Terraform, AWS Access Keys and Keybase

resource "aws_iam_access_key" "example_key" {
  user    = aws_iam_user.example.name
  pgp_key = "keybase:yaleman"
}

│ Error: Error retrieving Public Key for keybase:yaleman: unable to fetch keys for user(s) "yaleman" from keybase
│ 
│   with aws_iam_access_key.example_key,
│   on example.tf line 26, in resource "aws_iam_access_key" "example_key":
│   26: resource "aws_iam_access_key" "example_key" {
│ 

➜ keybase pgp list
Keybase Key ID:  010...340a
PGP Fingerprint: e1...7
PGP Identities:
   James Hodgkinson <james@...>

➜ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
<snip>
Please select what kind of key you want:
   (1) RSA and RSA (default)
   <snip>
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
Key is valid for? (0) 10y
Key expires at Tue 22 Jun 2032 10:28:31 AM AEST
Is this correct? (y/N) y
<snip>
Real name: James Hodgkinson
E-mail address: james@terminaloutcomes.com
Comment: Keybase
You selected this USER-ID:
    "James Hodgkinson (Keybase) <james@terminaloutcomes.com>"

Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
<snip>
gpg: key E281370A6DB472BE marked as ultimately trusted
<snip>
public and secret key created and signed.

pub   rsa3072 2022-06-25 [SC] [expires: 2032-06-22]
      <snip>
uid                      James Hodgkinson (Keybase) <james@terminaloutcomes.com>
sub   rsa3072 2022-06-25 [E] [expires: 2032-06-22]

➜ keybase pgp select
You are selecting a PGP key from your local GnuPG keychain, and will publish a statement signed with this key to make it part of your Keybase.io identity.

Note that GnuPG will prompt you to perform this signature.

You can also import the secret key to *local*, *encrypted* Keybase keyring, enabling decryption and signing with the Keybase client.
To do that, use "--import" flag.

Learn more: keybase pgp help select

▶ ERROR You already have a PGP key registered (<snip>)
Specify the `--multi` flag to override this check

➜ keybase pgp select --multi
You are selecting a PGP key from your local GnuPG keychain, and will publish a statement signed with this key to make it part of your Keybase.io identity.

Note that GnuPG will prompt you to perform this signature.

You can also import the secret key to *local*, *encrypted* Keybase keyring, enabling decryption and signing with the Keybase client.
To do that, use "--import" flag.

Learn more: keybase pgp help select

#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    3072R   E281370A6DB472BE             James Hodgkinson <james@terminaloutcomes.com>
Choose a key: 1
▶ INFO Generated new PGP key:
▶ INFO   user: James Hodgkinson (Keybase) <james@terminaloutcomes.com>
▶ INFO   3072-bit RSA key, ID E281370A6DB472BE, created 2022-06-25

output "example_key_access_key" {
  value = aws_iam_access_key.example_key.encrypted_secret
}

terraform output -raw example_key_access_key | \
    base64 --decode | \
    keybase pgp decrypt

▶ ERROR decrypt error: unable to find a PGP decryption key for this message

➜ keybase pgp select --multi --import
You are selecting a PGP key to publish in your profile, and
importing secret key to *local*, *encrypted* Keybase keyring.
<snip>

#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    3072R   E281370A6DB472BE             James Hodgkinson <james@terminaloutcomes.com>
Choose a key: 1
You've already selected this public key for use on Keybase. Would you like to update it on Keybase? [Y/n] y
▶ INFO Posting update for key <snip.
▶ INFO Key was already up to date.
Do you want to import secret half of this key to local Keybase keyring? [Y/n] y
▶ INFO Key <snip> already exists. Only importing the private key.

➜ terraform output -raw example_key_access_key | \
	base64 -d | \
	keybase pgp decrypt                 
<snip> :D