1010you may already be working with an encrypted item obtained from
1111DynamoDb, and want to directly decrypt the item.
1212
13- This example demonstrates the 3 formats the Item Encryptor can accept:
13+ This example demonstrates the 3 formats the ItemEncryptor can accept:
1414- Python dictionaries (encrypt_python_item, decrypt_python_item)
1515- DynamoDB JSON (encrypt_dynamodb_item, decrypt_dynamodb_item)
1616- DBESDK shapes (encrypt_item, decrypt_item)
3232 DBEAlgorithmSuiteId ,
3333)
3434from aws_cryptographic_material_providers .mpl .references import IKeyring
35- from aws_dbesdk_dynamodb .encrypted .item import (
35+
36+ from aws_dbesdk_dynamodb .structures .item_encryptor import (
3637 DecryptItemInput ,
3738 DynamoDbItemEncryptorConfig ,
3839 EncryptItemInput ,
39- ItemEncryptor ,
4040)
41- from aws_dbesdk_dynamodb .smithygenerated . aws_cryptography_dbencryptionsdk_structuredencryption . models import (
41+ from aws_dbesdk_dynamodb .structures . structured_encryption import (
4242 CryptoAction ,
4343)
44+ from aws_dbesdk_dynamodb .encrypted .item import (
45+ ItemEncryptor ,
46+ )
4447
4548
4649def encrypt_decrypt_example (kms_key_id : str , ddb_table_name : str ) -> None :
@@ -121,7 +124,7 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
121124 # 5. Create the DynamoDb Item Encryptor
122125 item_encryptor = ItemEncryptor (config )
123126
124- # 6. Directly encrypt a Python dictionary item using the ItemEncryptor
127+ # 6. Encrypt a Python dictionary using the ItemEncryptor
125128 plaintext_dict_item : Dict [str , Any ] = {
126129 "partition_key" : "ItemEncryptDecryptExample" ,
127130 "sort_key" : 0 ,
@@ -134,6 +137,7 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
134137 encrypted_dict_item = encrypt_output .encrypted_item
135138
136139 # Demonstrate that the item has been encrypted according to the configuration
140+ # We do this for demonstration only, and you do not need to do this in your code.
137141 # Our configuration specified that the partition key should be SIGN_ONLY,
138142 # so it should not have been encrypted
139143 assert encrypted_dict_item ["partition_key" ] == "ItemEncryptDecryptExample"
@@ -145,16 +149,20 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
145149 assert "attribute1" in encrypted_dict_item
146150 assert encrypted_dict_item ["attribute1" ] != plaintext_dict_item ["attribute1" ]
147151
148- # 7. Directly decrypt the encrypted item using the DynamoDb Item Encryptor
152+ # Here, you could use a standard boto3 DynamoDB Table or Resource to store the item in a DynamoDB Table.
153+ # For this example, we will not do that, but will continue to work with the encrypted item.
154+
155+ # 7. Decrypt the encrypted item using the DynamoDb Item Encryptor
149156 decrypt_output = item_encryptor .decrypt_python_item (encrypted_dict_item )
150157 decrypted_dict_item = decrypt_output .plaintext_item
151158
152159 # Demonstrate that GetItem succeeded and returned the decrypted item
160+ # We do this for demonstration only, and you do not need to do this in your code.
153161 assert decrypted_dict_item ["partition_key" ] == "ItemEncryptDecryptExample"
154162 assert decrypted_dict_item ["sort_key" ] == 0
155163 assert decrypted_dict_item ["attribute1" ] == "encrypt and sign me!"
156164
157- # 8. Directly encrypt a DynamoDB JSON item using the ItemEncryptor
165+ # 8. Encrypt a DynamoDB JSON item using the ItemEncryptor
158166 plaintext_dynamodb_item : Dict [str , Any ] = {
159167 "partition_key" : {"S" : "ItemEncryptDecryptExample" },
160168 "sort_key" : {"N" : "0" },
@@ -165,7 +173,11 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
165173 encrypt_output = item_encryptor .encrypt_dynamodb_item (plaintext_dynamodb_item )
166174 encrypted_dynamodb_item = encrypt_output .encrypted_item
167175
168- # Demonstrate that the item has been encrypted according to the configuration
176+ # Here, you could use a standard boto3 DynamoDB Client to store the item in a DynamoDB Table.
177+ # For this example, we will not do that, but will continue to work with the encrypted item.
178+
179+ # Demonstrate that the item has been encrypted according to the configuration.
180+ # We do this for demonstration only, and you do not need to do this in your code.
169181 # Our configuration specified that the partition key should be SIGN_ONLY,
170182 # so it should not have been encrypted
171183 assert encrypted_dynamodb_item ["partition_key" ] == {"S" : "ItemEncryptDecryptExample" }
@@ -177,21 +189,26 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
177189 assert "attribute1" in encrypted_dynamodb_item
178190 assert encrypted_dynamodb_item ["attribute1" ] != plaintext_dynamodb_item ["attribute1" ]
179191
180- # 9. Directly decrypt the encrypted item using the DynamoDb Item Encryptor
192+ # 9. Decrypt the encrypted item using the DynamoDb Item Encryptor
181193 decrypt_output = item_encryptor .decrypt_dynamodb_item (encrypted_dynamodb_item )
182194 decrypted_dynamodb_item = decrypt_output .plaintext_item
183195
184196 # Demonstrate that GetItem succeeded and returned the decrypted item
197+ # We do this for demonstration only, and you do not need to do this in your code.
185198 assert decrypted_dynamodb_item ["partition_key" ] == {"S" : "ItemEncryptDecryptExample" }
186199 assert decrypted_dynamodb_item ["sort_key" ] == {"N" : "0" }
187200 assert decrypted_dynamodb_item ["attribute1" ] == {"S" : "encrypt and sign me!" }
188201
189- # 10. Directly encrypt a DBESDK shape item using the ItemEncryptor
202+ # 10. Encrypt a DBESDK shape item using the ItemEncryptor
190203 encrypt_item_input : EncryptItemInput = EncryptItemInput (plaintext_item = plaintext_dynamodb_item )
191204 encrypt_item_output = item_encryptor .encrypt_item (encrypt_item_input )
192205 encrypted_item = encrypt_item_output .encrypted_item
193206
194- # Demonstrate that the item has been encrypted according to the configuration
207+ # Here, you could use a standard boto3 DynamoDB Client to store the item in a DynamoDB Table.
208+ # For this example, we will not do that, but will continue to work with the encrypted item.
209+
210+ # Demonstrate that the item has been encrypted according to the configuration.
211+ # We do this for demonstration only, and you do not need to do this in your code.
195212 # Our configuration specified that the partition key should be SIGN_ONLY,
196213 # so it should not have been encrypted
197214 assert encrypted_item ["partition_key" ] == {"S" : "ItemEncryptDecryptExample" }
@@ -203,12 +220,13 @@ def encrypt_decrypt_example(kms_key_id: str, ddb_table_name: str) -> None:
203220 assert "attribute1" in encrypted_item
204221 assert encrypted_item ["attribute1" ] != plaintext_dynamodb_item ["attribute1" ]
205222
206- # 11. Directly decrypt the encrypted item using the DynamoDb Item Encryptor
223+ # 11. Decrypt the encrypted item using the DynamoDb Item Encryptor
207224 decrypt_item_input : DecryptItemInput = DecryptItemInput (encrypted_item = encrypted_item )
208225 decrypt_output = item_encryptor .decrypt_item (decrypt_item_input )
209226 decrypted_item = decrypt_output .plaintext_item
210227
211228 # Demonstrate that GetItem succeeded and returned the decrypted item
229+ # We do this for demonstration only, and you do not need to do this in your code.
212230 assert decrypted_item ["partition_key" ] == {"S" : "ItemEncryptDecryptExample" }
213231 assert decrypted_item ["sort_key" ] == {"N" : "0" }
214232 assert decrypted_item ["attribute1" ] == {"S" : "encrypt and sign me!" }
0 commit comments