Hello, I’m using serverless-kms-secrets to set some ENV variables I want to consume using Ruby.
I can confirm that the plugin works perfectly, it generated the file with the encrypted variable and I can see the encrypted variable in my environment on AWS lambda.
The problem is that I can’t decrypt it in Ruby. The code that decrypts it (correctly) in the plugin is here, I understand it gets the string saved in the file and encodes it using Base64, so no big deal.
In Ruby:
token = "blablabla"
client = Aws::KMS::Client.new(region: 'us-east-1')
blob = Base64.encode64(token)
client.decrypt({ciphertext_blob: blob})
....
Aws::KMS::Errors::InvalidCiphertextException ()
The client should get my credentials automatically, but I’m not sure I understand how the keyArn is used, doesn’t look relevant though.
How to solve?