Issue with DD_KMS_API_KEY #116

Closed
kbariotis opened this issue Oct 20, 2020 · 4 comments

@kbariotis

Expected Behavior

I would expect metrics to be recorded on Datadog when using the DD_KMS_API_KEY variable.

Actual Behavior

No metrics are being recorded.

Sometimes I get this log output (but not all of the time):

START RequestId: 8d48efe8-8a70-45fe-87fd-92ed37598d1e Version: $LATEST
{"message":"[dd.trace_id=6021779273530932769 dd.span_id=5330958935018271181] {\"innerError\":{\"message\":null,\"code\":\"InvalidCiphertextException\",\"time\":\"2020-10-20T12:38:23.593Z\",\"requestId\":\"8ed89fe0-f9b7-47d4-a4aa-b6ba896e3299\",\"statusCode\":400,\"retryable\":false,\"retryDelay\":13.137550140158893},\"status\":\"error\",\"message\":\"datadog:couldn't decrypt kms api key\"}","level":"error","severity":"ERROR","timestamp":"2020-10-20T12:38:23.613Z"}
END RequestId: 8d48efe8-8a70-45fe-87fd-92ed37598d1e
REPORT RequestId: 8d48efe8-8a70-45fe-87fd-92ed37598d1e	Duration: 1148.02 ms	Billed Duration: 1200 ms	Memory Size: 256 MB	Max Memory Used: 198 MB	Init Duration: 1833.00 ms	

Steps to Reproduce the Problem

  1. Encrypt an API Key from Datadog using the helpers in the AWS Lambda Console.
  2. Add the appropriate policy to the Lambda's role as instructed by AWS Lambda Console.
  3. Try to run the Lambda function.

Specifications

  • Datadog Lambda Layer version: latest
  • Node version: 12
@agocs
Contributor

agocs commented Oct 20, 2020

Hey @kbariotis, are you setting DD_KMS_API_KEY to just the CiphertextBlob, or to the JSON output of the kms encrypt operation? For something like this, you'd be better off contacting [email protected] directly.

@kbariotis
Author

@agocs thanks, I'm using the AWS Lambda console encrypt helpers. So I enter an env variable with the API key string value and then click Encrypt and then it just replaces it with the encrypted value.

Is it a different process I have to follow?

@agocs
Contributor

agocs commented Oct 22, 2020

@DarcyRaynerDD do you have any experience setting DD_KMS_API_KEY?

@kbariotis Current best practice is to use the Datadog forwarder by setting DD_FLUSH_TO_LOG = true, rather than setting an API key in the library. It looks to me like the library is expecting the JSON output from the aws kms encrypt operation. It's actually not clear to me how KMS-encrypting env vars is supposed to work.
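
An added example, not part of the thread and not the Datadog library's code: one way to accept either form of DD_KMS_API_KEY discussed above (bare CiphertextBlob or the JSON printed by `aws kms encrypt`) and retry on `InvalidCiphertextException`. It assumes, from AWS behaviour rather than from this thread, that the Lambda console encryption helpers bind the ciphertext to an encryption context of `LambdaFunctionName`; `kmsDecrypt` is a hypothetical injected function standing in for the KMS Decrypt call.

```javascript
// Added example; not code from the Datadog library.
// SAMPLE_BLOB is constructed data standing in for a base64 KMS CiphertextBlob.
const SAMPLE_BLOB = Buffer.from('constructed-ciphertext').toString('base64');

// Accept the bare base64 CiphertextBlob or the JSON printed by
// `aws kms encrypt`, and return the base64 string.
function extractCiphertext(envValue) {
  const trimmed = String(envValue || '').trim();
  if (!trimmed.startsWith('{')) return trimmed;
  const parsed = JSON.parse(trimmed);
  if (typeof parsed.CiphertextBlob !== 'string') {
    throw new Error('JSON value has no CiphertextBlob string');
  }
  return parsed.CiphertextBlob.trim();
}

// Build the Decrypt requests to try, in order: without an encryption context
// (CLI-encrypted value), then with the context assumed for console helpers.
function buildDecryptRequests(envValue, functionName) {
  const b64 = extractCiphertext(envValue);
  const blob = Buffer.from(b64, 'base64');
  const strip = (s) => s.replace(/=+$/, '');
  // Buffer.from() tolerates invalid characters, so round-trip the value to
  // reject input that is not base64 (for example a plaintext key).
  if (blob.length === 0 || strip(blob.toString('base64')) !== strip(b64)) {
    throw new Error('DD_KMS_API_KEY is not base64 ciphertext');
  }
  const requests = [{ CiphertextBlob: blob }];
  if (functionName) {
    requests.push({ CiphertextBlob: blob, EncryptionContext: { LambdaFunctionName: functionName } });
  }
  return requests;
}

// kmsDecrypt is hypothetical: with the AWS SDK for JavaScript v2 it could be
// (req) => kms.decrypt(req).promise(). Only InvalidCiphertextException
// triggers the next attempt; any other error (e.g. access denied) is rethrown.
async function decryptApiKey(envValue, functionName, kmsDecrypt) {
  let lastError;
  for (const request of buildDecryptRequests(envValue, functionName)) {
    try {
      const result = await kmsDecrypt(request);
      return Buffer.from(result.Plaintext).toString('ascii');
    } catch (err) {
      if (err.code !== 'InvalidCiphertextException') throw err;
      lastError = err;
    }
  }
  throw lastError;
}
```

In a Lambda handler the function name would come from the `AWS_LAMBDA_FUNCTION_NAME` environment variable.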

@kbariotis
Author

kbariotis commented Oct 26, 2020

Hey @DarcyRaynerDD, thanks for the fix. I'm trying to test it but I don't see an active release with that commit. Also a build action seems to be stuck? Thanks

@tianchu tianchu closed this as completed Nov 3, 2020