in src/aws_encryption_sdk_cli/internal/arg_parsing.py [0:0]
def _process_kms_key_config(parsed_args, action):
"""Processes a single key provider configuration for a KMS wrapping key
:param dict parsed_args: The parsed kwargs for the key provider
:param action: The action being taken (encrypt or decrypt)
"""
args_include_discovery = (
"discovery" in parsed_args or "discovery-account" in parsed_args or "discovery-partition" in parsed_args
)
if action == "encrypt" and args_include_discovery:
raise ParameterParseError("Discovery attributes are supported only on decryption for AWS KMS keys")
if "key" not in parsed_args and action == "encrypt":
raise ParameterParseError('At least one "key" must be provided for each wrapping key provider configuration')
_process_discovery_args(parsed_args)
discovery = parsed_args["discovery"]
if "key" in parsed_args and discovery:
# Decrypt MUST fail without attempting any decryption if discovery mode is enabled
# and at least one key=<Key ARN> parameter value is provided
raise ParameterParseError("If discovery is true (enabled), you cannot specify wrapping keys")
if "key" not in parsed_args:
if not discovery:
# Decrypt MUST fail without attempting any decryption if discovery mode is disabled
# and no key=<Key ARN> parameter value is provided
raise ParameterParseError("When discovery is false (disabled), you must specify at least one wrapping key")
parsed_args["key"] = []
return parsed_args