awskms

package
Published: Oct 10, 2024 License: Apache-2.0 Imports: 19 Imported by: 17

Documentation

Overview

Package awskms provides a secrets implementation backed by AWS KMS. Use OpenKeeper to construct a *secrets.Keeper, or OpenKeeperV2 to use AWS SDK V2.

URLs

For secrets.OpenKeeper, awskms registers for the scheme "awskms". The default URL opener will use an AWS session with the default credentials and configuration; see https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more details. Use "awssdk=v1" or "awssdk=v2" to force a specific AWS SDK version. To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.

As

awskms exposes the following type for As:

  • Error: (V1) awserr.Error, (V2) any error type returned by the service, notably smithy.APIError

Example (OpenFromURL)
package main

import (
	"context"
	"log"

	"gocloud.dev/secrets"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
	// PRAGMA: On gocloud.dev, add a blank import: _ "gocloud.dev/secrets/awskms"
	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
	ctx := context.Background()

	// Use one of the following:

	// 1. By ID.
	keeperByID, err := secrets.OpenKeeper(ctx,
		"awskms://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-east-1")
	if err != nil {
		log.Fatal(err)
	}
	defer keeperByID.Close()

	// 2. By alias.
	keeperByAlias, err := secrets.OpenKeeper(ctx,
		"awskms://alias/ExampleAlias?region=us-east-1")
	if err != nil {
		log.Fatal(err)
	}
	defer keeperByAlias.Close()

	// 3. By ARN. Note that ARN may contain ":" characters, which cannot be escaped
	// in the Host part of a URL, so the "awskms:///<ARN>" form should be used.
	const arn = "arn:aws:kms:us-east-1:111122223333:key/" +
		"1234abcd-12ab-34bc-56ef-1234567890ab"
	keeperByARN, err := secrets.OpenKeeper(ctx,
		"awskms:///"+arn+"?region=us-east-1")
	if err != nil {
		log.Fatal(err)
	}
	defer keeperByARN.Close()

	// Use "awssdk=v1" or "v2" to force a specific AWS SDK version.
	keeperUsingV2, err := secrets.OpenKeeper(ctx,
		"awskms://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-east-1&awssdk=v2")
	if err != nil {
		log.Fatal(err)
	}
	defer keeperUsingV2.Close()
}

Constants

const Scheme = "awskms"

Scheme is the URL scheme awskms registers its URLOpener under on secrets.DefaultMux.

Variables

var Set = wire.NewSet(
	wire.Struct(new(URLOpener), "ConfigProvider"),
	Dial,
	DialV2,
)

Set holds Wire providers for this package.

Functions

func Dial

func Dial(p client.ConfigProvider) (*kms.KMS, error)

Dial gets an AWS KMS service client.

func DialV2 added in v0.24.0

func DialV2(cfg awsv2.Config) (*kmsv2.Client, error)

DialV2 gets an AWS KMS service client using the AWS SDK V2.

func OpenKeeper deprecated added in v0.13.0

func OpenKeeper(client *kms.KMS, keyID string, opts *KeeperOptions) *secrets.Keeper

OpenKeeper returns a *secrets.Keeper that uses AWS KMS. The key ID can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details. See the package documentation for an example.

Deprecated: AWS no longer supports their V1 API. Please migrate to OpenKeeperV2.

Example
package main

import (
	"log"

	"github.com/aws/aws-sdk-go/aws/session"
	"gocloud.dev/secrets/awskms"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.

	// Establish an AWS session.
	// See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more info.
	sess, err := session.NewSession(nil)
	if err != nil {
		log.Fatal(err)
	}

	// Get a client to use with the KMS API.
	client, err := awskms.Dial(sess)
	if err != nil {
		log.Fatal(err)
	}

	// Construct a *secrets.Keeper.
	keeper := awskms.OpenKeeper(client, "alias/test-secrets", nil)
	defer keeper.Close()
}

func OpenKeeperV2 added in v0.24.0

func OpenKeeperV2(client *kmsv2.Client, keyID string, opts *KeeperOptions) *secrets.Keeper

OpenKeeperV2 returns a *secrets.Keeper that uses AWS KMS, using SDK v2. The key ID can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details. See the package documentation for an example.

Example
package main

import (
	"context"
	"log"

	awsv2cfg "github.com/aws/aws-sdk-go-v2/config"
	"gocloud.dev/secrets/awskms"
)

func main() {
	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.

	// Establish an AWS V2 Config.
	// See https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/ for more info.
	ctx := context.Background()
	cfg, err := awsv2cfg.LoadDefaultConfig(ctx)
	if err != nil {
		log.Fatal(err)
	}

	// Get a client to use with the KMS API.
	client, err := awskms.DialV2(cfg)
	if err != nil {
		log.Fatal(err)
	}

	// Construct a *secrets.Keeper.
	keeper := awskms.OpenKeeperV2(client, "alias/test-secrets", nil)
	defer keeper.Close()
}

Types

type KeeperOptions

type KeeperOptions struct {
	// EncryptionContext parameters.
	// See https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context.
	EncryptionContext map[string]string
}

KeeperOptions controls Keeper behaviors. It is provided for future extensibility.

type URLOpener added in v0.12.0

type URLOpener struct {
	// UseV2 indicates whether the AWS SDK V2 should be used.
	UseV2 bool

	// ConfigProvider must be set to a non-nil value if UseV2 is false.
	ConfigProvider client.ConfigProvider

	// Options specifies the options to pass to OpenKeeper.
	// EncryptionContext parameters from the URL are merged in.
	Options KeeperOptions
}

URLOpener opens AWS KMS URLs like "awskms://keyID" or "awskms:///keyID".

The URL Host + Path are used as the key ID, which can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details. Note that ARNs may contain ":" characters, which cannot be escaped in the Host part of a URL, so the "awskms:///<ARN>" form should be used.

Use "awssdk=v1" to force using AWS SDK v1, "awssdk=v2" to force using AWS SDK v2, or anything else to accept the default.

EncryptionContext key/value pairs can be supplied as URL parameters prefixed with "context_"; e.g., "...&context_abc=foo&context_def=bar" would result in an EncryptionContext of {abc=foo, def=bar}. See https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context.

For V1, see gocloud.dev/aws/ConfigFromURLParams for supported query parameters for overriding the aws.Session from the URL. For V2, see gocloud.dev/aws/V2ConfigFromURLParams.

func (*URLOpener) OpenKeeperURL added in v0.12.0

func (o *URLOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*secrets.Keeper, error)

OpenKeeperURL opens an AWS KMS Keeper based on u.
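As an added, stand-alone illustration (not the awskms package's own code), the following Go program applies the URL rules stated in the URLOpener and OpenKeeperURL documentation above: Host + Path become the key ID, "awssdk" selects v1 or v2 with anything else accepting the default, and every "context_<k>=<v>" parameter becomes an EncryptionContext entry. It also shows why the doc insists on the "awskms:///<ARN>" form: an ARN placed in the Host part is rejected by net/url because its ":" characters are read as a port. The KeeperURLParts type, ParseKeeperURL and ContextString are names invented for this example, and the sample URLs are constructed to mirror the forms shown on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// KeeperURLParts is a hypothetical helper type for this example (not part of
// gocloud.dev); it holds what the documented URL rules yield.
type KeeperURLParts struct {
	KeyID             string            // Host + Path of the URL
	SDK               string            // "v1", "v2", or "" for the default
	Region            string            // the "region" query parameter, if any
	EncryptionContext map[string]string // from "context_*" query parameters
}

// ParseKeeperURL applies the rules from the URLOpener documentation:
// Host + Path form the key ID, "awssdk" picks the SDK version, and every
// "context_<k>=<v>" parameter becomes an EncryptionContext entry.
func ParseKeeperURL(rawURL string) (*KeeperURLParts, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		// "awskms://arn:aws:kms:..." lands here: the ":" in the Host part is
		// parsed as a port and rejected, hence the "awskms:///<ARN>" form.
		return nil, fmt.Errorf("parse keeper URL: %w", err)
	}
	if u.Scheme != "awskms" {
		return nil, fmt.Errorf("unexpected scheme %q, want %q", u.Scheme, "awskms")
	}
	// "awskms://alias/Name"   -> Host "alias", Path "/Name"     -> "alias/Name"
	// "awskms:///arn:aws:..." -> Host "",      Path "/arn:aws:..." -> "arn:aws:..."
	keyID := strings.TrimPrefix(u.Host+u.Path, "/")
	if keyID == "" {
		return nil, fmt.Errorf("keeper URL %q has no key ID", rawURL)
	}
	q := u.Query()
	parts := &KeeperURLParts{
		KeyID:             keyID,
		Region:            q.Get("region"),
		EncryptionContext: map[string]string{},
	}
	switch q.Get("awssdk") {
	case "v1":
		parts.SDK = "v1"
	case "v2":
		parts.SDK = "v2"
	default:
		parts.SDK = "" // anything else accepts the package default
	}
	for key, values := range q {
		if strings.HasPrefix(key, "context_") {
			name := strings.TrimPrefix(key, "context_")
			if name != "" {
				parts.EncryptionContext[name] = values[0] // first value wins
			}
		}
	}
	return parts, nil
}

// ContextString renders an EncryptionContext deterministically ("k=v, k=v"),
// which is useful when recording which context a ciphertext was bound to.
func ContextString(ec map[string]string) string {
	pairs := make([]string, 0, len(ec))
	for k, v := range ec {
		pairs = append(pairs, k+"="+v)
	}
	sort.Strings(pairs)
	return strings.Join(pairs, ", ")
}

func main() {
	// Constructed sample URLs mirroring the forms shown in the package docs.
	samples := []string{
		"awskms://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-east-1",
		"awskms://alias/ExampleAlias?region=us-east-1&awssdk=v2&context_abc=foo&context_def=bar",
		"awskms:///arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34bc-56ef-1234567890ab?region=us-east-1",
		"awskms://arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34bc-56ef-1234567890ab", // wrong form
	}
	for _, s := range samples {
		p, err := ParseKeeperURL(s)
		if err != nil {
			fmt.Printf("%s\n  error: %v\n", s, err)
			continue
		}
		fmt.Printf("%s\n  keyID=%s sdk=%q region=%s context={%s}\n",
			s, p.KeyID, p.SDK, p.Region, ContextString(p.EncryptionContext))
	}
}
```

The EncryptionContext is worth tracking deliberately: KMS binds it to the ciphertext as additional authenticated data and requires the identical key/value pairs on Decrypt, so a Keeper opened with different "context_" parameters than the one that encrypted a value will fail to decrypt it. The pairs are not secret and appear in CloudTrail logs, which makes them a useful audit field but an unsuitable place for confidential data.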
