kms

package
v0.75.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 7, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README

Google Cloud Key Management Service

This service is google.golang.org/api/cloudkms/v1/Service proxy

To check all supported method run

     endly -s='gcp/kms'

To check method contract run endly -s='gcp/kms' -a=methodName

    endly -s='gcp/kms:keyRingsList' 

References:

Usage:
Creating a symmetric key
  • With gcloud
gcloud kms keyrings create my_ring --location us-central1

gcloud kms keys create my_key --location us-central1 \
  --keyring my_ring --purpose encryption

  • With endly
endly deploy

@deploy.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      purpose: ENCRYPT_DECRYPT
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - user:awitas@vindicotech.com
            - serviceAccount:${gcp.serviceAccount}

    keyInfo:
      action: print
      message: 'Deployed key: ${deployKey.Primary.Name}'

Encryption with a symmetric key
  • With gcloud
gcloud kms encrypt \
  --location=us-central1  \
  --keyring=my_ring \
  --key=my_key \
  --version=1 \
  --plaintext-file=data.txt \
  --ciphertext-file=data.enc
  • With endly
endly decrypt

@encrypt.yaml

pipeline:
  encrypt:
    action: gcp/kms:encrypt
    logging: false
    ring: my_ring
    key: my_key
    source:
      URL: data.txt
    dest:
      URL: data.enc
Decryption with a symmetric key
  • With gcloud

gcloud kms decrypt \
  --location=us-central1 \
  --keyring=my_ring \
  --key=my_key \
  --ciphertext-file=data.enc \
  --plaintext-file=data.dec
  • With endly
endly decrypt

@encrypt.yaml

pipeline:
  encrypt:
    action: gcp/kms:encrypt
    logging: false
    ring: my_ring
    key: my_key
    source:
      URL: data.txt
    dest:
      URL: data.enc
Inline encryption/decryption
endy -r=inline

@inline.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      purpose: ENCRYPT_DECRYPT
      logging: false
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - user:awitas@vindicotech.com
            - serviceAccount:${gcp.serviceAccount}

    keyInfo:
      action: print
      message: 'Deployed key: ${deployKey.Primary.Name}'

    encrypt:
      action: gcp/kms:encrypt
      ring: my_ring
      key: my_key
      plainData: this is test
      logging: false
      
    decrypt:
      action: gcp/kms:decrypt
      ring: my_ring
      key: my_key
      cipherBase64Text: ${encrypt.CipherBase64Text}
      logging: false
    info:
      action: print
      message: 'decrypted:  $AsString(${decrypt.PlainData})'
Google storage asset encryption/decryption
endy -r=secure

@secure.yaml

pipeline:
  secure:
    deployKey:
      action: gcp/kms:deployKey
      credentials: gcp-e2e
      ring: my_ring
      key: my_key
      logging: false
      purpose: ENCRYPT_DECRYPT
      bindings:
        - role: roles/cloudkms.cryptoKeyEncrypterDecrypter
          members:
            - serviceAccount:$gcp.serviceAccount

    encrypt:
      action: gcp/kms:encrypt
      logging: false
      ring: my_ring
      key: my_key
      plainData: this is test
      dest:
        URL: /tmp/config.json.enc
    decrypt:
      action: gcp/kms:decrypt
      logging: false
      ring: my_ring
      key: my_key
      source:
        URL: /tmp/config.json.enc
    info:
      action: print
      message: $AsString(${decrypt.PlainData})

Accessing encrypted URL asset
package main

import (
	"context"
	"encoding/base64"
	"fmt"
	"google.golang.org/api/cloudkms/v1"
	"google.golang.org/api/option"
	"log"
	_ "github.com/viant/toolbox/storage/gs"
	"github.com/viant/endly/model/location"
	"os"
	"path"
)

func main() {

	resource := location.NewResource("gs://myBucket/config.json.enc")
	keyURI := "projects/MY_PROJECT/locations/REGION/keyRings/my_ring/cryptoKeys/my_key"
	plain, err := decrypt(keyURI, resource)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s\n", plain)
}

func decrypt(key string, resource *location.Resource) ([]byte, error) {
	data, err := resource.DownloadText()
	if err != nil {
		return nil, err
	}
	ctx := context.Background()
	kmsService, err := cloudkms.NewService(ctx, option.WithScopes(cloudkms.CloudPlatformScope, cloudkms.CloudkmsScope))
	if err != nil {
		return nil, err
	}
	service := cloudkms.NewProjectsLocationsKeyRingsCryptoKeysService(kmsService)
	response, err := service.Decrypt(key, &cloudkms.DecryptRequest{Ciphertext:data}).Context(ctx).Do()
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(string(response.Plaintext))
}

Documentation

Index

Constants

View Source
const (
	//ServiceID Google cloudkms Service ID.
	ServiceID = "gcp/kms"
)

Variables

This section is empty.

Functions

func InitRequest

func InitRequest(context *endly.Context, rawRequest map[string]interface{}) error

func New

func New() endly.Service

New creates a new cloudkms service

func ShallUpdatePolicy

func ShallUpdatePolicy(prev, policy *Policy) bool

ShallUpdatePolicy returns true if policy needs to be updated

Types

type CtxClient

type CtxClient struct {
	*gcp.AbstractClient
	// contains filtered or unexported fields
}

CtxClient represents context client

func GetClient

func GetClient(context *endly.Context) (*CtxClient, error)

func (*CtxClient) Service

func (s *CtxClient) Service() interface{}

func (*CtxClient) SetService

func (s *CtxClient) SetService(service interface{}) error

type DecryptRequest

type DecryptRequest struct {
	KeyInfo
	CipherData       []byte
	CipherBase64Text string
	Source           *location.Resource
}

DecryptRequest represents decrypt response

func NewDecryptRequest

func NewDecryptRequest(region, ring, keyId string, data []byte) *DecryptRequest

NewEncryptRequest creates a new DecryptRequest

func (*DecryptRequest) Init

func (r *DecryptRequest) Init() error

Init initializes request

type DecryptResponse

type DecryptResponse struct {
	PlainData []byte
	PlainText string
}

DecryptResponse represents decrypt response

type DeployKeyRequest

type DeployKeyRequest struct {
	KeyInfo
	Labels  map[string]string
	Purpose string
	*Policy
	PolicyVersion int64
	// contains filtered or unexported fields
}

DeployKeyRequest represents a deploy KeyInfo request

func NewDeployKeyRequest

func NewDeployKeyRequest(region, ring, keyId, purpose string) *DeployKeyRequest

NewDeployKeyRequest creates a new DeployKeyRequest

func (*DeployKeyRequest) Init

func (r *DeployKeyRequest) Init() error

func (*DeployKeyRequest) Validate

func (r *DeployKeyRequest) Validate() error

type DeployKeyResponse

type DeployKeyResponse struct {
	*cloudkms.CryptoKey
	Policy *Policy
}

DeployKeyRequest represents a deploy KeyInfo response

type EncryptRequest

type EncryptRequest struct {
	KeyInfo
	PlainBase64Text string
	PlainData       []byte
	Source          *location.Resource
	Dest            *location.Resource
}

EncryptRequest represents encrypt request

func NewEncryptRequest

func NewEncryptRequest(region, ring, keyId string, plainData []byte) *EncryptRequest

NewEncryptRequest creates a new EncryptRequest

func (*EncryptRequest) Init

func (r *EncryptRequest) Init() error

Init initializes request

func (*EncryptRequest) Validate

func (r *EncryptRequest) Validate() error

type EncryptResponse

type EncryptResponse struct {
	CipherData       []byte
	CipherBase64Text string
}

EncryptResponse represents encrypt response

type KeyInfo

type KeyInfo struct {
	Region string
	Key    string
	Ring   string
	// contains filtered or unexported fields
}

func (*KeyInfo) Init

func (r *KeyInfo) Init() error

Init initializes key

func (*KeyInfo) Validate

func (r *KeyInfo) Validate() error

type Policy

type Policy struct {
	Bindings []*cloudkms.Binding
	Version  int64
}

Policy represents kms policy

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL