Open
Description
Security issue notifications
If you discover a potential security issue in the AWS Encryption SDK we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.
Problem:
KMSMasterKey swallows root causes:
```python
try:
    response = self.config.client.generate_data_key(**kms_params)
    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.10
    # //# The response's "Plaintext" MUST be the plaintext in the output.
    plaintext = response["Plaintext"]
    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.10
    # //# The response's cipher text blob MUST be used as the returned as the
    # //# ciphertext for the encrypted data key in the output.
    ciphertext = response["CiphertextBlob"]
    key_id = response["KeyId"]
except (ClientError, KeyError):
    error_message = "Master Key {key_id} unable to generate data key".format(key_id=self._key_id)
    _LOGGER.exception(error_message)
    raise GenerateKeyError(error_message)
```
Solution:
Log actual error. I am debugging in the dark here.
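One way to keep the root cause visible, shown as an added example that is not the SDK's code or a patch from the project: the handler names the underlying exception in the message and chains it with `raise ... from`. `ClientError` and `GenerateKeyError` here are local stand-ins for the real classes, and the two client stubs and their error text are constructed for the demonstration.

```python
import logging

_LOGGER = logging.getLogger(__name__)


class ClientError(Exception):
    """Local stand-in for botocore.exceptions.ClientError (assumption)."""


class GenerateKeyError(Exception):
    """Local stand-in for the SDK's GenerateKeyError (assumption)."""


class FailingKmsClient:
    """Constructed stub: the KMS call itself fails."""

    def generate_data_key(self, **kms_params):
        raise ClientError("AccessDeniedException: constructed sample failure")


class IncompleteKmsClient:
    """Constructed stub: the response is missing the "Plaintext" field."""

    def generate_data_key(self, **kms_params):
        return {"CiphertextBlob": b"constructed", "KeyId": kms_params["KeyId"]}


def generate_data_key(client, key_id):
    """Return (plaintext, ciphertext, key_id) or raise GenerateKeyError with its cause."""
    kms_params = {"KeyId": key_id, "NumberOfBytes": 32}
    try:
        response = client.generate_data_key(**kms_params)
        return response["Plaintext"], response["CiphertextBlob"], response["KeyId"]
    except (ClientError, KeyError) as error:
        # Put the underlying failure in the message and chain it explicitly,
        # so logs and callers see why the call failed, not only that it failed.
        # Only the exception is included; no key material is ever formatted in.
        error_message = "Master Key {key_id} unable to generate data key: {cause!r}".format(
            key_id=key_id, cause=error
        )
        _LOGGER.exception(error_message)
        raise GenerateKeyError(error_message) from error
```

Callers can then inspect `__cause__` on the raised `GenerateKeyError` to tell a denied KMS call apart from a malformed response.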