KMS: Add list-key-rotations flag #12853

Open
wants to merge 4 commits into base: main

Conversation

@demaj demaj commented Jul 11, 2025

Motivation

Adding support for ListKeyRotations. Mentioned in #12342.

Changes

Implementation of list-key-rotations feature for keys that may have multiple key materials associated with them.

As per AWS's docs, list-key-rotations is only allowed for:

  • symmetric keys
  • Imported single-region-only keys

TODO

What's left to do:

  • Add support for imported EXTERNAL origin single-region keys

@localstack-bot localstack-bot left a comment
Welcome to LocalStack! Thanks for raising your first Pull Request and landing in your contributions. Our team will reach out with any reviews or feedback that we have shortly. We recommend joining our Slack Community and sharing your PR on the #community channel to share your contributions with us. Please make sure you are following our contributing guidelines and our Code of Conduct.

@localstack-bot localstack-bot commented Jul 11, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@demaj demaj commented Jul 11, 2025

I have read the CLA Document and I hereby sign the CLA

localstack-bot added a commit that referenced this pull request Jul 11, 2025
@viren-nadkarni viren-nadkarni added the semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases label Jul 14, 2025
@viren-nadkarni viren-nadkarni self-assigned this Jul 14, 2025
@demaj demaj force-pushed the kms-add-list-key-rotations branch from 6570477 to fd7df95 July 17, 2025 02:57
@demaj demaj marked this pull request as ready for review July 17, 2025 02:58
@demaj demaj requested a review from sannya-singal as a code owner July 17, 2025 02:58
f"failed to satisfy constraint: Member must satisfy enum value set: [ALL_KEY_MATERIAL, ROTATIONS_ONLY]"
)

if key.metadata["KeySpec"] != KeySpec.SYMMETRIC_DEFAULT:
demaj (Author):

As per AWS docs, for asymmetric keys when IncludeKeyMaterial is not provided we simply return the Rotations as empty [].
See here: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-compare.html#key-type-table

if include_key_material == IncludeKeyMaterial.ALL_KEY_MATERIAL:
    rotation_history.append(rotation_entry)
else:  # Default ROTATIONS_ONLY
    if rotation.rotation_type in ["AUTOMATIC", "ON_DEMAND"]:
demaj (Author):

A KMS key on its creation doesn't have any rotation_type.

initial_rotation = KeyRotationEntry(
    key_id=self.metadata["Arn"],
    key_material_state="CURRENT",
    key_material_id=long_uid(),  # FIXME: a more appropriate KMS output
demaj (Author):

Currently relying on uuid, open to suggestions.

demaj (Author):

I'm getting "Truncated": false here. Not entirely sure why it's being included; I do not see it in my awscli output. There is a discrepancy between the AWS Docs and the AWS CLI.
Removed them manually from this file (I know we're not supposed to manually edit it). Let me know if I should re-add it and make changes to the function's response payload.
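The behaviour the PR description and the review comments above spell out (IncludeKeyMaterial validated against [ALL_KEY_MATERIAL, ROTATIONS_ONLY] and defaulting to ROTATIONS_ONLY, asymmetric keys returning an empty Rotations list, and the key's initial material carrying no rotation type so that only ALL_KEY_MATERIAL lists it) is modelled below as an added, self-contained Python example. This is not LocalStack's code and not the PR's diff: the KmsKey and KeyMaterial data classes, the rotate_key helper, the sample ARN and the UUID-based key material ids are assumptions made for illustration, and, following the author's last comment, no Truncated field is emitted.

```python
import uuid
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class IncludeKeyMaterial(str, Enum):
    ALL_KEY_MATERIAL = "ALL_KEY_MATERIAL"
    ROTATIONS_ONLY = "ROTATIONS_ONLY"


class ValidationException(Exception):
    """Stand-in for the KMS ValidationException raised on a bad enum value."""


@dataclass
class KeyMaterial:
    key_material_id: str
    key_material_state: str          # "CURRENT" or "NON_CURRENT"
    rotation_type: Optional[str]     # "AUTOMATIC", "ON_DEMAND", or None for the initial material


@dataclass
class KmsKey:
    arn: str
    key_spec: str                    # "SYMMETRIC_DEFAULT" or an asymmetric spec such as "RSA_2048"
    materials: list = field(default_factory=list)


def new_material_id() -> str:
    # Assumption: a random UUID stands in for the real KeyMaterialId (the PR uses long_uid()).
    return str(uuid.uuid4())


def create_key(arn: str, key_spec: str = "SYMMETRIC_DEFAULT") -> KmsKey:
    key = KmsKey(arn=arn, key_spec=key_spec)
    # The material a key is created with was never rotated in, so it has no rotation type.
    key.materials.append(KeyMaterial(new_material_id(), "CURRENT", None))
    return key


def rotate_key(key: KmsKey, rotation_type: str) -> None:
    """Hypothetical helper: retire the current material and add a rotated one."""
    if rotation_type not in ("AUTOMATIC", "ON_DEMAND"):
        raise ValueError(f"unknown rotation type {rotation_type!r}")
    for material in key.materials:
        material.key_material_state = "NON_CURRENT"
    key.materials.append(KeyMaterial(new_material_id(), "CURRENT", rotation_type))


def list_key_rotations(key: KmsKey, include_key_material: Optional[str] = None) -> dict:
    """Model of ListKeyRotations; IncludeKeyMaterial defaults to ROTATIONS_ONLY."""
    mode = include_key_material or IncludeKeyMaterial.ROTATIONS_ONLY.value
    if mode not in IncludeKeyMaterial.__members__:
        raise ValidationException(
            f"Value '{mode}' failed to satisfy constraint: "
            "Member must satisfy enum value set: [ALL_KEY_MATERIAL, ROTATIONS_ONLY]"
        )
    # Asymmetric keys: return an empty list rather than an error, as the PR does.
    if key.key_spec != "SYMMETRIC_DEFAULT":
        return {"Rotations": []}

    rotations = []
    for material in key.materials:
        is_rotation = material.rotation_type in ("AUTOMATIC", "ON_DEMAND")
        # ROTATIONS_ONLY drops the initial material; ALL_KEY_MATERIAL lists every material.
        if mode == IncludeKeyMaterial.ROTATIONS_ONLY.value and not is_rotation:
            continue
        entry = {
            "KeyId": key.arn,
            "KeyMaterialId": material.key_material_id,
            "KeyMaterialState": material.key_material_state,
        }
        if is_rotation:
            entry["RotationType"] = material.rotation_type
        rotations.append(entry)
    # No "Truncated" field: the author did not see one in awscli output.
    return {"Rotations": rotations}


if __name__ == "__main__":
    # Constructed sample ARN in LocalStack's default account; not a real key.
    key = create_key("arn:aws:kms:us-east-1:000000000000:key/11111111-2222-3333-4444-555555555555")
    print(list_key_rotations(key))  # {'Rotations': []}
    rotate_key(key, "ON_DEMAND")
    print(len(list_key_rotations(key)["Rotations"]))                       # 1
    print(len(list_key_rotations(key, "ALL_KEY_MATERIAL")["Rotations"]))  # 2
```

The point worth testing against LocalStack once the feature lands is the asymmetry between the two modes: a freshly created symmetric key has one key material but zero rotations, so `aws kms list-key-rotations` on it returns an empty list until the key is rotated, while `--include-key-material ALL_KEY_MATERIAL` returns that initial material without a RotationType.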
