in src/aws_encryption_sdk/key_providers/kms.py [0:0]
def _new_master_key(self, key_id):
    """Build a KMSMasterKey for ``key_id``, enforcing the discovery filter when one is configured.

    The discovery-filter check is the boundary that stops a ciphertext's encryption context
    from steering decryption to a KMS key in a partition or account this provider was not
    told to trust; it runs before any key object is created.

    :param bytes key_id: KMS CMK ID
    :returns: KMS Master Key based on key_id
    :rtype: aws_encryption_sdk.key_providers.kms.KMSMasterKey
    :raises InvalidKeyIdError: if key_id is not a valid KMS CMK ID to which this key provider has access
    :raises MasterKeyProviderError: if this MasterKeyProvider is in discovery mode and key_id is not allowed
    """
    # The KMS client accepts only str; decode once and feed the decoded form to the ARN parser.
    key_id_str = to_str(key_id)
    discovery_filter = self.config.discovery_filter

    # No filter configured: nothing to restrict, hand straight to the implementation.
    if not discovery_filter:
        return self._new_master_key_impl(key_id)

    # NOTE(review): arn_from_str is expected to reject non-ARN identifiers (aliases, bare key
    # ids) under a filter — confirm which exception it raises so callers know what to catch.
    parsed_arn = arn_from_str(key_id_str)

    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
    # //# In discovery mode if a discovery filter is configured the requested AWS
    # //# KMS key ARN's "partition" MUST match the discovery filter's
    # //# "partition" and the AWS KMS key ARN's "account" MUST exist in the
    # //# discovery filter's account id set.
    partition_matches = parsed_arn.partition == discovery_filter.partition
    if partition_matches and parsed_arn.account_id in discovery_filter.account_ids:
        return self._new_master_key_impl(key_id)

    raise MasterKeyProviderError("Key {} not allowed by this Master Key Provider".format(key_id))