This section features examples that show you how to use the AWS DynamoDB Encryption Client. We demonstrate how to use the encryption and decryption APIs and how to set up some common configuration patterns.
The AWS DynamoDB Encryption Client provides four high-level APIs: EncryptedClient, EncryptedItem, EncryptedResource, and EncryptedTable.
You can find examples that demonstrate these APIs in the examples/src/dynamodb_encryption_sdk_examples directory. Each of these examples uses AWS KMS as the materials provider.
- How to use the EncryptedClient API
- How to use the EncryptedItem API
- How to use the EncryptedResource API
- How to use the EncryptedTable API
To use the encryption and decryption APIs, you need to describe how you want the library to protect your data keys. You can do this by configuring material providers. AWS KMS is the most common material provider used with the AWS DynamoDB Encryption SDK, and each of the API examples above uses AWS KMS. This section describes the other providers that come bundled with this library.
- How to use the CachingMostRecentProvider
- How to use raw symmetric wrapping keys
- How to use raw asymmetric wrapping keys
For more details on the different types of material providers, see How to choose a cryptographic materials provider.
To run these examples, the following must be configured:
- Ensure that AWS credentials are available in one of the automatically discoverable credential locations.
- The `AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID` environment variable must be set to a valid AWS KMS CMK ARN that can be used by the available credentials.
- The `AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID` and `AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2` environment variables must be set to two related AWS KMS Multi-Region key IDs in different regions.
- The `DDB_ENCRYPTION_CLIENT_TEST_TABLE_NAME` environment variable must be set to a valid DynamoDB table name, in the default region, to which the discoverable credentials have read, write, and describe permissions.
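The following preflight check is an added example, not part of this project's code. It validates the environment variables listed above offline, before any example touches AWS KMS or DynamoDB. It assumes all three key variables are supplied as full key ARNs, and it does not verify credentials or permissions; `check_example_env` is a hypothetical helper name.

```python
import os
import re

# Key ARN shape: arn:<partition>:kms:<region>:<12-digit account>:key/<key-id>
KEY_ARN = re.compile(r"^arn:(aws[\w-]*):kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$")

CMK = "AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID"
MRK_1 = "AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID"
MRK_2 = "AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2"
TABLE = "DDB_ENCRYPTION_CLIENT_TEST_TABLE_NAME"


def check_example_env(env=None):
    """Return a list of problems; an empty list means the variables look usable."""
    env = os.environ if env is None else env
    problems = []
    arns = {}
    for name in (CMK, MRK_1, MRK_2):
        value = env.get(name, "").strip()
        match = KEY_ARN.match(value)
        if not value:
            problems.append(f"{name} is not set")
        elif not match:
            problems.append(f"{name} is not a KMS key ARN")
        else:
            arns[name] = match.groups()  # (partition, region, account, key_id)

    if MRK_1 in arns and MRK_2 in arns:
        (_, region_1, _, key_1), (_, region_2, _, key_2) = arns[MRK_1], arns[MRK_2]
        # Multi-Region key IDs start with "mrk-"; related keys share one key ID.
        if not (key_1.startswith("mrk-") and key_2.startswith("mrk-")):
            problems.append("MRK variables must name multi-Region keys (mrk- prefix)")
        elif key_1 != key_2:
            problems.append("MRK variables are not related: key IDs differ")
        if region_1 == region_2:
            problems.append("MRK variables must be in different regions")

    # DynamoDB table names: 3-255 characters from a-z, A-Z, 0-9, '_', '-', '.'
    table = env.get(TABLE, "")
    if not re.fullmatch(r"[A-Za-z0-9_.-]{3,255}", table):
        problems.append(f"{TABLE} is missing or not a valid table name")
    return problems


if __name__ == "__main__":
    for problem in check_example_env():
        print("FAIL:", problem)
```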