Commit 296b8af

add check for kms key in token vault before creating one
1 parent aae1a9d commit 296b8af

4 files changed

+412
-23
lines changed

manual-kms-test.md

Lines changed: 222 additions & 0 deletions
@@ -0,0 +1,222 @@
1+
# Manual KMS Key Fix Verification
2+
3+
Tests for issue #337 — orphaned KMS keys on deploy.
4+
5+
The fix uses `GetTokenVaultCommand` to check if the account's token vault already has a customer-managed KMS key before creating a new one. This prevents orphaned keys across deploys and across different projects in the same account.
6+
7+
KMS keys are only created when the project uses a **non-Bedrock model provider** (Anthropic, OpenAI, Gemini), because those require storing an API key in the token vault via `ApiKeyCredentialProvider`. Bedrock uses IAM auth and skips this path entirely.
8+
9+
## Setup
10+
11+
```bash
12+
# Get credentials for the test account
13+
ada credentials update --account 325335451438 --provider isengard --role Admin --once
14+
15+
# Set region
16+
export AWS_REGION=us-west-2
17+
18+
# Create a throwaway test directory
19+
cd /tmp
20+
rm -rf kms-test-project && mkdir kms-test-project && cd kms-test-project
21+
22+
# Build latest from source
23+
(cd /Volumes/workplace/kmskeybug/agentcore-cli && npm run build)
24+
25+
# Use the local build of the CLI
26+
export AGENTCORE_CLI="/Volumes/workplace/kmskeybug/agentcore-cli/dist/cli/index.mjs"
27+
alias agentcore="node $AGENTCORE_CLI"
28+
29+
# Create project with Anthropic model provider (triggers KMS path)
30+
agentcore create \
31+
--name kmstest \
32+
--framework Strands \
33+
--model-provider Anthropic \
34+
--api-key sk-ant-fake-key-for-testing-12345 \
35+
--memory none \
36+
--skip-git \
37+
--skip-python-setup
38+
cd kmstest
39+
40+
# Add a deployment target (the CLI does not create one automatically)
41+
cat > agentcore/aws-targets.json << 'EOF'
42+
[
43+
{
44+
"name": "default",
45+
"account": "325335451438",
46+
"region": "us-west-2"
47+
}
48+
]
49+
EOF
50+
```
51+
52+
## Helper: check token vault KMS config
53+
54+
```bash
55+
# Check what key the token vault is currently using (source of truth)
56+
check_vault_kms() {
57+
aws bedrock-agentcore-control get-token-vault \
58+
--region $AWS_REGION \
59+
--query 'kmsConfiguration' \
60+
--output json
61+
}
62+
63+
# Read KMS key ARN from local deployed state
64+
read_kms_arn() {
65+
python3 -c "
66+
import json
67+
with open('agentcore/.cli/deployed-state.json') as f:
68+
d = json.load(f)
69+
for t in d['targets'].values():
70+
arn = (t.get('resources') or {}).get('identityKmsKeyArn')
71+
if arn:
72+
print(arn)
73+
break
74+
"
75+
}
76+
```
77+
78+
## Test 1: Key reuse across deploys (same project)
79+
80+
Verify that a second deploy reuses the existing KMS key instead of creating a new one.
81+
82+
```bash
83+
# First deploy
84+
agentcore deploy -y
85+
86+
# Record the KMS key ARN
87+
KEY_ARN_1=$(read_kms_arn)
88+
echo "First deploy key: $KEY_ARN_1"
89+
90+
if [ -z "$KEY_ARN_1" ]; then
91+
echo "FAIL: No KMS key ARN found in agentcore/.cli/deployed-state.json after first deploy"
92+
echo "Check that the project has ApiKeyCredentialProvider credentials."
93+
exit 1
94+
fi
95+
96+
# Check the vault directly
97+
echo "Vault KMS config after first deploy:"
98+
check_vault_kms
99+
100+
# Second deploy
101+
agentcore deploy -y
102+
103+
# Record the key ARN again
104+
KEY_ARN_2=$(read_kms_arn)
105+
echo "Second deploy key: $KEY_ARN_2"
106+
107+
# VERIFY: both ARNs should be identical
108+
if [ "$KEY_ARN_1" = "$KEY_ARN_2" ]; then
109+
echo "PASS: Key was reused"
110+
else
111+
echo "FAIL: New key created on second deploy"
112+
echo " First: $KEY_ARN_1"
113+
echo " Second: $KEY_ARN_2"
114+
fi
115+
116+
# VERIFY: only one key tagged for this project exists
117+
KEY_COUNT=$(aws resourcegroupstaggingapi get-resources \
118+
--tag-filters Key=agentcore:project,Values=kmstest \
119+
--resource-type-filters kms:key \
120+
--region $AWS_REGION \
121+
--query 'ResourceTagMappingList | length(@)' \
122+
--output text)
123+
echo "Keys tagged for this project: $KEY_COUNT"
124+
if [ "$KEY_COUNT" = "1" ]; then
125+
echo "PASS: Only one KMS key exists"
126+
else
127+
echo "FAIL: Expected 1 key, found $KEY_COUNT"
128+
fi
129+
```
130+
131+
## Test 2: Key reuse across different projects (same account)
132+
133+
Verify that a second project in the same account reuses the vault's existing CMK
134+
instead of creating a new orphaned key.
135+
136+
```bash
137+
# Save the key ARN from project 1
138+
KEY_ARN_PROJECT1=$(read_kms_arn)
139+
echo "Project 1 key: $KEY_ARN_PROJECT1"
140+
141+
# Create a second project in the same account
142+
cd /tmp/kms-test-project
143+
agentcore create \
144+
--name kmstest2 \
145+
--framework Strands \
146+
--model-provider Anthropic \
147+
--api-key sk-ant-fake-key-for-testing-67890 \
148+
--memory none \
149+
--skip-git \
150+
--skip-python-setup
151+
cd kmstest2
152+
153+
# Add a deployment target
154+
cat > agentcore/aws-targets.json << 'EOF'
155+
[
156+
{
157+
"name": "default",
158+
"account": "325335451438",
159+
"region": "us-west-2"
160+
}
161+
]
162+
EOF
163+
164+
# Deploy project 2
165+
agentcore deploy -y
166+
167+
KEY_ARN_PROJECT2=$(read_kms_arn)
168+
echo "Project 2 key: $KEY_ARN_PROJECT2"
169+
170+
# VERIFY: both projects should use the same key (the vault's CMK)
171+
if [ "$KEY_ARN_PROJECT1" = "$KEY_ARN_PROJECT2" ]; then
172+
echo "PASS: Both projects share the same vault CMK"
173+
else
174+
echo "FAIL: Project 2 created a new key instead of reusing the vault's CMK"
175+
echo " Project 1: $KEY_ARN_PROJECT1"
176+
echo " Project 2: $KEY_ARN_PROJECT2"
177+
fi
178+
179+
# VERIFY: vault still has the same key
180+
echo "Vault KMS config after project 2 deploy:"
181+
check_vault_kms
182+
183+
# Count total agentcore KMS keys in the account — should still be 1
184+
TOTAL_KEYS=$(aws resourcegroupstaggingapi get-resources \
185+
--tag-filters Key=agentcore:project \
186+
--resource-type-filters kms:key \
187+
--region $AWS_REGION \
188+
--query 'ResourceTagMappingList | length(@)' \
189+
--output text)
190+
echo "Total agentcore KMS keys in account: $TOTAL_KEYS"
191+
if [ "$TOTAL_KEYS" = "1" ]; then
192+
echo "PASS: No orphaned keys created"
193+
else
194+
echo "FAIL: Expected 1 key total, found $TOTAL_KEYS"
195+
fi
196+
```
197+
198+
## Cleanup
199+
200+
```bash
201+
# Delete test project directories
202+
cd /tmp
203+
rm -rf kms-test-project
204+
205+
# List any leftover KMS keys tagged for test projects
206+
aws resourcegroupstaggingapi get-resources \
207+
--tag-filters Key=agentcore:project \
208+
--resource-type-filters kms:key \
209+
--region $AWS_REGION \
210+
--query 'ResourceTagMappingList[].ResourceARN' \
211+
--output table
212+
213+
# To manually clean up KMS keys after all testing is done:
214+
# aws kms schedule-key-deletion --key-id KEY_ID --pending-window-in-days 7 --region $AWS_REGION
215+
```
216+
217+
## Expected results summary
218+
219+
| Test | Expected |
220+
|------|----------|
221+
| Test 1: Same project redeploy | Same KMS key ARN, only 1 key exists |
222+
| Test 2: Cross-project deploy | Both projects share the vault's CMK, no orphaned keys |
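Review bot: The "only one key tagged for this project" check in Test 1 (the KEY_COUNT block) assumes the account has no customer-managed key in its token vault before the first deploy; with the new GetTokenVault check in place, a pre-existing CMK (for example one left by a previous run of this doc, or by another project) is reused and may carry a different agentcore:project tag, so KEY_COUNT would be 0 and the test would fail for the wrong reason. Add a precondition step that runs check_vault_kms before the first deploy and documents the expected starting state (no customer-managed key), or assert on the vault's key ARN instead of on the tag count. Related: in both tests the vault configuration is only printed (`check_vault_kms`) and never compared, so a deploy that writes a stale ARN into deployed-state.json would still PASS; assert that the ARN the vault reports equals $KEY_ARN_1 / $KEY_ARN_PROJECT2. Finally, the doc hard-codes the test account ID (325335451438), a developer-local source path (/Volumes/workplace/kmskeybug/...) and an internal credential helper; parameterize these as variables at the top of the Setup block so the doc is usable outside one workstation and does not pin a specific account in the repository.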

package-lock.json

Lines changed: 0 additions & 18 deletions