Skip to content

signing and encryption keys in gcp, aws, azure kms#307

Merged
rootflo-hardik merged 2 commits into
developfrom
fix/separate_sign_encrypt_keys_kms
Jul 1, 2026
Merged

signing and encryption keys in gcp, aws, azure kms#307
rootflo-hardik merged 2 commits into
developfrom
fix/separate_sign_encrypt_keys_kms

Conversation

@rootflo-hardik

@rootflo-hardik rootflo-hardik commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • New Features

    • Encryption and decryption now support separate dedicated keys across AWS, Azure, and GCP.
    • Azure Key Vault can use a distinct key and key version for encrypt/decrypt operations.
  • Bug Fixes

    • Added clear errors when encryption/decryption keys are not configured, preventing silent fallback to the wrong key.
    • Improved key selection so decrypt operations only run when the encryption-specific key is available.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99cc46ec-fa62-4878-8700-d0dabb3607aa

📥 Commits

Reviewing files that changed from the base of the PR and between fc31fa6 and 68413e6.

📒 Files selected for processing (1)
  • wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py

📝 Walkthrough

Walkthrough

AwsKMS, AzureKMS, and GcpKMS now each use a separate configured encryption key for encrypt/decrypt operations. Initialization, client wiring, and runtime guards were updated so missing encryption-key settings raise ValueError.

Changes

Dedicated KMS encryption key support

Layer / File(s) Summary
AWS KMS dedicated encryption ARN
wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py
Adds AWS_KMS_ENC_ARN, stores it on the instance, and requires it in encrypt()/decrypt() using KeyId=self.aws_kms_enc_arn.
Azure Key Vault dedicated encryption key
wavefront/server/packages/flo_cloud/flo_cloud/azure/key_vault.py
Extends AzureKMS.__init__ with enc_key_name/enc_key_version, resolves them from AZURE_KEY_VAULT_ENC_KEY_NAME/VERSION, creates enc_crypto_client, and routes encrypt()/decrypt() through it with a missing-key guard.
GCP KMS dedicated encryption key
wavefront/server/packages/flo_cloud/flo_cloud/gcp/kms.py
Derives self.enc_key_name only from GCP_KMS_ENC_CRYPTO_KEY and raises ValueError in decrypt() when it is unset.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • rootflo/wavefront#255: Related Azure Key Vault work in the same module, with overlapping constructor and crypto-client wiring changes.

Suggested reviewers: vishnurk6247

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: separating signing and encryption keys across GCP, AWS, and Azure KMS.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/separate_sign_encrypt_keys_kms

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
wavefront/server/packages/flo_cloud/flo_cloud/azure/key_vault.py (1)

40-56: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Document the new encryption-key configuration.

enc_key_name/enc_key_version add new setup knobs, but the class docstring still only lists the primary signing key env vars. Please add AZURE_KEY_VAULT_ENC_KEY_NAME as required for encrypt/decrypt and AZURE_KEY_VAULT_ENC_KEY_VERSION as optional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@wavefront/server/packages/flo_cloud/flo_cloud/azure/key_vault.py` around
lines 40 - 56, Update the KeyVault class documentation to include the new
encryption-key settings introduced alongside enc_key_name and enc_key_version.
In the docstring for the Azure Key Vault configuration, add
AZURE_KEY_VAULT_ENC_KEY_NAME as a required environment variable for
encrypt/decrypt and AZURE_KEY_VAULT_ENC_KEY_VERSION as an optional one, matching
the existing descriptions for the primary key settings.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py`:
- Line 25: AwsKMS.encrypt() and AwsKMS.decrypt() are returning the full boto3
response dict instead of the raw payload bytes, which makes them inconsistent
with FloKMS and the other providers. Update the AwsKMS methods to extract and
return the actual byte fields from the KMS response: use CiphertextBlob from
encrypt() and Plaintext from decrypt(), keeping the public behavior aligned with
the other KMS implementations.

---

Nitpick comments:
In `@wavefront/server/packages/flo_cloud/flo_cloud/azure/key_vault.py`:
- Around line 40-56: Update the KeyVault class documentation to include the new
encryption-key settings introduced alongside enc_key_name and enc_key_version.
In the docstring for the Azure Key Vault configuration, add
AZURE_KEY_VAULT_ENC_KEY_NAME as a required environment variable for
encrypt/decrypt and AZURE_KEY_VAULT_ENC_KEY_VERSION as an optional one, matching
the existing descriptions for the primary key settings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43de534a-8e16-4dd9-a8dc-e56db5cadab6

📥 Commits

Reviewing files that changed from the base of the PR and between fe9326d and fc31fa6.

📒 Files selected for processing (3)
  • wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py
  • wavefront/server/packages/flo_cloud/flo_cloud/azure/key_vault.py
  • wavefront/server/packages/flo_cloud/flo_cloud/gcp/kms.py

Comment thread wavefront/server/packages/flo_cloud/flo_cloud/aws/kms.py Outdated
@rootflo-hardik rootflo-hardik merged commit 21e191d into develop Jul 1, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants