I am implementing a custom email sending Lambda for Cognito. When attempting to decrypt the "code" I am receiving the "Aws::KMS::Errors::InvalidCiphertextException" exception.
I have a symmetric KMS key assigned to the Lambda via the Cognito User Pool, and can successfully trigger the Lambda.
I have attempted to use both "Base64.decode64" and "Base64.strict_decode64" before passing the ciphertext to the decode method.
The CloudTrail logs are showing that Cognito is using the KMS GenerateKeyPair method, and providing an encryption context:
{
"userpool-id": "my-user-pool",
"aws-crypto-public-key": "AULXovx/...=="
}
I have therefore attempted to pass this "encryption_context" to the decrypt method, however the "aws-crypto-public-key" is unique to each request. The KMS documentation explains (as best I can understand) that public keys are not applicable for symmetric keys.
Questions:
- Have I correctly understood the requirements to decode the ciphertext input?
- If so, how can I retrieve the public-key value for the given ciphertext input?
Language: Ruby
SDK Version: 3
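The "aws-crypto-public-key" pair in the CloudTrail encryption context is the reserved key the AWS Encryption SDK adds for its signed algorithm suites, so the code delivered to the Lambda is an Encryption SDK message (a header carrying the encryption context and a KMS-wrapped data key, followed by the encrypted body), not a raw KMS ciphertext; KMS Decrypt has no way to read that framing, which is what InvalidCiphertextException reports. The Ruby below is an added example, not code from the question or from AWS. It parses the message header offline so the encryption context (including the per-message public key) and the KMS key ARN can be read straight from the input. The sample message it builds is constructed, with a made-up key ARN, message id and public-key value, zeroed header authentication bytes and no body.

```ruby
require 'base64'
require 'stringio'

# Added example, not part of the question. Parses the header of an AWS
# Encryption SDK message (format versions 1 and 2) so the encryption context,
# including "aws-crypto-public-key", and the KMS-wrapped data key can be read
# without any AWS call. The message body is not decrypted here.
module EsdkHeader
  KMS_PROVIDER_ID = 'aws-kms'

  # Sequential big-endian reader over the raw message bytes.
  class Reader
    def initialize(bytes)
      @io = StringIO.new(bytes.b)
    end

    def take(n)
      s = @io.read(n)
      raise ArgumentError, "truncated message: wanted #{n} bytes" if s.nil? || s.bytesize != n
      s
    end

    def u8;  take(1).unpack1('C'); end
    def u16; take(2).unpack1('n'); end
    def u32; take(4).unpack1('N'); end

    # 2-byte length prefix followed by that many bytes (AAD and EDK fields).
    def str16; take(u16); end
    def utf8; str16.force_encoding('UTF-8'); end
  end

  def self.parse(message)
    r = Reader.new(message)
    version = r.u8
    unless [1, 2].include?(version)
      raise ArgumentError, format('not an Encryption SDK message (first byte 0x%02x)', version)
    end

    header = { version: version }
    header[:type] = r.u8 if version == 1 # 0x80 = customer authenticated encrypted data
    header[:algorithm_id] = r.u16
    header[:message_id] = r.take(version == 1 ? 16 : 32).unpack1('H*')

    # The AAD is the encryption context; signed suites add "aws-crypto-public-key".
    ctx = {}
    aad_len = r.u16
    if aad_len.positive?
      aad = Reader.new(r.take(aad_len))
      aad.u16.times { ctx[aad.utf8] = aad.utf8 }
    end
    header[:encryption_context] = ctx

    # Each EDK is the data key wrapped by a keyring. For the KMS keyring the
    # ciphertext field is the actual KMS Encrypt output and provider_info is the key ARN.
    header[:encrypted_data_keys] = Array.new(r.u16) do
      { provider_id: r.utf8, provider_info: r.utf8, ciphertext: r.str16 }
    end

    header[:content_type] = r.u8 # 1 = non-framed, 2 = framed
    if version == 1
      r.u32 # reserved, must be zero
      header[:iv_length] = r.u8
    end
    header[:frame_length] = r.u32
    header
  end

  # The Lambda input carries the message base64-encoded.
  def self.parse_base64(code)
    parse(Base64.strict_decode64(code))
  end

  # Constructed sample v1 header (made-up key ARN, message id and public-key
  # value; zeroed header-auth IV and tag; no body). Only so the example runs offline.
  def self.build_sample_v1
    ctx = { 'userpool-id' => 'my-user-pool',
            'aws-crypto-public-key' => 'constructed-public-key' }
    pairs = ctx.map { |k, v| [k.bytesize, k, v.bytesize, v].pack('na*na*') }.join
    aad = [ctx.size].pack('n') + pairs
    arn = 'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000'
    edk = [KMS_PROVIDER_ID.bytesize, KMS_PROVIDER_ID, arn.bytesize, arn, 48, "\x00" * 48].pack('na*na*na*')
    [1, 0x80, 0x0378].pack('CCn') +     # version, type, AES-256-GCM/HKDF-SHA384/ECDSA-P384
      ("\x11" * 16).b +                  # message id
      [aad.bytesize].pack('n') + aad +
      [1].pack('n') + edk +
      [2].pack('C') +                    # framed content
      [0].pack('N') + [12].pack('C') +   # reserved, IV length
      [4096].pack('N') +                 # frame length
      ("\x00" * 28).b                    # header-auth IV (12) + tag (16)
  end
end

if $PROGRAM_NAME == __FILE__
  h = EsdkHeader.parse_base64(Base64.strict_encode64(EsdkHeader.build_sample_v1))
  puts "encryption context: #{h[:encryption_context]}"
  h[:encrypted_data_keys].each do |e|
    puts "data key wrapped by #{e[:provider_id]} #{e[:provider_info]} (#{e[:ciphertext].bytesize} bytes)"
  end
end
```

Two things the header makes visible: the public-key value does not have to be supplied to anything, because it travels inside the message and the Encryption SDK reads it from there when it verifies the signature; and the only KMS ciphertext in the message is the encrypted data key field, not the blob as a whole. Decrypting the body still requires the SDK's key derivation, frame handling and signature verification, and AWS publishes the Encryption SDK for languages such as Java, Python, JavaScript, C, .NET, Go and Rust but not as a Ruby gem, so this parser is a diagnostic aid rather than a replacement for it.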