aws_encryption_sdk.key_providers.kms

Master Key Providers for use with AWS KMS

Classes

  • BaseKMSMasterKeyProvider(**kwargs) – Master Key Provider for KMS.
  • DiscoveryAwsKmsMasterKeyProvider(**kwargs) – Discovery Master Key Provider for KMS. This can only be used for decryption. It is configured with an optional Discovery Filter.
  • DiscoveryFilter([account_ids, partition]) – DiscoveryFilter to control accounts and partitions that can be used by a KMS Master Key Provider.
  • KMSMasterKey(**kwargs) – Master Key class for KMS CMKs.
  • KMSMasterKeyConfig(key_id[, client, …]) – Configuration object for MasterKey objects.
  • KMSMasterKeyProviderConfig([…]) – Configuration object for KMSMasterKeyProvider objects.
  • StrictAwsKmsMasterKeyProvider(**kwargs) – Strict Master Key Provider for KMS.

class aws_encryption_sdk.key_providers.kms.BaseKMSMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

Master Key Provider for KMS.

Note

Cannot be instantiated directly. Callers should use one of the implementing classes.

Prepares mutable attributes.

add_regional_client(region_name)

Adds a regional client for the specified region if it does not already exist.

Parameters:
  • region_name (str) – AWS Region ID (ex: us-east-1)

add_regional_clients_from_list(region_names)

Adds multiple regional clients for the specified regions if they do not already exist.

Parameters:
  • region_names (list) – List of regions for which to pre-populate clients

validate_config()

Validates the provided configuration.

Note

Must be implemented by specific KMSMasterKeyProvider implementations.

class aws_encryption_sdk.key_providers.kms.DiscoveryAwsKmsMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.kms.BaseKMSMasterKeyProvider

Discovery Master Key Provider for KMS. This can only be used for decryption. It is configured with an optional Discovery Filter containing AWS account ids and partitions that should be trusted for decryption. If a ciphertext was encrypted with an AWS KMS master key that matches an account and partition listed by this provider, decryption will succeed. Otherwise, decryption will fail. If no Discovery Filter is configured, the provider will attempt to decrypt any ciphertext created by an AWS KMS Master Key Provider.

>>> import aws_encryption_sdk
>>> from aws_encryption_sdk.key_providers.kms import DiscoveryFilter
>>> kms_key_provider = aws_encryption_sdk.DiscoveryAwsKmsMasterKeyProvider(discovery_filter=DiscoveryFilter(
...     account_ids=['2222222222222', '3333333333333'],
...     partition='aws'
... ))

Note

If no botocore_session is provided, the default botocore session will be used.

Parameters:
  • config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)

Sets configuration required by this provider type.

validate_config()

Validates the provided configuration.

class aws_encryption_sdk.key_providers.kms.DiscoveryFilter(account_ids=NOTHING, partition=None)

Bases: object

DiscoveryFilter to control accounts and partitions that can be used by a KMS Master Key Provider.

Parameters:
  • account_ids (list) – List of AWS Account Ids that are allowed to be used for decryption
  • partition (str) – The AWS partition to which account_ids belong

class aws_encryption_sdk.key_providers.kms.KMSMasterKey(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKey

Master Key class for KMS CMKs.

Performs transformations needed for KMS.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig(key_id, client=NOTHING, grant_tokens=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyConfig

Configuration object for MasterKey objects.

Parameters:
  • key_id (str) – KMS CMK ID
  • client (botocore.client.KMS) – Boto3 KMS client
  • grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

client_default()

Create a client if one was not provided.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig(botocore_session=NOTHING, key_ids=NOTHING, region_names=NOTHING, discovery_filter=None)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig

Configuration object for KMSMasterKeyProvider objects.

Parameters:
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)
  • discovery_filter (DiscoveryFilter) – Filter indicating AWS accounts and partitions whose keys will be trusted for decryption

class aws_encryption_sdk.key_providers.kms.StrictAwsKmsMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.kms.BaseKMSMasterKeyProvider

Strict Master Key Provider for KMS. It is configured with an explicit list of AWS KMS master keys that should be used for encryption and decryption. On encryption, the plaintext will be encrypted with all configured master keys. On decryption, the ciphertext will be decrypted with the first master key that can decrypt. If the ciphertext is encrypted with a master key that was not explicitly configured, decryption will fail.

>>> import aws_encryption_sdk
>>> kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
...     'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
...     'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
... ])
>>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key')
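The two trust policies described above (strict: only explicitly configured keys; discovery: any key from a trusted partition and account, or any key at all when no filter is set), as an added stdlib-only illustration that is not the SDK's own code. It assumes, as the real SDK does for KMS, that each encrypted data key in a ciphertext carries the full KMS key ARN, and it models the DiscoveryFilter as a plain dict; all ARNs used with it are constructed.

```python
import re

# Assumption: encrypted data keys carry a full KMS ARN of the form
# arn:<partition>:kms:<region>:<account>:key/<id> (or alias/<name>).
_KEY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]*):(?P<account>\d+):"
    r"(?P<resource>(?:key|alias)/.+)$"
)


def parse_key_arn(arn):
    """Return (partition, account, resource) from a KMS key or alias ARN."""
    m = _KEY_ARN.match(arn)
    if not m:
        raise ValueError("not a KMS key ARN: %r" % (arn,))
    return m.group("partition"), m.group("account"), m.group("resource")


def strict_accepts(configured_key_ids, edk_key_arn):
    """Strict mode: the ARN recorded in the encrypted data key must be one of
    the explicitly configured key ids; no other key is ever tried."""
    return edk_key_arn in set(configured_key_ids)


def discovery_accepts(discovery_filter, edk_key_arn):
    """Discovery mode: trust is decided by partition and account, never by
    key id. discovery_filter is None (trust everything) or a dict with
    'partition' (str) and 'account_ids' (list of str), mirroring DiscoveryFilter."""
    partition, account, _resource = parse_key_arn(edk_key_arn)
    if discovery_filter is None:
        return True  # no filter: any KMS key the caller can use is trusted
    return (partition == discovery_filter["partition"]
            and account in set(discovery_filter["account_ids"]))


def select_decrypting_key(accepts, edk_key_arns):
    """'Decrypt with the first master key that can decrypt': walk the
    ciphertext's encrypted data keys in order and return the first ARN the
    policy accepts, or None when decryption must fail."""
    for arn in edk_key_arns:
        if accepts(arn):
            return arn
    return None
```

An unfiltered discovery provider returns the first key in the ciphertext regardless of which account owns it, which is why the filter matters when ciphertexts can originate outside your own accounts.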

Note

If no botocore_session is provided, the default botocore session will be used.

Note

If multiple AWS Identities are needed, one of two options is available:

  • Additional KMSMasterKeyProvider instances may be added to the primary MasterKeyProvider.
  • KMSMasterKey instances may be manually created and added to this KMSMasterKeyProvider.

Parameters:
  • config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)
  • botocore_session (botocore.session.Session) – botocore session object (optional)
  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)
  • region_names (list) – List of regions for which to pre-populate clients (optional)

Sets configuration required by this provider type.

validate_config()

Validates the provided configuration.