Closed
Description
```python
import aws_encryption_sdk
from aws_encryption_sdk.key_providers.kms import KMSMasterKey

CMK_ARNS = {
    "A": "arn1",
    "B": "arn2"
}
plaintext = b'abdc'
context = {'purpose': 'encryption context'}

master_key_provider_A = aws_encryption_sdk.KMSMasterKeyProvider()
master_key_provider_A.add_master_key(CMK_ARNS['A'])
master_key_provider_A.add_master_key(CMK_ARNS['B'])
master_key_provider_B = KMSMasterKey(key_id=CMK_ARNS['B'])

encrypted_message, header = aws_encryption_sdk.encrypt(
    encryption_context=context,
    key_provider=master_key_provider_A,
    source=plaintext
)
decrypted_message, decrypted_header = aws_encryption_sdk.decrypt(
    key_provider=master_key_provider_B,
    source=encrypted_message
)
```
Decrypting using `master_key_provider_B` fails intermittently with:

```
aws_encryption_sdk.exceptions.IncorrectMasterKeyError: Provided data key provider MasterKeyInfo(provider_id='aws-kms', key_info=b'$ARN2') does not match Master Key provider MasterKeyInfo(provider_id='aws-kms', key_info=b'$ARN1')
```
The expected behavior is that decryption always succeeds, since B's CMK is among those used in A's.
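The expected behavior stated above, as a self-contained model (an added example, not aws_encryption_sdk code and not part of the original report): the data key is wrapped once per CMK, and a holder of a single CMK scans the encrypted data keys, skipping entries that belong to other keys, so the outcome cannot depend on their order. The local secrets standing in for KMS, the HMAC-based toy wrap, and the extra key `arn3` are assumptions.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed stand-ins for KMS CMKs: ARN -> local secret (assumption, no AWS calls).
CMKS = {"arn1": secrets.token_bytes(32), "arn2": secrets.token_bytes(32),
        "arn3": secrets.token_bytes(32)}


def _pad(secret, nonce):
    """32-byte one-time pad derived from a CMK secret (toy wrap, not KMS)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def wrap(arn, data_key):
    """Return one encrypted data key (EDK) record for `arn`."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data_key, _pad(CMKS[arn], nonce)))
    tag = hmac.new(CMKS[arn], nonce + body, hashlib.sha256).digest()
    return {"provider_id": "aws-kms", "key_info": arn.encode(),
            "nonce": nonce, "body": body, "tag": tag}


def unwrap_with_single_key(arn, edks):
    """Scan every EDK; skip ones owned by other keys instead of raising."""
    for edk in edks:
        if edk["key_info"] != arn.encode():
            continue  # not ours: keep looking, order must not matter
        expected = hmac.new(CMKS[arn], edk["nonce"] + edk["body"],
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, edk["tag"]):
            pad = _pad(CMKS[arn], edk["nonce"])
            return bytes(a ^ b for a, b in zip(edk["body"], pad))
    raise LookupError("no EDK in this message can be unwrapped by " + arn)


def decrypts_in_every_order(encrypt_arns, decrypt_arn):
    """True if `decrypt_arn` recovers the data key for all EDK orderings."""
    data_key = secrets.token_bytes(32)
    edks = [wrap(arn, data_key) for arn in encrypt_arns]
    return all(unwrap_with_single_key(decrypt_arn, list(order)) == data_key
               for order in itertools.permutations(edks))
```

A key that was never used for encryption (`arn3` here) is the only case that should end in an error, and only after every EDK has been examined.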