dependency aws-encryption-sdk v3.1.0 uses incompatible downstream dependency (cryptography >=40)

[jsonmart]

aws-encryption-sdk v3.1.0 (python hook runtime dependency) has a dependency on cryptogrpahy>2.5 (see https://github.com/aws/aws-encryption-sdk-python/blob/7950abd73ee333407d2dadd02ef2d57c3df464cf/requirements.txt#L2). This causes python hooks to be bundled with the latest version of cryptography (40.0.1), however the cryptography package has recently fully deprecated a method used by aws-encryption-sdk v3.1.0 (utils.verify_instance). This is resulting in a runtime exception for python hooks bundled with cloudformation-cli-python-lib v2.1.15:

Unable to import module 'x.handlers': cannot import name 'verify_interface' from 'cryptography.utils' (/var/task/cryptography/utils.py) 

aws-encryption-sdk v3.1.1 no longer uses the verify_instancemethod and looks like it could be a suitable replacement (see: https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.1.1).

[kremerpatrick]

Is there an easy way around this while we wait for the fix to be merged?

[jsonmart]

@kremerpatrick - you can add cryptography<40.0.0 to requirements.txt in your generated hook package as a temporary workaround.

[kremerpatrick]

That worked, thank you!

[mrinaudo-aws]

Hi @jsonmart and @kremerpatrick - new versions of the plugin and the lib, cloudformation-cli-python-plugin-2.1.8 and cloudformation-cli-python-lib-2.1.16 are now available updates from pip as of yesterday, and include the merged PR mentioned above. You should now be able to expunge the temporary workaround, upgrade your local copies of the plugin and lib from pip, package your extension(s) as usual, and test without having the related error. Let us know!

[kremerpatrick]

That worked, thanks!