def decrypt(file_input, s3_metadata, kms_client):
    """Decrypt an S3 object protected with KMS client-side encryption (CSE).

    The encryption envelope is taken from the object's metadata: the
    content-encryption algorithm, the IV, the material description and the
    stored data key.

    Args:
        file_input: File-like object holding the ciphertext; it is read in
            full with a single ``read()`` call.
        s3_metadata: Mapping of the object's metadata headers. HEADER_IV,
            HEADER_MATDESC and HEADER_KEY are looked up by subscript and
            are not guarded, so a missing header propagates the mapping's
            lookup error. HEADER_ALG is optional.
        kms_client: Client handed to ``get_decryption_aes_key`` together
            with the decoded key and the material description.

    Returns:
        A ``BytesIO`` wrapping the decrypted bytes.
    """
    logger.info("Decrypting Object with CSE-KMS")

    # HEADER_ALG may be absent; .get() then yields None.
    algorithm = s3_metadata.get(HEADER_ALG)
    init_vector = base64.b64decode(s3_metadata[HEADER_IV])
    mat_desc = json.loads(s3_metadata[HEADER_MATDESC])
    # The stored key is base64 text in the metadata; presumably it is the
    # KMS-wrapped data key that get_decryption_aes_key unwraps -- confirm
    # against that helper.
    stored_key = base64.b64decode(s3_metadata[HEADER_KEY])
    data_key = get_decryption_aes_key(stored_key, mat_desc, kms_client)

    # The whole ciphertext is buffered in memory before decryption.
    ciphertext = file_input.read()

    # NOTE(review): only an exact ALG_GCM match selects GCM. A missing header
    # and any other (including unrecognized) value both take the CBC path.
    # The algorithm header is read from the object's own metadata, so whoever
    # can write that metadata chooses the mode. If decrypt_cbc is plain
    # AES-CBC it carries no integrity check -- confirm whether callers should
    # reject unknown values or require GCM.
    if algorithm == ALG_GCM:
        plaintext = decrypt_gcm(ciphertext, data_key, init_vector)
    else:
        plaintext = decrypt_cbc(ciphertext, data_key, init_vector)

    return BytesIO(plaintext)