Hit limit of KMS keys

Question

Hit limit of KMS keys

JosephSalisbury opened this issue 7 years ago · comments

{"caller":"github.com/giantswarm/aws-operator/service/create/service.go:233","error":"could not encode TLS assets: [{/go/src/github.com/giantswarm/aws-operator/service/create/assets.go:15: } {/go/src/github.com/giantswarm/aws-operator/service/create/encrypt.go:87: } {InvalidParameter: 1 validation error(s) found.\n- minimum field size of 1, EncryptInput.KeyId.\n}]","time":"17-04-24 08:45:47.403"}

It looks like we hit the (1K) limit of KMS keys

Joe Salisbury · Answer 1 · Mon Apr 24 2017 17:12:01 GMT+0800 (China Standard Time)

Let's make sure we delete the key when deleting a cluster, I think that's the best we can do here

Michal Rostecki · Answer 2 · Mon Apr 24 2017 17:14:16 GMT+0800 (China Standard Time)

@JosephSalisbury You cannot explicitly remove the key, you can only schedule a deletion which happens after ~1 day. We are currently doing that: https://github.com/giantswarm/aws-operator/blob/master/resources/aws/kms.go#L58-L63

Joe Salisbury · Answer 3 · Mon Apr 24 2017 17:16:14 GMT+0800 (China Standard Time)

for my learning, from http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html it looks like the minimum time period is 7 days?

You can set the waiting period from a minimum of 7 days up to a maximum of 30 days.

but cool that we already schedule for deletion

Ross Fairbanks · Answer 4 · Mon Apr 24 2017 17:22:15 GMT+0800 (China Standard Time)

Yes good we're scheduling the key for deletion but we're using the default which is 30 days. We may want to reduce to 7 days.

https://godoc.org/github.com/aws/aws-sdk-go/service/kms#ScheduleKeyDeletionInput

Michal Rostecki · Answer 5 · Mon Apr 24 2017 17:25:03 GMT+0800 (China Standard Time)

OK, will do that.