AWS cross-account assume role in Python for KMSClient
Help us help you
Please tell us more about your Tink deployment.
Done!
Is your feature request related to a problem?
Yes - we leverage envelope encryption with master keys stored in Amazon KMS. However we use multiple AWS accounts and make use of AssumeRole to allow cross-account access to resources (incl. KMS). Our master keys can be stored in KMS in Account A, but a service in Account B needs to decrypt the keyset.
We can do this in Golang since awskms.NewClientWithKMS allows us to pass in an authenticated KMS client with the correct role assumed, but we haven't been able to figure out how to do the same with the Python library without fetching creds and writing them to a file.
Describe the solution you'd like
Ideally we could pass in a boto3 client to Python's awskms.AwsKmsClient that we've already initialized with the correct cross-account role. However, even just the ability to pass in credentials directly to AwsKmsClient would work as well. Currently the only option is to pass in a filename that contains the credentials.
Describe alternatives you've considered
We've considered using STS to fetch credentials for the assumed role and write them to a temp file and then pass that filename in to AwsKmsClient, but this requires writing to disk.
@kste
Any updates on this, it feels very strange that such a normal behavior for aws is not supported :/
The current implementation doesn't allow this because it wraps the C++ code. But I agree that this is not ideal, and we also run into other problems because of the current design.
I will change this so that you will be able to create your own boto3 client and pass it to Tink.
I now (finally) added this feature. So I'll close this now. Please reopen it if there is still something missing here.
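An added example, not from this issue or the Tink project, of the flow the request describes: AssumeRole into the account that owns the KMS master key, build a boto3 KMS client from the temporary credentials in memory (nothing written to disk), and hand that client to Tink for envelope encryption. The role ARN, region and session name are placeholders; `awskms.new_client(boto3_client=..., key_uri=...)` is assumed to be the client-accepting constructor in current tink-py, so check it against your installed version.

```python
"""Cross-account KMS client for Tink without writing credentials to disk."""
from typing import Any, Callable, Dict, Optional


def assume_role_credentials(sts_client: Any, role_arn: str, session_name: str,
                            duration_seconds: int = 900) -> Dict[str, str]:
    """Call STS AssumeRole and map the temporary credentials to boto3 kwargs.

    The credentials only ever live in memory; no temp file is involved.
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,      # shows up in CloudTrail for the KMS calls
        DurationSeconds=duration_seconds,  # 900 s is the shortest lifetime STS allows
    )
    creds = resp["Credentials"]
    # AssumeRole credentials are only valid together with their session token;
    # a KMS client built without it is rejected, so fail early if it is missing.
    if not creds.get("SessionToken"):
        raise ValueError("AssumeRole response is missing SessionToken")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def cross_account_kms_client(role_arn: str, region: str, session_name: str,
                             client_factory: Optional[Callable[..., Any]] = None) -> Any:
    """Build a boto3 KMS client that acts as the assumed role in the key-owning account."""
    if client_factory is None:
        import boto3  # imported lazily so the module loads without boto3
        client_factory = boto3.client
    sts = client_factory("sts")  # uses the caller's own (Account B) credentials
    kwargs = assume_role_credentials(sts, role_arn, session_name)
    return client_factory("kms", region_name=region, **kwargs)


def envelope_aead_for(kms_client: Any, key_uri: str):
    """Wrap the in-memory KMS client into a Tink KMS envelope AEAD."""
    from tink import aead
    from tink.integration import awskms
    aead.register()
    # Assumed API (see lead-in): pass the prebuilt boto3 client instead of a credentials file.
    remote = awskms.new_client(boto3_client=kms_client, key_uri=key_uri).get_aead(key_uri)
    return aead.KmsEnvelopeAead(aead.aead_key_templates.AES256_GCM, remote)
```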