1

I have an SQS queue encrypted with a KMS Customer Master Key (CMK).

I can't get the --message-attributes syntax right to add the KMS key id when using the send-message CLI command:

aws sqs send-message --queue-url "queue/url" --message-body "testing" --message-attributes '{"keyId": {"DataType":"String", "StringValue":"mKeyId"}}'

The error I get back is:

An error occurred (KMS.NotFoundException) when calling the SendMessage operation: Invalid keyId (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: 02cae15e-bf78-11e7-c001-f9dff348cb7e)

The key is the correct key, and I've also tried with the key alias.

Couldn't find anything in the SQS docs.

What am I getting wrong with the syntax?

maafk

1 Answer

2

Turns out I created a bad queue via CloudFormation.

When reading the CloudFormation docs for SQS, the KmsMasterKeyId I had included my CMK alias, when you should only use an alias when using the AWS managed SSE (/alias/aws/sqs).

When updating to my actual key id, the CLI command I used worked just fine:

aws sqs send-message --queue-url "queue/url" --message-body "testing" --message-attributes '{"keyId": {"DataType":"String", "StringValue":"mKeyId"}}'
maafk
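The error above came from the queue's own KmsMasterKeyId, not from the send-message call, so the template is the place to check. The following is an added example, not code from the poster: it lists every AWS::SQS::Queue in a CloudFormation template (as parsed JSON) and reports which KMS identifier form its KmsMasterKeyId uses, flagging values that match none of them. The template, queue names and key values are constructed, and `classify_kms_id` and `audit_queues` are hypothetical helper names.

```python
import re

# The four KMS key identifier forms: key id, key ARN, alias name, alias ARN.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ARN = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:"
FORMS = [
    ("key-id", re.compile(rf"^(mrk-[0-9a-f]{{32}}|{UUID})$")),
    ("key-arn", re.compile(rf"^{ARN}key/(mrk-[0-9a-f]{{32}}|{UUID})$")),
    ("alias", re.compile(r"^alias/[A-Za-z0-9/_-]+$")),
    ("alias-arn", re.compile(rf"^{ARN}alias/[A-Za-z0-9/_-]+$")),
]

def classify_kms_id(value):
    """Return the identifier form of a KmsMasterKeyId value."""
    if isinstance(value, dict):      # Ref / Fn::GetAtt / Fn::Sub: resolved at deploy time
        return "intrinsic"
    if not isinstance(value, str):
        return "malformed"
    for name, pattern in FORMS:
        if pattern.match(value):
            return name
    return "malformed"               # would surface later as "Invalid keyId"

def audit_queues(template):
    """Map each SQS queue's logical id to (KmsMasterKeyId, form)."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::Queue":
            continue
        props = res.get("Properties") or {}
        if "KmsMasterKeyId" not in props:
            report[logical_id] = (None, "not-set")
        else:
            value = props["KmsMasterKeyId"]
            report[logical_id] = (value, classify_kms_id(value))
    return report

# Constructed sample template; none of these values come from a real account.
SAMPLE = {"Resources": {
    "OrdersQueue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    "AuditQueue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": "alias/aws/sqs"}},
    "BadQueue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": "mKeyId"}},
    "RefQueue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": {"Ref": "QueueKey"}}},
    "PlainQueue": {"Type": "AWS::SQS::Queue"},
    "Topic": {"Type": "AWS::SNS::Topic"},
}}

if __name__ == "__main__":
    for queue, (value, form) in audit_queues(SAMPLE).items():
        print(f"{queue}: {value!r} -> {form}")
```

A well-formed value only passes the shape check; whether the key exists and is usable by the queue's senders still has to be confirmed against the account.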