Shared snapshot copy uses source KMS not destination KMS #60
Comments
I did a bit of digging and altered the code in copy_local() to use _KMS_KEY_DEST_REGION in place of _KMS_KEY_SOURCE_REGION and I now get what I want/expect. It can't be this obvious though right?
Hi Karl, I see what you mean... I suppose the behaviour should be different whether you are copying cross-region or not. In your case, it appears you are only copying cross-account. It's a great catch! But the fix may be a bit more complicated. I'd want to make sure I do not break cross-account + cross-region. Thanks!
I had a hunch it was something like this. Ironically, my actual future use case is cross account + cross region (for full DR protection) -- I was merely testing in the meantime with the cross-account only use case. I think a generalised fix makes sense though of course!
BTW, thanks for this project -- it is EXACTLY what I was looking for. It's the moon-on-a-stick for me :-)
On 13 Feb 2020, at 13:59, mrcoronel wrote:
Hi Karl, I see what you mean... I suppose the behaviour should be different whether you are copying cross-region or not. In your case, it appears you are only copying cross-account.
It's a great catch! But the fix may be a bit more complicated. I'd want to make sure I do not break cross-account + cross-region.
Thanks!
I've just deployed the stacks in Source and Destination AWS accounts (separate accounts) and configured with KmsKeyDestination and KmsKeySource CMKs. Region in both accounts is eu-west-1.
I am surprised to see that the resultant local snapshot "copies" in the external (destination) account are encrypted with the KmsKeySource and haven't been re-encrypted with my specified KmsKeyDestination.
If I manually copy a shared snapshot I am able to specify the local CMK instead and the copy successfully uses it.
Anything I am missing? What should I look for? Anything I can try?
Thanks!
Karl
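
A check for the symptom reported in this issue, as an added example that is not part of the original thread or the project's code: given snapshot records listed in the destination account, it flags copies that are not encrypted under the expected destination CMK. It assumes each record carries `Encrypted` and `KmsKeyId` (a full key ARN); the account IDs, key ARNs, snapshot IDs and the `SnapshotId` field name are constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    snapshot_id: str
    status: str   # "ok", "unencrypted", "foreign-account-key" or "wrong-key"
    kms_key: str

def kms_arn_parts(arn):
    """Split arn:<partition>:kms:<region>:<account>:key/<id> into (region, account, key_id)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return parts[3], parts[4], parts[5][len("key/"):]

def audit_copies(snapshots, expected_key_arn, id_field="SnapshotId"):
    """Classify each local snapshot copy by the key it is encrypted with."""
    _, local_account, _ = kms_arn_parts(expected_key_arn)
    findings = []
    for snap in snapshots:
        key = snap.get("KmsKeyId") or ""
        if not snap.get("Encrypted") or not key:
            status = "unencrypted"
        elif key == expected_key_arn:
            status = "ok"
        elif kms_arn_parts(key)[1] != local_account:
            # The case reported here: the copy still depends on the source account's CMK.
            status = "foreign-account-key"
        else:
            status = "wrong-key"
        findings.append(Finding(snap[id_field], status, key))
    return findings

# Constructed sample data: 111111111111 = source account, 222222222222 = destination.
SOURCE_KEY = "arn:aws:kms:eu-west-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001"
DEST_KEY = "arn:aws:kms:eu-west-1:222222222222:key/bbbbbbbb-0000-0000-0000-000000000002"
OTHER_LOCAL_KEY = "arn:aws:kms:eu-west-1:222222222222:key/cccccccc-0000-0000-0000-000000000003"
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "copy-1", "Encrypted": True, "KmsKeyId": SOURCE_KEY},
    {"SnapshotId": "copy-2", "Encrypted": True, "KmsKeyId": DEST_KEY},
    {"SnapshotId": "copy-3", "Encrypted": True, "KmsKeyId": OTHER_LOCAL_KEY},
    {"SnapshotId": "copy-4", "Encrypted": False},
]

if __name__ == "__main__":
    for f in audit_copies(SAMPLE_SNAPSHOTS, DEST_KEY):
        if f.status != "ok":
            print(f"{f.snapshot_id}: {f.status} ({f.kms_key or 'no key'})")
```
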