aws-cdk: (custom resources): Can not get public key for a KMS key

What is the problem?

I tried to extract the public key for an asymmetric KMS key but I get a Response is not valid JSON error.

Reproduction Steps

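import { aws_kms, custom_resources } from "aws-cdk-lib";

// Inside a Stack constructor (`this` is the stack):
const key = new aws_kms.Key(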
  this,
  "key",
  {
    keySpec: aws_kms.KeySpec.ECC_NIST_P384,
    keyUsage: aws_kms.KeyUsage.SIGN_VERIFY,
  }
);
const publicKey = new custom_resources.AwsCustomResource(
  this,
  "publicKey",
  {
    onCreate: {
      service: "KMS",
      action: "getPublicKey",
      parameters: {
        KeyId: key.keyArn,
      },
      physicalResourceId: custom_resources.PhysicalResourceId.of(key.keyArn),
      outputPaths: ['PublicKey'],
    },
    policy: custom_resources.AwsCustomResourcePolicy.fromSdkCalls({
      resources: custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE
    }),
  }
);

What did you expect to happen?

I expected that the stack deploys and I can extract the public key.

What actually happened?

Response is not valid JSON

In the CloudWatch Logs, I see that the PublicKey is retrieved, but it seems to be in an unusable format.

CDK CLI Version

2.12.0

Framework Version

No response

Node.js Version

v16.14.0

OS

Ubuntu

Language

Typescript

Language Version

No response

Other information

No response

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 8
  • Comments: 19 (5 by maintainers)

Most upvoted comments

The SDK returns this object. Of particular interest is PublicKey, which is a Uint8Array (i.e. it’s not a base64-encoded string).
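
A binary field like this has to be encoded as text before it can travel in a JSON response. The following is an added example, not code from the issue or from aws-cdk: hypothetical helpers that a custom Lambda-backed resource handler could apply to a GetPublicKey result, base64-encoding binary fields and wrapping the DER bytes as PEM. The sample response, its key bytes and the ARN are constructed placeholders, not a real key.

```javascript
// Added example: helper names are hypothetical, not aws-cdk or AWS SDK APIs.

// Recursively copy an SDK response, replacing binary fields (Uint8Array,
// which includes Node's Buffer) with base64 strings so the result
// survives JSON.stringify / JSON.parse unchanged.
function toJsonSafe(value) {
  if (value instanceof Uint8Array) return Buffer.from(value).toString("base64");
  if (Array.isArray(value)) return value.map(toJsonSafe);
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, toJsonSafe(v)])
    );
  }
  return value;
}

// KMS returns the key as DER-encoded SubjectPublicKeyInfo; PEM is that DER
// in base64, wrapped at 64 columns between PUBLIC KEY markers.
function spkiDerToPem(der) {
  const b64 = Buffer.from(der).toString("base64");
  const lines = b64.match(/.{1,64}/g) || [];
  return ["-----BEGIN PUBLIC KEY-----", ...lines, "-----END PUBLIC KEY-----", ""].join("\n");
}

// Inverse of spkiDerToPem, to check that the text encoding lost nothing.
function pemToDer(pem) {
  const b64 = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s+/g, "");
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Constructed sample shaped like a GetPublicKey response: 120 placeholder
// bytes standing in for the DER key; the ARN is a placeholder.
const sampleResponse = {
  KeyId: "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE",
  KeySpec: "ECC_NIST_P384",
  KeyUsage: "SIGN_VERIFY",
  SigningAlgorithms: ["ECDSA_SHA_384"],
  PublicKey: Uint8Array.from({ length: 120 }, (_, i) => (i * 7 + 48) % 256),
};

// Without conversion, a typed array serializes as an index-keyed object.
const naive = JSON.stringify({ PublicKey: sampleResponse.PublicKey.slice(0, 2) });
const safe = toJsonSafe(sampleResponse);
console.log(naive);
console.log(JSON.stringify(safe));
console.log(spkiDerToPem(sampleResponse.PublicKey));
```

The PEM form is what most verification tooling expects for a public key; the base64 string is the more compact choice when the value is only passed on as a resource attribute.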