Encrypted Client

High-level helper class to provide a familiar interface to encrypted tables.

class dynamodb_encryption_sdk.encrypted.client.EncryptedClient(client: botocore.client.BaseClient, materials_provider: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider, attribute_actions: Optional[dynamodb_encryption_sdk.structures.AttributeActions] = None, auto_refresh_table_indexes: Optional[bool] = True, expect_standard_dictionaries: Optional[bool] = False)[source]

Bases: object

High-level helper class to provide a familiar interface to encrypted tables.

>>> import boto3
>>> from dynamodb_encryption_sdk.encrypted.client import EncryptedClient
>>> from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
>>> client = boto3.client('dynamodb')
>>> aws_kms_cmp = AwsKmsCryptographicMaterialsProvider('alias/MyKmsAlias')
>>> encrypted_client = EncryptedClient(
...     client=client,
...     materials_provider=aws_kms_cmp
... )

Note

This class provides a superset of the boto3 DynamoDB client API, so should work as a drop-in replacement once configured.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#client

If you want to provide per-request cryptographic details, the put_item, get_item, query, scan, batch_write_item, and batch_get_item methods will also accept a crypto_config parameter, defining a custom CryptoConfig instance for this request.

Warning

We do not currently support the update_item method.

Parameters

client (boto3.resources.base.BaseClient) – Pre-configured boto3 DynamoDB client object
materials_provider (CryptographicMaterialsProvider) – Cryptographic materials provider to use
attribute_actions (AttributeActions) – Table-level configuration of how to encrypt/sign attributes
auto_refresh_table_indexes (bool) – Should we attempt to refresh information about table indexes? Requires dynamodb:DescribeTable permissions on each table. (default: True)
expect_standard_dictionaries (bool) – Should we expect items to be standard Python dictionaries? This should only be set to True if you are using a client obtained from a service resource or table resource (ex: table.meta.client). (default: False)

update_item(**kwargs)[source]

Update item is not yet supported.

Raises: NotImplementedError – if called

get_paginator(operation_name)[source]

Get a paginator from the underlying client. If the paginator requested is for “scan” or “query”, the paginator returned will transparently decrypt the returned items.

Parameters: operation_name (str) – Name of operation for which to get paginator
Returns: Paginator for name
Return type: botocore.paginate.Paginator or EncryptedPaginator

class dynamodb_encryption_sdk.encrypted.client.EncryptedPaginator(paginator: botocore.paginate.Paginator, decrypt_method: Callable, crypto_config_method: Callable)[source]

Bases: object

Paginator that decrypts returned items before returning them.

Parameters

paginator (botocore.paginate.Paginator) – Pre-configured boto3 DynamoDB paginator object
decrypt_method – Item decryptor method from dynamodb_encryption_sdk.encrypted.item
crypto_config_method (callable) – Callable that returns a CryptoConfig

validate_decrypt_method(attribute, value)[source]: Validate that _decrypt_method is one of the item encryptors.

paginate(**kwargs: Any) → Iterator[Dict][source]: Create an iterator that will paginate through responses from the underlying paginator, transparently decrypting any returned items.