README
¶
Google Cloud Key Management Service
This service is google.golang.org/api/cloudkms/v1/Service proxy
To check all supported method run
endly -s='gcp/kms'
To check method contract run endly -s='gcp/kms' -a=methodName
endly -s='gcp/kms:keyRingsList'
References:
Usage:
Creating a symmetric key
- With gcloud
gcloud kms keyrings create my_ring --location us-central1
gcloud kms keys create my_key --location us-central1 \
--keyring my_ring --purpose encryption
- With endly
endly deploy
pipeline:
secure:
deployKey:
action: gcp/kms:deployKey
credentials: gcp-e2e
ring: my_ring
key: my_key
purpose: ENCRYPT_DECRYPT
bindings:
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
members:
- user:awitas@vindicotech.com
- serviceAccount:${gcp.serviceAccount}
keyInfo:
action: print
message: 'Deployed key: ${deployKey.Primary.Name}'
Encryption with a symmetric key
- With gcloud
gcloud kms encrypt \
--location=us-central1 \
--keyring=my_ring \
--key=my_key \
--version=1 \
--plaintext-file=data.txt \
--ciphertext-file=data.enc
- With endly
endly decrypt
pipeline:
encrypt:
action: gcp/kms:encrypt
logging: false
ring: my_ring
key: my_key
source:
URL: data.txt
dest:
URL: data.enc
Decryption with a symmetric key
- With gcloud
gcloud kms decrypt \
--location=us-central1 \
--keyring=my_ring \
--key=my_key \
--ciphertext-file=data.enc \
--plaintext-file=data.dec
- With endly
endly decrypt
pipeline:
encrypt:
action: gcp/kms:encrypt
logging: false
ring: my_ring
key: my_key
source:
URL: data.txt
dest:
URL: data.enc
Inline encryption/decryption
endy -r=inline
pipeline:
secure:
deployKey:
action: gcp/kms:deployKey
credentials: gcp-e2e
ring: my_ring
key: my_key
purpose: ENCRYPT_DECRYPT
logging: false
bindings:
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
members:
- user:awitas@vindicotech.com
- serviceAccount:${gcp.serviceAccount}
keyInfo:
action: print
message: 'Deployed key: ${deployKey.Primary.Name}'
encrypt:
action: gcp/kms:encrypt
ring: my_ring
key: my_key
plainData: this is test
logging: false
decrypt:
action: gcp/kms:decrypt
ring: my_ring
key: my_key
cipherBase64Text: ${encrypt.CipherBase64Text}
logging: false
info:
action: print
message: 'decrypted: $AsString(${decrypt.PlainData})'
Google storage asset encryption/decryption
endy -r=secure
pipeline:
secure:
deployKey:
action: gcp/kms:deployKey
credentials: gcp-e2e
ring: my_ring
key: my_key
logging: false
purpose: ENCRYPT_DECRYPT
bindings:
- role: roles/cloudkms.cryptoKeyEncrypterDecrypter
members:
- serviceAccount:$gcp.serviceAccount
encrypt:
action: gcp/kms:encrypt
logging: false
ring: my_ring
key: my_key
plainData: this is test
dest:
URL: /tmp/config.json.enc
decrypt:
action: gcp/kms:decrypt
logging: false
ring: my_ring
key: my_key
source:
URL: /tmp/config.json.enc
info:
action: print
message: $AsString(${decrypt.PlainData})
Accessing encrypted URL asset
package main
import (
"context"
"encoding/base64"
"fmt"
"google.golang.org/api/cloudkms/v1"
"google.golang.org/api/option"
"log"
_ "github.com/viant/toolbox/storage/gs"
"github.com/viant/endly/model/location"
"os"
"path"
)
func main() {
resource := location.NewResource("gs://myBucket/config.json.enc")
keyURI := "projects/MY_PROJECT/locations/REGION/keyRings/my_ring/cryptoKeys/my_key"
plain, err := decrypt(keyURI, resource)
if err != nil {
log.Fatal(err)
}
fmt.Printf("%s\n", plain)
}
func decrypt(key string, resource *location.Resource) ([]byte, error) {
data, err := resource.DownloadText()
if err != nil {
return nil, err
}
ctx := context.Background()
kmsService, err := cloudkms.NewService(ctx, option.WithScopes(cloudkms.CloudPlatformScope, cloudkms.CloudkmsScope))
if err != nil {
return nil, err
}
service := cloudkms.NewProjectsLocationsKeyRingsCryptoKeysService(kmsService)
response, err := service.Decrypt(key, &cloudkms.DecryptRequest{Ciphertext:data}).Context(ctx).Do()
if err != nil {
return nil, err
}
return base64.StdEncoding.DecodeString(string(response.Plaintext))
}
Documentation
¶
Index ¶
- Constants
- func InitRequest(context *endly.Context, rawRequest map[string]interface{}) error
- func New() endly.Service
- func ShallUpdatePolicy(prev, policy *Policy) bool
- type CtxClient
- type DecryptRequest
- type DecryptResponse
- type DeployKeyRequest
- type DeployKeyResponse
- type EncryptRequest
- type EncryptResponse
- type KeyInfo
- type Policy
Constants ¶
View Source
const (
//ServiceID Google cloudkms Service ID.
ServiceID = "gcp/kms"
)
Variables ¶
This section is empty.
Functions ¶
func InitRequest ¶
func ShallUpdatePolicy ¶
ShallUpdatePolicy returns true if policy needs to be updated
Types ¶
type CtxClient ¶
type CtxClient struct {
*gcp.AbstractClient
// contains filtered or unexported fields
}
CtxClient represents context client
func (*CtxClient) SetService ¶
type DecryptRequest ¶
type DecryptRequest struct {
KeyInfo
CipherData []byte
CipherBase64Text string
Source *location.Resource
}
DecryptRequest represents decrypt response
func NewDecryptRequest ¶
func NewDecryptRequest(region, ring, keyId string, data []byte) *DecryptRequest
NewEncryptRequest creates a new DecryptRequest
type DecryptResponse ¶
DecryptResponse represents decrypt response
type DeployKeyRequest ¶
type DeployKeyRequest struct {
KeyInfo
Labels map[string]string
Purpose string
*Policy
PolicyVersion int64
// contains filtered or unexported fields
}
DeployKeyRequest represents a deploy KeyInfo request
func NewDeployKeyRequest ¶
func NewDeployKeyRequest(region, ring, keyId, purpose string) *DeployKeyRequest
NewDeployKeyRequest creates a new DeployKeyRequest
func (*DeployKeyRequest) Init ¶
func (r *DeployKeyRequest) Init() error
func (*DeployKeyRequest) Validate ¶
func (r *DeployKeyRequest) Validate() error
type DeployKeyResponse ¶
type DeployKeyResponse struct {
*cloudkms.CryptoKey
Policy *Policy
}
DeployKeyRequest represents a deploy KeyInfo response
type EncryptRequest ¶
type EncryptRequest struct {
KeyInfo
PlainBase64Text string
PlainData []byte
Source *location.Resource
Dest *location.Resource
}
EncryptRequest represents encrypt request
func NewEncryptRequest ¶
func NewEncryptRequest(region, ring, keyId string, plainData []byte) *EncryptRequest
NewEncryptRequest creates a new EncryptRequest
func (*EncryptRequest) Validate ¶
func (r *EncryptRequest) Validate() error
type EncryptResponse ¶
EncryptResponse represents encrypt response
Source Files
Click to show internal directories.
Click to hide internal directories.