gocloud.dev: gocloud.dev/secrets/awskms Index | Examples | Files

package awskms

import "gocloud.dev/secrets/awskms"

Package awskms provides a secrets implementation backed by AWS KMS. Use OpenKeeper to construct a *secrets.Keeper.

URLs

For secrets.OpenKeeper, awskms registers for the scheme "awskms". The default URL opener will use an AWS session with the default credentials and configuration; see https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more details. To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.

As

awskms exposes the following type for As:

- Error: awserr.Error

Code:

ctx := context.Background()

// secrets.OpenKeeper creates a *secrets.Keeper from a URL.
// The host + path are the key ID; this example uses an alias. See
// https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
// for more details.
keeper, err := secrets.OpenKeeper(ctx, "awskms://alias/my-key")
if err != nil {
    log.Fatal(err)
}
defer keeper.Close()

Index

Examples

Package Files

kms.go

Constants

const Scheme = "awskms"

Scheme is the URL scheme awskms registers its URLOpener under on secrets.DefaultMux.

Variables

var Set = wire.NewSet(
    KeeperOptions{},
    URLOpener{},
    Dial,
)

Set holds Wire providers for this package.

func Dial Uses

func Dial(p client.ConfigProvider) (*kms.KMS, error)

Dial gets an AWS KMS service client.

func OpenKeeper Uses

func OpenKeeper(client *kms.KMS, keyID string, opts *KeeperOptions) *secrets.Keeper

OpenKeeper returns a *secrets.Keeper that uses AWS KMS. The key ID can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details. See the package documentation for an example.

Code:

// Establish an AWS session.
// See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for more info.
sess, err := session.NewSession(nil)
if err != nil {
    log.Fatal(err)
}

// Get a client to use with the KMS API.
client, err := awskms.Dial(sess)
if err != nil {
    log.Fatal(err)
}

// Construct a *secrets.Keeper.
keeper := awskms.OpenKeeper(
    client,
    // Get the key ID. Here is an example of using an alias. See
    // https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
    // for more details.
    "alias/test-secrets",
    nil,
)
defer keeper.Close()

// Now we can use keeper to encrypt or decrypt.
ctx := context.Background()
plaintext := []byte("Hello, Secrets!")
ciphertext, err := keeper.Encrypt(ctx, plaintext)
if err != nil {
    log.Fatal(err)
}
decrypted, err := keeper.Decrypt(ctx, ciphertext)
if err != nil {
    log.Fatal(err)
}
_ = decrypted

type KeeperOptions Uses

type KeeperOptions struct{}

KeeperOptions controls Keeper behaviors. It is provided for future extensibility.

type URLOpener Uses

type URLOpener struct {
    // ConfigProvider must be set to a non-nil value.
    ConfigProvider client.ConfigProvider

    // Options specifies the options to pass to OpenKeeper.
    Options KeeperOptions
}

URLOpener opens AWS KMS URLs like "awskms://keyID".

The URL Host + Path are used as the key ID, which can be in the form of an Amazon Resource Name (ARN), alias name, or alias ARN. See https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn for more details.

See gocloud.dev/aws/ConfigFromURLParams for supported query parameters for overriding the aws.Session from the URL.

func (*URLOpener) OpenKeeperURL Uses

func (o *URLOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*secrets.Keeper, error)

OpenKeeperURL opens an AWS KMS Keeper based on u.

Package awskms imports 15 packages (graph) and is imported by 2 packages. Updated 2019-05-17. Refresh now. Tools for package owners.