docs: add example to replicate AWS KMS MKP behavior with AWS KMS keyring #255
Conversation
examples/src/keyring/aws_kms/act_like_aws_kms_master_key_provider.py
We have found that separating these two behaviors out,
as we did in the AWS KMS keyring,
how about "We have found that separating these two behaviors into the AWS KMS Keyring and the AWS KMS discovery keyring"
…_provider.py Co-Authored-By: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
examples/README.md
@@ -44,6 +44,8 @@ We start with AWS KMS examples, then show how to use other wrapping keys. | |||
* [with keyrings](./src/keyring/aws_kms/discovery_decrypt_in_region_only.py) | |||
* How to decrypt with a preferred region but failover to others | |||
* [with keyrings](./src/keyring/aws_kms/discovery_decrypt_with_preferred_regions.py) | |||
* How to replicate the behavior of an AWS KMS master key provider |
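Review bot: the hunk header counts two added lines, but only the new bullet "* How to replicate the behavior of an AWS KMS master key provider" is visible, and every sibling entry in this list carries a "* [with keyrings](./src/keyring/aws_kms/...)" sub-bullet linking to its example file; the second added line should be that link, pointing at ./src/keyring/aws_kms/act_like_aws_kms_master_key_provider.py, the example this PR adds, so the README entry is not a dead heading.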
Can we use "reproduce" instead of "replicate?" The KMS is using "replicate" and "replica" for other purposes. Although most people won't notice, I can envisions someone with limited English language skills googling this and becoming hopelessly confused.
# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
"""
Before there were keyrings, there were master key providers.
Once upon a time ... :)
the AWS KMS master key provider always attempts to decrypt
*any* data keys that were encrypted under an AWS KMS CMK.
Suggested change:
the AWS KMS master key provider can decrypt
*any* data key that was encrypted under an AWS KMS CMK.
-or-
the AWS KMS master key provider can use any AWS KMS CMK that encrypted
a data key to decrypt it.
That's not quite what I was getting at. Whether or not it can decrypt depends on the KMS/IAM permissions. Just like the discovery keyring, the point I was trying to make is that it does in fact reach out to the KMS service for every KMS-encrypted EDK whether or not it succeeds.
The difficulty here is the combination of "always" and "any." Does the ESDK always attempt to decrypt all of the encrypted data keys in an encrypted message? Or, it can attempt to decrypt any of them?
Co-Authored-By: June Blender <juneb@users.noreply.github.com>
In earlier versions of the AWS Encryption SDK,
you used master key providers to determine how your data keys are protected.
Suggested change:
You might have used master key providers to protect your data keys in earlier versions of the AWS Encryption SDK. This example shows how to replace a master key provider with a keyring that behaves the same way.
I might never have used the ESDK before.
* show using multiple CMKs
* demonstrate how the generating CMK is defined in both
* explain that it does not matter if the CMK keyring fails
# This also means that it does not matter if the CMK keyring fails on decrypt,
# for example if you configured it with aliases which would work on encrypt
# but fail to match any encrypted data keys on decrypt,
# because the discovery keyring attempts to decrypt any AWS KMS-encrypted
# data keys that it finds.
This sentence is really long, can you break it up?
…_provider.py Co-Authored-By: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
Issue #, if available:
resolves: #248
Description of changes:
In addition to using the configured AWS KMS CMKs, the AWS KMS master key provider attempts to decrypt any data keys that were encrypted under an AWS KMS CMK. This behavior is not always obvious, and when we designed the AWS KMS keyring, we decided that it was best to separate these behaviors, but as customers migrate from master key providers to keyrings, it will be helpful to have an example of how to replicate the exact behavior of the AWS KMS master key provider using keyrings.
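The decrypt behavior described in this PR description, and in the earlier comment thread on the example's remark that a CMK keyring configured with aliases can fail on decrypt without consequence, can be modelled offline: a strict AWS KMS keyring only calls KMS for encrypted data keys whose key ARN it was configured with, a discovery keyring calls KMS for every AWS KMS-encrypted data key it reaches whether or not the call succeeds, and a multi-keyring that chains the two reproduces what the master key provider does. The following is an added illustration written for this page, not code from the aws-encryption-sdk-python repository or from the example file under review: the names KmsKeyring, MultiKeyring, FakeKms, act_like_master_key_provider and demo are invented stand-ins, the key ARNs are constructed, and FakeKms plays KMS with a permission set standing in for IAM and key policy. The real keyrings also pick a regional client from each ARN; this model ignores regions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Set, Tuple

KMS_PROVIDER_ID = "aws-kms"  # provider ID carried by every KMS-wrapped encrypted data key

# Constructed sample identifiers for the example (not real accounts or keys).
GENERATOR_ARN = "arn:aws:kms:us-west-2:111122223333:key/1111aaaa-1111-1111-1111-111111111111"
ADDITIONAL_ARN = "arn:aws:kms:us-east-1:111122223333:key/2222bbbb-2222-2222-2222-222222222222"
GENERATOR_ALIAS = "arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"


@dataclass(frozen=True)
class EncryptedDataKey:
    provider_id: str    # "aws-kms" for KMS-wrapped data keys
    provider_info: str  # for "aws-kms" this is the wrapping key's ARN, never an alias
    ciphertext: bytes


@dataclass
class FakeKms:
    """Stand-in for a KMS client (hypothetical). `allowed` models which CMKs kms:Decrypt succeeds on."""
    allowed: Set[str]
    calls: List[str] = field(default_factory=list)  # every Decrypt attempt, successful or not

    def encrypt(self, key_arn: str, plaintext: bytes) -> EncryptedDataKey:
        # Toy wrapping (constructed): prefix with the key ARN so decrypt can tell which key was used.
        return EncryptedDataKey(KMS_PROVIDER_ID, key_arn, key_arn.encode() + b"|" + plaintext)

    def decrypt(self, key_arn: str, ciphertext: bytes) -> bytes:
        self.calls.append(key_arn)  # the network call happens before we know whether it is allowed
        if key_arn not in self.allowed:
            raise PermissionError("AccessDeniedException: kms:Decrypt on " + key_arn)
        prefix = key_arn.encode() + b"|"
        if not ciphertext.startswith(prefix):
            raise ValueError("InvalidCiphertextException")
        return ciphertext[len(prefix):]


class KmsKeyring:
    """Strict keyring when key_ids is given, discovery keyring when discovery=True (model, not ESDK code)."""

    def __init__(self, kms: FakeKms, key_ids: Sequence[str] = (), discovery: bool = False):
        self.kms, self.key_ids, self.discovery = kms, set(key_ids), discovery

    def on_decrypt(self, edks: Sequence[EncryptedDataKey]) -> Optional[bytes]:
        for edk in edks:
            if edk.provider_id != KMS_PROVIDER_ID:
                continue  # not KMS-wrapped; some other keyring may handle it
            if not self.discovery and edk.provider_info not in self.key_ids:
                continue  # strict keyring: an alias in key_ids never equals the key ARN in provider_info
            try:
                return self.kms.decrypt(edk.provider_info, edk.ciphertext)  # first success wins
            except Exception:
                continue  # a denied or failed attempt on one EDK does not stop the next attempt
        return None


class MultiKeyring:
    """Tries the generator keyring, then each child, stopping at the first plaintext data key."""

    def __init__(self, generator: Optional[KmsKeyring] = None, children: Sequence[KmsKeyring] = ()):
        self.members = ([generator] if generator else []) + list(children)

    def on_decrypt(self, edks: Sequence[EncryptedDataKey]) -> Optional[bytes]:
        for keyring in self.members:
            plaintext = keyring.on_decrypt(edks)
            if plaintext is not None:
                return plaintext
        return None


def act_like_master_key_provider(kms: FakeKms, key_ids: Sequence[str]) -> MultiKeyring:
    """Configured CMKs first, then discovery of any KMS-wrapped data key: the master key provider's decrypt path."""
    return MultiKeyring(generator=KmsKeyring(kms, key_ids), children=[KmsKeyring(kms, discovery=True)])


def demo(allowed: Set[str]) -> Tuple[Optional[bytes], List[str]]:
    """Wrap one data key under two CMKs, then decrypt with a strict keyring that was configured
    with an alias (fine on encrypt, never matching on decrypt) plus a discovery keyring."""
    kms = FakeKms(allowed=allowed)
    data_key = bytes(range(32))  # constructed stand-in for a 32-byte data key
    edks = [kms.encrypt(GENERATOR_ARN, data_key), kms.encrypt(ADDITIONAL_ARN, data_key)]
    keyring = act_like_master_key_provider(kms, key_ids=[GENERATOR_ALIAS])
    return keyring.on_decrypt(edks), kms.calls


if __name__ == "__main__":
    print(demo({GENERATOR_ARN, ADDITIONAL_ARN}))  # strict keyring makes no call; discovery succeeds on the first EDK
    print(demo({ADDITIONAL_ARN}))                 # first Decrypt denied, still attempted; second succeeds
    print(demo(set()))                            # both attempted, both denied, no plaintext
```

Running demo() with different `allowed` sets shows the point argued in the thread: the strict keyring configured with an alias never contacts KMS on decrypt, because provider info on an "aws-kms" encrypted data key is always a key ARN; the discovery keyring records a kms:Decrypt attempt for every KMS-wrapped data key it reaches, denied or not, until one succeeds; and the multi-keyring stops at the first plaintext, so the strict keyring's failure does not matter. The practical caveat is the one the discussion circles around: once a discovery keyring is in the chain, IAM and key policy are the only thing deciding which key ARNs found in a message your application will attempt to use, which is why the keyring design keeps the two behaviors separate.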
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.