AwsKmsCryptographicMaterialsProvider - __attrs_post_init__ overrides custom regional clients #124

@Szasza

Hi Team,

I would like to report an issue regarding the regional client injection into the AwsKmsCryptographicMaterialsProvider.

Package version used: v1.1.1

Anything unusual about your environment or deployment: The environment is a local development environment; docker-compose is used with two services: a python:3.7.4-buster container for running the Python code, and an nsmithuk/local-kms container for a local KMS mock.

Bug reproduction steps:

  1. Set up a local KMS mock container. You can use it either as a docker-compose service or as a standalone container. REGION is to be set to us-west-2.

  2. Set up a key in the local mock container as per the usage notes using the following YAML:

     Keys:
       - Metadata:
           KeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
         BackingKeys:
           - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9

     Aliases:
       - AliasName: alias/testing
         TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536dc

  3. Create a small piece of code which does, for example, an item insert using EncryptedTable, with the following configuration:

     import boto3
     from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider

     aws_cmk_id = 'arn:aws:kms:us-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc'
     # KMS client pointed at the local mock instead of AWS
     client = boto3.session.Session().client('kms', region_name='us-west-2', endpoint_url='http://kms-service:8080')
     # Inject that client for us-west-2 so the provider uses it rather than building its own
     aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id, regional_clients={'us-west-2': client})

     Please feel free to replace http://kms-service:8080 with the appropriate URL based on your local environment.

  4. After the above, a call to the EncryptedTable helper should use the client which was created in step 3, but that's not the case: the AwsKmsCryptographicMaterialsProvider's _regional_clients attribute is empty, and it falls back to the base KMS client and tries to reach out to AWS.

I was able to mitigate the issue by deleting lines 218-220 from material_providers/aws_kms.py's __attrs_post_init__ function:

self._regional_clients = (
    {}
)  # type: Dict[Text, botocore.client.BaseClient]  # noqa pylint: disable=attribute-defined-outside-init

but I am unsure if this is the correct solution.

Any help regarding the above is much appreciated.
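Added example (editor's illustration, not code from the issue or from the dynamodb-encryption-sdk): a dependency-free model of the behaviour reported above. attrs populates a private attribute such as `_regional_clients` from the `regional_clients=` keyword and then runs the post-init hook; if that hook unconditionally re-initialises the attribute, the injected client is discarded and the provider builds a default client aimed at real AWS. `FakeKmsClient`, `_ProviderBase`, `BuggyProvider`, `FixedProvider`, `default_client_for` and `reproduce` are all constructed names for this example; the "fixed" variant only shows one plausible behaviour (keep and validate the injected mapping) and is not the library's actual fix.

```python
"""Model of the reported behaviour: a post-init hook that re-initialises the
private client cache throws away the clients injected via ``regional_clients``.

Constructed stand-in: no attrs, boto3 or the real provider are used, and every
class and function name here is an assumption for illustration only.
"""
from typing import Dict, Optional

# Key ARN from the report (the account id is an AWS documentation placeholder).
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc"


class FakeKmsClient:
    """Stand-in for a boto3 KMS client; only records where it would send requests."""

    def __init__(self, region: str, endpoint_url: str) -> None:
        self.region = region
        self.endpoint_url = endpoint_url


def default_client_for(region: str) -> FakeKmsClient:
    """Models the fallback path: a client from the default session, pointed at real AWS."""
    return FakeKmsClient(region, "https://kms.%s.amazonaws.com" % region)


class _ProviderBase:
    """Mirrors the attrs convention: the private attribute ``_regional_clients`` is
    filled from the ``regional_clients=`` keyword, then a post-init hook runs."""

    def __init__(self, key_id: str,
                 regional_clients: Optional[Dict[str, FakeKmsClient]] = None) -> None:
        self.key_id = key_id
        # Copy so later lazy additions do not mutate the caller's dict.
        self._regional_clients = dict(regional_clients or {})
        self._post_init()

    def _post_init(self) -> None:
        raise NotImplementedError

    def client(self, region: str) -> FakeKmsClient:
        """Return the client for ``region``; on a cache miss build a default (real-AWS) one."""
        if region not in self._regional_clients:
            self._regional_clients[region] = default_client_for(region)
        return self._regional_clients[region]


class BuggyProvider(_ProviderBase):
    """Reproduces the report: the hook unconditionally resets the cache."""

    def _post_init(self) -> None:
        self._regional_clients = {}  # the injected clients are discarded here


class FixedProvider(_ProviderBase):
    """Keeps the injected mapping and only validates it (illustrative, not the library's fix)."""

    def _post_init(self) -> None:
        for region, kms_client in self._regional_clients.items():
            if not isinstance(region, str) or not hasattr(kms_client, "endpoint_url"):
                raise TypeError("regional_clients must map region names to KMS clients")


def reproduce(local_endpoint: str = "http://kms-service:8080") -> Dict[str, str]:
    """Build both providers with the same injected us-west-2 client and report the endpoint each would hit."""
    injected = FakeKmsClient("us-west-2", local_endpoint)
    buggy = BuggyProvider(KEY_ARN, regional_clients={"us-west-2": injected})
    fixed = FixedProvider(KEY_ARN, regional_clients={"us-west-2": injected})
    return {
        "buggy": buggy.client("us-west-2").endpoint_url,  # falls back to real AWS
        "fixed": fixed.client("us-west-2").endpoint_url,  # uses the local mock
        # A region that was never injected is still created lazily by the fixed variant.
        "fixed_other_region": fixed.client("eu-west-1").endpoint_url,
    }


if __name__ == "__main__":
    for name, endpoint in reproduce().items():
        print("%-18s -> %s" % (name, endpoint))
```

Running the module prints the endpoint each variant resolves for us-west-2: the buggy one ends up at the public AWS endpoint even though a client for the local mock was injected, which is exactly the outbound call the reporter saw from a docker-compose environment. The check a practitioner wants here is the identity test: after construction, `provider.client("us-west-2") is injected` must hold, otherwise the injection was silently lost.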
