aws_encryption_sdk.key_providers.kms

Master Key Providers for use with AWS KMS

Classes

KMSMasterKey(**kwargs)

Master Key class for KMS CMKs.

KMSMasterKeyConfig(key_id[, client, …])

Configuration object for MasterKey objects.

KMSMasterKeyProvider(**kwargs)

Master Key Provider for KMS.

KMSMasterKeyProviderConfig([…])

Configuration object for KMSMasterKeyProvider objects.

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig(botocore_session=NOTHING, key_ids=NOTHING, region_names=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProviderConfig

Configuration object for KMSMasterKeyProvider objects.

Parameters
  • botocore_session (botocore.session.Session) – botocore session object (optional)

  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)

  • region_names (list) – List of regions for which to pre-populate clients (optional)

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyProvider(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyProvider

Master Key Provider for KMS.

>>> import aws_encryption_sdk
>>> kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
...     'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
...     'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
... ])
>>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key')

Note

If no botocore_session is provided, the default botocore session will be used.

Note

If multiple AWS Identities are needed, one of two options is available:

  • Additional KMSMasterKeyProvider instances may be added to the primary MasterKeyProvider.

  • KMSMasterKey instances may be manually created and added to this KMSMasterKeyProvider.
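An added example (not part of the SDK's own documentation or code) of the first option above: one KMSMasterKeyProvider per identity, chained with add_master_key_provider from the base MasterKeyProvider class. The plan_identities and build_provider helpers and the profile names passed to them are hypothetical. The check rejects key IDs that are not full ARNs, because KMS resolves a bare key ID or alias in the caller's own account and the client's region.

```python
import re

# arn:<partition>:kms:<region>:<account>:key/<id> or ...:alias/<name>
_KMS_ARN = re.compile(r"^arn:[^:]+:kms:(?P<region>[a-z0-9-]+):\d+:(?:key|alias)/.+$")


def plan_identities(keys_by_profile):
    """Check a {profile: [key ARN, ...]} mapping; return {profile: [regions]}.

    Raises ValueError for a key ID that is not a full ARN (KMS would resolve it
    in the caller's own account and region) or that appears under two profiles.
    """
    owner, regions = {}, {}
    for profile, key_ids in keys_by_profile.items():
        found = regions.setdefault(profile, set())
        for key_id in key_ids:
            match = _KMS_ARN.match(key_id)
            if match is None:
                raise ValueError("not a full KMS ARN: %r" % (key_id,))
            if owner.setdefault(key_id, profile) != profile:
                raise ValueError("%r is listed under two profiles" % (key_id,))
            found.add(match.group("region"))
    return {profile: sorted(found) for profile, found in regions.items()}


def build_provider(keys_by_profile):
    """One KMSMasterKeyProvider per identity, chained to the first one."""
    # Imported here so plan_identities() works without the SDK installed.
    import botocore.session
    from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider

    if not keys_by_profile:
        raise ValueError("no identities given")
    plan = plan_identities(keys_by_profile)
    primary = None
    for profile, key_ids in keys_by_profile.items():
        provider = KMSMasterKeyProvider(
            # Hypothetical profile names from the local AWS config, one per identity.
            botocore_session=botocore.session.Session(profile=profile),
            key_ids=list(key_ids),
            region_names=plan[profile],
        )
        if primary is None:
            primary = provider
        else:
            primary.add_master_key_provider(provider)
    return primary
```

build_provider needs the SDK, botocore, and the named profiles in the local AWS configuration; plan_identities runs on its own and can be used to vet a key list before any client is created.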

Parameters
  • config (aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig) – Configuration object (optional)

  • botocore_session (botocore.session.Session) – botocore session object (optional)

  • key_ids (list) – List of KMS CMK IDs with which to pre-populate provider (optional)

  • region_names (list) – List of regions for which to pre-populate clients (optional)

Prepares mutable attributes.

add_regional_client(region_name)

Adds a regional client for the specified region if it does not already exist.

Parameters

region_name (str) – AWS Region ID (ex: us-east-1)

add_regional_clients_from_list(region_names)

Adds multiple regional clients for the specified regions if they do not already exist.

Parameters

region_names (list) – List of regions for which to pre-populate clients

class aws_encryption_sdk.key_providers.kms.KMSMasterKeyConfig(key_id, client=NOTHING, grant_tokens=NOTHING)

Bases: aws_encryption_sdk.key_providers.base.MasterKeyConfig

Configuration object for MasterKey objects.

Parameters
  • key_id (str) – KMS CMK ID

  • client (botocore.client.KMS) – Boto3 KMS client

  • grant_tokens (list) – List of grant tokens to pass to KMS on CMK operations

client_default()

Create a client if one was not provided.

class aws_encryption_sdk.key_providers.kms.KMSMasterKey(**kwargs)

Bases: aws_encryption_sdk.key_providers.base.MasterKey

Master Key class for KMS CMKs.

Parameters

Performs transformations needed for KMS.