kms


README

Google Cloud Key Management Service

This service is a proxy for google.golang.org/api/cloudkms/v1/Service.

To list all supported methods, run

     endly -s='gcp/kms'

To check a method's contract, run endly -s='gcp/kms' -a=methodName, for example:

    endly -s='gcp/kms:keyRingsList' 

References:

Usage:
Creating a symmetric key
  • With gcloud
gcloud kms keyrings create my_ring --location us-central1

gcloud kms keys create my_key --location us-central1 \
  --keyring my_ring --purpose encryption

  • With endly
endly deploy

@deploy.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      purpose: ENCRYPT_DECRYPT
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - user:awitas@vindicotech.com
            - serviceAccount:${gcp.serviceAccount}

    keyInfo:
      action: print
      message: 'Deployed key: ${deployKey.Primary.Name}'

Encryption with a symmetric key
  • With gcloud
gcloud kms encrypt \
  --location=us-central1  \
  --keyring=my_ring \
  --key=my_key \
  --version=1 \
  --plaintext-file=data.txt \
  --ciphertext-file=data.enc
  • With endly
endly encrypt

@encrypt.yaml

pipeline:
  encrypt:
    action: gcp/kms:encrypt
    logging: false
    ring: my_ring
    key: my_key
    source:
      URL: data.txt
    dest:
      URL: data.enc
Decryption with a symmetric key
  • With gcloud

gcloud kms decrypt \
  --location=us-central1 \
  --keyring=my_ring \
  --key=my_key \
  --ciphertext-file=data.enc \
  --plaintext-file=data.dec
  • With endly
endly decrypt

@encrypt.yaml

pipeline:
  encrypt:
    action: gcp/kms:encrypt
    logging: false
    ring: my_ring
    key: my_key
    source:
      URL: data.txt
    dest:
      URL: data.enc
Inline encryption/decryption
endly -r=inline

@inline.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      purpose: ENCRYPT_DECRYPT
      logging: false
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - user:awitas@vindicotech.com
            - serviceAccount:${gcp.serviceAccount}

    keyInfo:
      action: print
      message: 'Deployed key: ${deployKey.Primary.Name}'

    encrypt:
      action: gcp/kms:encrypt
      ring: my_ring
      key: my_key
      plainData: this is test
      logging: false
      
    decrypt:
      action: gcp/kms:decrypt
      ring: my_ring
      key: my_key
      cipherBase64Text: ${encrypt.CipherBase64Text}
      logging: false
    info:
      action: print
      message: 'decrypted:  $AsString(${decrypt.PlainData})'
Google storage asset encryption/decryption
endly -r=secure

@secure.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      logging: false
      purpose: ENCRYPT_DECRYPT
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - serviceAccount:$gcp.serviceAccount

    encrypt:
      action: gcp/kms:encrypt
      logging: false
      ring: my_ring
      key: my_key
      plainData: this is test
      dest:
        URL: /tmp/config.json.enc
    decrypt:
      action: gcp/kms:decrypt
      logging: false
      ring: my_ring
      key: my_key
      source:
        URL: /tmp/config.json.enc
    info:
      action: print
      message: $AsString(${decrypt.PlainData})

Accessing encrypted URL asset
package main

import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"os"
	"path"

	"github.com/viant/endly/model/location"
	_ "github.com/viant/toolbox/storage/gs"
	"google.golang.org/api/cloudkms/v1"
	"google.golang.org/api/option"
)

// main downloads an encrypted asset from Google Cloud Storage, decrypts it
// with the Cloud KMS key named by keyURI and writes the plaintext to stdout.
// MY_PROJECT and REGION are placeholders that must be replaced with the
// project and location that own the key ring. Any failure is logged and the
// process exits via log.Fatal.
func main() {
	const keyURI = "projects/MY_PROJECT/locations/REGION/keyRings/my_ring/cryptoKeys/my_key"
	encrypted := location.NewResource("gs://myBucket/config.json.enc")

	plaintext, err := decrypt(keyURI, encrypted)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(plaintext))
}

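// decrypt fetches the ciphertext stored at resource and decrypts it with the
// Cloud KMS CryptoKey named by key, a full resource name of the form
// projects/P/locations/L/keyRings/R/cryptoKeys/K.
//
// The downloaded text is sent to the Decrypt RPC unchanged. The cloudkms API
// carries Ciphertext as a base64 string, so the stored asset is assumed to be
// base64 text (presumably what the encrypt action's dest writes — confirm
// against the producer). The API returns Plaintext base64-encoded as well; it
// is decoded before being returned.
//
// Returns the decoded plaintext, or an error wrapping the failing step:
// download, client setup, the Decrypt call or the base64 decode. An empty
// asset is rejected up front instead of being reported as an opaque API error.
func decrypt(key string, resource *location.Resource) ([]byte, error) {
	data, err := resource.DownloadText()
	if err != nil {
		return nil, fmt.Errorf("downloading ciphertext: %w", err)
	}
	if len(data) == 0 {
		return nil, errors.New("ciphertext asset is empty")
	}

	ctx := context.Background()
	// Least privilege: Decrypt accepts the cloudkms scope on its own; the
	// broader cloud-platform scope would grant far more than this tool needs.
	kmsService, err := cloudkms.NewService(ctx, option.WithScopes(cloudkms.CloudkmsScope))
	if err != nil {
		return nil, fmt.Errorf("creating kms client: %w", err)
	}
	keys := cloudkms.NewProjectsLocationsKeyRingsCryptoKeysService(kmsService)
	resp, err := keys.Decrypt(key, &cloudkms.DecryptRequest{Ciphertext: data}).Context(ctx).Do()
	if err != nil {
		return nil, fmt.Errorf("kms decrypt with %q: %w", key, err)
	}

	// Plaintext is already a string in the API type; no conversion needed.
	plain, err := base64.StdEncoding.DecodeString(resp.Plaintext)
	if err != nil {
		return nil, fmt.Errorf("decoding plaintext: %w", err)
	}
	return plain, nil
}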

Documentation

Index

Constants

const (
	// ServiceID is the Google Cloud KMS service ID under which this service is registered.
	ServiceID = "gcp/kms"
)

Variables

This section is empty.

Functions

func InitRequest

func InitRequest(context *endly.Context, rawRequest map[string]interface{}) error

func New

func New() endly.Service

New creates a new cloudkms service

func ShallUpdatePolicy

func ShallUpdatePolicy(prev, policy *Policy) bool

ShallUpdatePolicy returns true if policy needs to be updated

Types

type CtxClient

type CtxClient struct {
	*gcp.AbstractClient
	// contains filtered or unexported fields
}

CtxClient represents a context client.

func GetClient

func GetClient(context *endly.Context) (*CtxClient, error)

func (*CtxClient) Service

func (s *CtxClient) Service() interface{}

func (*CtxClient) SetService

func (s *CtxClient) SetService(service interface{}) error

type DecryptRequest

type DecryptRequest struct {
	KeyInfo
	CipherData       []byte
	CipherBase64Text string
	Source           *location.Resource
}

DecryptRequest represents a decrypt request.

func NewDecryptRequest

func NewDecryptRequest(region, ring, keyId string, data []byte) *DecryptRequest

NewDecryptRequest creates a new DecryptRequest.

func (*DecryptRequest) Init

func (r *DecryptRequest) Init() error

Init initializes request

type DecryptResponse

type DecryptResponse struct {
	PlainData []byte
	PlainText string
}

DecryptResponse represents a decrypt response.

type DeployKeyRequest

type DeployKeyRequest struct {
	KeyInfo
	Labels  map[string]string
	Purpose string
	*Policy
	PolicyVersion int64
	// contains filtered or unexported fields
}

DeployKeyRequest represents a deploy KeyInfo request

func NewDeployKeyRequest

func NewDeployKeyRequest(region, ring, keyId, purpose string) *DeployKeyRequest

NewDeployKeyRequest creates a new DeployKeyRequest

func (*DeployKeyRequest) Init

func (r *DeployKeyRequest) Init() error

func (*DeployKeyRequest) Validate

func (r *DeployKeyRequest) Validate() error

type DeployKeyResponse

type DeployKeyResponse struct {
	*cloudkms.CryptoKey
	Policy *Policy
}

DeployKeyResponse represents a deploy KeyInfo response.

type EncryptRequest

type EncryptRequest struct {
	KeyInfo
	PlainBase64Text string
	PlainData       []byte
	Source          *location.Resource
	Dest            *location.Resource
}

EncryptRequest represents an encrypt request.

func NewEncryptRequest

func NewEncryptRequest(region, ring, keyId string, plainData []byte) *EncryptRequest

NewEncryptRequest creates a new EncryptRequest

func (*EncryptRequest) Init

func (r *EncryptRequest) Init() error

Init initializes request

func (*EncryptRequest) Validate

func (r *EncryptRequest) Validate() error

type EncryptResponse

type EncryptResponse struct {
	CipherData       []byte
	CipherBase64Text string
}

EncryptResponse represents an encrypt response.

type KeyInfo

type KeyInfo struct {
	Region string
	Key    string
	Ring   string
	// contains filtered or unexported fields
}

func (*KeyInfo) Init

func (r *KeyInfo) Init() error

Init initializes key

func (*KeyInfo) Validate

func (r *KeyInfo) Validate() error

type Policy

type Policy struct {
	Bindings []*cloudkms.Binding
	Version  int64
}

Policy represents a KMS policy.
