This repository was archived by the owner on Mar 23, 2026. It is now read-only.

LocalStack KMS: CreateKey with KeySpec=ECC_NIST_EDWARDS25519 returns ValidationException #13886

@cppfuns

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Summary

CreateKey with KeySpec: ECC_NIST_EDWARDS25519 (Ed25519, used for signing) returns ValidationException stating that the value is not in the allowed enum. The error’s allowed list matches the legacy CustomerMasterKeySpec enum (which does not include Ed25519), while the API type KeySpec in LocalStack’s own definitions does include ECC_NIST_EDWARDS25519. This suggests the CreateKey validation is checking KeySpec against the wrong enum.

Environment

  • Service: KMS
  • Operation: CreateKey
  • Request: KeySpec: ECC_NIST_EDWARDS25519, KeyUsage: SIGN_VERIFY
  • LocalStack used as KMS backend (e.g. endpoint http://localstack:4566)

Expected behavior

  • CreateKey with KeySpec: ECC_NIST_EDWARDS25519 succeeds and returns key metadata, consistent with:

Actual behavior

The call fails with:

ValidationException: 1 validation error detected: Value 'ECC_NIST_EDWARDS25519' at 'keySpec' failed to satisfy constraint: Member must satisfy enum value set: [RSA_2048, ECC_NIST_P384, ECC_NIST_P256, ECC_NIST_P521, HMAC_384, RSA_3072, ECC_SECG_P256K1, RSA_4096, SYMMETRIC_DEFAULT, HMAC_256, HMAC_224, HMAC_512]

So the parameter name in the error is keySpec, but the allowed set is exactly the legacy CustomerMasterKeySpec enum (no ECC_NIST_EDWARDS25519), while:

  • In localstack/aws/api/kms/__init__.py:
    • KeySpec (used by CreateKey’s KeySpec field) includes ECC_NIST_EDWARDS25519.
    • CustomerMasterKeySpec does not include ECC_NIST_EDWARDS25519 and matches the list in the error.

Root cause hypothesis

The validation for the KeySpec request parameter is likely using the CustomerMasterKeySpec enum (or an allowlist derived from it) instead of the KeySpec enum. So the API type definition is correct, but the server-side validation is too strict and rejects ECC_NIST_EDWARDS25519.

Reproducer (conceptual)

Using AWS SDK for Go v2 (KMS client):

// Reproducer: kmsClient is an initialised *kms.Client pointed at the LocalStack endpoint.
// Imports: context, github.com/aws/aws-sdk-go-v2/aws,
//          github.com/aws/aws-sdk-go-v2/service/kms,
//          github.com/aws/aws-sdk-go-v2/service/kms/types
func createEd25519Key(ctx context.Context, kmsClient *kms.Client) (*kms.CreateKeyOutput, error) {
	// Against LocalStack, err is the ValidationException quoted above.
	return kmsClient.CreateKey(ctx, &kms.CreateKeyInput{
		KeySpec:     types.KeySpecEccNistEdwards25519, // Ed25519 signing key
		KeyUsage:    types.KeyUsageTypeSignVerify,
		Origin:      types.OriginTypeAwsKms,
		Description: aws.String("Ed25519 test key"),
	})
}

Same request against real AWS KMS succeeds.

Suggested fix

  • Ensure CreateKey’s validation for the KeySpec parameter uses the KeySpec enum (which includes ECC_NIST_EDWARDS25519), not CustomerMasterKeySpec.
  • If there is a shared validator or allowlist for “supported key specs,” update it so that KeySpec and CreateKey accept all values defined on KeySpec, including ECC_NIST_EDWARDS25519.

References

operation error KMS: CreateKey, https response error StatusCode: 400, RequestID: cc486809-451d-4e9a-93f0-ad8f7dc96ce3, api error ValidationException: 1 validation error detected: Value 'ECC_NIST_EDWARDS25519' at 'keySpec' failed to satisfy constraint: Member must satisfy enum value set: [RSA_2048, ECC_NIST_P384, ECC_NIST_P256,
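As an added example (not part of the issue report and not LocalStack's own code), the Go program below parses the ValidationException message quoted above and classifies the rejection: a client-side mistake (the value is not a KeySpec at all) versus the server-side mismatch the issue describes (a valid KeySpec rejected because the reported allowed set is exactly the legacy CustomerMasterKeySpec list). The enum contents are assumed from the issue text: the legacy set is the allowed list in the error, and KeySpec is that set plus ECC_NIST_EDWARDS25519; the real KeySpec enum has more values, which are omitted here. The sample message is constructed from the error in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample input: the ValidationException message quoted in the issue.
const SampleMessage = "1 validation error detected: Value 'ECC_NIST_EDWARDS25519' at 'keySpec' failed to satisfy constraint: Member must satisfy enum value set: [RSA_2048, ECC_NIST_P384, ECC_NIST_P256, ECC_NIST_P521, HMAC_384, RSA_3072, ECC_SECG_P256K1, RSA_4096, SYMMETRIC_DEFAULT, HMAC_256, HMAC_224, HMAC_512]"

// Assumed enum contents taken from the issue text: the legacy CustomerMasterKeySpec
// set equals the allowed list in the error, and KeySpec adds ECC_NIST_EDWARDS25519.
// (The real KeySpec enum has grown further; only values relevant here are listed.)
var CustomerMasterKeySpecValues = []string{
	"RSA_2048", "RSA_3072", "RSA_4096",
	"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1",
	"SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512",
}
var KeySpecValues = append(append([]string{}, CustomerMasterKeySpecValues...), "ECC_NIST_EDWARDS25519")

// EnumValidationError is the structured form of an AWS-style enum rejection.
type EnumValidationError struct {
	Value   string   // the rejected value
	Param   string   // request field name as the server reports it, e.g. keySpec
	Allowed []string // enum set the server says it validated against
}

var enumErrRe = regexp.MustCompile(`Value '([^']+)' at '([^']+)' failed to satisfy constraint: Member must satisfy enum value set: \[([^\]]*)\]`)

// ParseEnumValidationError extracts value, field and allowed set from the message.
func ParseEnumValidationError(msg string) (*EnumValidationError, bool) {
	m := enumErrRe.FindStringSubmatch(msg)
	if m == nil {
		return nil, false
	}
	e := &EnumValidationError{Value: m[1], Param: m[2]}
	for _, v := range strings.Split(m[3], ",") {
		if v = strings.TrimSpace(v); v != "" {
			e.Allowed = append(e.Allowed, v)
		}
	}
	return e, true
}

// sameSet compares two value lists ignoring order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	sa, sb := append([]string{}, a...), append([]string{}, b...)
	sort.Strings(sa)
	sort.Strings(sb)
	for i := range sa {
		if sa[i] != sb[i] {
			return false
		}
	}
	return true
}

func isKeySpec(v string) bool {
	for _, k := range KeySpecValues {
		if k == v {
			return true
		}
	}
	return false
}

// MissingFromAllowed lists KeySpec values absent from the server's reported set.
func MissingFromAllowed(allowed []string) []string {
	seen := make(map[string]bool, len(allowed))
	for _, v := range allowed {
		seen[v] = true
	}
	var missing []string
	for _, v := range KeySpecValues {
		if !seen[v] {
			missing = append(missing, v)
		}
	}
	return missing
}

// Diagnosis outcomes returned by DiagnoseKeySpecRejection.
const (
	DiagNotEnumError = "not a keySpec enum validation error"
	DiagUnknownSpec  = "rejected value is not a KeySpec value; client-side mistake"
	DiagLegacyEnum   = "valid KeySpec rejected; server validated against legacy CustomerMasterKeySpec set"
	DiagOtherSet     = "valid KeySpec rejected; server allowed set matches neither enum"
)

// DiagnoseKeySpecRejection tells the caller whether a CreateKey enum error is
// their own mistake or the server-side enum mismatch described in the issue.
func DiagnoseKeySpecRejection(msg string) string {
	e, ok := ParseEnumValidationError(msg)
	if !ok || e.Param != "keySpec" {
		return DiagNotEnumError
	}
	if !isKeySpec(e.Value) {
		return DiagUnknownSpec
	}
	if sameSet(e.Allowed, CustomerMasterKeySpecValues) {
		return DiagLegacyEnum
	}
	return DiagOtherSet
}

func main() {
	fmt.Println(DiagnoseKeySpecRejection(SampleMessage))
	if e, ok := ParseEnumValidationError(SampleMessage); ok {
		fmt.Println("KeySpec values missing from the server's set:", MissingFromAllowed(e.Allowed))
	}
}
```

The parser keys on the fixed phrasing of the enum constraint message, so it works for any field, not only keySpec; the diagnosis step then narrows to the case in this issue. Comparing the reported allowed set against the legacy list as a whole (rather than only checking for the one missing value) is what distinguishes "LocalStack validates against the wrong enum" from "LocalStack supports a different subset for some other reason".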
