Make router.kms_provider() unneeded if only a single provider is configured

timgraham · timgraham · commit 7f0d08d09542 · 2025-10-27T15:48:15.000-04:00
diff --git a/django_mongodb_backend/schema.py b/django_mongodb_backend/schema.py
@@ -498,9 +498,14 @@ def _get_encrypted_fields(self, model, key_alt_name=None, path_prefix=None):
         key_vault_collection.create_index(
             "keyAltNames", unique=True, partialFilterExpression={"keyAltNames": {"$exists": True}}
         )
-
-        kms_provider = router.kms_provider(model)
+        # Select the KMS provider.
         kms_providers = auto_encryption_opts._kms_providers
+        if len(kms_providers) == 1:
+            # If one provider is configured, no need to consult the router.
+            kms_provider = next(iter(kms_providers.keys()))
+        else:
+            # Otherwise, call the user-defined router.kms_provider().
+            kms_provider = router.kms_provider(model)
         # Providing master_key raises an error for the local provider.
         master_key = kms_providers[kms_provider] if kms_provider != "local" else None
         client_encryption = self.connection.client_encryption
diff --git a/docs/howto/queryable-encryption.rst b/docs/howto/queryable-encryption.rst
@@ -124,9 +124,6 @@ models in that application. The router also specifies the :ref:`KMS provider
                 return "encrypted"
             return None
 
-        def kms_provider(self, model, **hints):
-            return "local"
-
         db_for_write = db_for_read
 
 Then in your Django settings, add the custom database router to the
@@ -184,11 +181,12 @@ Example of KMS configuration with ``aws`` in your :class:`kms_providers
         },
     }
 
+(TODO: If there's a use case for multiple providers, motivate with a use case
+and add a test.)
 
-In your :ref:`custom database router <qe-configuring-database-routers-setting>`,
-specify the KMS provider to use for the models in your application:
-
-.. code-block:: python
+If you've configured multiple KMS providers, you must define logic to determine
+the provider for each model in your :ref:`database router
+<qe-configuring-database-routers-setting>`::
 
     class EncryptedRouter:
         # ...
diff --git a/docs/ref/utils.rst b/docs/ref/utils.rst
@@ -83,8 +83,3 @@ following parts can be considered stable.
                     else:
                         return db == "default"
                 return None
-
-            def kms_provider(self, model):
-                if model_has_encrypted_fields(model):
-                    return "local"
-            return None
