(aws-opensearchservice): Domain construct should use KMS Key ARN instead of KeyId for cross-account reference #36017

@TaxBusby

Description

@TaxBusby

Describe the bug

Unable to use a KMS key from another AWS account when creating an OpenSearch Domain.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

import * as kms from 'aws-cdk-lib/aws-kms';
import { Domain } from 'aws-cdk-lib/aws-opensearchservice';

// KMS key owned by a different AWS account, imported by its full ARN
const remoteKey = kms.Key.fromKeyArn(this, 'RemoteEncryptionKey', "arn:aws:kms:us-east-1:<different-account-id>:key/xxxx");

const domain = new Domain(this, 'Domain', {
  /*... Other settings ... */
  encryptionAtRest: {
    enabled: true,
    kmsKey: remoteKey,
  },
});

When used with a cross-account KMS key reference, it should create an OpenSearch domain using the specified KMS key ARN.

Current Behavior

Results in an error:

Invalid request provided: Error in Accessing KmsKeyID with details:Key 'arn:aws:kms:us-east-1:<current-account-id>:key/xxxx' does not exist (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: xxx; Proxy: null) (Service: OpenSearch, Status Code: 400, Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx, HandlerErrorCode: InvalidRequest)

Reproduction Steps

  1. Create a KMS key in an AWS account A with appropriate grants to be used by AWS account B.
  2. Create an OpenSearch domain in CDK code as specified above using the ARN of the KMS key in account A.
  3. Deploy the CDK code to account B.

Possible Solution

The current code in https://github.com/aws/aws-cdk/blob/v2.223.0/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts#L1991 passes the KMS Key Id to the underlying constructs instead of the ARN. It should use the Key ARN instead when available.

As a workaround, I am using the following code to bypass the issue:

import * as kms from 'aws-cdk-lib/aws-kms';
import { Domain } from 'aws-cdk-lib/aws-opensearchservice';

const remoteKey = kms.Key.fromKeyArn(this, 'RemoteEncryptionKey', "arn:aws:kms:us-east-1:<different-account-id>:key/xxxx");
const domain = new Domain(this, 'Domain', {
  /*... Other settings ... */
  encryptionAtRest: {
    enabled: true,
    // Hand the construct a key reference whose keyId field also carries the
    // full ARN, so the value it forwards as KmsKeyId resolves in the right account
    kmsKey:
      remoteKey &&
      ({
        keyRef: { keyArn: remoteKey.keyArn, keyId: remoteKey.keyArn },
      } as kms.IKeyRef),
  },
});

This works and creates the domain successfully using the correct key, suggesting that the code should be updated to use the ARN if available rather than the Key Id.

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.219.0

AWS CDK CLI version

2.1029.4 (build 09c0061)

Node.js Version

20

OS

linux

Language

TypeScript

Language Version

5.9.3

Other information

No response
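As an added illustration of the mechanism behind the "Possible Solution" and the workaround above (this is example code written for this page, not code from the issue or from aws-cdk-lib), the TypeScript below models how a service that accepts a KmsKeyId property interprets a bare key id versus a full ARN, and why a cross-account key has to be passed as its ARN. The KeyReference shape, the helper names parseKmsArn, effectiveKeyArn, chooseKmsKeyId and checkKeyReference, and the sample account ids and key id are assumptions constructed for the example.

```typescript
// Example code, not aws-cdk-lib: models KmsKeyId resolution for a key reference.

interface KeyReference {
  keyArn: string; // full ARN, e.g. arn:aws:kms:<region>:<account>:key/<uuid>
  keyId: string;  // bare key id, or (as in the workaround) the ARN again
}

interface ParsedKmsArn {
  partition: string;
  region: string;
  account: string;
  resourceType: string; // "key" or "alias"
  resourceId: string;
}

const KMS_ARN = /^arn:([^:]+):kms:([^:]+):(\d{12}):(key|alias)\/(.+)$/;

// Splits a KMS ARN into its parts; returns undefined for anything else (e.g. a bare key id).
function parseKmsArn(value: string): ParsedKmsArn | undefined {
  const m = KMS_ARN.exec(value);
  if (!m) return undefined;
  return { partition: m[1], region: m[2], account: m[3], resourceType: m[4], resourceId: m[5] };
}

// What a KmsKeyId value actually resolves to: an ARN is used as given, while a
// bare key id is looked up in the caller's own account and region. This is why
// passing only the key id of a cross-account key yields NotFoundException.
function effectiveKeyArn(kmsKeyId: string, callerAccount: string, callerRegion: string, partition = 'aws'): string {
  return parseKmsArn(kmsKeyId) ? kmsKeyId : `arn:${partition}:kms:${callerRegion}:${callerAccount}:key/${kmsKeyId}`;
}

interface EncryptionKeyChoice {
  kmsKeyId: string;      // value safe to forward as the service's KmsKeyId
  crossAccount: boolean; // true when the key lives outside the deploying account/region
}

// Picks the value to forward: the ARN whenever the key is not local to the
// deploying account and region, the bare id otherwise (the fix the issue proposes).
function chooseKmsKeyId(ref: KeyReference, deployAccount: string, deployRegion: string): EncryptionKeyChoice {
  const parsed = parseKmsArn(ref.keyArn);
  if (!parsed) throw new Error(`not a KMS key ARN: ${ref.keyArn}`);
  const crossAccount = parsed.account !== deployAccount || parsed.region !== deployRegion;
  return { kmsKeyId: crossAccount ? ref.keyArn : ref.keyId, crossAccount };
}

// Sanity check on a reference: keyId must name the same key as keyArn
// (either the ARN's resource id or, as in the workaround, the ARN itself).
function checkKeyReference(ref: KeyReference): string[] {
  const problems: string[] = [];
  const parsed = parseKmsArn(ref.keyArn);
  if (!parsed) return [`keyArn is not a KMS ARN: ${ref.keyArn}`];
  if (ref.keyId !== parsed.resourceId && ref.keyId !== ref.keyArn) {
    problems.push(`keyId ${ref.keyId} does not match the resource in ${ref.keyArn}`);
  }
  return problems;
}

// Constructed sample: key in account A (111111111111), deployment into account B (222222222222).
const REMOTE_KEY: KeyReference = {
  keyArn: 'arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555',
  keyId: '11111111-2222-3333-4444-555555555555',
};
const DEPLOY_ACCOUNT = '222222222222';
const DEPLOY_REGION = 'us-east-1';

console.log('bare id resolves to:', effectiveKeyArn(REMOTE_KEY.keyId, DEPLOY_ACCOUNT, DEPLOY_REGION));
console.log('value to forward:', chooseKmsKeyId(REMOTE_KEY, DEPLOY_ACCOUNT, DEPLOY_REGION));
```

Running it shows the bare id being resolved under account B, which is the key the error message in the issue says does not exist, while chooseKmsKeyId forwards the ARN for the cross-account case and the plain id when the key is local.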

Metadata

Assignees

No one assigned

    Labels

    @aws-cdk/aws-opensearch (Related to the @aws-cdk/aws-opensearchservice package)
    bug (This issue is a bug.)
    effort/medium (Medium work item – several days of effort)
    p2

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests