sfn-callback-urls
KMSMasterKeyProvider Breaking Change in aws_encryption_sdk
Hi
Version 2.0 of the aws_encryption_sdk has removed support for aws_encryption_sdk.KMSMasterKeyProvider. From the link below it looks like you can just replace it with aws_encryption_sdk.StrictAwsKmsMasterKeyProvider. I am about to test this so will update this issue after that.
https://aws-encryption-sdk-python.readthedocs.io/en/latest/index.html?highlight=KMSMasterKeyProvider#breaking-changes
Edit: aws_encryption_sdk.decrypt & aws_encryption_sdk.encrypt also need to be changed as per that link.
Thanks!
Now I have fixed this problem, I am seeing issues with the links being over 2048 characters. See https://github.com/benkehoe/sfn-callback-urls/issues/7#issuecomment-760358496. Not sure if prior to your most recent update they were shorter. I assume so.
After making these changes, the KEY_ID env var needs to be set to the Key Arn, not ID. If that isn't done, the link will be encrypted correctly but fail to be decrypted.

e.g. change `!Ref EncryptionKey` to `!GetAtt EncryptionKey.Arn` in the template.
In order to get round the 2048 character limit I had to change the algorithm used to encrypt the string from the default (which uses signing) to unsigned. This is documented at https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/troubleshooting-migration.html#configuration-conflict_1
```python
from aws_encryption_sdk.identifiers import Algorithm

# Unsigned, non-committing suite: the 2.x client only accepts it for encrypt
# when created with CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT.
ciphertext, encryptor_header = client.encrypt(
    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA256,
    source=payload_string,
    key_provider=master_key_provider,
)
```
Not sure if this is the best approach, but it worked for me.
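Both points raised in this thread (KEY_ID must be the key ARN for strict-mode decryption, and the unsigned suite chosen to keep links under 2048 characters) can be checked from a token before it ever reaches KMS. The following is an added example, not code from sfn-callback-urls or from the commenter: it parses the plaintext fields of a version-1 Encryption SDK message header (the header written by the signed and the non-committing suites) to report the algorithm suite, whether it is signed, and the wrapping key ARN, and then checks whether a configured KEY_ID value is something a StrictAwsKmsMasterKeyProvider could match on decrypt. The sample message, key ARN and encryption context are constructed for the example; the parser operates on the raw message bytes, so any base64 layer the project adds around the token must be stripped first.

```python
import re
import struct
from dataclasses import dataclass

# Algorithm suite IDs as carried in the 2-byte field of the ESDK message header.
SIGNED_SUITES = {0x0214, 0x0346, 0x0378, 0x0578}   # ECDSA-signed suites
COMMITTING_SUITES = {0x0478, 0x0578}               # key-committing suites (version-2 header)
UNSIGNED_SUITE = 0x0178                            # AES_256_GCM_IV12_TAG16_HKDF_SHA256, as used above
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")

def classify_key_identifier(value: str) -> str:
    """Which of the four KMS identifier forms a configured KEY_ID value is."""
    if KEY_ARN_RE.match(value):
        return "key-arn"
    if value.startswith("arn:") and ":alias/" in value:
        return "alias-arn"
    if value.startswith("alias/"):
        return "alias-name"
    return "key-id"

@dataclass
class HeaderSummary:
    algorithm_id: int
    signed: bool
    committing: bool
    encryption_context: dict
    wrapping_key_arns: list

def _u(fmt: str, buf: bytes, off: int):
    """Unpack one big-endian field; return (value, offset after it)."""
    return struct.unpack_from(">" + fmt, buf, off)[0], off + struct.calcsize(fmt)

def _lv(buf: bytes, off: int):
    """Read a 2-byte-length-prefixed byte string; return (bytes, offset after it)."""
    length, off = _u("H", buf, off)
    return buf[off:off + length], off + length

def parse_v1_header(msg: bytes) -> HeaderSummary:
    """Read the plaintext fields of a version-1 message header. Nothing is
    decrypted or verified here, so the values are only as trustworthy as the token."""
    version, off = _u("B", msg, 0)
    if version != 1:
        raise ValueError(f"unsupported message format version {version}")
    _msg_type, off = _u("B", msg, off)                 # always 0x80
    algorithm_id, off = _u("H", msg, off)
    off += 16                                          # message ID
    aad_len, off = _u("H", msg, off)
    context = {}
    if aad_len:                                        # encryption context, if any
        pair_count, off = _u("H", msg, off)
        for _ in range(pair_count):
            key, off = _lv(msg, off)
            value, off = _lv(msg, off)
            context[key.decode()] = value.decode()
    edk_count, off = _u("H", msg, off)
    arns = []
    for _ in range(edk_count):                         # encrypted data keys
        provider_id, off = _lv(msg, off)
        provider_info, off = _lv(msg, off)             # for aws-kms this is the key ARN
        _wrapped_key, off = _lv(msg, off)
        if provider_id == b"aws-kms":
            arns.append(provider_info.decode())
    return HeaderSummary(algorithm_id, algorithm_id in SIGNED_SUITES,
                         algorithm_id in COMMITTING_SUITES, context, arns)

def strict_decrypt_problem(configured_key_id: str, header: HeaderSummary):
    """None if a StrictAwsKmsMasterKeyProvider built from `configured_key_id`
    can match this message's wrapping key; otherwise the reason it cannot."""
    form = classify_key_identifier(configured_key_id)
    if form != "key-arn":
        return f"KEY_ID is of form {form}; strict-mode decrypt only matches key ARNs"
    if configured_key_id not in header.wrapping_key_arns:
        return "KEY_ID ARN does not match any wrapping key in the message"
    return None

def build_sample_message(algorithm_id: int, key_arn: str, context: dict) -> bytes:
    """Constructed version-1 message with a zero message ID, dummy wrapped key and
    dummy header auth, for exercising the parser offline; not a real ciphertext."""
    def lv(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    aad = b""
    if context:
        aad = struct.pack(">H", len(context)) + b"".join(
            lv(k.encode()) + lv(v.encode()) for k, v in context.items())
    edk = lv(b"aws-kms") + lv(key_arn.encode()) + lv(b"\x00" * 32)
    return (struct.pack(">BBH", 1, 0x80, algorithm_id) + b"\x00" * 16
            + lv(aad) + struct.pack(">H", 1) + edk
            + b"\x02" + b"\x00" * 4 + b"\x0c" + struct.pack(">I", 4096)  # framed, reserved, IV len, frame len
            + b"\x00" * 28)                                              # header IV (12) + auth tag (16)

# Constructed sample: an unsigned message wrapped under a made-up key ARN.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_MESSAGE = build_sample_message(UNSIGNED_SUITE, SAMPLE_KEY_ARN, {"purpose": "sfn-callback"})

if __name__ == "__main__":
    h = parse_v1_header(SAMPLE_MESSAGE)
    print(f"suite 0x{h.algorithm_id:04x} signed={h.signed} keys={h.wrapping_key_arns}")
    print(strict_decrypt_problem("11111111-2222-3333-4444-555555555555", h))  # bare key ID: rejected
    print(strict_decrypt_problem(SAMPLE_KEY_ARN, h))                          # matching ARN: None
```

Two things worth keeping in mind when reading the output. A signed suite shows up as both a signed algorithm ID and an `aws-crypto-public-key` entry in the encryption context, which is part of why signed messages are larger. Dropping the signature means a token's integrity rests entirely on the AES-GCM tag under the KMS-wrapped data key, so anyone permitted to encrypt under the key can produce a token the function will accept; the KMS key policy becomes the whole trust boundary. The other unsigned option, AES_256_GCM_HKDF_SHA512_COMMIT_KEY (0x0478), is allowed under the default commitment policy but writes the version-2 header, which this parser does not read.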