Skip to content
CloudMock

KMS

Overview

Section titled “Overview”

CloudMock emulates AWS KMS, supporting symmetric key management, simulated encrypt/decrypt operations, key aliases, and key lifecycle (enable, disable, schedule deletion).

Supported Operations

Section titled “Supported Operations”
OperationStatusNotes
CreateKeySupportedCreates a symmetric CMK and returns its key ID and ARN
DescribeKeySupportedReturns key metadata
ListKeysSupportedReturns all key IDs and ARNs
EncryptSupportedEncrypts plaintext using a CMK; returns base64 ciphertext
DecryptSupportedDecrypts ciphertext; returns plaintext
CreateAliasSupportedAssociates a friendly name with a key
ListAliasesSupportedReturns all aliases
EnableKeySupportedSets key state to Enabled
DisableKeySupportedSets key state to Disabled
ScheduleKeyDeletionSupportedMarks a key for deletion after a waiting period

Quick Start

Section titled “Quick Start”

curl

Section titled “curl”
Terminal window
# Create a key
curl -X POST http://localhost:4566 \
  -H "X-Amz-Target: TrentService.CreateKey" \
  -H "Content-Type: application/x-amz-json-1.1" \
  -d '{"Description": "My test key"}'


# Encrypt
curl -X POST http://localhost:4566 \
  -H "X-Amz-Target: TrentService.Encrypt" \
  -H "Content-Type: application/x-amz-json-1.1" \
  -d '{"KeyId": "<key-id>", "Plaintext": "SGVsbG8sIEtNUw=="}'

Node.js

Section titled “Node.js”
import { KMSClient, CreateKeyCommand, EncryptCommand, DecryptCommand } from '@aws-sdk/client-kms';


const kms = new KMSClient({
  endpoint: 'http://localhost:4566',
  region: 'us-east-1',
  credentials: { accessKeyId: 'test', secretAccessKey: 'test' },
});


const key = await kms.send(new CreateKeyCommand({ Description: 'test key' }));
const keyId = key.KeyMetadata!.KeyId!;


const enc = await kms.send(new EncryptCommand({
  KeyId: keyId, Plaintext: Buffer.from('secret value'),
}));


const dec = await kms.send(new DecryptCommand({
  CiphertextBlob: enc.CiphertextBlob!,
}));
console.log(Buffer.from(dec.Plaintext!).toString()); // secret value

Python

Section titled “Python”
import boto3


kms = boto3.client('kms', endpoint_url='http://localhost:4566',
                   aws_access_key_id='test', aws_secret_access_key='test',
                   region_name='us-east-1')


key = kms.create_key(Description='test key')
key_id = key['KeyMetadata']['KeyId']


enc = kms.encrypt(KeyId=key_id, Plaintext=b'secret value')
ciphertext = enc['CiphertextBlob']


dec = kms.decrypt(CiphertextBlob=ciphertext)
print(dec['Plaintext'])  # b'secret value'

Configuration

Section titled “Configuration”
cloudmock.yml
services:
  kms:
    enabled: true

No additional service-specific configuration is required.

Known Differences from AWS

Section titled “Known Differences from AWS”
  • Encryption is simulated: ciphertext is an encoded form of the plaintext that can be round-tripped through Decrypt. It is not cryptographically secure.
  • Key rotation and asymmetric key operations are not implemented.
  • Envelope encryption patterns (GenerateDataKey, GenerateDataKeyWithoutPlaintext) are not implemented.
  • Grants and key policies are not implemented.
  • Multi-region keys are not implemented.

Error Codes

Section titled “Error Codes”
CodeHTTP StatusDescription
NotFoundException400The specified key does not exist
DisabledException400The key is disabled
InvalidCiphertextException400The ciphertext is not valid
KMSInvalidStateException400The key is in an invalid state for this operation
AlreadyExistsException400An alias with this name already exists