//Configure ... configures using global settings
func Configure(cfg *GlobalConfig) {
svc = kms.New(session.New(
&aws.Config{
Region: aws.String(cfg.AWSRegion),
},
))
}
func (c Cluster) stackConfig(opts StackTemplateOptions, compressUserData bool) (*stackConfig, error) {
assets, err := ReadTLSAssets(opts.TLSAssetsDir)
if err != nil {
return nil, err
}
stackConfig := stackConfig{}
if stackConfig.Config, err = c.Config(); err != nil {
return nil, err
}
awsConfig := aws.NewConfig()
awsConfig = awsConfig.WithRegion(stackConfig.Config.Region)
kmsSvc := kms.New(session.New(awsConfig))
compactAssets, err := assets.compact(stackConfig.Config, kmsSvc)
if err != nil {
return nil, fmt.Errorf("failed to compress TLS assets: %v", err)
}
stackConfig.Config.TLSConfig = compactAssets
if stackConfig.UserDataWorker, err = execute(opts.WorkerTmplFile, stackConfig.Config, compressUserData); err != nil {
return nil, fmt.Errorf("failed to render worker cloud config: %v", err)
}
if stackConfig.UserDataController, err = execute(opts.ControllerTmplFile, stackConfig.Config, compressUserData); err != nil {
return nil, fmt.Errorf("failed to render controller cloud config: %v", err)
}
return &stackConfig, nil
}
// loadSneakerManager returns a sneaker manager if one is configured on the env.
func loadSneakerManager() *sneaker.Manager {
path := String("SNEAKER_S3_PATH")
if path == "" {
return nil
}
u, err := url.Parse(path)
if err != nil {
log.WithField("path", path).Fatal("Invalid SNEAKER_S3_PATH")
return nil
}
if u.Path != "" && u.Path[0] == '/' {
u.Path = u.Path[1:]
}
sess := session.New()
config := aws.NewConfig().WithRegion(String("SNEAKER_S3_REGION", "us-west-2")).WithMaxRetries(3)
return &sneaker.Manager{
Objects: s3.New(sess, config),
Envelope: sneaker.Envelope{
KMS: kms.New(sess, config),
},
Bucket: u.Host,
Prefix: u.Path,
KeyId: String("SNEAKER_MASTER_KEY"),
}
}
func getAliasInformation(alias, region string) (string, error) {
arn := ""
svc := kms.New(session.New(&aws.Config{
Region: ®ion,
}))
truncated := true
var marker *string
for truncated {
out, err := svc.ListAliases(&kms.ListAliasesInput{
Marker: marker,
})
if err != nil {
return arn, err
}
for _, aliasEntry := range out.Aliases {
if *aliasEntry.AliasName == "alias/"+alias {
return *aliasEntry.AliasArn, nil
}
}
truncated = *out.Truncated
marker = out.NextMarker
}
return "", errors.New("The alias " + alias + " does not exist in your account. Please add the proper alias to a key")
}
func ExampleKMS_RetireGrant() {
svc := kms.New(nil)
params := &kms.RetireGrantInput{
GrantId: aws.String("GrantIdType"),
GrantToken: aws.String("GrantTokenType"),
KeyId: aws.String("KeyIdType"),
}
resp, err := svc.RetireGrant(params)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
// Generic AWS error with Code, Message, and original error (if any)
fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
if reqErr, ok := err.(awserr.RequestFailure); ok {
// A service error occurred
fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
}
} else {
// This case should never be hit, the SDK should always return an
// error which satisfies the awserr.Error interface.
fmt.Println(err.Error())
}
}
// Pretty-print the response data.
fmt.Println(awsutil.Prettify(resp))
}
func ExampleKMS_CreateAlias() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.CreateAliasInput{
AliasName: aws.String("AliasNameType"), // Required
TargetKeyId: aws.String("KeyIdType"), // Required
}
resp, err := svc.CreateAlias(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_CreateKey() {
svc := kms.New(nil)
params := &kms.CreateKeyInput{
Description: aws.String("DescriptionType"),
KeyUsage: aws.String("KeyUsageType"),
Policy: aws.String("PolicyType"),
}
resp, err := svc.CreateKey(params)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
// Generic AWS Error with Code, Message, and original error (if any)
fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
if reqErr, ok := err.(awserr.RequestFailure); ok {
// A service error occurred
fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
}
} else {
// This case should never be hit, the SDK should always return an
// error which satisfies the awserr.Error interface.
fmt.Println(err.Error())
}
}
// Pretty-print the response data.
fmt.Println(awsutil.StringValue(resp))
}
func ExampleKMS_ScheduleKeyDeletion() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.ScheduleKeyDeletionInput{
KeyId: aws.String("KeyIdType"), // Required
PendingWindowInDays: aws.Int64(1),
}
resp, err := svc.ScheduleKeyDeletion(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_PutKeyPolicy() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.PutKeyPolicyInput{
KeyId: aws.String("KeyIdType"), // Required
Policy: aws.String("PolicyType"), // Required
PolicyName: aws.String("PolicyNameType"), // Required
BypassPolicyLockoutSafetyCheck: aws.Bool(true),
}
resp, err := svc.PutKeyPolicy(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_RetireGrant() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.RetireGrantInput{
GrantId: aws.String("GrantIdType"),
GrantToken: aws.String("GrantTokenType"),
KeyId: aws.String("KeyIdType"),
}
resp, err := svc.RetireGrant(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_Encrypt() {
svc := kms.New(nil)
params := &kms.EncryptInput{
KeyID: aws.String("KeyIdType"), // Required
Plaintext: []byte("PAYLOAD"), // Required
EncryptionContext: map[string]*string{
"Key": aws.String("EncryptionContextValue"), // Required
// More values...
},
GrantTokens: []*string{
aws.String("GrantTokenType"), // Required
// More values...
},
}
resp, err := svc.Encrypt(params)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
// Generic AWS Error with Code, Message, and original error (if any)
fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
if reqErr, ok := err.(awserr.RequestFailure); ok {
// A service error occurred
fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
}
} else {
// This case should never be hit, the SDK should always return an
// error which satisfies the awserr.Error interface.
fmt.Println(err.Error())
}
}
// Pretty-print the response data.
fmt.Println(awsutil.StringValue(resp))
}
func ExampleKMS_ListRetirableGrants() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.ListRetirableGrantsInput{
RetiringPrincipal: aws.String("PrincipalIdType"), // Required
Limit: aws.Int64(1),
Marker: aws.String("MarkerType"),
}
resp, err := svc.ListRetirableGrants(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func loadManager() *sneaker.Manager {
u, err := url.Parse(os.Getenv("SNEAKER_S3_PATH"))
if err != nil {
log.Fatalf("bad SNEAKER_S3_PATH: %s", err)
}
if u.Path != "" && u.Path[0] == '/' {
u.Path = u.Path[1:]
}
ctxt, err := parseContext(os.Getenv("SNEAKER_MASTER_CONTEXT"))
if err != nil {
log.Fatalf("bad SNEAKER_MASTER_CONTEXT: %s", err)
}
return &sneaker.Manager{
Objects: s3.New(nil),
Envelope: sneaker.Envelope{
KMS: kms.New(nil),
},
Bucket: u.Host,
Prefix: u.Path,
EncryptionContext: ctxt,
KeyID: os.Getenv("SNEAKER_MASTER_KEY"),
}
}
func ExampleKMS_GetParametersForImport() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.GetParametersForImportInput{
KeyId: aws.String("KeyIdType"), // Required
WrappingAlgorithm: aws.String("AlgorithmSpec"), // Required
WrappingKeySpec: aws.String("WrappingKeySpec"), // Required
}
resp, err := svc.GetParametersForImport(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_Encrypt() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.EncryptInput{
KeyId: aws.String("KeyIdType"), // Required
Plaintext: []byte("PAYLOAD"), // Required
EncryptionContext: map[string]*string{
"Key": aws.String("EncryptionContextValue"), // Required
// More values...
},
GrantTokens: []*string{
aws.String("GrantTokenType"), // Required
// More values...
},
}
resp, err := svc.Encrypt(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_GenerateRandom() {
svc := kms.New(nil)
params := &kms.GenerateRandomInput{
NumberOfBytes: aws.Long(1),
}
resp, err := svc.GenerateRandom(params)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
// Generic AWS Error with Code, Message, and original error (if any)
fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
if reqErr, ok := err.(awserr.RequestFailure); ok {
// A service error occurred
fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
}
} else {
// This case should never be hit, the SDK should always return an
// error which satisfies the awserr.Error interface.
fmt.Println(err.Error())
}
}
// Pretty-print the response data.
fmt.Println(awsutil.StringValue(resp))
}
func ExampleKMS_CreateKey() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.CreateKeyInput{
BypassPolicyLockoutSafetyCheck: aws.Bool(true),
Description: aws.String("DescriptionType"),
KeyUsage: aws.String("KeyUsageType"),
Origin: aws.String("OriginType"),
Policy: aws.String("PolicyType"),
}
resp, err := svc.CreateKey(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_DescribeKey() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.DescribeKeyInput{
KeyId: aws.String("KeyIdType"), // Required
GrantTokens: []*string{
aws.String("GrantTokenType"), // Required
// More values...
},
}
resp, err := svc.DescribeKey(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_ReEncrypt() {
svc := kms.New(session.New())
params := &kms.ReEncryptInput{
CiphertextBlob: []byte("PAYLOAD"), // Required
DestinationKeyId: aws.String("KeyIdType"), // Required
DestinationEncryptionContext: map[string]*string{
"Key": aws.String("EncryptionContextValue"), // Required
// More values...
},
GrantTokens: []*string{
aws.String("GrantTokenType"), // Required
// More values...
},
SourceEncryptionContext: map[string]*string{
"Key": aws.String("EncryptionContextValue"), // Required
// More values...
},
}
resp, err := svc.ReEncrypt(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func loadManager(config *config.Config) (*sneaker.Manager, error) {
u, err := url.Parse(config.SneakerS3.SneakerS3Path)
if err != nil {
return nil, err
}
if u.Path != "" && u.Path[0] == '/' {
u.Path = u.Path[1:]
}
// here, we provide access and secret keys for aws
creds := credentials.NewStaticCredentials(config.SneakerS3.AwsAccesskeyId, config.SneakerS3.AwsSecretAccessKey, "")
// we'r gonna use aws providers and region to init aws config
session := session.New(aws.NewConfig().WithCredentials(creds).WithRegion(config.SneakerS3.AwsRegion))
return &sneaker.Manager{
Objects: s3.New(session),
Envelope: sneaker.Envelope{
KMS: kms.New(session),
},
Bucket: u.Host,
Prefix: u.Path,
KeyId: config.SneakerS3.SneakerMasterKey,
}, nil
}
func ExampleKMS_UpdateAlias() {
svc := kms.New(nil)
params := &kms.UpdateAliasInput{
AliasName: aws.String("AliasNameType"), // Required
TargetKeyID: aws.String("KeyIdType"), // Required
}
resp, err := svc.UpdateAlias(params)
if err != nil {
if awsErr, ok := err.(awserr.Error); ok {
// Generic AWS Error with Code, Message, and original error (if any)
fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
if reqErr, ok := err.(awserr.RequestFailure); ok {
// A service error occurred
fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
}
} else {
// This case should never be hit, the SDK should always return an
// error which satisfies the awserr.Error interface.
fmt.Println(err.Error())
}
}
// Pretty-print the response data.
fmt.Println(awsutil.StringValue(resp))
}
func ExampleKMS_UpdateKeyDescription() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.UpdateKeyDescriptionInput{
Description: aws.String("DescriptionType"), // Required
KeyId: aws.String("KeyIdType"), // Required
}
resp, err := svc.UpdateKeyDescription(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func ExampleKMS_GenerateDataKeyWithoutPlaintext() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.GenerateDataKeyWithoutPlaintextInput{
KeyId: aws.String("KeyIdType"), // Required
EncryptionContext: map[string]*string{
"Key": aws.String("EncryptionContextValue"), // Required
// More values...
},
GrantTokens: []*string{
aws.String("GrantTokenType"), // Required
// More values...
},
KeySpec: aws.String("DataKeySpec"),
NumberOfBytes: aws.Int64(1),
}
resp, err := svc.GenerateDataKeyWithoutPlaintext(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func TestKMSGenerateCipherData(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, `{"CiphertextBlob":"AQEDAHhqBCCY1MSimw8gOGcUma79cn4ANvTtQyv9iuBdbcEF1QAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDJ6IcN5E4wVbk38MNAIBEIA7oF1E3lS7FY9DkoxPc/UmJsEwHzL82zMqoLwXIvi8LQHr8If4Lv6zKqY8u0+JRgSVoqCvZDx3p8Cn6nM=","KeyId":"arn:aws:kms:us-west-2:042062605278:key/c80a5cdb-8d09-4f9f-89ee-df01b2e3870a","Plaintext":"6tmyz9JLBE2yIuU7iXpArqpDVle172WSmxjcO6GNT7E="}`)
}))
sess := unit.Session.Copy(&aws.Config{
MaxRetries: aws.Int(0),
Endpoint: aws.String(ts.URL[7:]),
DisableSSL: aws.Bool(true),
S3ForcePathStyle: aws.Bool(true),
Region: aws.String("us-west-2"),
})
svc := kms.New(sess)
handler := NewKMSKeyGenerator(svc, "testid")
keySize := 32
ivSize := 16
cd, err := handler.GenerateCipherData(keySize, ivSize)
assert.NoError(t, err)
assert.Equal(t, keySize, len(cd.Key))
assert.Equal(t, ivSize, len(cd.IV))
assert.NotEmpty(t, cd.Key)
assert.NotEmpty(t, cd.IV)
}
func ExampleKMS_ImportKeyMaterial() {
sess, err := session.NewSession()
if err != nil {
fmt.Println("failed to create session,", err)
return
}
svc := kms.New(sess)
params := &kms.ImportKeyMaterialInput{
EncryptedKeyMaterial: []byte("PAYLOAD"), // Required
ImportToken: []byte("PAYLOAD"), // Required
KeyId: aws.String("KeyIdType"), // Required
ExpirationModel: aws.String("ExpirationModelType"),
ValidTo: aws.Time(time.Now()),
}
resp, err := svc.ImportKeyMaterial(params)
if err != nil {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Println(err.Error())
return
}
// Pretty-print the response data.
fmt.Println(resp)
}
func (c *KMSCredential) KMS() security.KMS {
config := aws.NewConfig().WithCredentials(credentials.NewCredentials(c)).WithRegion(c.Region)
session := session.New(config)
return &KMS{
kms: kms.New(session),
keyID: c.KeyID,
}
}
func init() {
svc = kms.New(session.New(), aws.NewConfig().WithRegion("us-east-1"))
keyID = os.Getenv("AWS_KMS_KEY_ID")
if keyID == "" {
log.Fatal("You have to pass AWS_KMS_KEY_ID as a env var")
}
}
func New(region, keyID string) (*KMS, error) {
config := aws.NewConfig().WithCredentials(credentials.NewEnvCredentials()).WithRegion(region)
session := session.New(config)
kms := &KMS{
kms: kms.New(session),
keyID: keyID,
}
return kms, nil
}
func KmsDecrypt(awsRegion string, encryptionContext map[string]*string, encryptedBytes []byte) (decryptedBytes []byte, err error) {
svc := kms.New(session.New(), &aws.Config{Region: aws.String(awsRegion)})
params := &kms.DecryptInput{
CiphertextBlob: encryptedBytes,
EncryptionContext: encryptionContext,
}
resp, err := svc.Decrypt(params)
return resp.Plaintext, err
}
func NewKMSMethod(region, keyId string) (*KMSMethod, error) {
method := &KMSMethod{
client: kms.New(session.New(), &aws.Config{Region: aws.String(region)}),
keyId: keyId,
}
return method, nil
}
