KMSMasterKeyProvider - requested master keys are generated before setting default region.

[dtmistry]

When using KMSMasterKeyProvider, can a CMK key alias be used as the key_id instead of the arn?

The KMS API GenerateDataKey operation accepts alias as the key_id. But it looks like the sdk expects the key_id to be an arn. If the key_id is not an arn, the init fails with the below error -

The below fails with an exception -

kwargs = dict(
    key_ids=["alias/cmk-alias"],
    region_names=["us-east-1"],
    botocore_session=existing_session
)
aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)      

UnknownRegionError: No default region found and no region determinable from key id: alias/cmk-alias

/usr/local/lib/python2.7/site-packages/aws_encryption_sdk/key_providers/kms.py:50:UnknownRegionError

[mattsb42-aws]

Thanks for reporting this!

It looks like this is caused by us finding the default region after generating the pre-defined master keys rather than before.

We'll get a fix out for this shortly, but in the meantime you can work around this by not pre-populating the key IDs.

kwargs = dict(
    region_names=["us-east-1"],
    botocore_session=existing_session
)
key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
key_provider.add_master_key("alias/cmk-alias")

[mattsb42-aws]

This fix is now available in v1.3.7.