AWS DynamoDB Encryption Client for Python

Version 3.3.0, verified Mon Apr 27.

Client-side encryption library for Amazon DynamoDB that encrypts attribute values before storing them. Current version 3.3.0 (Aug 2024), Python 3.8+ required. Released by AWS, follows semantic versioning.

pip install dynamodb-encryption-sdk

error ModuleNotFoundError: No module named 'dynamodb_encryption_sdk'
cause Package not installed, or the name was mistyped.
fix Install with: pip install dynamodb-encryption-sdk. Then import: import dynamodb_encryption_sdk

error AttributeError: module 'dynamodb_encryption_sdk' has no attribute 'CryptoConfig'
cause Using old import path from v2.x or earlier.
fix Use: from dynamodb_encryption_sdk.encrypted import CryptoConfig

error TypeError: __init__() got an unexpected keyword argument 'key_id'
cause A keyword other than 'key_id' (for example 'key_arn' from an older API) was passed to AwsKmsCryptographicMaterialsProvider, or an older package version is installed.
fix The correct parameter is 'key_id'. Ensure you are using dynamodb-encryption-sdk>=3.0.0 and pass 'key_id' as the KMS key identifier.

error dynamodb_encryption_sdk.exceptions.AWSKmsError: An error occurred (AccessDeniedException) when calling the Decrypt operation: ...
cause The KMS key policy does not allow encrypt/decrypt for the current IAM role or user.
fix Check the KMS key policy and IAM permissions. Ensure the role has kms:Encrypt and kms:Decrypt for the specified key.

breaking Version 3.x drops Python 2, 3.4, 3.5, 3.6, and 3.7. Only Python 3.8+ is supported.
fix Upgrade Python to 3.8+ and use dynamodb-encryption-sdk>=3.0.0.

breaking MostRecentProvider removed in v2.0.0. It was replaced by CachingMostRecentProvider in v1.3.0, then removed entirely.
fix Use CachingMostRecentProvider from dynamodb_encryption_sdk.material_providers.caching.

deprecated Python 3.7 support deprecated in v3.3.0 and may be removed in a future release.
fix Upgrade Python to 3.8+.

gotcha AwsKmsCryptographicMaterialsProvider uses boto3 sessions; reusing a custom session can cause client conflicts if the same session is modified elsewhere.
fix Pass a fresh botocore session or use the default session. Avoid sharing one session across multiple material providers.

gotcha Do not reuse an encryption config across different table structures. TableInfo carries table schema metadata (key attributes) that must match the actual table.
fix Create a new TableInfo and CryptoConfig per table, or load the table's schema from DynamoDB.

The following example encrypts and decrypts an item using the AWS KMS cryptographic materials provider (CMP). Key attributes are signed but not encrypted, because DynamoDB must read them in plaintext.

import boto3
from dynamodb_encryption_sdk.encrypted import CryptoConfig
from dynamodb_encryption_sdk.encrypted.item import decrypt_dynamodb_item, encrypt_dynamodb_item
from dynamodb_encryption_sdk.identifiers import CryptoAction
from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
from dynamodb_encryption_sdk.structures import AttributeActions, EncryptionContext, TableInfo

kms_cmk_id = 'arn:aws:kms:us-east-1:123456789012:key/abc123'  # placeholder key ARN
key_provider = AwsKmsCryptographicMaterialsProvider(key_id=kms_cmk_id)

client = boto3.client('dynamodb')

# Read the table's key schema so the key attributes are signed but left unencrypted
table_info = TableInfo(name='my_table')
table_info.refresh_indexed_attributes(client)
actions = AttributeActions(default_action=CryptoAction.ENCRYPT_AND_SIGN)
actions.set_index_keys(*table_info.protected_index_keys())

plaintext_item = {'pk': {'S': 'test'}, 'data': {'S': 'secret'}}

# The KMS provider binds the table name and primary key values into the KMS encryption context
encryption_context = EncryptionContext(
    table_name='my_table',
    partition_key_name=table_info.primary_index.partition,
    sort_key_name=table_info.primary_index.sort,
    attributes=plaintext_item,
)
config = CryptoConfig(
    materials_provider=key_provider,
    encryption_context=encryption_context,
    attribute_actions=actions,
)

# Encrypt an item before put_item (DynamoDB JSON form, as the low-level client expects)
encrypted_item = encrypt_dynamodb_item(plaintext_item, config)
client.put_item(TableName='my_table', Item=encrypted_item)

# Decrypt on get; the item signature is verified before any attribute is decrypted
response = client.get_item(TableName='my_table', Key={'pk': {'S': 'test'}})
decrypted_item = decrypt_dynamodb_item(response['Item'], config)
print(decrypted_item['data']['S'])