aws_encryption_sdk.key_providers.kms

Master Key Providers for use with AWS KMS

Classes

  KMSMasterKey(**kwargs)                      Master Key class for KMS CMKs.
  KMSMasterKeyConfig(key_id[, client, …])     Configuration object for MasterKey objects.
  KMSMasterKeyProvider(**kwargs)              Master Key Provider for KMS.
  KMSMasterKeyProviderConfig([…])             Configuration object for KMSMasterKeyProvider objects.
class aws_encryption_sdk.key_providers.kms.KMSMasterKey(**kwargs)

  Bases: aws_encryption_sdk.key_providers.base.MasterKey

  Master Key class for KMS CMKs.

  New in version 1.5.0: Master key providers are deprecated. Use
  aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring instead.

  Parameters:
    - config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig) – Configuration object (config or individual parameters required)
    - key_id (bytes) – KMS CMK ID
    - client (botocore.client.KMS) – Boto3 KMS client
    - grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

  Performs transformations needed for KMS.
class aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig(key_id, client=NOTHING, grant_tokens=NOTHING)

  Bases: aws_encryption_sdk.key_providers.base.MasterKeyConfig

  Configuration object for MasterKey objects.

  Parameters:
    - key_id (bytes) – KMS CMK ID
    - client (botocore.client.KMS) – Boto3 KMS client
    - grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

  client_default()
    Create a client if one was not provided.
class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProvider(**kwargs)

  Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

  Master Key Provider for KMS.

  New in version 1.5.0: Master key providers are deprecated. Use
  aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring instead.

  To encrypt data, you must configure KMSMasterKeyProvider with at least one CMK. If you
  configure KMSMasterKeyProvider with multiple CMKs, it generates the data key using the
  first CMK and encrypts that data key using the rest, so that the encrypted message
  includes a copy of the data key encrypted under each configured CMK.

    >>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
    >>> kms_key_provider = KMSMasterKeyProvider(key_ids=[
    ...     "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
    ...     "arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333",
    ... ])

  You can also configure KMSMasterKeyProvider with CMKs in multiple regions:

    >>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
    >>> kms_key_provider = KMSMasterKeyProvider(key_ids=[
    ...     "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
    ...     "arn:aws:kms:us-west-2:3333333333333:key/33333333-3333-3333-3333-333333333333",
    ...     "arn:aws:kms:ap-northeast-1:4444444444444:key/44444444-4444-4444-4444-444444444444",
    ... ])

  KMSMasterKeyProvider needs AWS credentials in order to interact with AWS KMS. There are
  two ways that you can provide these credentials:

  - Provide your AWS credentials in one of the standard AWS credential discovery locations
    and the KMSMasterKeyProvider instance automatically discovers those credentials.

      >>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
      >>> kms_key_provider = KMSMasterKeyProvider()

  - Provide an existing botocore session to KMSMasterKeyProvider. This option can be useful
    if you want to use specific credentials or if you want to reuse an existing botocore
    session instance to decrease startup costs.

      >>> from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
      >>> import botocore.session
      >>> existing_botocore_session = botocore.session.Session(profile="custom")
      >>> kms_key_provider = KMSMasterKeyProvider(botocore_session=existing_botocore_session)

  If you need different credentials to use different CMKs, you can combine multiple
  KMSMasterKeyProvider or KMSMasterKey instances, each with their own credentials. However,
  we recommend that you use aws_encryption_sdk.keyrings.aws_kms.AwsKmsKeyring and client
  suppliers for a simpler user experience.

  Parameters:
    - config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)
    - botocore_session (botocore.session.Session) – botocore session object (optional)
    - key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
    - region_names (list) – List of regions for which to pre-populate clients (optional)

  Prepares mutable attributes.
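The following is an added example, not part of the SDK's own documentation, that puts the
multi-CMK, multi-region and credential options above together. It validates that every
configured key is a full KMS key ARN, derives the region_names list from those ARNs so the
provider's regional clients are pre-populated, and round-trips a message: encryption uses a
provider holding every CMK, decryption uses a provider holding only the last one, which
works because the message carries a copy of the data key wrapped under each CMK. The helper
names (parse_kms_arn, regions_for_keys, provider_kwargs, build_provider, round_trip), the
KMS_KEY_ARNS environment variable and the example ARNs are this example's own assumptions;
aws_encryption_sdk.encrypt and aws_encryption_sdk.decrypt are the SDK's module-level
functions of this page's generation. The ARN helpers run offline; round_trip needs KMS
access.

```python
"""Added example: build a KMSMasterKeyProvider from CMK ARNs and round-trip a message.

Not part of aws_encryption_sdk; helper names, example ARNs and the
KMS_KEY_ARNS variable are assumptions made for this example.
"""
import os
import re
from typing import Dict, List

# Layout of a KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
_KMS_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>[^:]*):"
    r"key/(?P<key_id>[^:/]+)$"
)


def parse_kms_arn(arn: str) -> Dict[str, str]:
    """Split a KMS key ARN into its fields; raise ValueError for anything else."""
    match = _KMS_ARN.match(arn)
    if match is None:
        raise ValueError("not a KMS key ARN: %r" % (arn,))
    return match.groupdict()


def is_kms_key_arn(value: str) -> bool:
    """True only for a full key ARN (bare key IDs and alias ARNs are rejected)."""
    return _KMS_ARN.match(value) is not None


def regions_for_keys(key_ids: List[str]) -> List[str]:
    """Distinct regions of the given key ARNs, in first-seen order."""
    regions: List[str] = []
    for key_id in key_ids:
        region = parse_kms_arn(key_id)["region"]
        if region not in regions:
            regions.append(region)
    return regions


def provider_kwargs(key_ids: List[str]) -> Dict[str, List[str]]:
    """Keyword arguments for KMSMasterKeyProvider: key_ids plus derived region_names.

    This example insists on full ARNs: a bare key ID carries no region, so
    nothing in the configuration says which regional endpoint it belongs to.
    """
    bad = [k for k in key_ids if not is_kms_key_arn(k)]
    if bad:
        raise ValueError("key_ids must be full KMS key ARNs, got: %r" % (bad,))
    return {"key_ids": list(key_ids), "region_names": regions_for_keys(key_ids)}


def build_provider(key_ids: List[str], botocore_session=None):
    """Construct the provider; the import is deferred so the helpers above run offline."""
    from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider

    kwargs = provider_kwargs(key_ids)
    if botocore_session is not None:
        kwargs["botocore_session"] = botocore_session
    return KMSMasterKeyProvider(**kwargs)


def round_trip(key_ids: List[str], plaintext: bytes, botocore_session=None) -> bytes:
    """Encrypt under every CMK, then decrypt with a provider that knows only the last one."""
    import aws_encryption_sdk

    encrypt_provider = build_provider(key_ids, botocore_session)
    ciphertext, _header = aws_encryption_sdk.encrypt(
        source=plaintext, key_provider=encrypt_provider
    )
    # The message holds the data key wrapped under each CMK, so a provider
    # with access to just one of them can still unwrap it.
    decrypt_provider = build_provider(key_ids[-1:], botocore_session)
    recovered, _header = aws_encryption_sdk.decrypt(
        source=ciphertext, key_provider=decrypt_provider
    )
    return recovered


if __name__ == "__main__":
    # Constructed placeholder ARNs, not real keys.
    example_keys = [
        "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111",
        "arn:aws:kms:us-west-2:222222222222:key/22222222-2222-2222-2222-222222222222",
    ]
    print(provider_kwargs(example_keys))
    # Set KMS_KEY_ARNS to comma-separated ARNs you may use to exercise KMS itself.
    real_keys = [k for k in os.environ.get("KMS_KEY_ARNS", "").split(",") if k]
    if real_keys:
        import botocore.session

        session = botocore.session.Session()  # standard credential discovery
        assert round_trip(real_keys, b"hello", session) == b"hello"
```

One caveat when reading round_trip: in the 1.x releases KMSMasterKeyProvider also attempts
to decrypt with any CMK named in the message that it was not configured with (it asks KMS
to decrypt on your behalf with that key), so the decrypt-side key list limits what the
provider starts with, not what it will try. Version 2.0 split this into
StrictAwsKmsMasterKeyProvider, which only uses the keys you list, and
DiscoveryAwsKmsMasterKeyProvider for the permissive behaviour; prefer the strict form so
that a message cannot cause calls against keys you did not intend to use.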
class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig(botocore_session=NOTHING, key_ids=NOTHING, region_names=NOTHING)

  Bases: aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig

  Configuration object for KMSMasterKeyProvider objects.

  Parameters:
    - botocore_session (botocore.session.Session) – botocore session object (optional)
    - key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
    - region_names (list) – List of regions for which to pre-populate clients (optional)