Description
In our project, we are doing migration of aws sdk v1 to v2 including dynamodb, where the issue is whenever we are trying to read existing data in tables, which are encrypted and signed using DynamoDBEncryptor from v1, the decryption fails. I even tried adding LegacyOverride with DynamoDBEncryptor for existing data, still it failes, there isn't any documentation for the same as well. Can you let us know the steps to fix this, I will be pasting the code snippet for the reference,
@slf4j
@Getter
public class DynamoDbEncryptionFactory {
private final DynamoDbEnhancedClient enhancedClient;
public DynamoDbEncryptionFactory(String kmsKeyId, Map<String, List<?>> tableSchemas, AwsService awsService) {
final MaterialProviders matProv = MaterialProviders.builder()
.MaterialProvidersConfig(MaterialProvidersConfig.builder().build())
.build();
final IKeyring kmsKeyring = matProv.CreateAwsKmsMrkMultiKeyring(
CreateAwsKmsMrkMultiKeyringInput.builder().generator(kmsKeyId).build()
);
// Tried to add legacy encryptor/decryptor but it doesn't work with the new SDK
final DirectKmsMaterialProvider cmp = new DirectKmsMaterialProvider(awsService.getV1KMSClient(), kmsKeyId);
final DynamoDBEncryptor encryptor = DynamoDBEncryptor.getInstance(cmp);
LegacyOverride legacyOverride = LegacyOverride.builder().policy(LegacyPolicy.FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT)
.encryptor(encryptor)
.attributeActionsOnEncrypt(Collections.emptyMap())
.build();
Map<String, DynamoDbEnhancedTableEncryptionConfig> tableConfigs = new HashMap<>();
for (Map.Entry<String, List<?>> entry : tableSchemas.entrySet()) {
DynamoDbEnhancedTableEncryptionConfig build = DynamoDbEnhancedTableEncryptionConfig.builder()
.logicalTableName(entry.getKey())
.keyring(kmsKeyring)
.schemaOnEncrypt((TableSchema<?>) entry.getValue().get(0))
.build();
if(!((Map)entry.getValue().get(2)).isEmpty()){
log.info("Adding legacy override for table {}", entry.getKey());
log.info("Legacy override: {}", entry.getValue().get(2));
legacyOverride = legacyOverride.toBuilder().attributeActionsOnEncrypt((Map<String, CryptoAction>) entry.getValue().get(2)).build();
build = build.toBuilder()
.legacyOverride(legacyOverride)
.build();
}
if(!((List) entry.getValue().get(1)).isEmpty()) {
build = build.toBuilder()
.allowedUnsignedAttributes((List<String>) entry.getValue().get(1))
.build();
}
tableConfigs.put(
entry.getKey(),
build
);
}
final DynamoDbEncryptionInterceptor encryptionInterceptor =
DynamoDbEnhancedClientEncryption.CreateDynamoDbEncryptionInterceptor(
CreateDynamoDbEncryptionInterceptorInput.builder()
.tableEncryptionConfigs(tableConfigs)
.build()
);
DynamoDbClient encryptedDynamoDbClient = DynamoDbClient.builder()
.region(Region.of(awsService.getRegion()))
.credentialsProvider(awsService.getAwsCredentialsProvider())
.overrideConfiguration(
ClientOverrideConfiguration.builder()
.addExecutionInterceptor(encryptionInterceptor)
.build()
)
.build();
this.enhancedClient = DynamoDbEnhancedClient.builder()
.dynamoDbClient(encryptedDynamoDbClient)
.build();
}
}
When the custom converted gets invoked, it's not able to parse the content ERROR registry.model.v3.MapBinaryAttributeConverter - Error converting binary to EventTypeConfig com.fasterxml.jackson.core.JsonParseException: Unexpected character ('�' (code 65533 / 0xfffd)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')u2028 at [Source: (String)"�(Lu2028�����Mo\u000C�!bf\u0019�\u0010���P.��jZf�\u001B�!y��A�\u000F)�Dc^>w��\u001C�Uy�Z�i�~E��[�c��\u001B���i�R�R��ύv���3��ZY�\u001BM"; line: 1, column: 2]u202