Amazon Web Services (AWS) - Resolve "You cannot generate a data key with an asymmetric CMK"

by Jeremy Canfield | Updated: February 25 2024
Let's say something like this is being returned.
You cannot generate a data key with an asymmetric CMK
I got this when attempting to upload a file to one of my Amazon Web Services (AWS) S3 buckets with Python boto3, using one of my KMS Customer Managed Keys (CMK) for server-side encryption, like this.
#!/usr/bin/python3
import boto3

client = boto3.client('s3')

# Upload /tmp/foo.txt as foo.txt, encrypted server-side (SSE-KMS) with the given KMS key
client.upload_file("/tmp/foo.txt",
                   "my-bucket-abc123",
                   "foo.txt",
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4"})
Notice that the error message says "asymmetric". I ran the aws kms describe-key command and, indeed, my key was asymmetric (KeySpec RSA_2048).
~]$ aws kms describe-key --key-id e35ad552-7cad-4db1-ab55-2c4b932ac2c4
{
    "KeyMetadata": {
        "AWSAccountId": "123456789012",
        "KeyId": "e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/e35ad552-7cad-4db1-ab55-2c4b932ac2c4",
        "CreationDate": "2024-03-06T02:56:19.107000+00:00",
        "Enabled": true,
        "Description": "",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_2048",
        "KeySpec": "RSA_2048",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ],
        "MultiRegion": false
    }
}
Let's create a symmetric key. By default, the aws kms create-key command creates a symmetric key (KeySpec SYMMETRIC_DEFAULT), which is what S3 needs to generate data keys.
~]# aws kms create-key --description my-symmetric-key
{
    "KeyMetadata": {
        "AWSAccountId": "12345679012",
        "KeyId": "4802df3b-1b8b-4f7b-af98-61bbf207468d",
        "Arn": "arn:aws:kms:us-east-1:12345679012:key/4802df3b-1b8b-4f7b-af98-61bbf207468d",
        "CreationDate": "2024-03-07T02:41:58.949000+00:00",
        "Enabled": true,
        "Description": "my-symmetric-key",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": false
    }
}
Almost always, you will want to give the key an alias too, which can be done with the aws kms create-alias command. The alias must point at the new symmetric key's ID (4802df3b-...), not the old asymmetric one.
aws kms create-alias --alias-name alias/my-symmetric-key --target-key-id 4802df3b-1b8b-4f7b-af98-61bbf207468d
I then updated my Python script to use the ID of my-symmetric-key and no longer got the error. Cool!
#!/usr/bin/python3
import boto3

client = boto3.client('s3')

# Same upload as before, now referencing the symmetric key created above
client.upload_file("/tmp/foo.txt",
                   "my-bucket-abc123",
                   "foo.txt",
                   ExtraArgs={"ServerSideEncryption": "aws:kms",
                              "SSEKMSKeyId": "4802df3b-1b8b-4f7b-af98-61bbf207468d"})
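As an added example (not part of the original article), here is a version of the upload that checks the key's metadata with describe_key first, so a wrong key fails with a specific reason rather than the generic data-key error. S3 SSE-KMS calls GenerateDataKey, which KMS only supports for symmetric encryption keys, so the check verifies KeySpec, KeyUsage and KeyState. The function names and the hypothetical local paths are mine; the key IDs and bucket name are the ones used in the article.

```python
#!/usr/bin/python3
# Added example, not code from the original article.


def sse_kms_problems(key_metadata):
    """Return the reasons a KMS key cannot be used for S3 SSE-KMS.

    key_metadata is the "KeyMetadata" dict from describe-key / describe_key.
    An empty list means the key is usable.
    """
    problems = []
    # S3 generates a data key for each object; KMS only does that for symmetric keys
    if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append("KeySpec is %s; SSE-KMS needs SYMMETRIC_DEFAULT"
                        % key_metadata.get("KeySpec"))
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("KeyUsage is %s; needs ENCRYPT_DECRYPT"
                        % key_metadata.get("KeyUsage"))
    if key_metadata.get("KeyState") != "Enabled":
        problems.append("KeyState is %s; the key must be Enabled"
                        % key_metadata.get("KeyState"))
    return problems


def upload_with_sse_kms(local_path, bucket, object_name, kms_key_id):
    """Upload a file with SSE-KMS after verifying the key is suitable.

    kms_key_id may be a key ID, key ARN, or an alias such as
    alias/my-symmetric-key; describe_key resolves all of these.
    Raises ValueError with the specific problem(s) instead of letting S3
    return "You cannot generate a data key with an asymmetric CMK".
    """
    import boto3  # imported here so the pure check above needs no AWS access

    metadata = boto3.client("kms").describe_key(KeyId=kms_key_id)["KeyMetadata"]
    problems = sse_kms_problems(metadata)
    if problems:
        raise ValueError("KMS key %s is unusable for SSE-KMS: %s"
                         % (metadata["KeyId"], "; ".join(problems)))
    boto3.client("s3").upload_file(
        local_path, bucket, object_name,
        ExtraArgs={"ServerSideEncryption": "aws:kms",
                   "SSEKMSKeyId": metadata["KeyId"]})
    return metadata["KeyId"]


if __name__ == "__main__":
    # Bucket and alias are the article's; adjust for your account.
    upload_with_sse_kms("/tmp/foo.txt", "my-bucket-abc123", "foo.txt",
                        "alias/my-symmetric-key")
```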