aws_encryption_sdk.key_providers.kms

Master Key Providers for use with AWS KMS

Classes

  • KMSMasterKey(**kwargs) – Master Key class for KMS CMKs.
  • KMSMasterKeyConfig(key_id[, client, …]) – Configuration object for MasterKey objects.
  • KMSMasterKeyProvider(**kwargs) – Master Key Provider for KMS.
  • KMSMasterKeyProviderConfig([…]) – Configuration object for KMSMasterKeyProvider objects.

class aws_encryption_sdk.key_providers.kms.KMSMasterKey(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKey

Master Key class for KMS CMKs.

Parameters:

Performs transformations needed for KMS.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig(key_id, client=NOTHING, grant_tokens=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyConfig

Configuration object for MasterKey objects.

Parameters:
  • key_id (str) – KMS CMK ID
  • client (botocore.client.KMS) – Boto3 KMS client
  • grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

client_default()

Create a client if one was not provided.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

Master Key Provider for KMS.

>>> import aws_encryption_sdk
>>> kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
...     'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
...     'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
... ])
>>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key')

Note

If no botocore_session is provided, the default botocore session will be used.

Note

If multiple AWS identities are needed, one of two options is available:

  • Additional KMSMasterKeyProvider instances may be added to the primary MasterKeyProvider.
  • KMSMasterKey instances may be manually created and added to this KMSMasterKeyProvider.

Parameters:
  • config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)

Prepares mutable attributes.

add_regional_client(region_name)

Adds a regional client for the specified region if it does not already exist.

Parameters:
  • region_name (str) – AWS Region ID (ex: us-east-1)

add_regional_clients_from_list(region_names)

Adds multiple regional clients for the specified regions if they do not already exist.

Parameters:
  • region_names (list) – List of regions for which to pre-populate clients

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig(botocore_session=NOTHING, key_ids=NOTHING, region_names=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig

Configuration object for KMSMasterKeyProvider objects.

Parameters:
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)
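
Added example (not part of the SDK or its documentation): a pre-flight check over a key_ids list that reports which regions its ARNs name (usable as region_names), which accounts it spans, and which entries are not full KMS ARNs. The names plan_key_ids and allowed_accounts and the bare alias in the sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Standard KMS ARN layout: arn:<partition>:kms:<region>:<account>:<key/...|alias/...>
_KMS_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d+):(?P<resource>(?:key|alias)/.+)$"
)


def plan_key_ids(key_ids, allowed_accounts=None):
    """Summarise a key_ids list before it is handed to KMSMasterKeyProvider.

    region_names: sorted regions named by accepted ARNs
    by_account:   {account: [ARNs]}, so cross-account key use is visible
    not_kms_arn:  entries that are not full KMS ARNs and so name no region
    rejected:     KMS ARNs whose account is outside allowed_accounts
    """
    regions, by_account = set(), defaultdict(list)
    not_kms_arn, rejected = [], []
    for key_id in key_ids:
        match = _KMS_ARN.match(key_id)
        if match is None:
            not_kms_arn.append(key_id)
            continue
        account = match.group("account")
        if allowed_accounts is not None and account not in allowed_accounts:
            rejected.append(key_id)
            continue
        regions.add(match.group("region"))
        by_account[account].append(key_id)
    return {
        "region_names": sorted(regions),
        "by_account": dict(by_account),
        "not_kms_arn": not_kms_arn,
        "rejected": rejected,
    }


# Constructed sample input: the ARNs from the doctest above plus a bare alias.
SAMPLE_KEY_IDS = [
    "arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222",
    "arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333",
    "arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key",
    "alias/local-only",
]

if __name__ == "__main__":
    print(plan_key_ids(SAMPLE_KEY_IDS, allowed_accounts={"2222222222222", "3333333333333"}))
```

Entries under rejected or not_kms_arn are worth resolving before the list is passed as key_ids, and the by_account grouping shows where a single AWS identity may not be enough.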