// DecryptKey asks AWS KMS to decrypt the data key carried by key and stores
// the result on key in place.
//
// The request sends key.Ciphertext together with a single-entry encryption
// context built from key.ContextKey and key.ContextValue. KMS treats the
// encryption context as authenticated data, so decryption is expected to fail
// if this pair differs from the one used when the key was encrypted.
//
// On success key.Plaintext is set from the response and key.Ciphertext is
// cleared. An error is returned, and key is left untouched, when
// key.Encrypted() reports false or when the Decrypt call fails.
//
// NOTE(review): after a successful call the plaintext data key stays in memory
// on key.Plaintext; nothing in this method clears it, so its lifetime is up to
// the caller.
func (k *KMS) DecryptKey(key *security.ManagedKey) error {
	if !key.Encrypted() {
		return fmt.Errorf("aws kms: key is already decrypted")
	}

	out, decryptErr := k.kms.Decrypt(&kms.DecryptInput{
		CiphertextBlob: key.Ciphertext,
		EncryptionContext: map[string]*string{
			key.ContextKey: &key.ContextValue,
		},
	})
	if decryptErr == nil {
		key.Plaintext = out.Plaintext
		key.Ciphertext = nil
		return nil
	}

	// An AWS API error with an empty message is reported by its code instead,
	// so the returned text is never blank after the prefix.
	var cause error = decryptErr
	if awsErr, isAWS := decryptErr.(awserr.Error); isAWS {
		if awsErr.Message() == "" {
			cause = fmt.Errorf("%s", awsErr.Code())
		}
	}

	// The cause is formatted with %s, so callers receive text only and cannot
	// type-inspect the underlying AWS error.
	return fmt.Errorf("aws kms: error decrypting data key: %s", cause)
}