package gcpkms

import "gocloud.dev/secrets/gcpkms"

Package gcpkms provides a secrets implementation backed by Google Cloud KMS. Use OpenKeeper to construct a *secrets.Keeper.


For secrets.OpenKeeper, gcpkms registers for the scheme "gcpkms". The default URL opener will create a connection using default credentials from the environment, as described in https://cloud.google.com/docs/authentication/production. To customize the URL opener, or for more details on the URL format, see URLOpener. See https://gocloud.dev/concepts/urls/ for background information.


gcpkms exposes the following type for As:

- Error: *google.golang.org/grpc/status.Status


// This example is used in https://gocloud.dev/howto/secrets/#gcp

// import _ "gocloud.dev/secrets/gcpkms"

// Variables set up elsewhere:
ctx := context.Background()

// The URL follows the format documented under URLOpener; the
// MYPROJECT/MYLOCATION/MYKEYRING/MYKEY segments are placeholders for your own IDs.
keeper, err := secrets.OpenKeeper(ctx,
    "gcpkms://projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY")
if err != nil {
    log.Fatal(err)
}
defer keeper.Close()




const Scheme = "gcpkms"

Scheme is the URL scheme gcpkms registers its URLOpener under on secrets.DefaultMux.


var Set = wire.NewSet(
    wire.Struct(new(URLOpener), "Client"),
)

Set holds Wire providers for this package.

func Dial

func Dial(ctx context.Context, ts gcp.TokenSource) (*cloudkms.KeyManagementClient, func(), error)

Dial returns a client to use with Cloud KMS and a clean-up function to close the client after use.

func KeyResourceID

func KeyResourceID(projectID, location, keyRing, key string) string

KeyResourceID constructs a key resourceID for GCP KMS. See https://cloud.google.com/kms/docs/object-hierarchy#key for more details.

func OpenKeeper

func OpenKeeper(client *cloudkms.KeyManagementClient, keyResourceID string, opts *KeeperOptions) *secrets.Keeper

OpenKeeper returns a *secrets.Keeper that uses Google Cloud KMS. You can use KeyResourceID to construct keyResourceID from its parts, or provide the whole string if you have it (e.g., from the GCP console). See https://cloud.google.com/kms/docs/object-hierarchy#key for more details. See the package documentation for an example.


// This example is used in https://gocloud.dev/howto/secrets/#gcp-ctor

// Variables set up elsewhere:
ctx := context.Background()

// Get a client to use with the KMS API.
client, done, err := gcpkms.Dial(ctx, nil)
if err != nil {
    log.Fatal(err)
}
// Close the connection when done.
defer done()

// You can also use gcpkms.KeyResourceID to construct this string.
// MYPROJECT/MYLOCATION/MYKEYRING/MYKEY are placeholders for your own IDs.
const keyID = "projects/MYPROJECT/" +
    "locations/MYLOCATION/" +
    "keyRings/MYKEYRING/" +
    "cryptoKeys/MYKEY"
// Construct a *secrets.Keeper.
keeper := gcpkms.OpenKeeper(client, keyID, nil)
defer keeper.Close()

type KeeperOptions

type KeeperOptions struct{}

KeeperOptions controls Keeper behaviors. It is provided for future extensibility.

type URLOpener

type URLOpener struct {
    // Client must be non-nil and be authenticated with "cloudkms" scope or equivalent.
    Client *cloudkms.KeyManagementClient

    // Options specifies the default options to pass to OpenKeeper.
    Options KeeperOptions
}

URLOpener opens GCP KMS URLs like "gcpkms://projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]".

The URL host+path are used as the key resource ID; see https://cloud.google.com/kms/docs/object-hierarchy#key for more details.

No query parameters are supported.
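The following is an added example, not code from the gocloud.dev project, showing how the parts passed to KeyResourceID map onto the "gcpkms://" URL that the URL opener consumes, and the pre-flight check a caller can run before handing a URL to secrets.OpenKeeper. It uses only the Go standard library; keyResourceID mirrors the signature of the package's KeyResourceID, while keeperURL and resourceIDFromURL are hypothetical helpers that do not exist in the package. The one subtlety worth seeing is that for "gcpkms://projects/P/...", url.Parse puts "projects" in Host and "/P/locations/..." in Path, which is why the documentation says host+path are used as the resource ID. The structural checks (eight segments, fixed labels, no query or fragment) are this example's own; the page only documents the URL layout and that query parameters are unsupported.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// scheme mirrors the package's Scheme constant.
const scheme = "gcpkms"

// keyResourceID builds a Cloud KMS key resource ID from its parts, in the
// shape the package's KeyResourceID helper documents:
//   projects/P/locations/L/keyRings/R/cryptoKeys/K
func keyResourceID(projectID, location, keyRing, key string) string {
	return fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		projectID, location, keyRing, key)
}

// keeperURL wraps a resource ID in the URL form secrets.OpenKeeper expects
// for this package (hypothetical helper, not part of gocloud.dev).
func keeperURL(resourceID string) string {
	return scheme + "://" + resourceID
}

var errBadKeyURL = errors.New("invalid gcpkms key URL")

// resourceIDFromURL parses a gcpkms:// URL and returns the key resource ID
// (host + path) that a URLOpener would hand to OpenKeeper. It rejects query
// parameters, fragments and userinfo, and checks that the path has the
// documented projects/.../locations/.../keyRings/.../cryptoKeys/... layout
// with non-empty IDs. This is a caller-side pre-flight check (assumption:
// the library itself is only documented to use host+path as the ID).
func resourceIDFromURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errBadKeyURL, err)
	}
	if u.Scheme != scheme {
		return "", fmt.Errorf("%w: scheme %q, want %q", errBadKeyURL, u.Scheme, scheme)
	}
	if u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", fmt.Errorf("%w: query, fragment and userinfo are not supported", errBadKeyURL)
	}
	// For gcpkms://projects/P/..., url.Parse leaves "projects" in Host and
	// "/P/locations/..." in Path; joining them recovers the resource ID.
	id := u.Host + u.Path
	parts := strings.Split(id, "/")
	// Empty entries mark positions that must hold a caller-supplied ID.
	want := []string{"projects", "", "locations", "", "keyRings", "", "cryptoKeys", ""}
	if len(parts) != len(want) {
		return "", fmt.Errorf("%w: %q has %d segments, want %d", errBadKeyURL, id, len(parts), len(want))
	}
	for i, p := range parts {
		if want[i] != "" && p != want[i] {
			return "", fmt.Errorf("%w: segment %d is %q, want %q", errBadKeyURL, i, p, want[i])
		}
		if want[i] == "" && p == "" {
			return "", fmt.Errorf("%w: empty ID at segment %d", errBadKeyURL, i)
		}
	}
	return id, nil
}

func main() {
	// Constructed placeholder IDs, not real resources.
	id := keyResourceID("my-project", "us-east1", "my-ring", "my-key")
	u := keeperURL(id)
	fmt.Println("URL:", u)

	got, err := resourceIDFromURL(u)
	fmt.Println("resource ID:", got, "err:", err)

	// A query string is rejected up front rather than reaching the opener.
	_, err = resourceIDFromURL(u + "?version=2")
	fmt.Println("with query:", err)
}
```

Run the check on any URL you read from configuration before calling secrets.OpenKeeper; a wrong scheme or a truncated resource ID then fails locally with a clear message instead of surfacing as a gRPC error from KMS at first use.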

func (*URLOpener) OpenKeeperURL

func (o *URLOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*secrets.Keeper, error)

OpenKeeperURL opens the GCP KMS URLs.

