diff --git a/sources/integration/kms/find.go b/sources/integration/kms/find.go
index dfb21b29..7bf6c6f7 100644
--- a/sources/integration/kms/find.go
+++ b/sources/integration/kms/find.go
@@ -2,9 +2,11 @@ package kms
  import (
  "context"
+ "errors"
  "github.com/aws/aws-sdk-go-v2/service/kms"
  "github.com/aws/aws-sdk-go-v2/service/kms/types"
+ "github.com/aws/smithy-go"
  "github.com/overmindtech/aws-source/sources/integration"
  )
@@ -32,6 +34,12 @@ func findActiveKeyIDByTags(ctx context.Context, client *kms.Client, additionalAt
  tags, err := client.ListResourceTags(ctx, &kms.ListResourceTagsInput{
  KeyId: keyListEntry.KeyId,
  })
+ // There are some keys that even admins can't list the tags of. Not sure
+ // why but they seem to exist, we will ignore permissions errors here.
+ var awsErr *smithy.GenericAPIError
+ if errors.As(err, &awsErr) && awsErr.ErrorCode() == "AccessDeniedException" {
+ continue
+ }
  if err != nil {
  return nil, err
  }
diff --git a/sources/kms/key.go b/sources/kms/key.go
index cfa35dbc..22b6d14e 100644
--- a/sources/kms/key.go
+++ b/sources/kms/key.go
@@ -34,12 +34,14 @@ func getFunc(ctx context.Context, client kmsClient, scope string, input *kms.Des
  return nil, err
  }
- resourceTags, err := tags(ctx, client, *input.KeyId)
+ // Some keys can be accessed, but not their tags, even if you have full
+ // admin access. No clue how this is possible but seems to be an
+ // inconsistency in the AWS API. In this case, we will ignore the error and
+ // embed it in a tag so that you can see that they are missing
+ var resourceTags map[string]string
+ resourceTags, err = tags(ctx, client, *input.KeyId)
  if err != nil {
- return nil, &sdp.QueryError{
- ErrorType: sdp.QueryError_NOTFOUND,
- ErrorString: err.Error(),
- }
+ resourceTags = sources.HandleTagsError(ctx, err)
  }
  item := &sdp.Item{
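Review bot: The `errors.As` target in the find.go hunk is the concrete `*smithy.GenericAPIError`, which matches only the SDK's untyped fallback error, so the skip would stop applying if this failure is ever surfaced as a modeled error type. The interface form matches both cases: `var awsErr smithy.APIError`, with the `errors.As(err, &awsErr) && awsErr.ErrorCode() == "AccessDeniedException"` condition unchanged. The `continue` also drops the key without a trace, so a run cannot distinguish a key that lacked the wanted tags from one whose tags could not be read; logging the key ID before `continue` would make the skipped keys visible. The enclosing loop and the rest of findActiveKeyIDByTags lie outside the hunk.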
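Review bot: The `if err != nil` branch after `tags(ctx, client, *input.KeyId)` in key.go now absorbs every failure, although the comment above it describes only the case where tags cannot be read despite admin access. A cancelled context, throttling or a network fault would then produce an item that looks complete apart from a synthetic tag, and anything downstream that reads tags for ownership or classification sees an untagged key rather than a failed lookup. `sources.HandleTagsError` is not visible in this hunk, so it may already separate these cases; if it does not, restricting the fallback to the access-denied code keeps other failures visible: `var apiErr smithy.APIError` and `if !errors.As(err, &apiErr) || apiErr.ErrorCode() != "AccessDeniedException" { return nil, err }` (this needs `errors` and `github.com/aws/smithy-go` imported in key.go). If the raw error text is what goes into the tag value, it can carry the caller's ARN and account ID into item data, so a fixed marker value would be the safer thing to embed. getFunc starts and ends outside the hunk.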