awskms

package
v2.0.0 Latest

This package is not in the latest version of its module.
Published: Jun 22, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package awskms provides integration with the AWS Key Management Service.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewClient deprecated

func NewClient(uriPrefix string) (registry.KMSClient, error)

NewClient returns a KMSClient backed by AWS KMS using default credentials to handle keys whose URIs start with uriPrefix.

uriPrefix must have the following format:

aws-kms://arn:<partition>:kms:<region>:[<path>]

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html

AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.

Deprecated: Instead, use NewClientWithOptions.

awskms.NewClientWithOptions(uriPrefix)

func NewClientWithCredentials deprecated

func NewClientWithCredentials(uriPrefix string, credentialPath string) (registry.KMSClient, error)

NewClientWithCredentials returns a KMSClient backed by AWS KMS using the given credentials to handle keys whose URIs start with uriPrefix.

uriPrefix must have the following format:

aws-kms://arn:<partition>:kms:<region>:[<path>]

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html

credentialPath can specify a file in CSV format as provided in the IAM console or an INI-style credentials file.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format.

AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.

Deprecated: Instead use NewClientWithOptions and WithCredentialPath.

awskms.NewClientWithOptions(uriPrefix, awskms.WithCredentialPath(credentialPath))

func NewClientWithKMS deprecated

func NewClientWithKMS(uriPrefix string, kms kmsiface.KMSAPI) (registry.KMSClient, error)

NewClientWithKMS returns a KMSClient backed by AWS KMS using the provided instance of the AWS SDK KMS client.

The caller is responsible for ensuring that the region configured in the provided KMS client is consistent with the region specified within uriPrefix; otherwise API requests will fail.

uriPrefix must have the following format:

aws-kms://arn:<partition>:kms:<region>:[<path>]

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html

AEAD primitives produced by this client will use LegacyAdditionalData when serializing associated data.

Deprecated: Instead use NewClientWithOptions and WithKMS.

awskms.NewClientWithOptions(uriPrefix, awskms.WithKMS(kms))

func NewClientWithOptions

func NewClientWithOptions(uriPrefix string, opts ...ClientOption) (registry.KMSClient, error)

NewClientWithOptions returns a registry.KMSClient which wraps an AWS KMS client and will handle keys whose URIs start with uriPrefix.

By default, the client will use default credentials.

AEAD primitives produced by this client will use AssociatedData when serializing associated data.

Types

type AWSAEAD

type AWSAEAD struct {
	// contains filtered or unexported fields
}

AWSAEAD is an implementation of the AEAD interface which performs cryptographic operations remotely via the AWS KMS service using a specific key URI.

func (*AWSAEAD) Decrypt

func (a *AWSAEAD) Decrypt(ciphertext, associatedData []byte) ([]byte, error)

Decrypt decrypts the ciphertext and verifies the associated data.

func (*AWSAEAD) Encrypt

func (a *AWSAEAD) Encrypt(plaintext, associatedData []byte) ([]byte, error)

Encrypt encrypts the plaintext with associatedData.

type ClientOption

type ClientOption interface {
	// contains filtered or unexported methods
}

ClientOption is an interface for defining options that are passed to NewClientWithOptions.

func WithCredentialPath

func WithCredentialPath(credentialPath string) ClientOption

WithCredentialPath instantiates the underlying AWS KMS client using the credentials located at credentialPath.

credentialPath can specify a file in CSV format as provided in the IAM console or an INI-style credentials file.

See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format.

func WithEncryptionContextName

func WithEncryptionContextName(name EncryptionContextName) ClientOption

WithEncryptionContextName sets the name under which the base64-encoded associated data is placed in the EncryptionContext field of EncryptInput and DecryptInput requests.

The default is AssociatedData, which is compatible with the Tink AWS KMS extensions in other languages. In older versions of this package, before this option was present, "additionalData" was hardcoded.

This option is provided to facilitate compatibility with older ciphertexts.

func WithKMS

func WithKMS(kms kmsiface.KMSAPI) ClientOption

WithKMS sets the underlying AWS KMS client to kms, a preexisting AWS KMS client instance.

It is the caller's responsibility to ensure that the configured region of kms matches the region in key URIs passed to this client. Otherwise, API requests will fail.
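The key URI format documented above and the region caveat for NewClientWithKMS and WithKMS, checked in code. This is an added example, not code from the awskms package or the AWS SDK: it parses the documented aws-kms://arn:<partition>:kms:<region>:... form with the standard library only, validates a uriPrefix, and checks a key URI against both the prefix and the region the caller's SDK client was built for (clientRegion is an assumed input, taken from the caller's own AWS config). The account and key IDs in main are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// scheme is the URI scheme the package documents for key URIs and prefixes.
const scheme = "aws-kms://"

// KeyARN holds the fields of a KMS key ARN taken from an aws-kms:// key URI:
// aws-kms://arn:<partition>:kms:<region>:<account>:key/<key-id> (or alias/<name>).
type KeyARN struct {
	Partition, Region, Account, Resource string
}

// ParseKeyURI splits a key URI into its ARN fields and rejects anything that
// is not a KMS key or alias ARN, so a typo cannot silently target another service.
func ParseKeyURI(keyURI string) (KeyARN, error) {
	if !strings.HasPrefix(keyURI, scheme) {
		return KeyARN{}, fmt.Errorf("%q does not start with %q", keyURI, scheme)
	}
	p := strings.SplitN(strings.TrimPrefix(keyURI, scheme), ":", 6)
	if len(p) != 6 || p[0] != "arn" || p[2] != "kms" {
		return KeyARN{}, fmt.Errorf("%q is not a KMS ARN", keyURI)
	}
	a := KeyARN{Partition: p[1], Region: p[3], Account: p[4], Resource: p[5]}
	if a.Partition == "" || a.Region == "" || a.Account == "" {
		return KeyARN{}, fmt.Errorf("%q has an empty partition, region or account", keyURI)
	}
	if !strings.HasPrefix(a.Resource, "key/") && !strings.HasPrefix(a.Resource, "alias/") {
		return KeyARN{}, fmt.Errorf("%q must end in key/<key-id> or alias/<name>", keyURI)
	}
	return a, nil
}

// ValidatePrefix checks that uriPrefix has the documented shape
// aws-kms://arn:<partition>:kms:<region>:[<path>] and returns its region.
// Requiring the ':' after the region matters: the client matches key URIs by
// plain string prefix, so "...:kms:us-east-1" without it would also accept
// any region name that merely begins with "us-east-1".
func ValidatePrefix(uriPrefix string) (string, error) {
	if !strings.HasPrefix(uriPrefix, scheme) {
		return "", fmt.Errorf("%q does not start with %q", uriPrefix, scheme)
	}
	p := strings.SplitN(strings.TrimPrefix(uriPrefix, scheme), ":", 5)
	if len(p) != 5 || p[0] != "arn" || p[1] == "" || p[2] != "kms" || p[3] == "" {
		return "", fmt.Errorf("%q is not of the form aws-kms://arn:<partition>:kms:<region>:[<path>]", uriPrefix)
	}
	return p[3], nil
}

// CheckKeyURI performs the checks a caller owes before use: the key URI lies
// under uriPrefix, and its region equals clientRegion, the region the SDK
// client handed to WithKMS was configured for (assumed here to come from the
// caller's SDK config). A mismatch would otherwise only surface as a failed
// Encrypt or Decrypt request on the data path.
func CheckKeyURI(uriPrefix, clientRegion, keyURI string) (KeyARN, error) {
	if _, err := ValidatePrefix(uriPrefix); err != nil {
		return KeyARN{}, err
	}
	if !strings.HasPrefix(keyURI, uriPrefix) {
		return KeyARN{}, fmt.Errorf("key URI %q is not under prefix %q", keyURI, uriPrefix)
	}
	a, err := ParseKeyURI(keyURI)
	if err != nil {
		return KeyARN{}, err
	}
	if a.Region != clientRegion {
		return KeyARN{}, fmt.Errorf("key %q is in %s but the KMS client is configured for %s", keyURI, a.Region, clientRegion)
	}
	return a, nil
}

func main() {
	// Constructed sample values: the account and key IDs are placeholders.
	const prefix = "aws-kms://arn:aws:kms:us-east-1:"
	for _, k := range []string{
		"aws-kms://arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
		"aws-kms://arn:aws:kms:us-east-1:123456789012:alias/tink-master",
		"aws-kms://arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
	} {
		if a, err := CheckKeyURI(prefix, "us-east-1", k); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: %s in %s/%s\n", a.Resource, a.Partition, a.Region)
		}
	}
}
```

With WithKMS the region check is the only thing standing between a client built for the wrong region and an error on the first Encrypt or Decrypt call, so it belongs at construction time rather than in the request path.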

type EncryptionContextName

type EncryptionContextName uint

EncryptionContextName specifies the name used in the EncryptionContext field of EncryptInput and DecryptInput requests. See WithEncryptionContextName for further details.

const (
	// AssociatedData will set the EncryptionContext name to "associatedData".
	AssociatedData EncryptionContextName = 1 + iota
	// LegacyAdditionalData will set the EncryptionContext name to "additionalData".
	LegacyAdditionalData
)

func (EncryptionContextName) String

func (n EncryptionContextName) String() string
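The following added example (not code from this package, from the AWS SDK, or from internal/fakeawskms) shows what WithEncryptionContextName and these constants change on the wire and why the choice matters for existing ciphertexts. It builds the documented EncryptionContext (the associated data, base64-encoded, under "associatedData" or "additionalData") and stands in for KMS with an in-process AES-GCM fake that binds the context to the ciphertext, so a Decrypt under the other name fails the way KMS rejects a mismatched context. The JSON canonicalization, the omission of the context for empty associated data, and the key ID and associated data in main are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// The EncryptionContext entry names this package documents for
// AssociatedData (the default) and LegacyAdditionalData.
const (
	associatedData       = "associatedData"
	legacyAdditionalData = "additionalData"
)

// encryptionContext is the documented EncryptionContext: the associated data,
// base64-encoded, under the chosen name. No context for empty AD is an assumption.
func encryptionContext(name string, ad []byte) map[string]string {
	if len(ad) == 0 {
		return nil
	}
	return map[string]string{name: base64.StdEncoding.EncodeToString(ad)}
}

// canonical flattens a context deterministically (json sorts map keys) so the
// fake can bind it as AES-GCM additional data; the encoding is the fake's own.
func canonical(ctx map[string]string) []byte {
	b, _ := json.Marshal(ctx) // a map[string]string always marshals
	return b
}

// fakeKMS stands in for the KMS Encrypt/Decrypt APIs (not internal/fakeawskms):
// keys never leave it, and a Decrypt with a different context fails, as in KMS.
type fakeKMS struct{ keys map[string]cipher.AEAD }

func newFakeKMS(keyID string) (*fakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(k) // a 32-byte key is always valid for AES
	g, _ := cipher.NewGCM(block)  // AES's block size always suits GCM
	return &fakeKMS{keys: map[string]cipher.AEAD{keyID: g}}, nil
}

func (f *fakeKMS) Encrypt(keyID string, pt []byte, ctx map[string]string) ([]byte, error) {
	g, ok := f.keys[keyID]
	if !ok {
		return nil, fmt.Errorf("NotFoundException: %s", keyID)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, canonical(ctx)), nil
}

func (f *fakeKMS) Decrypt(keyID string, ct []byte, ctx map[string]string) ([]byte, error) {
	g, ok := f.keys[keyID]
	if !ok || len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("invalid key %q or ciphertext", keyID)
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], canonical(ctx))
	if err != nil { // real KMS reports a context mismatch exactly like tampering
		return nil, fmt.Errorf("InvalidCiphertextException")
	}
	return pt, nil
}

// kmsAEAD plays the role of AWSAEAD: the associated data reaches KMS only via
// the encryption context, so the entry name is part of what binds a ciphertext.
type kmsAEAD struct {
	kms   *fakeKMS
	keyID string
	name  string
}

func (a *kmsAEAD) Encrypt(pt, ad []byte) ([]byte, error) {
	return a.kms.Encrypt(a.keyID, pt, encryptionContext(a.name, ad))
}

func (a *kmsAEAD) Decrypt(ct, ad []byte) ([]byte, error) {
	return a.kms.Decrypt(a.keyID, ct, encryptionContext(a.name, ad))
}

func main() {
	kms, err := newFakeKMS("key/example") // constructed key ID
	if err != nil {
		panic(err)
	}
	ad := []byte("tenant=acme") // constructed associated data
	ct, _ := (&kmsAEAD{kms, "key/example", legacyAdditionalData}).Encrypt([]byte("secret"), ad)
	_, err = (&kmsAEAD{kms, "key/example", associatedData}).Decrypt(ct, ad)
	fmt.Println("default name on a legacy ciphertext:", err)
}
```

The operational consequence: a ciphertext produced with LegacyAdditionalData (the deprecated constructors) cannot be decrypted by a client from NewClientWithOptions unless that client is given WithEncryptionContextName(LegacyAdditionalData), and a KMS key policy condition or CloudTrail filter written against the additionalData context key will not match the new name. Under this example's assumption that no context is sent for empty associated data, ciphertexts made without associated data are unaffected by the choice.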

Directories

Path Synopsis
internal
fakeawskms
Package fakeawskms provides a partial fake implementation of kmsiface.KMSAPI.
