@@ -172,22 +172,26 @@ def encrypt_decrypt_with_v3_default_cmm(key_arn,
172172 # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default.
173173 client = aws_encryption_sdk .EncryptionSDKClient (commitment_policy = CommitmentPolicy .REQUIRE_ENCRYPT_REQUIRE_DECRYPT )
174174
175- # Create a KMS master key provider. Note that because we are planning on decrypting using this same provider,
176- # we MUST provide the ARN of the KMS Key. If we provide a raw key id or a key alias, decryption will fail.
175+ # Create a KMS master key provider.
177176 kms_kwargs = dict (key_ids = [key_arn ])
178177 if botocore_session is not None :
179178 kms_kwargs ["botocore_session" ] = botocore_session
180179 master_key_provider = aws_encryption_sdk .StrictAwsKmsMasterKeyProvider (** kms_kwargs )
181180
181+ # Create the V3 default CMM (V3DefaultCryptoMaterialsManager) using the master_key_provider
182182 default_cmm = V3DefaultCryptoMaterialsManager (master_key_provider = master_key_provider )
183183
184184 # Encrypt the plaintext source data
185185 ciphertext , encryptor_header = client .encrypt (
186- source = source_plaintext , materials_manager = default_cmm
186+ source = source_plaintext ,
187+ materials_manager = default_cmm
187188 )
188189
189190 # Decrypt the ciphertext
190- cycled_plaintext , decrypted_header = client .decrypt (source = ciphertext , key_provider = master_key_provider )
191+ cycled_plaintext , decrypted_header = client .decrypt (
192+ source = ciphertext ,
193+ key_provider = master_key_provider
194+ )
191195
192196 # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
193197 assert cycled_plaintext == source_plaintext
0 commit comments