Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve "You cannot generate a data key with an asymmetric CMK"


Let's say something like this is being returned.

You cannot generate a data key with an asymmetric CMK


I got this error when attempting to upload a file to one of my Amazon Web Services (AWS) S3 buckets with Python boto3, using one of my KMS Customer Managed Keys (CMK) for server-side encryption, like this.

#!/usr/bin/python3
import boto3

client = boto3.client('s3')
# Upload with SSE-KMS (ServerSideEncryption aws:kms), naming the KMS key by its key ID.
# This key turned out to be an asymmetric RSA_2048 key, which S3 cannot use to generate a data key.
client.upload_file("/tmp/foo.txt",
                   "my-bucket-abc123",
                   "foo.txt",
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4"})


Notice that the error message says "asymmetric". I ran the aws kms describe-key command and, indeed, my key was asymmetric: its KeySpec is RSA_2048, and S3 server-side encryption needs a symmetric key because it has to generate a data key with it.

~]$ aws kms describe-key --key-id e35ad552-7cad-4db1-ab55-2c4b932ac2c4
{
    "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "CreationDate": "2024-03-06T02:56:19.107000+00:00",
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_2048",
        "KeySpec": "RSA_2048",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ],
        "MultiRegion": false
    }
}


Let's create a symmetric key. By default, the aws kms create-key command creates a symmetric key (KeySpec SYMMETRIC_DEFAULT).

~]# aws kms create-key --description my-symmetric-key
{
    "KeyMetadata": {
        "AWSAccountId": "12345679012",
        "KeyId": "4802df3b-1b8b-4f7b-af98-61bbf207468d",
        "Arn": "arn:aws:kms:us-east-1:12345679012:key/4802df3b-1b8b-4f7b-af98-61bbf207468d",
        "CreationDate": "2024-03-07T02:41:58.949000+00:00",
        "Enabled": true,
        "Description": "my-symmetric-key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": false
    }
}


Almost always, you will also want to give the key an alias, which can be done with the aws kms create-alias command. The target key ID is the KeyId of the symmetric key that was just created.

aws kms create-alias --alias-name alias/my-symmetric-key --target-key-id 4802df3b-1b8b-4f7b-af98-61bbf207468d


I then updated my Python script to use the ID of my-symmetric-key and no longer got the error. Cool!

#!/usr/bin/python3
import boto3

client = boto3.client('s3')
# Same upload as before, but SSEKMSKeyId now names the symmetric (SYMMETRIC_DEFAULT) key,
# so S3 can call GenerateDataKey on it and the upload succeeds.
client.upload_file("/tmp/foo.txt",
                   "my-bucket-abc123",
                   "foo.txt",
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": "4802df3b-1b8b-4f7b-af98-61bbf207468d"})
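Rather than discovering the wrong key type from a failed upload, the script can describe the key first and refuse to upload unless it is a symmetric, enabled ENCRYPT_DECRYPT key. The following is an added example, not code from the article; sse_kms_problems and upload_with_sse_kms are names chosen here, and the sample metadata dicts are constructed to mirror the describe-key output shown above.

```python
#!/usr/bin/python3
"""Pre-flight check for S3 SSE-KMS: S3 calls kms:GenerateDataKey, which only
symmetric encryption keys support, so asymmetric (RSA/ECC) keys, HMAC keys,
disabled keys and keys pending deletion all make the upload fail."""


def sse_kms_problems(key_metadata):
    """Return the reasons a key cannot back SSE-KMS (empty list means usable).

    key_metadata is the "KeyMetadata" dict returned by kms:DescribeKey
    (aws kms describe-key or boto3 kms.describe_key)."""
    problems = []
    spec = key_metadata.get("KeySpec") or key_metadata.get("CustomerMasterKeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"key spec is {spec}; SSE-KMS needs SYMMETRIC_DEFAULT")
    usage = key_metadata.get("KeyUsage")
    if usage != "ENCRYPT_DECRYPT":
        problems.append(f"key usage is {usage}; SSE-KMS needs ENCRYPT_DECRYPT")
    state = key_metadata.get("KeyState")
    if state != "Enabled":
        problems.append(f"key state is {state}")
    return problems


def upload_with_sse_kms(local_path, bucket, object_key, kms_key_id, region=None):
    """Describe the key, fail fast if it cannot back SSE-KMS, otherwise upload.
    Needs AWS credentials; boto3 is imported here so the check above runs offline."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    metadata = kms.describe_key(KeyId=kms_key_id)["KeyMetadata"]
    problems = sse_kms_problems(metadata)
    if problems:
        raise ValueError(f"KMS key {kms_key_id} cannot be used for SSE-KMS: "
                         + "; ".join(problems))
    s3 = boto3.client("s3", region_name=region)
    s3.upload_file(local_path, bucket, object_key,
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": kms_key_id})
    return metadata["Arn"]


# Constructed sample metadata (only the fields the check looks at), shaped like the
# describe-key output in the article: the RSA key that failed and the symmetric fix.
ASYMMETRIC_KEY = {"KeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4", "KeyState": "Enabled",
                  "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "RSA_2048"}
SYMMETRIC_KEY = {"KeyId": "4802df3b-1b8b-4f7b-af98-61bbf207468d", "KeyState": "Enabled",
                 "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT"}

if __name__ == "__main__":
    for meta in (ASYMMETRIC_KEY, SYMMETRIC_KEY):
        print(meta["KeyId"], sse_kms_problems(meta) or "OK for SSE-KMS")
```

The check also catches an HMAC key (KeyUsage GENERATE_VERIFY_MAC) or a disabled key, which produce different KMS errors but the same fix: point SSEKMSKeyId at a symmetric, enabled key.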
