KMS: return NotImplementedError for rotation of imported keys (#12932)

sannya-singal · web-flow · commit dfad92bae791 · 2025-07-30T17:16:21.000+05:30
diff --git a/localstack-core/localstack/services/kms/provider.py b/localstack-core/localstack/services/kms/provider.py
@@ -1408,9 +1408,7 @@ def rotate_key_on_demand(
         if key.metadata["KeySpec"] != KeySpec.SYMMETRIC_DEFAULT:
             raise UnsupportedOperationException()
         if key.metadata["Origin"] == OriginType.EXTERNAL:
-            raise UnsupportedOperationException(
-                f"{key.metadata['Arn']} origin is EXTERNAL which is not valid for this operation."
-            )
+            raise NotImplementedError("Rotation of imported keys is not supported yet.")
 
         key.rotate_key_on_demand()
 
diff --git a/tests/aws/services/kms/test_kms.py b/tests/aws/services/kms/test_kms.py
@@ -138,6 +138,21 @@ def test_create_key(
         assert f":{region_name}:" in response["Arn"]
         assert f":{account_id}:" in response["Arn"]
 
+    @markers.aws.only_localstack
+    def test_unsupported_rotate_key_on_demand_with_imported_key_material(
+        self, kms_create_key, aws_client, snapshot
+    ):
+        key_id = kms_create_key(Origin="EXTERNAL")["KeyId"]
+
+        with pytest.raises(ClientError) as e:
+            aws_client.kms.rotate_key_on_demand(KeyId=key_id)
+
+        assert e.value.response["ResponseMetadata"]["HTTPStatusCode"] == 501
+        assert (
+            e.value.response["Error"]["Message"]
+            == "Rotation of imported keys is not supported yet."
+        )
+
     @markers.aws.validated
     def test_tag_existing_key_and_untag(
         self, kms_client_for_region, kms_create_key, snapshot, region_name
@@ -1459,6 +1474,9 @@ def test_rotate_key_on_demand_raises_error_given_non_symmetric_key(
         snapshot.match("error-response", e.value.response)
 
     @markers.aws.validated
+    @pytest.mark.skip(
+        reason="This needs to be fixed as AWS introduced support for on demand rotation of imported keys."
+    )
     def test_rotate_key_on_demand_raises_error_given_key_with_imported_key_material(
         self, kms_create_key, aws_client, snapshot
     ):
