AWS KMS Anwendungsbeispiele SDK für Python (Boto3) - AWS SDKCode-Beispiele

Weitere AWS SDK Beispiele sind im Repo AWS Doc SDK Examples GitHub verfügbar.

Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.

AWS KMS Anwendungsbeispiele SDK für Python (Boto3)

Die folgenden Codebeispiele zeigen Ihnen, wie Sie mithilfe von AWS SDK for Python (Boto3) with Aktionen ausführen und allgemeine Szenarien implementieren AWS KMS.

Basics sind Codebeispiele, die Ihnen zeigen, wie Sie die wichtigsten Operationen innerhalb eines Dienstes ausführen.

Aktionen sind Codeauszüge aus größeren Programmen und müssen im Kontext ausgeführt werden. Aktionen zeigen Ihnen zwar, wie Sie einzelne Servicefunktionen aufrufen, aber Sie können Aktionen im Kontext der zugehörigen Szenarien sehen.

Jedes Beispiel enthält einen Link zum vollständigen Quellcode, in dem Sie Anweisungen zum Einrichten und Ausführen des Codes im Kontext finden.

Grundlagen

Wie das aussehen kann, sehen Sie am nachfolgenden Beispielcode:

  • Erstelle einen KMS Schlüssel.

  • Listen Sie die KMS Schlüssel für Ihr Konto auf und informieren Sie sich über sie.

  • KMSSchlüssel aktivieren und deaktivieren.

  • Generieren Sie einen symmetrischen Datenschlüssel, der für die clientseitige Verschlüsselung verwendet werden kann.

  • Generieren Sie einen asymmetrischen Schlüssel, der zum digitalen Signieren von Daten verwendet wird.

  • Kennzeichnen Sie Schlüssel.

  • KMSSchlüssel löschen.

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KMSScenario: """Runs an interactive scenario that shows how to get started with KMS.""" def __init__( self, key_manager: KeyManager, key_encryption: KeyEncrypt, alias_manager: AliasManager, grant_manager: GrantManager, key_policy: KeyPolicy, ): self.key_manager = key_manager self.key_encryption = key_encryption self.alias_manager = alias_manager self.grant_manager = grant_manager self.key_policy = key_policy self.key_id = "" self.alias_name = "" self.asymmetric_key_id = "" def kms_scenario(self): key_description = "Created by the AWS KMS API" print(DASHES) print( """ Welcome to the AWS Key Management SDK Basics scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Python (Boto3). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Basics scenario creates two key types: - A symmetric encryption key is used to encrypt and decrypt data. - An asymmetric key used to digitally sign data. Let's get started... """ ) q.ask("Press Enter to continue...") print(DASHES) print(f"1. Create a symmetric KMS key\n") print( f"First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data." ) q.ask("Press Enter to continue...") self.key_id = self.key_manager.create_key(key_description)["KeyId"] print(f"A symmetric key was successfully created {self.key_id}.") q.ask("Press Enter to continue...") print(DASHES) print( """ 2. Enable a KMS key By default, when the SDK creates an AWS key, it is enabled. The next bit of code checks to determine if the key is enabled. """ ) q.ask("Press Enter to continue...") is_enabled = self.is_key_enabled(self.key_id) print(f"Is the key enabled? {is_enabled}") if not is_enabled: self.key_manager.enable_key(self.key_id) q.ask("Press Enter to continue...") print(DASHES) print(f"3. Encrypt data using the symmetric KMS key") plain_text = "Hello, AWS KMS!" print( f""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string "{plain_text}" with the SYMMETRIC_DEFAULT encryption algorithm. """ ) q.ask("Press Enter to continue...") encrypted_text = self.key_encryption.encrypt(self.key_id, plain_text) print(DASHES) print(f"4. Create an alias") print( """ Now, the program will create an alias for the KMS key. An alias is a friendly name that you can associate with a KMS key. The alias name should be prefixed with 'alias/'. """ ) alias_name = q.ask("Enter an alias name: ", q.non_empty) self.alias_manager.create_alias(self.key_id, alias_name) print(f"{alias_name} was successfully created.") self.alias_name = alias_name print(DASHES) print(f"5. List all of your aliases") q.ask("Press Enter to continue...") self.alias_manager.list_aliases(10) q.ask("Press Enter to continue...") print(DASHES) print(f"6. Enable automatic rotation of the KMS key") print( """ By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """ ) q.ask("Press Enter to continue...") self.key_manager.enable_key_rotation(self.key_id) print(DASHES) print(f"Key rotation has been enabled for key with id {self.key_id}") print( """ 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """ ) print( """ To create a grant you must specify a account_id. To specify the grantee account_id, use the Amazon Resource Name (ARN) of an AWS account_id. Valid principals include AWS accounts, IAM users, IAM roles, federated users, and assumed role users. """ ) account_id = q.ask( "Enter an account_id, or press enter to skip creating a grant... " ) grant = None if account_id != "": grant = self.grant_manager.create_grant( self.key_id, account_id, [ "Encrypt", "Decrypt", "DescribeKey", ], ) print(f"Grant created successfully with ID: {grant['GrantId']}") q.ask("Press Enter to continue...") print(DASHES) print(DASHES) print(f"8. List grants for the KMS key") q.ask("Press Enter to continue...") self.grant_manager.list_grants(self.key_id) q.ask("Press Enter to continue...") print(DASHES) print(f"9. Revoke the grant") print( """ The revocation of a grant immediately removes the permissions and access that the grant had provided. This means that any account_id (user, role, or service) that was granted access to perform specific KMS operations on a KMS key will no longer be able to perform those operations. """ ) q.ask("Press Enter to continue...") if grant is not None: self.grant_manager.revoke_grant(self.key_id, grant["GrantId"]) print(f"Grant ID: {grant['GrantId']} was successfully revoked!") q.ask("Press Enter to continue...") print(DASHES) print(f"10. Decrypt the data\n") print( """ Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """ ) q.ask("Press Enter to continue...") decrypted_data = self.key_encryption.decrypt(self.key_id, encrypted_text) print(f"Data decrypted successfully for key ID: {self.key_id}") print(f"Decrypted data: {decrypted_data}") q.ask("Press Enter to continue...") print(DASHES) print(f"11. Replace a key policy\n") print( """ A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] } """ ) account_id = q.ask("Enter your account ID or press enter to skip: ") if account_id != "": policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*", } ], } self.key_policy.set_new_policy(self.key_id, policy) print("Key policy replacement succeeded.") q.ask("Press Enter to continue...") else: print("Skipping replacing the key policy.") print(DASHES) print(f"12. Get the key policy\n") print( f"The next bit of code that runs gets the key policy to make sure it exists." ) q.ask("Press Enter to continue...") policy = self.key_policy.get_policy(self.key_id) print(f"The key policy is: {policy}") q.ask("Press Enter to continue...") print(DASHES) print(f"13. Create an asymmetric KMS key and sign your data\n") print( """ Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """ ) q.ask("Press Enter to continue...") print(f"Sign and verify data operation succeeded.") self.asymmetric_key_id = self.key_manager.create_asymmetric_key() message = "Here is the message that will be digitally signed" signature = self.key_encryption.sign(self.asymmetric_key_id, message) if self.key_encryption.verify(self.asymmetric_key_id, message, signature): print("Signature verification succeeded.") else: print("Signature verification failed.") q.ask("Press Enter to continue...") print(DASHES) print(f"14. Tag your symmetric KMS Key\n") print( """ By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """ ) q.ask("Press Enter to continue...") self.key_manager.tag_resource(self.key_id, "Environment", "Production") self.clean_up() def is_key_enabled(self, key_id: str) -> bool: """ Check if the key is enabled or not. :param key_id: The key to check. :return: True if the key is enabled, otherwise False. """ response = self.key_manager.describe_key(key_id) return response["Enabled"] is True def clean_up(self): """ Delete resources created by this scenario. """ if self.alias_name != "": print(f"Deleting the alias {self.alias_name}.") self.alias_manager.delete_alias(self.alias_name) window = 7 # The window in days for a scheduled deletion. if self.key_id != "": print( """ Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. """ ) if q.ask( f"Do you want to delete the key with ID {self.key_id} (y/n)?", q.is_yesno, ): print( f"The key {self.key_id} will be deleted with a window of {window} days. You can cancel the deletion before" ) print("the window expires.") self.key_manager.delete_key(self.key_id, window) self.key_id = "" if self.asymmetric_key_id != "": if q.ask( f"Do you want to delete the asymmetric key with ID {self.asymmetric_key_id} (y/n)?", q.is_yesno, ): print( f"The key {self.asymmetric_key_id} will be deleted with a window of {window} days. You can cancel the deletion before" ) print("the window expires.") self.key_manager.delete_key(self.asymmetric_key_id, window) self.asymmetric_key_id = "" if __name__ == "__main__": kms_scenario = None try: kms_client = boto3.client("kms") a_key_manager = KeyManager(kms_client) a_key_encrypt = KeyEncrypt(kms_client) an_alias_manager = AliasManager(kms_client) a_grant_manager = GrantManager(kms_client) a_key_policy = KeyPolicy(kms_client) kms_scenario = KMSScenario( key_manager=a_key_manager, key_encryption=a_key_encrypt, alias_manager=an_alias_manager, grant_manager=a_grant_manager, key_policy=a_key_policy, ) kms_scenario.kms_scenario() except Exception: logging.exception("Something went wrong with the demo!") if kms_scenario is not None: kms_scenario.clean_up()

Wrapper-Klasse und Methoden für die KMS Schlüsselverwaltung.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_key(self, key_description: str) -> dict[str, any]: """ Creates a key with a user-provided description. :param key_description: A description for the key. :return: The key ID. """ try: key = self.kms_client.create_key(Description=key_description)["KeyMetadata"] self.created_keys.append(key) return key except ClientError as err: logging.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise def describe_key(self, key_id: str) -> dict[str, any]: """ Describes a key. :param key_id: The ARN or ID of the key to describe. :return: Information about the key. """ try: key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"] return key except ClientError as err: logging.error( "Couldn't get key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def enable_key_rotation(self, key_id: str) -> None: """ Enables rotation for a key. :param key_id: The ARN or ID of the key to enable rotation for. """ try: self.kms_client.enable_key_rotation(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable rotation for key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def create_asymmetric_key(self) -> str: """ Creates an asymmetric key in AWS KMS for signing messages. :return: The ID of the created key. """ try: key = self.kms_client.create_key( KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY", Origin="AWS_KMS" )["KeyMetadata"] self.created_keys.append(key) return key["KeyId"] except ClientError as err: logger.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None: """ Add or edit tags on a customer managed key. :param key_id: The ARN or ID of the key to enable rotation for. :param tag_key: Key for the tag. :param tag_value: Value for the tag. """ try: self.kms_client.tag_resource( KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}] ) except ClientError as err: logging.error( "Couldn't add a tag for the key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def delete_key(self, key_id: str, window: int) -> None: """ Deletes a list of keys. Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. :param key_id: The ARN or ID of the key to delete. :param window: The waiting period, in days, before the KMS key is deleted. """ try: self.kms_client.schedule_key_deletion( KeyId=key_id, PendingWindowInDays=window ) except ClientError as err: logging.error( "Couldn't delete key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise

Wrapper-Klasse und Methoden für KMS Schlüsselaliase.

class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_alias(self, key_id: str, alias: str) -> None: """ Creates an alias for the specified key. :param key_id: The ARN or ID of a key to give an alias. :param alias: The alias to assign to the key. """ try: self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id) except ClientError as err: if err.response["Error"]["Code"] == "AlreadyExistsException": logger.error( "Could not create the alias %s because it already exists.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise def list_aliases(self, page_size: int) -> None: """ Lists aliases for the current account. :param page_size: The number of aliases to list per page. """ try: alias_paginator = self.kms_client.get_paginator("list_aliases") for alias_page in alias_paginator.paginate( PaginationConfig={"PageSize": page_size} ): print(f"Here are {page_size} aliases:") pprint(alias_page["Aliases"]) if alias_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} aliases (y/n)? " ) if answer.lower() != "y": break else: print("That's all your aliases!") except ClientError as err: logging.error( "Couldn't list your aliases. Here's why: %s", err.response["Error"]["Message"], ) raise def delete_alias(self, alias: str) -> None: """ Deletes an alias. :param alias: The alias to delete. """ try: self.kms_client.delete_alias(AliasName=alias) except ClientError as err: logger.error( "Couldn't delete alias %s. Here's why: %s", alias, err.response["Error"]["Message"], ) raise

Wrapper-Klasse und Methoden für KMS die Schlüsselverschlüsselung.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def encrypt(self, key_id: str, text: str) -> str: """ Encrypts text by using the specified key. :param key_id: The ARN or ID of the key to use for encryption. :param text: The text to encrypt. :return: The encrypted version of the text. """ try: response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode()) print( f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}" ) return response["CiphertextBlob"] except ClientError as err: if err.response["Error"]["Code"] == "DisabledException": logger.error( "Could not encrypt because the key %s is disabled.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise def decrypt(self, key_id: str, cipher_text: str) -> bytes: """ Decrypts text previously encrypted with a key. :param key_id: The ARN or ID of the key used to decrypt the data. :param cipher_text: The encrypted text to decrypt. :return: The decrypted text. """ try: return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[ "Plaintext" ] except ClientError as err: logger.error( "Couldn't decrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) raise def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise def verify(self, key_id: str, message: str, signature: str) -> bool: """ Verifies a signature against a message. :param key_id: The ARN or ID of the key used to sign the message. :param message: The message to verify. :param signature: The signature to verify. :return: True when the signature matches the message, otherwise False. """ try: response = self.kms_client.verify( KeyId=key_id, Message=message.encode(), Signature=signature, SigningAlgorithm="RSASSA_PSS_SHA_256", ) valid = response["SignatureValid"] print(f"The signature is {'valid' if valid else 'invalid'}.") return valid except ClientError as err: if err.response["Error"]["Code"] == "SignatureDoesNotMatchException": print("The signature is not valid.") else: logger.error( "Couldn't verify your signature. Here's why: %s", err.response["Error"]["Message"], ) raise

Wrapper-Klasse und Methoden für KMS Schlüsselzuweisungen.

class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_grant( self, key_id: str, principal: str, operations: [str] ) -> dict[str, str]: """ Creates a grant for a key that lets a principal generate a symmetric data encryption key. :param key_id: The ARN or ID of the key. :param principal: The principal to grant permission to. :param operations: The operations to grant permission for. :return: The grant that is created. """ try: return self.kms_client.create_grant( KeyId=key_id, GranteePrincipal=principal, Operations=operations, ) except ClientError as err: logger.error( "Couldn't create a grant on key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def list_grants(self, key_id): """ Lists grants for a key. :param key_id: The ARN or ID of the key to query. :return: The grants for the key. """ try: paginator = self.kms_client.get_paginator("list_grants") grants = [] page_iterator = paginator.paginate(KeyId=key_id) for page in page_iterator: grants.extend(page["Grants"]) print(f"Grants for key {key_id}:") pprint(grants) return grants except ClientError as err: logger.error( "Couldn't list grants for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def revoke_grant(self, key_id: str, grant_id: str) -> None: """ Revokes a grant so that it can no longer be used. :param key_id: The ARN or ID of the key associated with the grant. :param grant_id: The ID of the grant to revoke. """ try: self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id) except ClientError as err: logger.error( "Couldn't revoke grant %s. Here's why: %s", grant_id, err.response["Error"]["Message"], ) raise

Wrapper-Klasse und Methoden für KMS wichtige Richtlinien.

class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def set_new_policy(self, key_id: str, policy: dict[str, any]) -> None: """ Sets the policy of a key. Setting a policy entirely overwrites the existing policy, so care is taken to add a statement to the existing list of statements rather than simply writing a new policy. :param key_id: The ARN or ID of the key to set the policy to. :param policy: A new key policy. The key policy must allow the calling principal to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable """ try: self.kms_client.put_key_policy(KeyId=key_id, Policy=json.dumps(policy)) except ClientError as err: logger.error( "Couldn't set policy for key %s. Here's why %s", key_id, err.response["Error"]["Message"], ) raise def get_policy(self, key_id: str) -> dict[str, str]: """ Gets the policy of a key. :param key_id: The ARN or ID of the key to query. :return: The key policy as a dict. """ if key_id != "": try: response = self.kms_client.get_key_policy( KeyId=key_id, ) policy = json.loads(response["Policy"]) except ClientError as err: logger.error( "Couldn't get policy for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise else: pprint(policy) return policy else: print("Skipping get policy demo.")

Aktionen

Das folgende Codebeispiel zeigt die Verwendung. CreateAlias

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_alias(self, key_id: str, alias: str) -> None: """ Creates an alias for the specified key. :param key_id: The ARN or ID of a key to give an alias. :param alias: The alias to assign to the key. """ try: self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id) except ClientError as err: if err.response["Error"]["Code"] == "AlreadyExistsException": logger.error( "Could not create the alias %s because it already exists.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter CreateAliasPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. CreateGrant

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_grant( self, key_id: str, principal: str, operations: [str] ) -> dict[str, str]: """ Creates a grant for a key that lets a principal generate a symmetric data encryption key. :param key_id: The ARN or ID of the key. :param principal: The principal to grant permission to. :param operations: The operations to grant permission for. :return: The grant that is created. """ try: return self.kms_client.create_grant( KeyId=key_id, GranteePrincipal=principal, Operations=operations, ) except ClientError as err: logger.error( "Couldn't create a grant on key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter CreateGrantPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. CreateKey

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_key(self, key_description: str) -> dict[str, any]: """ Creates a key with a user-provided description. :param key_description: A description for the key. :return: The key ID. """ try: key = self.kms_client.create_key(Description=key_description)["KeyMetadata"] self.created_keys.append(key) return key except ClientError as err: logging.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter CreateKeyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. Decrypt

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def decrypt(self, key_id: str, cipher_text: str) -> bytes: """ Decrypts text previously encrypted with a key. :param key_id: The ARN or ID of the key used to decrypt the data. :param cipher_text: The encrypted text to decrypt. :return: The decrypted text. """ try: return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[ "Plaintext" ] except ClientError as err: logger.error( "Couldn't decrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter Decrypt in AWS SDKfor Python (Boto3) Reference. API

Das folgende Codebeispiel zeigt die Verwendung. DeleteAlias

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def delete_alias(self, alias: str) -> None: """ Deletes an alias. :param alias: The alias to delete. """ try: self.kms_client.delete_alias(AliasName=alias) except ClientError as err: logger.error( "Couldn't delete alias %s. Here's why: %s", alias, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter DeleteAliasPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. DescribeKey

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def describe_key(self, key_id: str) -> dict[str, any]: """ Describes a key. :param key_id: The ARN or ID of the key to describe. :return: Information about the key. """ try: key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"] return key except ClientError as err: logging.error( "Couldn't get key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter DescribeKeyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. DisableKey

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def disable_key(self, key_id: str) -> None: try: self.kms_client.disable_key(KeyId=key_id) except ClientError as err: logging.error( "Couldn't disable key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter DisableKeyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. EnableKey

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def enable_key(self, key_id: str) -> None: """ Enables a key. Gets the key state after each state change. :param key_id: The ARN or ID of the key to enable. """ try: self.kms_client.enable_key(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter EnableKeyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. EnableKeyRotation

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def enable_key_rotation(self, key_id: str) -> None: """ Enables rotation for a key. :param key_id: The ARN or ID of the key to enable rotation for. """ try: self.kms_client.enable_key_rotation(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable rotation for key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter EnableKeyRotationPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. Encrypt

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def encrypt(self, key_id: str, text: str) -> str: """ Encrypts text by using the specified key. :param key_id: The ARN or ID of the key to use for encryption. :param text: The text to encrypt. :return: The encrypted version of the text. """ try: response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode()) print( f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}" ) return response["CiphertextBlob"] except ClientError as err: if err.response["Error"]["Code"] == "DisabledException": logger.error( "Could not encrypt because the key %s is disabled.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter Encrypt in AWS SDKfor Python (Boto3) Reference. API

Das folgende Codebeispiel zeigt die Verwendung. GenerateDataKey

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def generate_data_key(self, key_id): """ Generates a symmetric data key that can be used for client-side encryption. """ answer = input( f"Do you want to generate a symmetric data key from key {key_id} (y/n)? " ) if answer.lower() == "y": try: data_key = self.kms_client.generate_data_key( KeyId=key_id, KeySpec="AES_256" ) except ClientError as err: logger.error( "Couldn't generate a data key for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) else: pprint(data_key)
  • APIEinzelheiten finden Sie unter GenerateDataKeyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. GetKeyPolicy

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def get_policy(self, key_id: str) -> dict[str, str]: """ Gets the policy of a key. :param key_id: The ARN or ID of the key to query. :return: The key policy as a dict. """ if key_id != "": try: response = self.kms_client.get_key_policy( KeyId=key_id, ) policy = json.loads(response["Policy"]) except ClientError as err: logger.error( "Couldn't get policy for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise else: pprint(policy) return policy else: print("Skipping get policy demo.")
  • APIEinzelheiten finden Sie unter GetKeyPolicyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ListAliases

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_aliases(self, page_size: int) -> None: """ Lists aliases for the current account. :param page_size: The number of aliases to list per page. """ try: alias_paginator = self.kms_client.get_paginator("list_aliases") for alias_page in alias_paginator.paginate( PaginationConfig={"PageSize": page_size} ): print(f"Here are {page_size} aliases:") pprint(alias_page["Aliases"]) if alias_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} aliases (y/n)? " ) if answer.lower() != "y": break else: print("That's all your aliases!") except ClientError as err: logging.error( "Couldn't list your aliases. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter ListAliasesPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ListGrants

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_grants(self, key_id): """ Lists grants for a key. :param key_id: The ARN or ID of the key to query. :return: The grants for the key. """ try: paginator = self.kms_client.get_paginator("list_grants") grants = [] page_iterator = paginator.paginate(KeyId=key_id) for page in page_iterator: grants.extend(page["Grants"]) print(f"Grants for key {key_id}:") pprint(grants) return grants except ClientError as err: logger.error( "Couldn't list grants for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter ListGrantsPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ListKeyPolicies

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_policies(self, key_id): """ Lists the names of the policies for a key. :param key_id: The ARN or ID of the key to query. """ try: policy_names = self.kms_client.list_key_policies(KeyId=key_id)[ "PolicyNames" ] except ClientError as err: logging.error( "Couldn't list your policies. Here's why: %s", err.response["Error"]["Message"], ) raise else: print(f"The policies for key {key_id} are:") pprint(policy_names)
  • APIEinzelheiten finden Sie unter ListKeyPoliciesPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ListKeys

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_keys(self): """ Lists the keys for the current account by using a paginator. """ try: page_size = 10 print("\nLet's list your keys.") key_paginator = self.kms_client.get_paginator("list_keys") for key_page in key_paginator.paginate(PaginationConfig={"PageSize": 10}): print(f"Here are {len(key_page['Keys'])} keys:") pprint(key_page["Keys"]) if key_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} keys (y/n)? " ) if answer.lower() != "y": break else: print("That's all your keys!") except ClientError as err: logging.error( "Couldn't list your keys. Here's why: %s", err.response["Error"]["Message"], )
  • APIEinzelheiten finden Sie unter ListKeysPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. PutKeyPolicy

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def set_policy(self, key_id: str, policy: dict[str, any]) -> None: """ Sets the policy of a key. Setting a policy entirely overwrites the existing policy, so care is taken to add a statement to the existing list of statements rather than simply writing a new policy. :param key_id: The ARN or ID of the key to set the policy to. :param policy: The existing policy of the key. :return: None """ principal = input( "Enter the ARN of an IAM role to set as the principal on the policy: " ) if key_id != "" and principal != "": # The updated policy replaces the existing policy. Add a new statement to # the list along with the original policy statements. policy["Statement"].append( { "Sid": "Allow access for ExampleRole", "Effect": "Allow", "Principal": {"AWS": principal}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", ], "Resource": "*", } ) try: self.kms_client.put_key_policy(KeyId=key_id, Policy=json.dumps(policy)) except ClientError as err: logger.error( "Couldn't set policy for key %s. Here's why %s", key_id, err.response["Error"]["Message"], ) raise else: print(f"Set policy for key {key_id}.") else: print("Skipping set policy demo.")
  • APIEinzelheiten finden Sie unter PutKeyPolicyPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ReEncrypt

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def re_encrypt(self, source_key_id, cipher_text): """ Takes ciphertext previously encrypted with one key and reencrypt it by using another key. :param source_key_id: The ARN or ID of the original key used to encrypt the ciphertext. :param cipher_text: The encrypted ciphertext. :return: The ciphertext encrypted by the second key. """ destination_key_id = input( f"Your ciphertext is currently encrypted with key {source_key_id}. " f"Enter another key ID or ARN to reencrypt it: " ) if destination_key_id != "": try: cipher_text = self.kms_client.re_encrypt( SourceKeyId=source_key_id, DestinationKeyId=destination_key_id, CiphertextBlob=cipher_text, )["CiphertextBlob"] except ClientError as err: logger.error( "Couldn't reencrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) else: print(f"Reencrypted your ciphertext as: {cipher_text}") return cipher_text else: print("Skipping reencryption demo.")
  • APIEinzelheiten finden Sie unter ReEncryptPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. RetireGrant

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def retire_grant(self, grant): """ Retires a grant so that it can no longer be used. :param grant: The grant to retire. """ try: self.kms_client.retire_grant(GrantToken=grant["GrantToken"]) except ClientError as err: logger.error( "Couldn't retire grant %s. Here's why: %s", grant["GrantId"], err.response["Error"]["Message"], ) else: print(f"Grant {grant['GrantId']} retired.")
  • APIEinzelheiten finden Sie unter RetireGrantPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. RevokeGrant

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def revoke_grant(self, key_id: str, grant_id: str) -> None: """ Revokes a grant so that it can no longer be used. :param key_id: The ARN or ID of the key associated with the grant. :param grant_id: The ID of the grant to revoke. """ try: self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id) except ClientError as err: logger.error( "Couldn't revoke grant %s. Here's why: %s", grant_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter RevokeGrantPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. ScheduleKeyDeletion

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def delete_key(self, key_id: str, window: int) -> None: """ Deletes a list of keys. Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. :param key_id: The ARN or ID of the key to delete. :param window: The waiting period, in days, before the KMS key is deleted. """ try: self.kms_client.schedule_key_deletion( KeyId=key_id, PendingWindowInDays=window ) except ClientError as err: logging.error( "Couldn't delete key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise

Das folgende Codebeispiel zeigt, wie man es benutzt. Sign

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter Sign In AWS SDKfor Python (Boto3) API -Referenz.

Das folgende Codebeispiel zeigt die Verwendung. TagResource

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None: """ Add or edit tags on a customer managed key. :param key_id: The ARN or ID of the key to enable rotation for. :param tag_key: Key for the tag. :param tag_value: Value for the tag. """ try: self.kms_client.tag_resource( KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}] ) except ClientError as err: logging.error( "Couldn't add a tag for the key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter TagResourcePython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. UpdateAlias

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def update_alias(self, alias, current_key_id): """ Updates an alias by assigning it to another key. :param alias: The alias to reassign. :param current_key_id: The ARN or ID of the key currently associated with the alias. """ new_key_id = input( f"Alias {alias} is currently associated with {current_key_id}. " f"Enter another key ID or ARN that you want to associate with {alias}: " ) if new_key_id != "": try: self.kms_client.update_alias(AliasName=alias, TargetKeyId=new_key_id) except ClientError as err: logger.error( "Couldn't associate alias %s with key %s. Here's why: %s", alias, new_key_id, err.response["Error"]["Message"], ) else: print(f"Alias {alias} is now associated with key {new_key_id}.") else: print("Skipping alias update.")
  • APIEinzelheiten finden Sie unter UpdateAliasPython (Boto3) API -Referenz.AWS SDK

Das folgende Codebeispiel zeigt, wie man es benutzt. Verify

SDKfür Python (Boto3)
Anmerkung

Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository einrichten und ausführen.

class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def verify(self, key_id: str, message: str, signature: str) -> bool: """ Verifies a signature against a message. :param key_id: The ARN or ID of the key used to sign the message. :param message: The message to verify. :param signature: The signature to verify. :return: True when the signature matches the message, otherwise False. """ try: response = self.kms_client.verify( KeyId=key_id, Message=message.encode(), Signature=signature, SigningAlgorithm="RSASSA_PSS_SHA_256", ) valid = response["SignatureValid"] print(f"The signature is {'valid' if valid else 'invalid'}.") return valid except ClientError as err: if err.response["Error"]["Code"] == "SignatureDoesNotMatchException": print("The signature is not valid.") else: logger.error( "Couldn't verify your signature. Here's why: %s", err.response["Error"]["Message"], ) raise
  • APIEinzelheiten finden Sie unter Verify in AWS SDKfor Python (Boto3) API Reference.