Description
Problem:
Frequently we provide timeouts and retries to our boto clients to retry requests. I searched through the documentation, and it seems like you can only provide a client to a `KMSMasterKeyConfig` instance, but I do not see how I could configure my `StrictAwsKmsMasterKeyProvider` to customize `KMSMasterKeyConfig`, without subclassing. This is how we use the SDK now:
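```python
from aws_encryption_sdk import EncryptionSDKClient, StrictAwsKmsMasterKeyProvider

# key_id, settings, plaintext and encryption_context come from the
# surrounding application code.
sdk_client = EncryptionSDKClient()
key_provider = StrictAwsKmsMasterKeyProvider(
    key_ids=[key_id],
    region_names=[settings.AWS_REGION],
)
# The SDK expects a dict for the encryption context, so default to empty.
if encryption_context is None:
    encryption_context = {}
# encrypt() returns (ciphertext, header); the header is not used here.
ciphertext, _ = sdk_client.encrypt(
    source=plaintext,
    key_provider=key_provider,
    encryption_context=encryption_context,
)
```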
Ideally, we would be able to use the SDKClient or KeyProvider to pass our KMS client preferences.
Solution:
Seems like the current issue is that the KeyProvider implements a _client method:
https://github.com/aws/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/key_providers/kms.py#L684
Which always creates / registers a client. Allowing me to pass a client in the `KMSMasterKeyProviderConfig` object should alleviate that.
Out of scope:
Is there anything the solution will intentionally NOT address?