How to properly use KMS in Step Functions?


I'm working on SAML identification workflows in Step Functions where SAML messages have to be signed and the returned Assertion is also encrypted. I will use KMS to store two different asymmetric keys (one for sign/verify and the other for encrypt/decrypt) and tried to use, for example, 'kms:Sign' and 'kms:Decrypt' from SF through SDK integrations, meaning task ARNs 'arn:aws:states:::aws-sdk:kms:sign' and 'arn:aws:states:::aws-sdk:kms:decrypt', but can only retrieve binary data in the responses, which is not Base64-encoded.

That's correct based on the documentation: "When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded." Can I somehow always return a Base64-encoded response, or use the binary response in the context of SF JSON payloads? I can't figure out either. Am I correct that SF can't decode/encode Base64? I also tried proxying through API Gateway (which will use the HTTP API, as I think), but KMS always responds with 400 because CiphertextBlob can't be null. It isn't null; the value is properly visible in the step "request body payload after transformations", and I also can't figure out what prevents calling KMS through API Gateway.

If I use Lambda to decode Base64 from the request body, call the KMS operation and encode Base64 in the response body, all works nicely. Except that including the SDK in the Lambda code increases total latency by multiple hundreds of milliseconds, because cold starts are much slower with the SDK imported. Can I somehow avoid the overhead coming from Lambda and use KMS straight from SF or through API Gateway?
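As an added example that is not part of the original post or of any answer: the Lambda shim the question describes, written so that the JSON side (Step Functions) only ever sees Base64 strings while the KMS side only ever sees raw bytes. The event shape (`operation`, `keyId`, `algorithm`, `payload`, `messageType`) and the `result` field are assumptions for illustration, not an AWS convention. The KMS client is created once per execution environment and `boto3` is imported lazily, so the bytes/Base64 handling can be tested offline with a fake client; the KMS method names and parameters (`decrypt`/`CiphertextBlob`/`Plaintext`, `encrypt`/`Plaintext`/`CiphertextBlob`, `sign`/`Message`/`Signature`, `MessageType`) are the real boto3 ones.

```python
"""Lambda shim between Step Functions JSON payloads and KMS binary fields.

Added example, not code from the original post. Assumed event shape
(hypothetical, chosen for this example):
  {"operation": "decrypt" | "encrypt" | "sign",
   "keyId": "<key id, ARN or alias>",
   "algorithm": "<EncryptionAlgorithm or SigningAlgorithm>",
   "payload": "<Base64>",
   "messageType": "RAW" | "DIGEST"   # sign only, optional}
Response: {"result": "<Base64>"}
"""
import base64
import binascii
from typing import Any, Dict, Optional

# operation -> (boto3 method, request field that carries bytes,
#               response field that carries bytes, algorithm parameter name)
_OPERATIONS = {
    "decrypt": ("decrypt", "CiphertextBlob", "Plaintext", "EncryptionAlgorithm"),
    "encrypt": ("encrypt", "Plaintext", "CiphertextBlob", "EncryptionAlgorithm"),
    "sign": ("sign", "Message", "Signature", "SigningAlgorithm"),
}

_client = None  # created once per execution environment; warm invocations reuse it


def _kms():
    """Return the module-level KMS client, importing boto3 only when first needed."""
    global _client
    if _client is None:
        import boto3  # lazy import: tests can inject a fake client and never load the SDK
        _client = boto3.client("kms")
    return _client


def b64_to_bytes(value: str) -> bytes:
    """Strict Base64 decode: rejects non-alphabet characters and bad padding
    instead of silently producing a truncated blob that KMS would then reject."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"payload is not valid Base64: {exc}") from exc


def bytes_to_b64(value: bytes) -> str:
    """Encode raw KMS output so it can travel inside a Step Functions JSON state."""
    return base64.b64encode(value).decode("ascii")


def handler(event: Dict[str, Any], context: Any = None,
            kms_client: Optional[Any] = None) -> Dict[str, str]:
    """Decode the Base64 input, call the requested KMS operation with raw bytes,
    and return the binary result re-encoded as Base64."""
    op = event.get("operation")
    if op not in _OPERATIONS:
        raise ValueError(f"unsupported operation: {op!r}")
    for required in ("keyId", "algorithm", "payload"):
        if required not in event:
            raise ValueError(f"event is missing required field {required!r}")

    method, in_field, out_field, algo_field = _OPERATIONS[op]
    request = {
        "KeyId": event["keyId"],
        in_field: b64_to_bytes(event["payload"]),  # KMS expects raw bytes here
        algo_field: event["algorithm"],
    }
    if op == "sign":
        # KMS signs either the raw message or a caller-supplied digest.
        request["MessageType"] = event.get("messageType", "RAW")

    client = kms_client if kms_client is not None else _kms()
    response = getattr(client, method)(**request)
    return {"result": bytes_to_b64(response[out_field])}
```

Because the shim only touches the fields that carry bytes, the same handler serves both the decrypt step (encrypted Assertion in, plaintext out) and the sign step (SAML message in, signature out); the state machine selects which by the `operation` field. Keeping the client at module scope means the SDK import and client construction are paid once per cold start rather than on every invocation.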
