Documentation
Overview
Package awskms provides integration with the AWS Cloud KMS.
Functions
func NewClient
NewClient returns a new AWS KMS client which will use default credentials to handle keys whose URI starts with uriPrefix. uriPrefix must have the following format: 'aws-kms://arn:<partition>:kms:<region>:[:path]'. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html.
func NewClientWithCredentials
NewClientWithCredentials returns a new AWS KMS client which will use the given credentials to handle keys whose URI starts with uriPrefix. uriPrefix must have the following format: 'aws-kms://arn:<partition>:kms:<region>:[:path]'. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html.
func NewClientWithKMS
NewClientWithKMS returns a new AWS KMS client that wraps a user-created KMS client. The caller is responsible for keeping the region consistent between the key URI and the KMS client. uriPrefix must have the following format: 'aws-kms://arn:<partition>:kms:<region>:[:path]'. See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html.
Types
type AWSAEAD
type AWSAEAD struct {
	// contains filtered or unexported fields
}
AWSAEAD represents an AWS KMS service to a particular URI.
func (*AWSAEAD) Decrypt
Decrypt AEAD-decrypts the data and verifies the additional data.
Returns an error if the KeyId field in the response does not match the KeyURI provided when creating the client. Without this check, the ciphertext could be replaced by one encrypted under a key we don't control or expect, but do have decrypt permissions on.
This check is disabled if AWSAEAD.keyURI is not in key ARN format.
See https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id.
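The KeyId check described for Decrypt, sketched as an added example (not the package's own code): it shows the match, the mismatch, and the case where the configured key is not a key ARN and the check is skipped. The names uriScheme, isKeyARN and verifyResponseKey and all sample ARNs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// uriScheme is the scheme shown in the uriPrefix format on this page.
const uriScheme = "aws-kms://"

var errWrongKey = errors.New("decrypt: response KeyId does not match configured key")

// isKeyARN reports whether s has the shape
// arn:<partition>:kms:<region>:<account>:key/<key-id>.
func isKeyARN(s string) bool {
	f := strings.Split(s, ":")
	return len(f) == 6 && f[0] == "arn" && f[2] == "kms" &&
		strings.HasPrefix(f[5], "key/") && len(f[5]) > len("key/")
}

// verifyResponseKey (hypothetical helper) compares the KeyId returned by a
// KMS Decrypt call with the key the client was configured with.
// checked is false when the configured key is not a key ARN (for example an
// alias ARN); no comparison is made then, so a swapped ciphertext passes.
func verifyResponseKey(keyURI, respKeyID string) (checked bool, err error) {
	want := strings.TrimPrefix(keyURI, uriScheme)
	if !isKeyARN(want) {
		return false, nil
	}
	if respKeyID != want {
		return true, errWrongKey
	}
	return true, nil
}

func main() {
	// Constructed sample values; account and key IDs are placeholders.
	const ours = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
	const other = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"
	const alias = "arn:aws:kms:us-east-1:111122223333:alias/app-data"

	fmt.Println(verifyResponseKey(uriScheme+ours, ours))   // configured key decrypted
	fmt.Println(verifyResponseKey(uriScheme+ours, other))  // a different key decrypted
	fmt.Println(verifyResponseKey(uriScheme+alias, other)) // alias: check skipped
}
```

Configuring the client with a full key ARN rather than an alias keeps this check active.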