chore: Update README section on using StrictAwsKmsKeyProvider

farleyb-amazon · farleyb-amazon · commit 138ec5bf8221 · 2020-12-04T16:35:07.000-07:00
Be more explicit about the fact that, when using a
StrictAwsKmsMasterKeyProvider, key aliases are not
supported on decryption
diff --git a/README.rst b/README.rst
@@ -131,7 +131,10 @@ pre-existing instance of a ``botocore session`` to the ``StrictAwsKmsMasterKeyPr
 This latter option can be useful if you have an alternate way to store your AWS credentials or
 you want to reuse an existing instance of a botocore session in order to decrease startup costs.
 
-To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs.
+To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only
+be used for encryption, you can use a key ARN or alias ARN. For providers that will be used for decryption, you
+must use the key ARN; aliases are not supported.
+
 If you configure the the ``StrictAwsKmsMasterKeyProvider`` with multiple CMKs, the `final message`_
 will include a copy of the data key encrypted by each configured CMK.
 
diff --git a/src/aws_encryption_sdk/key_providers/kms.py b/src/aws_encryption_sdk/key_providers/kms.py
@@ -237,7 +237,6 @@ class StrictAwsKmsMasterKeyProvider(BaseKMSMasterKeyProvider):
     ...     'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
     ...     'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
     ... ])
-    >>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key')
 
     .. note::
         If no botocore_session is provided, the default botocore session will be used.
