I think I've encountered a bug where the key actually required to decrypt a secret is different to the one describe-secret reports.
For example, the command to decrypt should never be reporting issues with any key other than the one listed in describe-secret:
[centos@ip-10-1-131-183 ~]$ aws secretsmanager describe-secret --secret-id "/firehawk/resourcetier/dev/file_deadline_cert"
{
    "ARN": "arn:aws:secretsmanager:ap-southeast-2:972620357255:secret:/firehawk/resourcetier/dev/file_deadline_cert-T11A1O",
    "Name": "/firehawk/resourcetier/dev/file_deadline_cert",
    "KmsKeyId": "f7319b61-e3db-4fbe-9550-ce682f09e3c3",
    "LastChangedDate": "2023-12-19T04:45:10.685000+00:00",
    "LastAccessedDate": "2023-12-26T00:00:00+00:00",
    "Tags": [
        {
            "Key": "accountid",
            "Value": "972620357255"
        },
        {
            "Key": "environment",
            "Value": "dev"
        },
        {
            "Key": "resourcetier",
            "Value": "dev"
        },
        {
            "Key": "terraform",
            "Value": "true"
        },
        {
            "Key": "region",
            "Value": "ap-southeast-2"
        },
        {
            "Key": "conflictkey",
            "Value": "dev0"
        },
        {
            "Key": "pipelineid",
            "Value": "0"
        }
    ],
    "VersionIdsToStages": {
        "687073d3-ef42-45fe-9e99-674297c22969": [
            "AWSPREVIOUS"
        ],
        "bb48135b-9b2b-40f9-8568-207ffe269577": [
            "AWSCURRENT"
        ]
    },
    "CreatedDate": "2022-05-09T05:40:20.975000+00:00"
}
[centos@ip-10-1-131-183 ~]$ aws secretsmanager get-secret-value --secret-id "/firehawk/resourcetier/dev/file_deadline_cert"
An error occurred (DecryptionFailure) when calling the GetSecretValue operation: Secrets Manager can't decrypt the secret value: arn:aws:kms:ap-southeast-2:972620357255:key/e2a2662c-57f1-4236-8d86-e58bd982a115 is disabled. (Service: AWSKMS; Status Code:400; Error Code: DisabledException; Request ID: 05402fbe-cc71-478c-a284-63c9403328d7; Proxy: null)
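An added example, not part of the original post: a small Python check that compares the KmsKeyId from describe-secret output with the key ARN named in a DecryptionFailure message, so the mismatch shown above can be flagged automatically. The function names are hypothetical, and the two sample inputs are trimmed from the output above.

```python
import json
import re

# KMS key ARN as it appears inside a Secrets Manager DecryptionFailure message.
KEY_ARN_RE = re.compile(r"arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/([0-9a-f-]{36})")

# Sample inputs trimmed from the session in the post above.
SAMPLE_DESCRIBE = json.dumps({
    "Name": "/firehawk/resourcetier/dev/file_deadline_cert",
    "KmsKeyId": "f7319b61-e3db-4fbe-9550-ce682f09e3c3",
})
SAMPLE_ERROR = (
    "An error occurred (DecryptionFailure) when calling the GetSecretValue "
    "operation: Secrets Manager can't decrypt the secret value: "
    "arn:aws:kms:ap-southeast-2:972620357255:key/"
    "e2a2662c-57f1-4236-8d86-e58bd982a115 is disabled."
)

def configured_key(describe_json):
    """Return (kind, value) for the KmsKeyId field of describe-secret output."""
    kms = json.loads(describe_json).get("KmsKeyId")
    if kms is None:
        # Field is omitted when the AWS managed key aws/secretsmanager is used.
        return ("default", None)
    if "alias/" in kms:
        # An alias cannot be compared to a key ID without resolving it in KMS.
        return ("alias", kms)
    # Accept either a bare key ID or a full key ARN.
    return ("key", kms.rsplit("/", 1)[-1].lower())

def compare_keys(describe_json, error_text):
    """Compare the key describe-secret reports with the key the error names."""
    match = KEY_ARN_RE.search(error_text)
    if match is None:
        return {"status": "no-key-in-error", "configured": None, "failing": None}
    failing = match.group(1).lower()
    kind, value = configured_key(describe_json)
    if kind != "key":
        return {"status": "unresolved", "configured": value, "failing": failing}
    status = "match" if value == failing else "mismatch"
    return {"status": status, "configured": value, "failing": failing}

if __name__ == "__main__":
    print(compare_keys(SAMPLE_DESCRIBE, SAMPLE_ERROR))
```

An "unresolved" result means the secret uses an alias or the default key, which has to be resolved with `aws kms describe-key` before the two can be compared.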