README.rst (11 additions & 13 deletions)
@@ -58,7 +58,7 @@ Installation
58
58
$ pip install "aws-encryption-sdk[MPL]"
59
59
60
60
The `[MPL]` suffix also installs the `AWS Cryptographic Material Providers Library (MPL)`_.
61
-
This is a library that contains interfaces for encrypting and decrypting your data.
61
+
This is a library that contains constructs for encrypting and decrypting your data.
62
62
We highly recommend installing the MPL.
63
63
However, if you do not wish to install the MPL, omit the `[MPL]` suffix.
64
64
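Review bot: "constructs" on the added line 61 is vaguer than the "interfaces" it replaces and does not tell a reader what the MPL actually provides. Consider naming a concrete component, for example "contains constructs (such as keyrings) for encrypting and decrypting your data", since keyrings are the MPL term used elsewhere in this README. The following line, "We highly recommend installing the MPL", would also benefit from one clause saying why, because the next sentence immediately tells the reader how to opt out.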
@@ -94,7 +94,7 @@ CMMs that use master key providers have been marked as legacy since v4 of this l
94
94
95
95
Legacy Concepts
96
96
===============
97
-
This section describes legacy concepts used in earlier versions of this library.
97
+
This section describes legacy concepts introduced in earlier versions of this library.
98
98
These components have been superseded by new components in the `AWS Cryptographic Material Providers Library (MPL)`_.
99
99
Please avoid using these components, and instead use components in the MPL.
100
100
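Review bot: the reworded line 97, "legacy concepts introduced in earlier versions", no longer says whether these components are still usable in the current release, which is what a reader maintaining existing code needs to know. The hunk context states that CMMs using master key providers "have been marked as legacy since v4"; consider repeating that here, for example "introduced in earlier versions of this library and marked as legacy since v4", so the section stands on its own.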
@@ -435,26 +435,24 @@ to your use-case in order to obtain peak performance.
435
435
436
436
Thread safety
437
437
==========================
438
-
TODO-MPL: need to write about keyring thread safety.
439
-
kms keyrings definitely not thread safe.
440
-
raw keyrings need testing, but may be launched as not thread safe.
441
-
442
-
The ``EncryptionSDKClient`` class is thread safe.
443
-
But instances of key material providers (i.e. keyrings or legacy master key providers) that call AWS KMS
444
-
(ex. ``AwsKmsMultiKeyring`` or other KMS keyrings; ``BaseKmsMasterKeyProvider`` or children of this class)
445
-
MUST not be shared between threads
438
+
The ``EncryptionSDKClient`` and all provided ``CryptoMaterialsManager`` in this library are thread safe.
439
+
But instances of ``BaseKMSMasterKeyProvider`` MUST not be shared between threads,
446
440
for the reasons outlined in `the boto3 docs <https://boto3.amazonaws.com/v1/documentation/api/latest/guide/resources.html#multithreading-or-multiprocessing-with-resources>`_.
447
441
448
-
Because these key material providers create a `new boto3 sessions <https://github.com/aws/aws-encryption-sdk-python/blob/08f305a9b7b5fc897d9cafac55fb98f3f2a6fe13/src/aws_encryption_sdk/key_providers/kms.py#L665-L674>`_ per region,
442
+
Because the ``BaseKMSMaterKeyProvider`` creates a `new boto3 sessions <https://github.com/aws/aws-encryption-sdk-python/blob/08f305a9b7b5fc897d9cafac55fb98f3f2a6fe13/src/aws_encryption_sdk/key_providers/kms.py#L665-L674>`_ per region,
449
443
users do not need to create a client for every region in every thread;
450
-
a single key material provider per thread is sufficient.
444
+
a new ``BaseKMSMasterKeyProvider`` per thread is sufficient.
451
445
452
-
(The ``BaseKMSMasterKeyProvider`` is the internal parent class of all the legacy KMS master key providers.)
446
+
(The ``BaseKMSMasterKeyProvider`` is the internal parent class of all the KMS Providers.)
453
447
454
448
Finally, while the ``CryptoMaterialsCache`` is thread safe,
455
449
sharing entries in that cache across threads needs to be done carefully
456
450
(see the !Note about partition name `in the API Docs <https://aws-encryption-sdk-python.readthedocs.io/en/latest/generated/aws_encryption_sdk.materials_managers.caching.html#aws_encryption_sdk.materials_managers.caching.CachingCryptoMaterialsManager>`_).
457
451
452
+
**Important:** Components from the `AWS Cryptographic Material Providers Library (MPL)`_ have separate thread safety considerations.
453
+
For more information, see the note on thread safety in that project's README.
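Review bot: the added line 442 misspells the class name as ``BaseKMSMaterKeyProvider`` (missing "s" in "Master"), so it will not match the ``BaseKMSMasterKeyProvider`` spelling used on lines 439, 444 and 446; please fix it before merging. On the same line, "creates a new boto3 sessions" should be "creates a new boto3 session" (or "creates new boto3 sessions"). Line 439 writes "MUST not"; if this is meant as a normative requirement, use "MUST NOT". Line 446 drops "legacy" and now reads "all the KMS Providers", which is inconsistent with the Legacy Concepts section that tells users to avoid master key providers; consider keeping "legacy KMS master key providers". Finally, the removed text stated that KMS keyrings must not be shared between threads, and the replacement only points to the MPL README: since the shared boto3 state is the security-relevant part of this section, consider keeping a one-line summary of the keyring guidance here, or making the reference on line 453 an actual link.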