KMS: sign() now supports Alias ARNs (#8094)

getmoto · Sep 7, 2024 · 924f5ec · 924f5ec
1 parent 17c2fa9
commit 924f5ec
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 12 deletions.
diff --git a/moto/kms/models.py b/moto/kms/models.py
@@ -372,22 +372,13 @@ def delete_key(self, key_id: str) -> None:
             self.keys.pop(key_id)
 
     def describe_key(self, key_id: str) -> Key:
-        # allow the different methods (alias, ARN :key/, keyId, ARN alias) to
-        # describe key not just KeyId
-        key_id = self.get_key_id(key_id)
-        if r"alias/" in str(key_id).lower():
-            key_id = self.get_key_id_from_alias(key_id)  # type: ignore[assignment]
-
-        key = self.keys[self.get_key_id(key_id)]
+        key = self.keys[self.any_id_to_key_id(key_id)]
 
         if key.multi_region:
-            if key.arn == key.multi_region_configuration["PrimaryKey"]["Arn"]:
-                return self.keys[self.get_key_id(key_id)]
-            else:
+            if key.arn != key.multi_region_configuration["PrimaryKey"]["Arn"]:
                 key.multi_region_configuration["MultiRegionKeyType"] = "REPLICA"
-                return key
 
-        return self.keys[self.get_key_id(key_id)]
+        return key
 
     def list_keys(self) -> Iterable[Key]:
         return self.keys.values()

diff --git a/tests/test_kms/test_kms_boto3.py b/tests/test_kms/test_kms_boto3.py
@@ -1192,6 +1192,30 @@ def test_sign_happy(plaintext):
     assert sign_response["KeyId"] == key_arn
 
 
+@mock_aws
+def test_sign_using_alias():
+    client = boto3.client("kms", region_name="us-west-2")
+
+    key = client.create_key(
+        Description="sk", KeyUsage="SIGN_VERIFY", KeySpec="RSA_2048"
+    )
+    key_id = key["KeyMetadata"]["KeyId"]
+    client.create_alias(AliasName="alias/my-alias", TargetKeyId=key_id)
+    client.sign(
+        KeyId=key_id, Message="plaintext", SigningAlgorithm="RSASSA_PSS_SHA_256"
+    )
+
+    key_id = "alias/my-alias"
+    client.sign(
+        KeyId=key_id, Message="plaintext", SigningAlgorithm="RSASSA_PSS_SHA_256"
+    )
+
+    key_id = f"arn:aws:kms:us-west-2:{ACCOUNT_ID}:alias/my-alias"
+    client.sign(
+        KeyId=key_id, Message="plaintext", SigningAlgorithm="RSASSA_PSS_SHA_256"
+    )
+
+
 @mock_aws
 def test_sign_invalid_signing_algorithm():
     client = boto3.client("kms", region_name="us-west-2")