Timeout for StrictAwsKmsMasterKeyProvider #446

Closed
ZacharyThomas opened this issue Mar 21, 2022 · 2 comments

Comments

@ZacharyThomas

Problem:

Frequently we provide timeouts and retries to our boto clients to retry requests. I searched through the documentation, and it seems like you can only provide a client to a KMSMasterKeyConfig instance, but I do not see how I could configure my StrictAwsKmsMasterKeyProvider to customize KMSMasterKeyConfig, without subclassing. This is how we use the SDK now:

    # Imports used by the snippet (both classes are exported at the package top level)
    from aws_encryption_sdk import EncryptionSDKClient, StrictAwsKmsMasterKeyProvider

    # key_id, settings.AWS_REGION, plaintext and encryption_context are supplied by the caller
    sdk_client = EncryptionSDKClient()
    key_provider = StrictAwsKmsMasterKeyProvider(
        key_ids=[key_id],
        region_names=[settings.AWS_REGION],
    )
    if encryption_context is None:
        encryption_context = {}

    # The provider builds its own boto3 KMS clients; there is no hook here for timeouts or retries
    ciphertext, _ = sdk_client.encrypt(
        source=plaintext,
        key_provider=key_provider,
        encryption_context=encryption_context,
    )

Ideally, we would be able to use the SDKClient or KeyProvider to pass our KMS client preferences.

Solution:

Seems like the current issue is that the KeyProvider implements a _client method
https://github.com/aws/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/key_providers/kms.py#L684
which always creates / registers a client. Allowing me to pass a client in the KMSMasterKeyProviderConfig object should alleviate that.

Out of scope:

Is there anything the solution will intentionally NOT address?

@texastony
Contributor

Howdy @ZacharyThomas,

I apologize for our tardy response.
Please see this PR for an example of customizing the client.

However, your statement is correct:

I do not see how I could configure ... without subclassing

As the AWS Encryption SDK for Python (ESDK-Python) is currently written,
you must subclass one of the exposed KMSMasterKeyProviders:

  • DiscoveryAwsKmsMasterKeyProvider
  • StrictAwsKmsMasterKeyProvider

Ultimately, we want to refactor the ESDK-Python,
replacing Key Providers with Keyrings.

The KMS Keyrings have a cleaner interface for providing KMS clients.

We do not have a timeline for when this refactor will be done.

In the meantime, please
follow your original instinct and our draft example and
subclass a KMS Master Key Provider to customize the KMS Client.

Much Obliged,
AWS Crypto Tools

@alex-chew
Contributor

Hi @ZacharyThomas,

I'm going to close this as the example and workaround above address your original concerns. I've opened a new issue to track the feature request to provide a custom client in a cleaner way here: #497

Please feel free to re-open this or open a new issue if you have further questions or concerns. Thanks!
