def test_init_with_regionless_key_ids_and_region_names():
    """Check that a key ID with no region in it gets a client for the configured region.

    The provider is built with one alias and one region name; the master key
    looked up for that alias must carry a client whose region is that name.
    """
    alias = "alias/key_1"
    expected_region = "test-region-1"

    # The alias string names no region, so the expected region can only come
    # from ``region_names``.
    provider = StrictAwsKmsMasterKeyProvider(region_names=(expected_region,), key_ids=(alias,))

    client_region = provider.master_key(alias).config.client.meta.region_name
    assert client_region == expected_region
def arn_from_key_id(key_id):
    # type: (str) -> str
    """Resolve a key ID to the full Arn of the KMS CMK it identifies.

    Rather than requiring additional KMS permissions for a lookup, this asks
    the master key identified by ``key_id`` to ``generate_data_key`` and reads
    the key provider info from the result.

    :param str key_id: Original key ID
    :returns: Full Arn for KMS CMK that key ID identifies
    :rtype: str
    """
    # NOTE(review): every call issues a generate_data_key request, so the
    # credentials in use presumably need that permission on the key, and each
    # lookup should show up wherever KMS API activity is logged -- confirm.
    strict_provider = StrictAwsKmsMasterKeyProvider(key_ids=[key_id])
    master_key = strict_provider.master_key(key_id.encode(ENCODING))

    # Only ``key_provider.key_info`` is read from the result; everything else
    # it carries is discarded when this function returns.
    generated = master_key.generate_data_key(
        algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
        encryption_context={},
    )
    key_info = generated.key_provider.key_info
    return key_info.decode(ENCODING)