Skip to content

Commit 3ed84f7

Browse files
seebeeslavaleri
seebees
and
lavaleri
authored
feat: AWS KMS multi-Region Key support (#350)
Added new the master key MRKAwareKMSMasterKey and the new master key providers MRKAwareStrictAwsKmsMasterKeyProvider and MRKAwareDiscoveryAwsKmsMasterKeyProvider that support AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html for more details about AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks for more details about how the AWS Encryption SDK interoperates with AWS KMS multi-Region keys. Co-authored-by: lavaleri <[email protected]>
1 parent 511d840 commit 3ed84f7

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

56 files changed

+3224
-305
lines changed

.github/workflows/ci_tests.yaml

+4
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@ env:
1212
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
1313
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: |
1414
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
15+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: |
16+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
17+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: |
18+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1519
1620
jobs:
1721
tests:

.gitmodules

+6
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,9 @@
11
[submodule "test_vector_handlers/test/aws-crypto-tools-test-vector-framework"]
22
path = test_vector_handlers/test/aws-crypto-tools-test-vector-framework
33
url = https://github.com/awslabs/private-aws-crypto-tools-test-vector-framework-staging.git
4+
[submodule "aws-encryption-sdk-specification"]
5+
path = aws-encryption-sdk-specification
6+
url = https://github.com/awslabs/private-aws-encryption-sdk-specification-staging.git
7+
[submodule "test_vector_handlers/test/aws-encryption-sdk-test-vectors"]
8+
path = test_vector_handlers/test/aws-encryption-sdk-test-vectors
9+
url = https://github.com/awslabs/private-aws-encryption-sdk-test-vectors-staging.git

CHANGELOG.rst

+18
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,24 @@
22
Changelog
33
*********
44

5+
2.3.0 -- 2021-06-16
6+
===================
7+
8+
Features
9+
--------
10+
* AWS KMS multi-Region Key support
11+
12+
Added new the master key MRKAwareKMSMasterKey
13+
and the new master key providers MRKAwareStrictAwsKmsMasterKeyProvider
14+
and MRKAwareDiscoveryAwsKmsMasterKeyProvider
15+
that support AWS KMS multi-Region Keys.
16+
17+
See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
18+
for more details about AWS KMS multi-Region Keys.
19+
See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks
20+
for more details about how the AWS Encryption SDK interoperates
21+
with AWS KMS multi-Region keys.
22+
523
2.2.0 -- 2021-05-27
624
===================
725

aws-encryption-sdk-specification

buildspec.yml

+3
Original file line numberDiff line numberDiff line change
@@ -46,3 +46,6 @@ batch:
4646

4747
- identifier: code_coverage
4848
buildspec: codebuild/coverage/coverage.yml
49+
50+
- identifier: compliance
51+
buildspec: codebuild/compliance/compliance.yml

codebuild/compliance/compliance.yml

+9
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
version: 0.2
2+
3+
phases:
4+
install:
5+
runtime-versions:
6+
nodejs: latest
7+
build:
8+
commands:
9+
- aws-encryption-sdk-specification/util/test_conditions -s 'src/**/**/*.py' -s 'compliance_exceptions/*.py' -t 'test/**/*.py'

codebuild/py27/awses_local.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py27/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py27/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py35/awses_local.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py35/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py35/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py36/awses_local.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py36/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py36/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py37/awses_local.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py37/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py37/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py38/awses_local.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py38/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py38/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py39/awses_1.7.1.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py39/awses_2.0.0.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py39/awses_latest.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
1115
AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
1216

codebuild/py39/examples.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

codebuild/py39/integ.yml

+4
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ env:
77
arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
88
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
99
arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
10+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
11+
arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
12+
AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
13+
arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
1014
1115
phases:
1216
install:

compliance_exceptions/aws-kms-mrk-aware-master-key-provider.py

+79
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
# Due to how Python MasterKeys and MasterKeyProviders are set up,
2+
# there are some parts of the Java-focused spec which are non-applicable
3+
4+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
5+
# //= type=exception
6+
# //# The regional client
7+
# //# supplier MUST be defined in discovery mode.
8+
# // The Python implementation does not include a client supplier as a configuration option.
9+
# // Instead a list of regions may be passed. If not passed, a default region will be used.
10+
# // This behavior is true even of Discovery MKPs.
11+
12+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
13+
# //= type=exception
14+
# //# The function MUST only provide master keys if the input provider id
15+
# //# equals "aws-kms".
16+
# // Python does not take in provider ID as input to this new_master_key.
17+
# // Each MK determines on it's own whether to process based on provider ID in owns_data_key
18+
19+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
20+
# //= type=exception
21+
# //# An AWS KMS client
22+
# //# MUST be obtained by calling the regional client supplier with this
23+
# //# AWS Region.
24+
# // Python doesn't use a client-supplier, but _client(new_key_id) will grab a client
25+
# // based on the region in new_key_id, which is always the behavior we want.
26+
27+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.9
28+
# //= type=exception
29+
# //# The set of encrypted data keys MUST first be filtered to match this
30+
# //# master key's configuration.
31+
# // Each MK is responsible for defining whether an EDK matches it's configuration in
32+
# // as part of _decrypt_data_key.
33+
34+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
35+
# //= type=exception
36+
# //# In strict mode, the requested AWS KMS key ARN MUST match a member of the configured key ids by using AWS
37+
# //# KMS MRK Match for Decrypt (aws-kms-mrk-match-for-decrypt.md#implementation) otherwise this function MUST error.
38+
# // Python isn't concerned with ensuring the configured key ids match during new_master_key, given that
39+
# // Python doesn't filter EDKs before creating the master keys for decryption. Each MK is responsible for raising
40+
# // an error if the EDK isn't an MRK aware match. For encryption, the keys are pre-populated based on the configured
41+
# // keys, which again makes any check non-applicable.
42+
43+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
44+
# //= type=exception
45+
# //# On initialization the caller MUST provide:
46+
# // Strict and discovery modes and their corresponding inputs are split
47+
# // into two different classes. Additionally,
48+
# // Python does not take in a regional client supplier,
49+
# // but instead takes in a list of regions to create clients out of.
50+
51+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
52+
# //= type=exception
53+
# //# Finally if the
54+
# //# provider info is identified as a multi-Region key (aws-kms-key-
55+
# //# arn.md#identifying-an-aws-kms-multi-region-key) the AWS Region MUST
56+
# //# be the region from the AWS KMS key in the configured key ids matched
57+
# //# to the requested AWS KMS key by using AWS KMS MRK Match for Decrypt
58+
# //# (aws-kms-mrk-match-for-decrypt.md#implementation).
59+
# // This is not relevant due to the fact that Strict MRK Aware MKPs will create an MK for
60+
# // each configured key ID on initialization, each with
61+
# // a client that matches the region in the configured key ID.
62+
# // During decryption, the region from the EDK's provider info does
63+
# // not figure into what client region to use.
64+
# // The MKs the MKP vends should always have a client region that matches the key ID
65+
66+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.9
67+
# //= type=exception
68+
# //# If this attempt results in an error, then
69+
# //# these errors MUST be collected.
70+
# // Python logs errors instead of collecting them.
71+
72+
# //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.9
73+
# //= type=exception
74+
# //# Additionally
75+
# //# each provider info MUST be a valid AWS KMS ARN (aws-kms-key-arn.md#a-
76+
# //# valid-aws-kms-arn) with a resource type of "key".
77+
# // Python MKPs do not filter before using each MK to decrypt. Each MK is
78+
# // Individually responsible for throwing if it shouldn't be used for decrypt.
79+

0 commit comments

Comments
 (0)