Esempio n. 1
File: kms.go Progetto: logan/heim
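// DecryptKey asks AWS KMS to decrypt the data key held in key and, on
// success, stores the returned plaintext on key and drops the ciphertext.
//
// The request carries a single-entry encryption context built from
// key.ContextKey and key.ContextValue. KMS treats the encryption context as
// authenticated data: decryption fails unless it matches the context supplied
// when the data key was encrypted, which binds the ciphertext to that context.
//
// It returns an error if key is nil, if key is not in the encrypted state, if
// the KMS call fails, or if KMS returns no plaintext. key is left unmodified
// on every error path.
//
// NOTE(review): the request does not pin a KMS key id, so KMS selects the key
// from the ciphertext metadata. If the caller's IAM policy allows Decrypt on
// more than one key, consider constraining the key at the policy or request
// level (confirm against the vendored SDK version).
//
// NOTE(review): after a successful call key.Plaintext holds raw key material;
// callers should keep it out of logs and clear it when no longer needed.
func (k *KMS) DecryptKey(key *security.ManagedKey) error {
	// Guard against a nil key so a caller bug surfaces as an error instead
	// of a nil-pointer panic inside the crypto path.
	if key == nil {
		return fmt.Errorf("aws kms: key is nil")
	}
	if !key.Encrypted() {
		return fmt.Errorf("aws kms: key is already decrypted")
	}

	ctx := map[string]*string{key.ContextKey: &key.ContextValue}
	req := &kms.DecryptInput{
		CiphertextBlob:    key.Ciphertext,
		EncryptionContext: ctx,
	}

	resp, err := k.kms.Decrypt(req)
	if err != nil {
		// Some API errors carry only a code and no message; surface the
		// code so the returned error is not empty.
		if apiErr, ok := err.(awserr.Error); ok && apiErr.Message() == "" {
			err = fmt.Errorf("%s", apiErr.Code())
		}
		return fmt.Errorf("aws kms: error decrypting data key: %s", err)
	}

	// Validate the response before mutating key: discarding the ciphertext
	// without having a plaintext would leave the key unusable and
	// unrecoverable from this struct.
	if resp == nil || len(resp.Plaintext) == 0 {
		return fmt.Errorf("aws kms: error decrypting data key: empty plaintext in response")
	}

	key.Plaintext = resp.Plaintext
	// Clearing the ciphertext presumably flips key.Encrypted() to false —
	// TODO confirm against security.ManagedKey.
	key.Ciphertext = nil
	return nil
}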