Add KMS Region Override Configuration

Summary

Adds support for a dedicated KMS region configuration (AWS_KMS_REGION) that can override the controller's default AWS region for KMS operations. This allows users to specify a different AWS region for KMS keys while using another region for general AWS services.

Motivation

Users may need to store their KMS keys in a specific AWS region that differs from the region where their other AWS resources (DynamoDB, S3, etc.) are located.

Previously, KMS operations used the same region as other AWS services (AWS_REGION). This change adds an optional override to specify a separate region specifically for KMS.

Changes

Configuration

Added:

• CONTROLLER_DISPERSER_KMS_REGION environment variable
• --controller-disperser-kms-region CLI flag
• KMSRegion field in DispersalRequestSignerConfig struct

Region Resolution Logic:

When creating KMS client:
  If KMSRegion is specified → use it for KMS operations
  Else → use Region for KMS operations (existing behavior)

Files Modified

1. api/clients/v2/dispersal_request_signer.go

   • Added KMSRegion optional field to DispersalRequestSignerConfig
   • Updated NewKMSDispersalRequestSigner to check KMSRegion first, fallback to Region
   • Updated error messages to include the actual region being used

2. disperser/cmd/controller/flags/flags.go

   • Added DisperserKMSRegionFlag for KMS region override
   • Added flag to optional flags list

3. disperser/cmd/controller/config.go

   • Wired new KMSRegion flag to DispersalRequestSignerConfig

4. api/clients/v2/dispersal_request_signer_test.go

   • Added TestKMSRegionOverride - Verifies KMSRegion overrides Region
   • Added TestKMSRegionDefault - Verifies default behavior when KMSRegion is not set

Usage Examples

Example 1: Using Different Regions for KMS and Other Services

# General AWS resources in us-east-1
export AWS_REGION=us-east-1

# KMS key stored in us-west-2
export CONTROLLER_DISPERSER_KMS_REGION=us-west-2
export CONTROLLER_DISPERSER_KMS_KEY_ID=arn:aws:kms:us-west-2:...

# Start controller
./controller --config controller.yaml

Example 2: Using Same Region (Default Behavior)

# Both AWS resources and KMS in us-east-1
export AWS_REGION=us-east-1
export CONTROLLER_DISPERSER_KMS_KEY_ID=arn:aws:kms:us-east-1:...

# No need to set CONTROLLER_DISPERSER_KMS_REGION
# KMS will automatically use AWS_REGION

# Start controller
./controller --config controller.yaml

Testing

Unit Tests

✅ All tests pass

• TestKMSRegionOverride - Verifies KMSRegion overrides Region
• TestKMSRegionDefault - Verifies default behavior when KMSRegion is not set

Backward Compatibility

✅ Fully backward compatible

• No breaking changes
• Existing configurations continue to work unchanged
• New setting is optional
• Default behavior: KMS uses AWS_REGION when override is not specified

Configuration Reference

Implementation Details

The implementation is straightforward:

// Determine which region to use for KMS operations
kmsRegion := config.Region
if config.KMSRegion != "" {
    kmsRegion = config.KMSRegion
}

// Create KMS client using the determined region