Documentation
Overview
Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0
This example sets up the AWS KMS MRK (multi-region key) Discovery Keyring.

The AWS KMS discovery keyring is an AWS KMS keyring that doesn't specify any wrapping keys. When decrypting, an MRK discovery keyring allows the AWS Encryption SDK to ask AWS KMS to decrypt any encrypted data key by using the AWS KMS MRK that encrypted it, regardless of who owns or has access to that AWS KMS key. The call succeeds only when the caller has kms:Decrypt permission on the AWS KMS MRK.

The AWS Encryption SDK provides a standard AWS KMS discovery keyring and a discovery keyring for AWS KMS multi-Region keys. Because it doesn't specify any wrapping keys, a discovery keyring can't encrypt data. If you use a discovery keyring to encrypt data, alone or in a multi-keyring, the encrypt operation fails.

The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to create, encrypt, and decrypt data keys with multi-region AWS KMS keys (MRKs).

This example creates a KMS MRK Keyring and then encrypts a custom input exampleText with an encryption context. This encrypted ciphertext is then decrypted using an MRK Discovery keyring.

This example also includes some sanity checks for demonstration:

1. Ciphertext and plaintext data are not the same
2. Decrypted plaintext value matches exampleText

These sanity checks are for demonstration in the example only. You do not need these in your code.

For information about using multi-Region keys with the AWS Encryption SDK, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks

For more info on KMS MRKs (multi-region keys), see the KMS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

For more information on how to use KMS Discovery keyrings, see https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery

For more information on KMS Key identifiers, see https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id
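As an added illustration (not code from the AWS Encryption SDK or from this example package), the following standard-library Go program models the decision described above: which key ARN a discovery keyring in a given Region would hand to AWS KMS for one encrypted data key. `DiscoveryFilter` and `KeyToTry` are hypothetical names, the partition/account filter and the Region rewrite for `mrk-` key IDs are assumptions about the keyring's behaviour, and every ARN is a constructed sample value.

```go
package main

import (
	"fmt"
	"strings"
)

// DiscoveryFilter is a hypothetical stand-in for a partition/account allow-list.
type DiscoveryFilter struct {
	Partition  string
	AccountIDs []string
}

// KeyToTry models which key ARN an MRK discovery keyring in keyringRegion
// would ask AWS KMS to use for one encrypted data key; "" means it is skipped.
func KeyToTry(edkKeyArn, keyringRegion string, f DiscoveryFilter) string {
	p := strings.SplitN(edkKeyArn, ":", 6)
	// Expect arn:<partition>:kms:<region>:<account>:key/<key-id>; aliases are skipped.
	if len(p) != 6 || p[0] != "arn" || p[2] != "kms" || !strings.HasPrefix(p[5], "key/") {
		return ""
	}
	if p[1] != f.Partition || !contains(f.AccountIDs, p[4]) {
		return "" // key owner is outside the filter
	}
	if strings.HasPrefix(p[5], "key/mrk-") {
		p[3] = keyringRegion // multi-Region key: use the replica in the keyring's Region
	} else if p[3] != keyringRegion {
		return "" // single-Region key in another Region cannot be used here
	}
	return strings.Join(p, ":")
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; the account ID and key ID are placeholders.
	f := DiscoveryFilter{Partition: "aws", AccountIDs: []string{"111122223333"}}
	mrk := "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
	fmt.Println(KeyToTry(mrk, "eu-west-1", f))
}
```

In this model, restricting the account list is what bounds "regardless of who owns" to key owners you expect; kms:Decrypt permission is still enforced by AWS KMS on the resulting ARN.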
Functions
func AwsKmsMrkDiscoveryKeyringExample
func AwsKmsMrkDiscoveryKeyringExample(exampleText, defaultRegionMrkKeyArn, defaultMRKKeyRegion, alternateRegionMrkKeyRegion, defaultKMSKeyAccountID string)