AwsKmsCryptographicMaterialsProvider - __attrs_post_init__ overrides custom regional clients #124

Closed
@Szasza

Description

Hi Team,

I would like to report an issue regarding the regional client injection into the AwsKmsCryptographicMaterialsProvider.

Package version used: v1.1.1

Anything unusual about your environment or deployment: The environment is a local development environment, docker-compose is used with two services: a python:3.7.4-buster container for running the Python code, and a nsmithuk/local-kms container for a local KMS mock.

Bug reproduction steps:

  1. Set up a local KMS mock container. You can use it either as a docker-compose service or as a standalone container. REGION is to be set to us-west-2.

  2. Set up a key in the local mock container as per the usage notes using the following YAML:

```yaml
Keys:
  - Metadata:
      KeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
    BackingKeys:
      - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9

Aliases:
  - AliasName: alias/testing
    TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
```

  3. Create a small piece of code which does, for example, an item insert using EncryptedTable, with the following configuration:

```python
import boto3
from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider

aws_cmk_id = 'arn:aws:kms:us-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc'
# Client pointed at the local KMS mock instead of the real AWS endpoint
client = boto3.session.Session().client('kms', region_name='us-west-2', endpoint_url='http://kms-service:8080')
# Inject the mock client for the region the CMK lives in
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id, regional_clients={'us-west-2': client})
```

Please feel free to replace http://kms-service:8080 with the appropriate URL based on your local environment.

  4. After the above, a call to the EncryptedTable helper should use the client which was created in step 3, but that's not the case: the AwsKmsCryptographicMaterialsProvider's _regional_clients attribute is empty, and it falls back to the base KMS client and tries to reach out to AWS.

I was able to mitigate the issue by deleting lines 218-220 from material_providers/aws_kms.py's __attrs_post_init__ function:

```python
self._regional_clients = (
    {}
)  # type: Dict[Text, botocore.client.BaseClient]  # noqa pylint: disable=attribute-defined-outside-init
```

but I am unsure if this is the correct solution.

Any help regarding the above is much appreciated.
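The failure mode described in this report, as an added stand-alone reproduction that is not the SDK's own code: `dataclasses` stands in for `attrs`, and `FakeKmsClient`, `BuggyProvider`, `FixedProvider` and `resolve_endpoint` are hypothetical names. The buggy post-init resets the client cache (discarding the injected client, so a fallback "real" client is built); the fixed post-init seeds the cache from the injected mapping, so the local endpoint is honoured and a region with no injected client still falls back.

```python
from dataclasses import dataclass, field
from typing import Dict


class FakeKmsClient:
    """Stand-in for a botocore KMS client; only records the endpoint it targets."""

    def __init__(self, region: str, endpoint_url: str) -> None:
        self.region = region
        self.endpoint_url = endpoint_url


@dataclass
class BuggyProvider:
    """Hypothetical provider mirroring the reported __attrs_post_init__ behaviour."""

    key_id: str
    regional_clients: Dict[str, FakeKmsClient] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Bug: the cache is unconditionally reset, so injected clients are dropped.
        self._regional_clients: Dict[str, FakeKmsClient] = {}

    def client(self, region: str) -> FakeKmsClient:
        if region not in self._regional_clients:
            # Fallback path: build a client that would reach the real AWS endpoint.
            self._regional_clients[region] = FakeKmsClient(
                region, "https://kms.%s.amazonaws.com" % region
            )
        return self._regional_clients[region]


@dataclass
class FixedProvider(BuggyProvider):
    """Same provider, but the post-init keeps the caller's injected clients."""

    def __post_init__(self) -> None:
        # Fix: seed the cache from the injected mapping (copied, so later
        # mutation of the caller's dict cannot change the provider's state).
        self._regional_clients = dict(self.regional_clients)


def resolve_endpoint(provider_cls, region: str = "us-west-2",
                     endpoint: str = "http://kms-service:8080") -> str:
    """Inject a local client for `region` and report which endpoint gets used."""
    local = FakeKmsClient(region, endpoint)
    key_id = "arn:aws:kms:us-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc"
    provider = provider_cls(key_id=key_id, regional_clients={region: local})
    return provider.client(region).endpoint_url
```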
