aws_dbesdk_dynamodb.encrypted.client

High-level helper class to provide an encrypting wrapper for boto3 DynamoDB clients.

Classes

EncryptedClient(*, client, encryption_config)

Wrapper for a boto3 DynamoDB client that transparently encrypts/decrypts items.
class aws_dbesdk_dynamodb.encrypted.client.EncryptedClient(*, client: BaseClient, encryption_config: DynamoDbTablesEncryptionConfig, expect_standard_dictionaries: bool | None = False)

Bases: EncryptedBotoInterface

Wrapper for a boto3 DynamoDB client that transparently encrypts/decrypts items.

This class implements the complete boto3 DynamoDB client API, allowing it to serve as a drop-in replacement that transparently handles encryption and decryption of items.

The API matches the standard boto3 DynamoDB client interface:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#client

This class will encrypt/decrypt items for the following operations:

  • put_item

  • get_item

  • query

  • scan

  • batch_write_item

  • batch_get_item

  • transact_get_items

  • transact_write_items

  • delete_item

Any calls to update_item can only update unsigned attributes. If an attribute to be updated is marked as signed, this operation will raise a DynamoDbEncryptionTransformsException.

The following operations are not supported for encrypted tables:

  • execute_statement

  • execute_transaction

  • batch_execute_statement

Calling these operations for encrypted tables will raise a DynamoDbEncryptionTransformsException. This client can still be used to call these operations on plaintext tables.

Any other operations on this class will defer to the underlying boto3 DynamoDB client’s implementation.

EncryptedClient can also return an EncryptedPaginator for transparent decryption of paginated results.

Create an EncryptedClient object.

Parameters:

  • client (botocore.client.BaseClient) – Initialized boto3 DynamoDB client

  • encryption_config (DynamoDbTablesEncryptionConfig) – Initialized DynamoDbTablesEncryptionConfig

  • expect_standard_dictionaries (Optional[bool]) – Does the underlying boto3 client expect items to be standard Python dictionaries? This should only be set to True if you are using a client obtained from a service resource or table resource (ex: table.meta.client). If this is True, EncryptedClient will expect item-like shapes to be standard Python dictionaries (default: False).

__init__(*, client: BaseClient, encryption_config: DynamoDbTablesEncryptionConfig, expect_standard_dictionaries: bool | None = False)

Create an EncryptedClient object.

Parameters:

  • client (botocore.client.BaseClient) – Initialized boto3 DynamoDB client

  • encryption_config (DynamoDbTablesEncryptionConfig) – Initialized DynamoDbTablesEncryptionConfig

  • expect_standard_dictionaries (Optional[bool]) – Does the underlying boto3 client expect items to be standard Python dictionaries? This should only be set to True if you are using a client obtained from a service resource or table resource (ex: table.meta.client). If this is True, EncryptedClient will expect item-like shapes to be standard Python dictionaries (default: False).

put_item(**kwargs) dict[str, Any]

Put a single item to a table. Encrypts the item before writing to DynamoDB.

The input and output syntaxes match those for the boto3 DynamoDB put_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/put_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client put_item request syntax. The value in "Item" will be encrypted locally before being written to DynamoDB.

Returns:

The response from DynamoDB. This matches the boto3 client put_item response syntax.

Return type:

dict

get_item(**kwargs) dict[str, Any]

Get a single item from a table. Decrypts the item after reading from DynamoDB.

The input and output syntaxes match those for the boto3 DynamoDB get_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/get_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client get_item request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client get_item response syntax. The value in "Item" field be decrypted locally after being read from DynamoDB.

Return type:

dict

query(**kwargs) dict[str, Any]

Query items from a table or index. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB client query API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/query.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. These match the boto3 query API parameters.

Returns:

The response from DynamoDB. This matches the boto3 client query API response.

The "Items" field will be decrypted locally after being read from DynamoDB.

Return type:

dict

scan(**kwargs) dict[str, Any]

Scan an entire table or index. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB scan API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/scan.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client scan request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client scan response syntax. The values in "Items" will be decrypted locally after being read from DynamoDB.

Return type:

dict

batch_write_item(**kwargs) dict[str, Any]

Put or delete multiple items in one or more tables.

For put operations, encrypts items before writing.

The input and output syntaxes match those for the boto3 DynamoDB batch_write_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/batch_write_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client batch_write_item request syntax. Items in "PutRequest" values in the "RequestItems" argument will be encrypted locally before being written to DynamoDB.

Returns:

The response from DynamoDB. This matches the boto3 client batch_write_item response syntax.

Return type:

dict

batch_get_item(**kwargs) dict[str, Any]

Get multiple items from one or more tables. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB batch_get_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/batch_get_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 batch_get_item request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client batch_get_item response syntax. The values in "Responses" will be decrypted locally after being read from DynamoDB.

Return type:

dict

transact_get_items(**kwargs) dict[str, Any]

Get multiple items in a single transaction. Decrypts any returned items.

The input and output syntaxes match those for the boto3 DynamoDB transact_get_items API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/transact_get_items.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client transact_get_items request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client transact_get_items response syntax.

Return type:

dict

transact_write_items(**kwargs) dict[str, Any]

Perform multiple write operations in a single transaction.

For put operations, encrypts items before writing.

The input and output syntaxes match those for the boto3 DynamoDB client transact_write_items API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/transact_write_items.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client transact_write_items request syntax. Any "PutRequest" values in the "TransactItems" argument will be encrypted locally before being written to DynamoDB.

Returns:

The response from DynamoDB. This matches the boto3 client transact_write_items response syntax.

Return type:

dict

delete_item(**kwargs)

Delete an item from a table by the specified key.

The input and output syntaxes match those for the boto3 DynamoDB client delete_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/delete_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client delete_item request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client delete_item response syntax. Any values in the "Attributes" field will be decrypted locally after being read from DynamoDB.

Return type:

dict

update_item(**kwargs)

Update an unsigned attribute in an item on a table.

If the attribute is signed, this operation will raise DynamoDbEncryptionTransformsException.

The input and output syntaxes match those for the boto3 DynamoDB client update_item API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/update_item.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client update_item request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client update_item response syntax.

Return type:

dict

Raises:

DynamoDbEncryptionTransformsException – If an attribute specified in the UpdateExpression is signed.

execute_statement(**kwargs)

Call execute_statement on the underlying client if the table is not configured for encryption.

If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.

The input and output syntaxes match those for the boto3 DynamoDB client execute_statement API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/execute_statement.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client execute_statement request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client execute_statement response syntax.

Return type:

dict

Raises:

DynamoDbEncryptionTransformsException – If this operation is called for an encrypted table.

execute_transaction(**kwargs)

Call execute_transaction on the underlying client if the table is not configured for encryption.

If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.

The input and output syntaxes match those for the boto3 DynamoDB client execute_transaction API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/execute_transaction.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client execute_transaction request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client execute_transaction response syntax.

Return type:

dict

Raises:

DynamoDbEncryptionTransformsException – If this operation is called for an encrypted table.

batch_execute_statement(**kwargs)

Call batch_execute_statement on the underlying client if the table is not configured for encryption.

If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.

The input and output syntaxes match those for the boto3 DynamoDB client batch_execute_statement API:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/batch_execute_statement.html

Parameters:

**kwargs – Keyword arguments to pass to the operation. This matches the boto3 client batch_execute_statement request syntax.

Returns:

The response from DynamoDB. This matches the boto3 client batch_execute_statement response syntax.

Return type:

dict

Raises:

DynamoDbEncryptionTransformsException – If this operation is called for an encrypted table.

get_paginator(operation_name: str) EncryptedPaginator | Paginator

Get a paginator from the underlying client.

If the paginator requested is for “scan” or “query”, the paginator returned will transparently decrypt the returned items.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#paginators

Parameters:

operation_name (str) – Name of operation for which to get paginator

Returns:

An EncryptedPaginator that will transparently decrypt items for scan/query operations; for other operations, the standard paginator.

Return type:

EncryptedPaginator | botocore.client.Paginator