
|
"alias/aws/redshift": "dcdae9aa-593a-4e0b-9153-37325591901f",
|
||||||
"alias/aws/ssm",
|
"alias/aws/s3": "8c3faf07-f43c-4d11-abdb-9183079214c7",
|
||||||
"alias/aws/xray",
|
"alias/aws/secretsmanager": "fee5173a-3972-428e-ae73-cd4c2a371222",
|
||||||
]
|
"alias/aws/ssm": "cb3f6250-5078-48c0-a75f-0290bf47694e",
|
||||||
|
"alias/aws/xray": "e9b758eb-6230-4744-93d1-ad3b7d71f2f6",
|
||||||
|
}
|
||||||
|
|
||||||
|
RESERVED_ALIASES = list(RESERVED_ALIASE_TARGET_KEY_IDS.keys())
|
||||||
|
|
||||||
|
|
||||||
def generate_key_id(multi_region=False):
|
def generate_key_id(multi_region=False):
|
||||||
|
|||||||
@ -275,13 +275,23 @@ def test_list_aliases():
|
|||||||
client = boto3.client("kms", region_name=region)
|
client = boto3.client("kms", region_name=region)
|
||||||
create_simple_key(client)
|
create_simple_key(client)
|
||||||
|
|
||||||
|
default_alias_target_keys = {
|
||||||
|
"aws/ebs": "7adeb491-68c9-4a5b-86ec-a86ce5364094",
|
||||||
|
"aws/s3": "8c3faf07-f43c-4d11-abdb-9183079214c7",
|
||||||
|
"aws/redshift": "dcdae9aa-593a-4e0b-9153-37325591901f",
|
||||||
|
"aws/rds": "f5f30938-abed-41a2-a0f6-5482d02a2489",
|
||||||
|
}
|
||||||
|
default_alias_names = list(default_alias_target_keys.keys())
|
||||||
|
|
||||||
aliases = client.list_aliases()["Aliases"]
|
aliases = client.list_aliases()["Aliases"]
|
||||||
aliases.should.have.length_of(14)
|
aliases.should.have.length_of(14)
|
||||||
default_alias_names = ["aws/ebs", "aws/s3", "aws/redshift", "aws/rds"]
|
|
||||||
for name in default_alias_names:
|
for name in default_alias_names:
|
||||||
full_name = f"alias/{name}"
|
full_name = f"alias/{name}"
|
||||||
arn = f"arn:aws:kms:{region}:{ACCOUNT_ID}:{full_name}"
|
arn = f"arn:aws:kms:{region}:{ACCOUNT_ID}:{full_name}"
|
||||||
aliases.should.contain({"AliasName": full_name, "AliasArn": arn})
|
target_key_id = default_alias_target_keys[name]
|
||||||
|
aliases.should.contain(
|
||||||
|
{"AliasName": full_name, "AliasArn": arn, "TargetKeyId": target_key_id}
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize(
|
@pytest.mark.parametrize(
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user