Add a custom, restricted KMS master key provider, that could operate without kms:GenerateDataKey permission, but with kms:GenerateDataKeyWithoutPlaintext + kms:Decode instead. The provider is disabled by default, can be enabled by setting a flag per context key.
Add a custom, restricted KMS master key provider, that could operate without
kms:GenerateDataKey
permission, but withkms:GenerateDataKeyWithoutPlaintext
+kms:Decode
instead. The provider is disabled by default, can be enabled by setting a flag per context key.