aws / aws-encryption-sdk-cli

CLI wrapper around aws-encryption-sdk-python


When supplying key=Alias doesn't work in 2.1.X

universalvishwa opened this issue · comments

After 2.1.X of the AWS Encryption SDK CLI was released, I was trying to decrypt using key=alias/mykmskey. It doesn't allow me to use that, even though the documentation says it's possible. The only way I could get it to work is if I supplied key=$keyID_Arn. In the previous release, I was able to use the alias, if I'm not mistaken.
I personally prefer to have the option to use the alias, as it's user-friendly. Having to supply the key ID is tedious and additional work.

Other Info:

  • Platform: Windows Server 2019 Data center
  • aws-encryption-cli version: aws-encryption-sdk-cli/2.1.0 aws-encryption-sdk/2.0.0
  • Python: Python 3.9.0

Hi universalvishwa,

The behavior you're seeing is expected: version 2.1.x of the Encryption CLI does not support decrypting by specifying the alias. Can you point me to the documentation you're reading that says it's possible? That may be an error in our docs that we need to get fixed.

We recommend specifying the key id as a security best practice, but I do understand that doing so can require additional work. To that end, we have a discovery attribute of the --wrapping-keys parameter which allows decryption without explicitly listing all ARNs. You can use this without additional filtering, which will cause the Encryption CLI to try to decrypt any ciphertext it comes across:

aws-encryption-cli --decrypt ... --wrapping-keys discovery=true

However, if using discovery mode we recommend using the discovery "filter" attributes to limit decryption to only ciphertexts that are wrapped by AWS CMKs that belong to explicit accounts and partitions. For example:

aws-encryption-cli --decrypt ... --wrapping-keys discovery=true discovery-account=123456789012 discovery-partition=aws

(You can find more detailed docs for the discovery attribute here: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli-how-to.html#discovery-cli-attribute)

Would this work for your use case?
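The decrypt-time key selection described in the reply above, modeled in Python as an added example (this is not code from aws-encryption-sdk-cli or the AWS Encryption SDK). The model relies on two facts: a KMS key ARN has the form arn:partition:kms:region:account:key/key-id, and the KMS entries in an Encryption SDK ciphertext header carry the ARN of the key that wrapped each data key. Everything else is an assumption of the model: the header entries and account IDs are constructed samples, and allowing more than one discovery account is a modeling choice, not a statement about the CLI's syntax.

```python
"""Model of which wrapped data keys a decrypt run would try under
explicit key ARNs versus discovery mode with an account/partition filter.

Added illustration only; not the Encryption CLI's implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# KMS key ARN layout: arn:<partition>:kms:<region>:<account>:key/<key-id>
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>[^/]+)$"
)


@dataclass(frozen=True)
class KeyArn:
    partition: str
    region: str
    account: str
    key_id: str


def parse_key_arn(value: str) -> KeyArn:
    """Accept only a full KMS key ARN.

    Aliases ("alias/..."), alias ARNs and bare key IDs are rejected, matching
    the 2.1.x rule that a decrypt wrapping key must be a key ARN. The header
    stores the key ARN, so an ARN can be matched locally; an alias can be
    re-pointed to a different key, so matching on it would be a weaker check.
    """
    m = KEY_ARN_RE.match(value)
    if m is None:
        raise ValueError(f"decrypt wrapping key must be a KMS key ARN, got {value!r}")
    return KeyArn(**m.groupdict())


@dataclass(frozen=True)
class DiscoveryFilter:
    partition: str          # e.g. "aws" (discovery-partition)
    accounts: frozenset     # 12-digit account IDs (discovery-account); set is a modeling assumption


@dataclass(frozen=True)
class DecryptConfig:
    key_arns: tuple = ()                                # --wrapping-keys key=arn:... (explicit mode)
    discovery: bool = False                             # --wrapping-keys discovery=true
    discovery_filter: Optional[DiscoveryFilter] = None  # discovery-account / discovery-partition


@dataclass(frozen=True)
class EncryptedDataKey:
    provider_id: str    # "aws-kms" for KMS-wrapped data keys
    provider_info: str  # key ARN of the wrapping key for aws-kms entries


def decrypt_candidates(edks: Sequence[EncryptedDataKey], config: DecryptConfig) -> List[EncryptedDataKey]:
    """Return the header entries a decrypt run would send to KMS under this config."""
    allowed = set()
    if not config.discovery:
        allowed = {parse_key_arn(a) for a in config.key_arns}
        if not allowed:
            raise ValueError("explicit mode needs at least one key ARN")

    chosen = []
    for edk in edks:
        if edk.provider_id != "aws-kms":
            continue  # not a KMS-wrapped key; out of scope for this model
        try:
            arn = parse_key_arn(edk.provider_info)
        except ValueError:
            continue  # malformed provider info is never attempted
        if not config.discovery:
            if arn in allowed:
                chosen.append(edk)
        elif config.discovery_filter is None:
            chosen.append(edk)  # unfiltered discovery: try any KMS key in the header
        else:
            f = config.discovery_filter
            if arn.partition == f.partition and arn.account in f.accounts:
                chosen.append(edk)
    return chosen


# Constructed sample header entries; not taken from a real ciphertext.
SAMPLE_EDKS = (
    EncryptedDataKey("aws-kms", "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"),
    EncryptedDataKey("aws-kms", "arn:aws:kms:us-east-1:999999999999:key/22222222-2222-2222-2222-222222222222"),
    EncryptedDataKey("aws-kms", "arn:aws-cn:kms:cn-north-1:123456789012:key/33333333-3333-3333-3333-333333333333"),
    EncryptedDataKey("raw-keys", "my-local-rsa-key"),
)

if __name__ == "__main__":
    unfiltered = DecryptConfig(discovery=True)
    filtered = DecryptConfig(discovery=True,
                             discovery_filter=DiscoveryFilter("aws", frozenset({"123456789012"})))
    for name, cfg in (("discovery=true", unfiltered), ("discovery filtered", filtered)):
        print(name, [e.provider_info for e in decrypt_candidates(SAMPLE_EDKS, cfg)])
```

Running the script shows why the filter matters: with discovery=true alone, all three KMS entries, including the foreign-account and aws-cn keys, would be sent to KMS; with discovery-account and discovery-partition set, only the entry from your own account and partition is attempted.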

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli-reference.html#crypto-cli-parameters

key
Identifies the wrapping key used in the operation. The format is a key=ID pair. The key attribute is required in all encrypt commands.
When you use an AWS KMS customer master key (CMK) in an encrypt command, the value of the key attribute can be a key ID, key ARN, an alias name, or an alias ARN. For details about AWS KMS key identifiers, see Key identifiers in the AWS Key Management Service Developer Guide.

Just now I tested your suggestion, and it worked. I'm satisfied with that. I'll use that. Thank you.

I would still recommend updating the AWS Docs to make sure that it's clearly explained. Perhaps including that suggestion as an example would be very helpful.

Moreover, thanks for responding very quickly.

Glad to hear it!

It looks like that quote you called out comes from the section under the --master-keys parameter, which has been removed in 2.1.x. It is replaced by --wrapping-keys, and I do see that the key parameter is correctly described in that section:

In decrypt commands, the value of the key attribute must be a key ARN

Either way, we'll look into improvements in the docs to try to make this crystal clear. I'll go ahead and close out this issue, but do feel free to re-open (or cut a new one) if you have any other questions.