awsKmsKeyArn config must be a KMS key arn

aws

#1

Hi, I have an external AWS Cloud Formation template which created a KMS Key and exported it and I’m trying to reference that key within serverless.

I noticed in the docs that CloudFormation can only get the KMS Key ID [1], though serverless requires the KMS ARN. Given this information, unless there’s a better way, I’m trying to concatenate all the required values [2] to generate the KMS Key ARN in the form of: arn:aws:kms:<region>:<account-id>:key/<kms-key-id>

I currently have something as follows where AccountId and kmsMasterKey are exported from my external CloudFormation stack.

awsKmsKeyArn: "{ Fn::Join: [:, [arn:aws:kms, ${opt:region, self:provider.region}, Fn::ImportValue: AccountId, key/, Fn::ImportValue: kmsMasterKey]] }"

Currently I get an error: “awsKmsKeyArn config must be a KMS key arn”.

Thanks, any help or better alternative is welcomed.

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html

[2] https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
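As an added example (not code from the original poster or from the Serverless Framework), the following Python builds a KMS key ARN from the three pieces named above and checks whether a value has the key-ARN shape that a setting like awsKmsKeyArn expects, distinguishing it from a bare key ID, an alias name or an alias ARN. The regexes, function names and classification labels are assumptions of this example, and the sample values are constructed; note that the unresolved Fn::Join string from the post is classified as "other" because it is a literal string, not an ARN.

```python
import re

# Assumed formats (example's own regexes, not an AWS-published grammar):
# key ID is a UUID; region like us-east-1 / us-gov-west-1 / cn-north-1;
# account is 12 digits; partition is aws, aws-cn or aws-us-gov.
KEY_ID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
REGION_RE = r"[a-z]{2}(?:-gov)?-[a-z]+-\d"
PARTITION_RE = r"aws|aws-cn|aws-us-gov"

KMS_KEY_ARN_RE = re.compile(
    rf"^arn:(?P<partition>{PARTITION_RE}):kms:(?P<region>{REGION_RE}):"
    rf"(?P<account>\d{{12}}):key/(?P<key_id>{KEY_ID_RE})$"
)
KMS_ALIAS_ARN_RE = re.compile(
    rf"^arn:(?:{PARTITION_RE}):kms:{REGION_RE}:\d{{12}}:alias/[A-Za-z0-9/_-]+$"
)


def build_kms_key_arn(region, account_id, key_id, partition="aws"):
    """Assemble arn:<partition>:kms:<region>:<account-id>:key/<key-id>.

    Each piece is validated first so a bad import (e.g. an alias name or an
    unresolved template expression) fails here rather than at deploy time.
    """
    if not re.fullmatch(PARTITION_RE, partition):
        raise ValueError(f"unknown partition: {partition!r}")
    if not re.fullmatch(REGION_RE, region):
        raise ValueError(f"not a region name: {region!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    if not re.fullmatch(KEY_ID_RE, key_id):
        raise ValueError(f"not a KMS key id (UUID): {key_id!r}")
    return f"arn:{partition}:kms:{region}:{account_id}:key/{key_id}"


def classify_kms_reference(value):
    """Label a value by the kind of KMS reference it looks like (assumed labels)."""
    if KMS_KEY_ARN_RE.match(value):
        return "key-arn"
    if KMS_ALIAS_ARN_RE.match(value):
        return "alias-arn"
    if re.fullmatch(KEY_ID_RE, value):
        return "key-id"
    if value.startswith("alias/"):
        return "alias-name"
    return "other"


def check_aws_kms_key_arn(value):
    """Return (ok, message) mirroring the 'must be a KMS key arn' check."""
    kind = classify_kms_reference(value)
    if kind == "key-arn":
        return True, "ok"
    return False, f"awsKmsKeyArn config must be a KMS key arn (got {kind})"


if __name__ == "__main__":
    # Constructed sample values (not real account or key identifiers).
    arn = build_kms_key_arn(
        "us-east-1", "123456789012", "12345678-1234-1234-1234-123456789012"
    )
    print(arn, check_aws_kms_key_arn(arn))
    # The quoted Fn::Join from the post reaches the check as a literal string.
    unresolved = '{ Fn::Join: [:, [arn:aws:kms, us-east-1, key/, abc]] }'
    print(check_aws_kms_key_arn(unresolved))
    print(check_aws_kms_key_arn("alias/my-app-key"))
```

The check function models only the shape of the value; it is a way to catch a wrong value locally before running a deploy, not a reimplementation of the framework's validation.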


#2

Partially answering my own question. I modified my CloudFormation stack to use “Fn::GetAtt” [1] rather than “Ref” because the first has the option to export the Arn, whereas Ref only exports the key id.

This doesn’t fully solve the problem, since it seems attempting an “Fn::ImportValue” doesn’t currently work since it’s expecting a string and will output the appropriate error.

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html


#3

Any luck figuring this out? I’m struggling trying to set the awsKmsKeyArn value as well. I don’t want to hardcode the region or the key id in the value since I’m trying to deploy my application to multiple regions. I’d like to be able to reference the alias of the KMS key if possible.


#4

Unfortunately I haven’t made progress, though I’d still appreciate someone properly answering this.

I personally avoided this issue by opting for using AWS Secrets Manager to store my RDS instance information (what I was originally encrypting). You can use AWS Systems Manager’s Parameter Store to store any global configs. Though for region info you may be able to get away with passing in the regions as parameters to the template.