Encrypted Client

High-level helper class to provide a familiar interface to encrypted tables.

class dynamodb_encryption_sdk.encrypted.client.EncryptedClient(client: botocore.client.BaseClient, materials_provider: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider, attribute_actions: Optional[dynamodb_encryption_sdk.structures.AttributeActions] = None, auto_refresh_table_indexes: Optional[bool] = True, expect_standard_dictionaries: Optional[bool] = False)[source]

Bases: object

High-level helper class to provide a familiar interface to encrypted tables.

>>> import boto3
>>> from dynamodb_encryption_sdk.encrypted.client import EncryptedClient
>>> from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
>>> client = boto3.client('dynamodb')
>>> aws_kms_cmp = AwsKmsCryptographicMaterialsProvider('alias/MyKmsAlias')
>>> encrypted_client = EncryptedClient(
...     client=client,
...     materials_provider=aws_kms_cmp
... )


This class provides a superset of the boto3 DynamoDB client API, so should work as a drop-in replacement once configured.


If you want to provide per-request cryptographic details, the put_item, get_item, query, scan, batch_write_item, and batch_get_item methods will also accept a crypto_config parameter, defining a custom CryptoConfig instance for this request.


We do not currently support the update_item method.

  • client (boto3.resources.base.BaseClient) – Pre-configured boto3 DynamoDB client object

  • materials_provider (CryptographicMaterialsProvider) – Cryptographic materials provider to use

  • attribute_actions (AttributeActions) – Table-level configuration of how to encrypt/sign attributes

  • auto_refresh_table_indexes (bool) – Should we attempt to refresh information about table indexes? Requires dynamodb:DescribeTable permissions on each table. (default: True)

  • expect_standard_dictionaries (bool) – Should we expect items to be standard Python dictionaries? This should only be set to True if you are using a client obtained from a service resource or table resource (ex: table.meta.client). (default: False)


Update item is not yet supported.


NotImplementedError – if called


Get a paginator from the underlying client. If the paginator requested is for “scan” or “query”, the paginator returned will transparently decrypt the returned items.


operation_name (str) – Name of operation for which to get paginator


Paginator for name

Return type

botocore.paginate.Paginator or EncryptedPaginator

class dynamodb_encryption_sdk.encrypted.client.EncryptedPaginator(paginator: botocore.paginate.Paginator, decrypt_method: Callable, crypto_config_method: Callable)[source]

Bases: object

Paginator that decrypts returned items before returning them.

  • paginator (botocore.paginate.Paginator) – Pre-configured boto3 DynamoDB paginator object

  • decrypt_method – Item decryptor method from dynamodb_encryption_sdk.encrypted.item

  • crypto_config_method (callable) – Callable that returns a CryptoConfig

validate_decrypt_method(attribute, value)[source]

Validate that _decrypt_method is one of the item encryptors.

paginate(**kwargs: Any) Iterator[Dict][source]

Create an iterator that will paginate through responses from the underlying paginator, transparently decrypting any returned items.