Make router.kms_provider() unneeded if only a single provider is configured

timgraham · timgraham · commit c095f6a85608 · 2025-10-28T12:59:22.000-04:00
diff --git a/django_mongodb_backend/schema.py b/django_mongodb_backend/schema.py
@@ -498,8 +498,15 @@ def _get_encrypted_fields(self, model, key_alt_name=None, path_prefix=None):
         key_vault_collection.create_index(
             "keyAltNames", unique=True, partialFilterExpression={"keyAltNames": {"$exists": True}}
         )
-
-        kms_provider = router.kms_provider(model)
+        # Select the KMS provider.
+        kms_providers = auto_encryption_opts._kms_providers
+        if len(kms_providers) == 1:
+            # If one provider is configured, no need to consult the router.
+            kms_provider = next(iter(kms_providers.keys()))
+        else:
+            # Otherwise, call the user-defined router.kms_provider().
+            kms_provider = router.kms_provider(model)
+        # Providing master_key raises an error for the local provider.
         master_key = connection.settings_dict.get("KMS_CREDENTIALS").get(kms_provider)
         client_encryption = self.connection.client_encryption
 
diff --git a/docs/howto/queryable-encryption.rst b/docs/howto/queryable-encryption.rst
@@ -124,9 +124,6 @@ models in that application. The router also specifies the :ref:`KMS provider
                 return "encrypted"
             return None
 
-        def kms_provider(self, model, **hints):
-            return "local"
-
         db_for_write = db_for_read
 
 Then in your Django settings, add the custom database router to the
@@ -194,10 +191,12 @@ Example of KMS configuration with ``aws`` in your :class:`kms_providers
         },
     }
 
-In your :ref:`custom database router <qe-configuring-database-routers-setting>`,
-specify the KMS provider to use for the models in your application:
+(TODO: If there's a use case for multiple providers, motivate with a use case
+and add a test.)
 
-.. code-block:: python
+If you've configured multiple KMS providers, you must define logic to determine
+the provider for each model in your :ref:`database router
+<qe-configuring-database-routers-setting>`::
 
     class EncryptedRouter:
         # ...
diff --git a/docs/ref/utils.rst b/docs/ref/utils.rst
@@ -83,8 +83,3 @@ following parts can be considered stable.
                     else:
                         return db == "default"
                 return None
-
-            def kms_provider(self, model):
-                if model_has_encrypted_fields(model):
-                    return "local"
-            return None
