Troubleshooting Guide: Resolving ‘Amazon MSK Doesn’t Support Secrets with Key Aliases’ Error

Morné Snyman
2 min read · Aug 30, 2023


Introduction

If you have encountered this error message when associating an AWS Secrets Manager secret with an Amazon MSK cluster for SASL/SCRAM user authentication, you may have noticed that the message is misleading.

The error actually refers to the KMS key the secret is encrypted with, not to the secret itself: the secret was created with the KMS key referenced by its alias rather than by its KeyId.

To resolve this, the secret in AWS Secrets Manager that the MSK cluster will use must be encrypted with a KMS key that has no alias, referenced by its KeyId.

Follow these steps to create a new KMS key without an alias, then create a new secret and encrypt it using that key's KeyId.

Step 1

The AWS CLI must be used to create a KMS key without an alias (the console flow always attaches one).

aws kms create-key --region eu-west-1 --description "KMS key without alias" --no-bypass-policy-lockout-safety-check

The command returns the new key's metadata. Take note of the KeyId: this is the value you will reference when choosing the encryption key for the secret in AWS Secrets Manager.

Step 2

Create a new secret and, when choosing which key encrypts it, select the KMS key by the KeyId from Step 1 rather than by an alias.

Click Next to configure and create the new secret.
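The same two steps scripted end to end with the AWS CLI, followed by the association with the MSK cluster. This is an added example, not the author's script: it assumes AWS CLI v2 with configured credentials, and CLUSTER_ARN, the secret name and the Kafka username are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS CLI v2 and credentials;
# CLUSTER_ARN below is a placeholder. RUN_AWS=1 performs the calls.
set -eu

REGION="${REGION:-eu-west-1}"
CLUSTER_ARN="${CLUSTER_ARN:-arn:aws:kafka:eu-west-1:123456789012:cluster/PLACEHOLDER/uuid}"
SECRET_NAME="${SECRET_NAME:-AmazonMSK_example_user}"   # MSK requires the AmazonMSK_ prefix
KAFKA_USER="${KAFKA_USER:-example_user}"

# Returns 0 when a KMS reference is an alias name or alias ARN (the form MSK
# rejects), 1 when it is a bare KeyId or a key ARN.
is_alias_reference() {
  case "$1" in
    alias/*|*:alias/*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  # Step 1: create a key with no alias and keep only its KeyId.
  KEY_ID=$(aws kms create-key --region "$REGION" --description "KMS key without alias" \
    --no-bypass-policy-lockout-safety-check --query 'KeyMetadata.KeyId' --output text)

  # Step 2: create the secret, referencing the key by KeyId (never by alias).
  PASSWORD=$(aws secretsmanager get-random-password --region "$REGION" \
    --password-length 32 --query RandomPassword --output text)
  SECRET_ARN=$(aws secretsmanager create-secret --region "$REGION" --name "$SECRET_NAME" \
    --kms-key-id "$KEY_ID" \
    --secret-string "{\"username\":\"$KAFKA_USER\",\"password\":\"$PASSWORD\"}" \
    --query ARN --output text)

  # Guard: confirm the stored KMS reference is not an alias before associating.
  KMS_REF=$(aws secretsmanager describe-secret --region "$REGION" --secret-id "$SECRET_ARN" \
    --query KmsKeyId --output text)
  if is_alias_reference "$KMS_REF"; then
    echo "secret $SECRET_ARN is encrypted with an alias reference: $KMS_REF" >&2; exit 1
  fi

  # Associate the secret with the cluster for SASL/SCRAM authentication.
  aws kafka batch-associate-scram-secret --region "$REGION" \
    --cluster-arn "$CLUSTER_ARN" --secret-arn-list "$SECRET_ARN"
}

if [ "${RUN_AWS:-0}" = "1" ]; then main; fi
```

The guard is also a quick way to check an existing secret: run describe-secret on it and pass the KmsKeyId to is_alias_reference before retrying the association.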

Conclusion

The error should now be resolved, and the secret can be associated with the MSK cluster for user authentication.


Morné Snyman

Enthusiastic DevOps Engineer with 6+ years of cloud and DevOps engineering experience in multiple industries such as insurance, retail and fintech.