Documentation ¶
Overview ¶
Package awskms provides a secrets implementation backed by AWS KMS. Use OpenKeeper to construct a *secrets.Keeper.
URLs ¶
For secrets.OpenKeeper, awskms registers for the scheme "awskms". The default URL opener will use an AWS session with the default credentials and configuration; see https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more details. To customize the URL opener, or for more details on the URL format, see URLOpener. See https://github.com/eliben/gocdkx/concepts/urls/ for background information.
As ¶
awskms exposes the following type for As:
- Error: awserr.Error
Example ¶
package main

import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/eliben/gocdkx/secrets/awskms"
)

func main() {
	// Establish an AWS session.
	// See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more info.
	sess, err := session.NewSession(nil)
	if err != nil {
		log.Fatal(err)
	}

	// Get a client to use with the KMS API.
	client, err := awskms.Dial(sess)
	if err != nil {
		log.Fatal(err)
	}

	// Construct a *secrets.Keeper.
	keeper := awskms.OpenKeeper(
		client,
		// Get the key ID. Here is an example of using an alias. See
		// https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
		// for more details.
		"alias/test-secrets",
		nil,
	)
	defer keeper.Close()

	// Now we can use keeper to encrypt or decrypt.
	ctx := context.Background()
	plaintext := []byte("Hello, Secrets!")
	ciphertext, err := keeper.Encrypt(ctx, plaintext)
	if err != nil {
		log.Fatal(err)
	}
	// Decrypt can fail too (wrong key, revoked grant, tampered ciphertext), so
	// check its error before using the result.
	decrypted, err := keeper.Decrypt(ctx, ciphertext)
	if err != nil {
		log.Fatal(err)
	}
	_ = decrypted
}
Output:
Example (OpenKeeper) ¶
package main

import (
	"context"
	"log"

	"github.com/eliben/gocdkx/secrets"
)

func main() {
	ctx := context.Background()

	// OpenKeeper creates a *secrets.Keeper from a URL.
	// The host + path are the key ID; this example uses an alias. See
	// https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
	// for more details.
	keeper, err := secrets.OpenKeeper(ctx, "awskms://alias/my-key")
	if err != nil {
		log.Fatal(err)
	}
	defer keeper.Close()
}
Output:
Index ¶
Examples ¶
Constants ¶
const Scheme = "awskms"
Scheme is the URL scheme awskms registers its URLOpener under on secrets.DefaultMux.
Variables ¶
var Set = wire.NewSet(
	KeeperOptions{},
	URLOpener{},
	Dial,
)
Set holds Wire providers for this package.
Functions ¶
func Dial ¶
func Dial(p client.ConfigProvider) (*kms.KMS, error)
Dial gets an AWS KMS service client.
func OpenKeeper ¶
func OpenKeeper(client *kms.KMS, keyID string, opts *KeeperOptions) *secrets.Keeper
OpenKeeper returns a *secrets.Keeper that uses AWS KMS. The key ID can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details. The key ID is not validated locally; a malformed or nonexistent ID surfaces as an error from KMS on the first Encrypt or Decrypt call. opts may be nil. See the package documentation for an example.
Types ¶
type KeeperOptions ¶
type KeeperOptions struct{}
KeeperOptions controls Keeper behaviors. It is provided for future extensibility.
type URLOpener ¶
type URLOpener struct {
	// ConfigProvider must be set to a non-nil value.
	ConfigProvider client.ConfigProvider

	// Options specifies the options to pass to OpenKeeper.
	Options KeeperOptions
}
URLOpener opens AWS KMS URLs like "awskms://keyID".
The URL Host + Path are used as the key ID, which can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details.
See github.com/eliben/gocdkx/aws/ConfigFromURLParams for supported query parameters for overriding the aws.Session from the URL.
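The following is an added example, not code from gocdkx: it derives the key ID from an awskms URL exactly as the URLOpener text above describes (URL Host + Path, with query parameters kept apart as session configuration) and checks, before any KMS call, that the result is one of the accepted forms: key ID, key ARN, alias name or alias ARN. The regular expressions are this example's own approximation of the AWS identifier formats, and "region" appears only as an illustrative query parameter name; which parameters the opener honors is defined by ConfigFromURLParams. The example also exercises a caveat worth knowing: an ARN placed in the host position ("awskms://arn:aws:kms:...") cannot be parsed by Go's net/url at all, because the parser treats the text after the last colon of the authority as a port, so in the URL form use an alias, or pass the ARN to OpenKeeper directly.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// KeyIDKind names the identifier forms AWS KMS accepts for a key.
type KeyIDKind string

const (
	KindKeyID     KeyIDKind = "key ID"
	KindKeyARN    KeyIDKind = "key ARN"
	KindAliasName KeyIDKind = "alias name"
	KindAliasARN  KeyIDKind = "alias ARN"
)

// Approximations of the AWS identifier formats (this example's own, not
// anything awskms exports). Key IDs are UUIDs or "mrk-" multi-region IDs.
var (
	keyIDRe = regexp.MustCompile(`^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|mrk-[0-9a-f]{32})$`)
	aliasRe = regexp.MustCompile(`^alias/[A-Za-z0-9/_-]{1,250}$`)
	arnRe   = regexp.MustCompile(`^arn:aws(?:-cn|-us-gov)?:kms:[a-z]{2}(?:-gov)?-[a-z]+-\d:\d{12}:(key|alias)/(.+)$`)
)

// ClassifyKeyID reports which accepted form keyID takes, or an error if it
// takes none. Failing here is cheaper and clearer than a KMS error on the
// first Encrypt call.
func ClassifyKeyID(keyID string) (KeyIDKind, error) {
	if keyIDRe.MatchString(keyID) {
		return KindKeyID, nil
	}
	if aliasRe.MatchString(keyID) {
		// AWS reserves the alias/aws/ prefix for AWS managed keys.
		if strings.HasPrefix(keyID, "alias/aws/") {
			return "", fmt.Errorf("alias %q uses the reserved alias/aws/ prefix", keyID)
		}
		return KindAliasName, nil
	}
	if m := arnRe.FindStringSubmatch(keyID); m != nil {
		// Classify the resource part on its own, then require it to agree
		// with the resource type named in the ARN.
		res := m[2]
		if m[1] == "alias" {
			res = "alias/" + m[2]
		}
		kind, err := ClassifyKeyID(res)
		if err != nil {
			return "", fmt.Errorf("ARN %q: %w", keyID, err)
		}
		switch {
		case m[1] == "key" && kind == KindKeyID:
			return KindKeyARN, nil
		case m[1] == "alias" && kind == KindAliasName:
			return KindAliasARN, nil
		}
		return "", fmt.Errorf("ARN %q has a malformed resource part", keyID)
	}
	return "", fmt.Errorf("%q is not a KMS key ID, key ARN, alias name, or alias ARN", keyID)
}

// KeyIDFromURL derives the key ID from an awskms:// URL as the URLOpener
// documentation describes (Host + Path) and validates it. Query parameters
// are session configuration, so they are returned separately and never
// become part of the key ID.
func KeyIDFromURL(rawURL string) (string, url.Values, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		// An ARN in the authority fails here: net/url reads the text after
		// the last colon as a port and rejects "arn:...:alias/x".
		return "", nil, err
	}
	if u.Scheme != "awskms" {
		return "", nil, fmt.Errorf("scheme %q is not awskms", u.Scheme)
	}
	keyID := u.Host + u.Path
	if _, err := ClassifyKeyID(keyID); err != nil {
		return "", nil, err
	}
	return keyID, u.Query(), nil
}

func main() {
	// Constructed sample URLs; "region" is only an illustrative parameter name.
	for _, raw := range []string{
		"awskms://alias/my-key",
		"awskms://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-west-2",
		"awskms://arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias",
		"awskms://alias/aws/s3",
	} {
		id, params, err := KeyIDFromURL(raw)
		if err != nil {
			fmt.Printf("%s -> rejected: %v\n", raw, err)
			continue
		}
		kind, _ := ClassifyKeyID(id)
		fmt.Printf("%s -> %s (%s), session params %v\n", raw, id, kind, params)
	}
}
```

Running it shows the alias and bare key ID URLs accepted, the ARN URL rejected by the parser, and the alias/aws/ URL rejected by the validator. The validator is deliberately strict about resource-type agreement, so "...:key/alias/foo" and "...:alias/aws/s3" are both refused rather than silently passed through to KMS.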