Encrypted Client

High-level helper class to provide a familiar interface to encrypted tables.

class dynamodb_encryption_sdk.encrypted.client.EncryptedClient(client, materials_provider, attribute_actions=None, auto_refresh_table_indexes=True, expect_standard_dictionaries=False)

Bases: object

High-level helper class to provide a familiar interface to encrypted tables.

>>> import boto3
>>> from dynamodb_encryption_sdk.encrypted.client import EncryptedClient
>>> from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
>>> client = boto3.client('dynamodb')
>>> aws_kms_cmp = AwsKmsCryptographicMaterialsProvider('alias/MyKmsAlias')
>>> encrypted_client = EncryptedClient(
...     client=client,
...     materials_provider=aws_kms_cmp
... )

Note

This class provides a superset of the boto3 DynamoDB client API, so should work as a drop-in replacement once configured.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#client

If you want to provide per-request cryptographic details, the put_item, get_item, query, scan, batch_write_item, and batch_get_item methods will also accept a crypto_config parameter, defining a custom CryptoConfig instance for this request.

Warning

We do not currently support the update_item method.

Parameters:
  • client (boto3.resources.base.BaseClient) – Pre-configured boto3 DynamoDB client object
  • materials_provider (CryptographicMaterialsProvider) – Cryptographic materials provider to use
  • attribute_actions (AttributeActions) – Table-level configuration of how to encrypt/sign attributes
  • auto_refresh_table_indexes (bool) – Should we attempt to refresh information about table indexes? Requires dynamodb:DescribeTable permissions on each table. (default: True)
  • expect_standard_dictionaries (bool) – Should we expect items to be standard Python dictionaries? This should only be set to True if you are using a client obtained from a service resource or table resource (ex: table.meta.client). (default: False)
get_paginator(operation_name)

Get a paginator from the underlying client. If the paginator requested is for “scan” or “query”, the paginator returned will transparently decrypt the returned items.

Parameters:operation_name (str) – Name of operation for which to get paginator
Returns:Paginator for name
Return type:botocore.paginate.Paginator or EncryptedPaginator
update_item(**kwargs)

Update item is not yet supported.

Raises:NotImplementedError – if called
class dynamodb_encryption_sdk.encrypted.client.EncryptedPaginator(paginator, decrypt_method, crypto_config_method)

Bases: object

Paginator that decrypts returned items before returning them.

Parameters:
  • paginator (botocore.paginate.Paginator) – Pre-configured boto3 DynamoDB paginator object
  • decrypt_method – Item decryptor method from dynamodb_encryption_sdk.encrypted.item
  • crypto_config_method (callable) – Callable that returns a CryptoConfig
paginate(**kwargs)

Create an iterator that will paginate through responses from the underlying paginator, transparently decrypting any returned items.

validate_decrypt_method(attribute, value)

Validate that _decrypt_method is one of the item encryptors.