aws_encryption_sdk.key_providers.kms

Master Key Providers for use with AWS KMS

Classes

KMSMasterKey(**kwargs) Master Key class for KMS CMKs.
KMSMasterKeyConfig(key_id[, client, …]) Configuration object for MasterKey objects.
KMSMasterKeyProvider(**kwargs) Master Key Provider for KMS.
KMSMasterKeyProviderConfig([…]) Configuration object for KMSMasterKeyProvider objects.
class aws_encryption_sdk.key_providers.kms.KMSMasterKey(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKey

Master Key class for KMS CMKs.

New in version 1.5.0: Master key providers are deprecated. Use aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring instead.

Parameters:

Performs transformations needed for KMS.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig(key_id, client=NOTHING, grant_tokens=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyConfig

Configuration object for MasterKey objects.

Parameters:
  • key_id (str) – KMS CMK ID
  • client (botocore.client.KMS) – Boto3 KMS client
  • grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

client_default()

Create a client if one was not provided.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

Master Key Provider for KMS.

New in version 1.5.0: Master key providers are deprecated. Use aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring instead.

To encrypt data, you must configure KMSMasterKeyProvider with at least one CMK. If you configure KMSMasterKeyProvider with multiple CMKs, it generates the data key using the first CMK and encrypts that data key using the rest, so that the encrypted message includes a copy of the data key encrypted under each configured CMK.

>>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
>>> kms_key_provider = KMSMasterKeyProvider(key_ids=[
...     "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
...     "arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333",
... ])

You can also configure KMSMasterKeyProvider with CMKs in multiple regions:

>>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
>>> kms_key_provider = KMSMasterKeyProvider(key_ids=[
...     "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
...     "arn:aws:kms:us-west-2:3333333333333:key/33333333-3333-3333-3333-333333333333",
...     "arn:aws:kms:ap-northeast-1:4444444444444:key/44444444-4444-4444-4444-444444444444",
... ])
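The following is an added example, not code from the aws_encryption_sdk project or its documentation. It reproduces, offline, the behaviour the paragraph above describes: the data key is generated under the first CMK, encrypted under every remaining CMK, and the resulting message carries one encrypted data key per configured CMK, so a reader that can use any one of those CMKs can decrypt. Everything except the two sample key ARNs (taken from the examples above) is an assumption: `FakeKms` is a hypothetical dict-backed stand-in for AWS KMS, and `_seal`/`_open` are a stdlib HMAC-SHA256 counter-mode keystream with an HMAC tag standing in for the real ciphers. The message layout is a plain dict, not the SDK's message format.

```python
"""Simulated multi-CMK envelope encryption (added example, not SDK code)."""
import hashlib
import hmac
import secrets

# Sample key ARNs from the documentation above (constructed, non-existent accounts).
KEY_ARNS = [
    "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
    "arn:aws:kms:us-west-2:3333333333333:key/33333333-3333-3333-3333-333333333333",
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Hypothetical stand-in for KMS: master keys never leave this object."""

    def __init__(self, key_arns):
        self._keys = {arn: secrets.token_bytes(32) for arn in key_arns}

    def generate_data_key(self, key_arn):
        # Like GenerateDataKey: plaintext data key plus a copy wrapped under key_arn.
        data_key = secrets.token_bytes(32)
        return data_key, _seal(self._keys[key_arn], data_key)

    def encrypt(self, key_arn, plaintext):
        return _seal(self._keys[key_arn], plaintext)

    def decrypt(self, key_arn, blob):
        if key_arn not in self._keys:
            raise PermissionError("no access to " + key_arn)
        return _open(self._keys[key_arn], blob)


def encrypt_message(kms, key_arns, plaintext):
    """First CMK generates the data key; every other CMK wraps a copy of it."""
    first, rest = key_arns[0], key_arns[1:]
    data_key, wrapped = kms.generate_data_key(first)
    encrypted_data_keys = {first: wrapped}
    for arn in rest:
        encrypted_data_keys[arn] = kms.encrypt(arn, data_key)
    return {"encrypted_data_keys": encrypted_data_keys, "body": _seal(data_key, plaintext)}


def decrypt_message(kms, usable_key_arns, message):
    """Unwrap with whichever configured CMK matches one of the message's encrypted data keys."""
    for arn, wrapped in message["encrypted_data_keys"].items():
        if arn in usable_key_arns:
            data_key = kms.decrypt(arn, wrapped)
            return _open(data_key, message["body"])
    raise ValueError("no configured CMK can unwrap this message's data key")


if __name__ == "__main__":
    kms = FakeKms(KEY_ARNS)
    msg = encrypt_message(kms, KEY_ARNS, b"example plaintext")
    print("encrypted data keys:", len(msg["encrypted_data_keys"]))
    # A reader in us-west-2 that can only use the second CMK still decrypts.
    print(decrypt_message(kms, [KEY_ARNS[1]], msg))
```

The decrypt side shows why a multi-region configuration is useful: a reader holding only the `us-west-2` CMK decrypts without any call to `us-east-1`. A message whose body or wrapped data key has been altered fails tag verification in `_open` rather than decrypting to garbage.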

KMSMasterKeyProvider needs AWS credentials in order to interact with AWS KMS. There are two ways that you can provide these credentials:

  1. Provide your AWS credentials in one of the standard AWS credential discovery locations and the KMSMasterKeyProvider instance automatically discovers those credentials.
>>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
>>> import botocore.session
>>> kms_key_provider = KMSMasterKeyProvider()
  2. Provide an existing botocore session to KMSMasterKeyProvider. This option can be useful if you want to use specific credentials or if you want to reuse an existing botocore session instance to decrease startup costs.
>>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
>>> import botocore.session
>>> existing_botocore_session = botocore.session.Session(profile="custom")
>>> kms_key_provider = KMSMasterKeyProvider(botocore_session=existing_botocore_session)

If you need different credentials to use different CMKs, you can combine multiple KMSMasterKeyProvider or KMSMasterKey instances, each with its own credentials. However, we recommend that you use aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring and client suppliers for a simpler user experience.

Parameters:
  • config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)

Prepares mutable attributes.

add_regional_client(region_name)

Adds a regional client for the specified region if it does not already exist.

Parameters: region_name (str) – AWS Region ID (ex: us-east-1)

add_regional_clients_from_list(region_names)

Adds multiple regional clients for the specified regions if they do not already exist.

Parameters: region_names (list) – List of regions for which to pre-populate clients

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig(botocore_session=NOTHING, key_ids=NOTHING, region_names=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig

Configuration object for KMSMasterKeyProvider objects.

Parameters:
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)