From 1ae8d79e834ea1730e41c16cf31fc9753a664a1c Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Tue, 27 Aug 2024 17:00:20 -0600
Subject: [PATCH] fix(kms-key): only get tags if customer managed key
---
 resources/kms-key.go | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/resources/kms-key.go b/resources/kms-key.go
index adba6096..043824e5 100644
--- a/resources/kms-key.go
+++ b/resources/kms-key.go
@@ -60,7 +60,7 @@ func (l *KMSKeyLister) List(_ context.Context, o interface{}) ([]resource.Resour
 if errors.As(err, &awsError) {
 if awsError.Code() == "AccessDeniedException" {
 inaccessibleKeys = true
- logrus.WithError(err).Debug("unable to describe key")
+ logrus.WithField("arn", key.KeyArn).WithError(err).Debug("unable to describe key")
 continue
 }
 }
@@ -76,13 +76,26 @@ func (l *KMSKeyLister) List(_ context.Context, o interface{}) ([]resource.Resour
 Manager: resp.KeyMetadata.KeyManager,
 }
- tags, err := svc.ListResourceTags(&kms.ListResourceTagsInput{
- KeyId: key.KeyId,
- })
- if err != nil {
- logrus.WithError(err).Error("unable to list tags")
- } else {
- kmsKey.Tags = tags.Tags
+ // Note: we check for customer managed keys here because we can't list tags for AWS managed keys
+ // This way AWS managed keys still show up but get filtered out by the Filter method
+ if ptr.ToString(resp.KeyMetadata.KeyManager) == kms.KeyManagerTypeCustomer {
+ tags, err := svc.ListResourceTags(&kms.ListResourceTagsInput{
+ KeyId: key.KeyId,
+ })
+ if err != nil {
+ var awsError awserr.Error
+ if errors.As(err, &awsError) {
+ if awsError.Code() == "AccessDeniedException" {
+ inaccessibleKeys = true
+ logrus.WithError(err).Debug("unable to list tags")
+ continue
+ } else {
+ logrus.WithError(err).Error("unable to list tags")
+ }
+ }
+ } else {
+ kmsKey.Tags = tags.Tags
+ }
 }
 resources = append(resources, kmsKey)
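Review bot: In the new ListResourceTags error handling, an error that is not an awserr.Error is now silently dropped: the `if errors.As(err, &awsError)` block has no else branch, so the key is appended with nil Tags and nothing is logged, whereas the removed code logged every failure at Error level. Flattening the nesting fixes that and also gives this log line the `arn` field the describe-key log gained in the first hunk; if the `awsError` declared earlier in the loop body is still in scope here, the inner `var awsError awserr.Error` shadows it and could be dropped. A customer managed key whose tags cannot be read is skipped via `continue` and therefore never returned for deletion; that matches the describe-key path, but it is worth stating in the Note comment since it is a second reason a key can vanish from the list. The enclosing List method starts before and ends after this hunk, and the Filter method the comment relies on is outside it.
```go
// … unchanged: ListResourceTags call …
if err != nil {
	var awsError awserr.Error
	if errors.As(err, &awsError) && awsError.Code() == "AccessDeniedException" {
		inaccessibleKeys = true
		logrus.WithField("arn", key.KeyArn).WithError(err).Debug("unable to list tags")
		continue
	}
	// Any other failure, AWS or not, is reported as it was before this change.
	logrus.WithField("arn", key.KeyArn).WithError(err).Error("unable to list tags")
} else {
	kmsKey.Tags = tags.Tags
}
```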