Encrypt throws incorrect error when a CMK within KMSMasterKeyProvider is disabled

[paavan98pm]

If a CMK is disabled/deleted within KMSMasterKeyProvider CMKs, the encrypt call throws a couple of errors (below).

botocore.errorfactory.DisabledException: An error occurred (DisabledException) when calling the Encrypt operation: arn:aws:kms:eu-west-2:xxxxxxx

aws_encryption_sdk.exceptions.EncryptKeyError: Master Key arn:aws:kms:eu-west-2

import aws_encryption_sdk

kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
    'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
])
my_plaintext = b'This is some super secret data!  Yup, sure is!'

my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=my_plaintext,
    key_provider=kms_key_provider,
    encryption_context={
        'not really': 'a secret',
        'but adds': 'some authentication'
    }
)

decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
    source=my_ciphertext,
    key_provider=kms_key_provider
)

assert my_plaintext == decrypted_plaintext
assert encryptor_header.encryption_context == decryptor_header.encryption_context

[mattsb42-aws]

The general pattern here is correct. The behavior of KMSMasterKeyProvider on encrypt is that all master keys must succeed or the entire process will fail.

That said, this should be being swallowed in either a GenerateKeyError or EncryptKeyError to simply say that the master key failed the requested operation.