Documentation
Overview
Package awskms provides integration with the AWS Key Management Service.
Index
- func NewClient(uriPrefix string) (registry.KMSClient, error) (deprecated)
- func NewClientWithCredentials(uriPrefix string, credentialPath string) (registry.KMSClient, error) (deprecated)
- func NewClientWithKMS(uriPrefix string, kms kmsiface.KMSAPI) (registry.KMSClient, error) (deprecated)
- func NewClientWithOptions(uriPrefix string, opts ...ClientOption) (registry.KMSClient, error)
- type AWSAEAD
- type ClientOption
- type EncryptionContextName
Functions
func NewClient
deprecated
NewClient returns a KMSClient backed by AWS KMS using default credentials to handle keys whose URIs start with uriPrefix.
uriPrefix must have the following format:
aws-kms://arn:<partition>:kms:<region>:[<path>]
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.
Deprecated: Instead, use NewClientWithOptions.
awskms.NewClientWithOptions(uriPrefix)
func NewClientWithCredentials
deprecated
NewClientWithCredentials returns a KMSClient backed by AWS KMS using the given credentials to handle keys whose URIs start with uriPrefix.
uriPrefix must have the following format:
aws-kms://arn:<partition>:kms:<region>:[<path>]
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
credentialPath can specify a file in CSV format as provided in the IAM console or an INI-style credentials file.
See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format.
AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.
Deprecated: Instead use NewClientWithOptions and WithCredentialPath.
awskms.NewClientWithOptions(uriPrefix, awskms.WithCredentialPath(credentialPath))
func NewClientWithKMS
deprecated
NewClientWithKMS returns a KMSClient backed by AWS KMS using the provided instance of the AWS SDK KMS client.
The caller is responsible for ensuring that the region specified in the KMS client is consistent with the region specified within uriPrefix.
uriPrefix must have the following format:
aws-kms://arn:<partition>:kms:<region>:[<path>]
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.
Deprecated: Instead use NewClientWithOptions and WithKMS.
awskms.NewClientWithOptions(uriPrefix, awskms.WithKMS(kms))
func NewClientWithOptions
func NewClientWithOptions(uriPrefix string, opts ...ClientOption) (registry.KMSClient, error)
NewClientWithOptions returns a registry.KMSClient which wraps an AWS KMS client and will handle keys whose URIs start with uriPrefix.
By default, the client will use default credentials.
AEAD primitives produced by this client will use AssociatedData when serializing associated data.
Types
type AWSAEAD
type AWSAEAD struct {
// contains filtered or unexported fields
}
AWSAEAD is an implementation of the AEAD interface which performs cryptographic operations remotely via the AWS KMS service using a specific key URI.
type ClientOption
type ClientOption interface {
// contains filtered or unexported methods
}
ClientOption is an interface for defining options that are passed to NewClientWithOptions.
func WithCredentialPath
func WithCredentialPath(credentialPath string) ClientOption
WithCredentialPath instantiates the underlying AWS KMS client using the credentials located at credentialPath.
credentialPath can specify a file in CSV format as provided in the IAM console or an INI-style credentials file.
See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format.
func WithEncryptionContextName
func WithEncryptionContextName(name EncryptionContextName) ClientOption
WithEncryptionContextName sets the name which maps to the base64 encoded associated data within the EncryptionContext field of EncryptInput and DecryptInput requests.
The default is AssociatedData, which is compatible with the Tink AWS KMS extensions in other languages. In older versions of this package, before this option was present, "additionalData" was hardcoded.
This option is provided to facilitate compatibility with older ciphertexts.
func WithKMS
func WithKMS(kms kmsiface.KMSAPI) ClientOption
WithKMS sets the underlying AWS KMS client to kms, a preexisting AWS KMS client instance.
It's the caller's responsibility to ensure that the configured region of kms aligns with the region in key URIs passed to this client. Otherwise, API requests will fail.
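An added example (not part of this package or its documentation): a standard-library pre-flight check for the region caveat above. It parses the documented uriPrefix format and compares its region with the region the caller's KMS client is configured for; regionFromURI, preflight and the sample ARN values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const scheme = "aws-kms://"

// regionFromURI pulls <region> out of aws-kms://arn:<partition>:kms:<region>:[<path>].
func regionFromURI(uri string) (string, error) {
	if !strings.HasPrefix(uri, scheme) {
		return "", errors.New("URI does not start with " + scheme)
	}
	// Fields: arn, <partition>, kms, <region>, [<path>]. The colon after <region> is required.
	f := strings.SplitN(strings.TrimPrefix(uri, scheme), ":", 5)
	if len(f) < 5 || f[0] != "arn" || f[1] == "" || f[2] != "kms" || f[3] == "" {
		return "", errors.New("URI is not aws-kms://arn:<partition>:kms:<region>:[<path>]")
	}
	return f[3], nil
}

// preflight (hypothetical helper) explains why keyURI would fail with a client
// registered for uriPrefix whose SDK KMS client is configured for clientRegion.
func preflight(uriPrefix, keyURI, clientRegion string) error {
	region, err := regionFromURI(uriPrefix)
	if err != nil {
		return fmt.Errorf("uriPrefix: %w", err)
	}
	if !strings.HasPrefix(keyURI, uriPrefix) {
		return errors.New("key URI does not start with uriPrefix")
	}
	if region != clientRegion {
		return fmt.Errorf("region mismatch: URI has %q, KMS client has %q", region, clientRegion)
	}
	return nil
}

func main() {
	// Constructed sample values; the account ID and key ID are placeholders.
	prefix := "aws-kms://arn:aws:kms:us-east-2:111122223333:"
	key := prefix + "key/00000000-0000-0000-0000-000000000000"
	fmt.Println(preflight(prefix, key, "us-east-2")) // matching region
	fmt.Println(preflight(prefix, key, "eu-west-1")) // SDK client in another region
	fmt.Println(preflight("aws-kms://arn:aws:kms:us-east-2", key, "us-east-2")) // malformed prefix
}
```

Running such a check at start-up, before the client is registered, surfaces a misconfigured region as a clear configuration error rather than as a failed KMS request at encrypt or decrypt time.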
type EncryptionContextName
type EncryptionContextName uint
EncryptionContextName specifies the name used in the EncryptionContext field of EncryptInput and DecryptInput requests. See WithEncryptionContextName for further details.
const (
	// AssociatedData will set the EncryptionContext name to "associatedData".
	AssociatedData EncryptionContextName = 1 + iota
	// LegacyAdditionalData will set the EncryptionContext name to "additionalData".
	LegacyAdditionalData
)
func (EncryptionContextName) String
func (n EncryptionContextName) String() string
Directories
Path | Synopsis |
---|---|
internal/fakeawskms | Package fakeawskms provides a partial fake implementation of kmsiface.KMSAPI. |