CloudQuery AWS source plugin KMS keys sync issues with readonly role

Hi, did something change in the logic of how KMS keys are synced in the aws_source plugin? I have a readonly role attached to CloudQuery, and it seems to fail to pick up KMS keys when it has no permission to describe the key from a key policy perspective.

If I’m not mistaken, in previous versions, those keys were added, albeit with a lot of empty fields. Has this been changed? I would still like to gain the information that is possible on the keys (e.g. key_id and arn).

Hi! What version of the AWS plugin are you using now, and which one were you using before? I don’t see a mention of changes to KMS keys in the changelog from a quick search, but if we know the versions involved, we can take a closer look.

Hi Herman,

Currently, I am making use of version 23.2.0. Before that, I was using version 22.15.0, where the old keys were reported, if I’m not mistaken.

I have a different question: I see that for some services, the AWS API gives a 400 error because of rate limiting. Would you like me to open a GitHub issue for that?

Nice, thanks, we’ll take a look. About the rate limiting errors: yes, opening a GitHub issue would be great. If you can, also please include a redacted version of the config you are using.

Some rate limiting errors are expected here and there, but it should back off and retry until success. If that’s not the case, then an issue is warranted. You can also reduce the concurrency if you would rather have the sync go a bit slower but not hit rate limits.

By the way, we made some improvements to the rate limiting in AWS v23.3.1; could you try that version or later and see if it helps?
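The thread ends with two suggestions: lower the concurrency, and rely on the plugin's backoff and retry. As an added example that is not part of the original thread, the source config below shows a default-style spec next to one tuned for a rate-limited, readonly account. The `concurrency` key at the spec level, the `max_retries` and `max_backoff` keys inside the AWS plugin spec, the `postgresql` destination name and the pinned version are assumptions about the CloudQuery source spec and the AWS plugin spec of that era; check them against the plugin docs for the version you actually run. Restricting `tables` to `aws_kms_keys` keeps the sync small while you verify whether keys the role cannot `kms:DescribeKey` still show up with `key_id` and `arn` populated, which is the first question in the thread.

```yaml
# Added example, not from the original thread. Key names are assumptions
# about the CloudQuery source spec / AWS plugin spec; verify against the docs.

# --- Before: defaults, many parallel API calls, fast but prone to 400 throttling
kind: source
spec:
  name: aws
  path: cloudquery/aws
  version: "v23.2.0"          # version from the thread where the user saw throttling
  tables: ["aws_kms_keys"]
  destinations: ["postgresql"]
  # concurrency not set: plugin default (very high) applies
  spec: {}                    # no retry tuning; plugin defaults apply

---
# --- After: upgraded to the release with rate-limit improvements, fewer
#     parallel requests, and more patient backoff on throttled calls
kind: source
spec:
  name: aws
  path: cloudquery/aws
  version: "v23.3.1"          # release mentioned in the thread as improving rate limiting
  tables: ["aws_kms_keys"]    # start narrow: isolate the KMS behaviour first
  destinations: ["postgresql"]
  concurrency: 500            # assumption: spec-level cap on parallel table/resource fetches
  spec:
    regions: ["us-east-1"]    # assumption: limit regions while diagnosing
    max_retries: 15           # assumption: retries per throttled AWS API call
    max_backoff: 60           # assumption: max seconds to wait between retries
```

Run the "after" spec first with only `aws_kms_keys` and compare the row count against `aws kms list-keys` for the same account and region; any key present in `list-keys` but missing from the table is one the readonly role could list but not describe, which pins the missing permission on the key policy rather than on the sync.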