Exemple #1
0
//Configure ... configures using global settings
func Configure(cfg *GlobalConfig) {
	svc = kms.New(session.New(
		&aws.Config{
			Region: aws.String(cfg.AWSRegion),
		},
	))
}
Exemple #2
0
func (c Cluster) stackConfig(opts StackTemplateOptions, compressUserData bool) (*stackConfig, error) {
	assets, err := ReadTLSAssets(opts.TLSAssetsDir)
	if err != nil {
		return nil, err
	}
	stackConfig := stackConfig{}

	if stackConfig.Config, err = c.Config(); err != nil {
		return nil, err
	}

	awsConfig := aws.NewConfig()
	awsConfig = awsConfig.WithRegion(stackConfig.Config.Region)
	kmsSvc := kms.New(session.New(awsConfig))

	compactAssets, err := assets.compact(stackConfig.Config, kmsSvc)
	if err != nil {
		return nil, fmt.Errorf("failed to compress TLS assets: %v", err)
	}

	stackConfig.Config.TLSConfig = compactAssets

	if stackConfig.UserDataWorker, err = execute(opts.WorkerTmplFile, stackConfig.Config, compressUserData); err != nil {
		return nil, fmt.Errorf("failed to render worker cloud config: %v", err)
	}
	if stackConfig.UserDataController, err = execute(opts.ControllerTmplFile, stackConfig.Config, compressUserData); err != nil {
		return nil, fmt.Errorf("failed to render controller cloud config: %v", err)
	}

	return &stackConfig, nil
}
Exemple #3
0
// loadSneakerManager returns a sneaker manager if one is configured on the env.
func loadSneakerManager() *sneaker.Manager {
	path := String("SNEAKER_S3_PATH")
	if path == "" {
		return nil
	}
	u, err := url.Parse(path)
	if err != nil {
		log.WithField("path", path).Fatal("Invalid SNEAKER_S3_PATH")
		return nil
	}
	if u.Path != "" && u.Path[0] == '/' {
		u.Path = u.Path[1:]
	}

	sess := session.New()
	config := aws.NewConfig().WithRegion(String("SNEAKER_S3_REGION", "us-west-2")).WithMaxRetries(3)
	return &sneaker.Manager{
		Objects: s3.New(sess, config),
		Envelope: sneaker.Envelope{
			KMS: kms.New(sess, config),
		},
		Bucket: u.Host,
		Prefix: u.Path,
		KeyId:  String("SNEAKER_MASTER_KEY"),
	}
}
Exemple #4
0
func getAliasInformation(alias, region string) (string, error) {
	arn := ""
	svc := kms.New(session.New(&aws.Config{
		Region: &region,
	}))

	truncated := true
	var marker *string
	for truncated {
		out, err := svc.ListAliases(&kms.ListAliasesInput{
			Marker: marker,
		})
		if err != nil {
			return arn, err
		}
		for _, aliasEntry := range out.Aliases {
			if *aliasEntry.AliasName == "alias/"+alias {
				return *aliasEntry.AliasArn, nil
			}
		}
		truncated = *out.Truncated
		marker = out.NextMarker
	}

	return "", errors.New("The alias " + alias + " does not exist in your account. Please add the proper alias to a key")
}
Exemple #5
0
func ExampleKMS_RetireGrant() {
	svc := kms.New(nil)

	params := &kms.RetireGrantInput{
		GrantId:    aws.String("GrantIdType"),
		GrantToken: aws.String("GrantTokenType"),
		KeyId:      aws.String("KeyIdType"),
	}
	resp, err := svc.RetireGrant(params)

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			// Generic AWS error with Code, Message, and original error (if any)
			fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
			if reqErr, ok := err.(awserr.RequestFailure); ok {
				// A service error occurred
				fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
			}
		} else {
			// This case should never be hit, the SDK should always return an
			// error which satisfies the awserr.Error interface.
			fmt.Println(err.Error())
		}
	}

	// Pretty-print the response data.
	fmt.Println(awsutil.Prettify(resp))
}
Exemple #6
0
func ExampleKMS_CreateAlias() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.CreateAliasInput{
		AliasName:   aws.String("AliasNameType"), // Required
		TargetKeyId: aws.String("KeyIdType"),     // Required
	}
	resp, err := svc.CreateAlias(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #7
0
func ExampleKMS_CreateKey() {
	svc := kms.New(nil)

	params := &kms.CreateKeyInput{
		Description: aws.String("DescriptionType"),
		KeyUsage:    aws.String("KeyUsageType"),
		Policy:      aws.String("PolicyType"),
	}
	resp, err := svc.CreateKey(params)

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			// Generic AWS Error with Code, Message, and original error (if any)
			fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
			if reqErr, ok := err.(awserr.RequestFailure); ok {
				// A service error occurred
				fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
			}
		} else {
			// This case should never be hit, the SDK should always return an
			// error which satisfies the awserr.Error interface.
			fmt.Println(err.Error())
		}
	}

	// Pretty-print the response data.
	fmt.Println(awsutil.StringValue(resp))
}
Exemple #8
0
func ExampleKMS_ScheduleKeyDeletion() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.ScheduleKeyDeletionInput{
		KeyId:               aws.String("KeyIdType"), // Required
		PendingWindowInDays: aws.Int64(1),
	}
	resp, err := svc.ScheduleKeyDeletion(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #9
0
func ExampleKMS_PutKeyPolicy() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.PutKeyPolicyInput{
		KeyId:                          aws.String("KeyIdType"),      // Required
		Policy:                         aws.String("PolicyType"),     // Required
		PolicyName:                     aws.String("PolicyNameType"), // Required
		BypassPolicyLockoutSafetyCheck: aws.Bool(true),
	}
	resp, err := svc.PutKeyPolicy(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #10
0
func ExampleKMS_RetireGrant() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.RetireGrantInput{
		GrantId:    aws.String("GrantIdType"),
		GrantToken: aws.String("GrantTokenType"),
		KeyId:      aws.String("KeyIdType"),
	}
	resp, err := svc.RetireGrant(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #11
0
func ExampleKMS_Encrypt() {
	svc := kms.New(nil)

	params := &kms.EncryptInput{
		KeyID:     aws.String("KeyIdType"), // Required
		Plaintext: []byte("PAYLOAD"),       // Required
		EncryptionContext: map[string]*string{
			"Key": aws.String("EncryptionContextValue"), // Required
			// More values...
		},
		GrantTokens: []*string{
			aws.String("GrantTokenType"), // Required
			// More values...
		},
	}
	resp, err := svc.Encrypt(params)

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			// Generic AWS Error with Code, Message, and original error (if any)
			fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
			if reqErr, ok := err.(awserr.RequestFailure); ok {
				// A service error occurred
				fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
			}
		} else {
			// This case should never be hit, the SDK should always return an
			// error which satisfies the awserr.Error interface.
			fmt.Println(err.Error())
		}
	}

	// Pretty-print the response data.
	fmt.Println(awsutil.StringValue(resp))
}
Exemple #12
0
func ExampleKMS_ListRetirableGrants() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.ListRetirableGrantsInput{
		RetiringPrincipal: aws.String("PrincipalIdType"), // Required
		Limit:             aws.Int64(1),
		Marker:            aws.String("MarkerType"),
	}
	resp, err := svc.ListRetirableGrants(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #13
0
func loadManager() *sneaker.Manager {
	u, err := url.Parse(os.Getenv("SNEAKER_S3_PATH"))
	if err != nil {
		log.Fatalf("bad SNEAKER_S3_PATH: %s", err)
	}
	if u.Path != "" && u.Path[0] == '/' {
		u.Path = u.Path[1:]
	}

	ctxt, err := parseContext(os.Getenv("SNEAKER_MASTER_CONTEXT"))
	if err != nil {
		log.Fatalf("bad SNEAKER_MASTER_CONTEXT: %s", err)
	}

	return &sneaker.Manager{
		Objects: s3.New(nil),
		Envelope: sneaker.Envelope{
			KMS: kms.New(nil),
		},
		Bucket:            u.Host,
		Prefix:            u.Path,
		EncryptionContext: ctxt,
		KeyID:             os.Getenv("SNEAKER_MASTER_KEY"),
	}
}
Exemple #14
0
func ExampleKMS_GetParametersForImport() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.GetParametersForImportInput{
		KeyId:             aws.String("KeyIdType"),       // Required
		WrappingAlgorithm: aws.String("AlgorithmSpec"),   // Required
		WrappingKeySpec:   aws.String("WrappingKeySpec"), // Required
	}
	resp, err := svc.GetParametersForImport(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #15
0
func ExampleKMS_Encrypt() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.EncryptInput{
		KeyId:     aws.String("KeyIdType"), // Required
		Plaintext: []byte("PAYLOAD"),       // Required
		EncryptionContext: map[string]*string{
			"Key": aws.String("EncryptionContextValue"), // Required
			// More values...
		},
		GrantTokens: []*string{
			aws.String("GrantTokenType"), // Required
			// More values...
		},
	}
	resp, err := svc.Encrypt(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #16
0
func ExampleKMS_GenerateRandom() {
	svc := kms.New(nil)

	params := &kms.GenerateRandomInput{
		NumberOfBytes: aws.Long(1),
	}
	resp, err := svc.GenerateRandom(params)

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			// Generic AWS Error with Code, Message, and original error (if any)
			fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
			if reqErr, ok := err.(awserr.RequestFailure); ok {
				// A service error occurred
				fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
			}
		} else {
			// This case should never be hit, the SDK should always return an
			// error which satisfies the awserr.Error interface.
			fmt.Println(err.Error())
		}
	}

	// Pretty-print the response data.
	fmt.Println(awsutil.StringValue(resp))
}
Exemple #17
0
func ExampleKMS_CreateKey() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.CreateKeyInput{
		BypassPolicyLockoutSafetyCheck: aws.Bool(true),
		Description:                    aws.String("DescriptionType"),
		KeyUsage:                       aws.String("KeyUsageType"),
		Origin:                         aws.String("OriginType"),
		Policy:                         aws.String("PolicyType"),
	}
	resp, err := svc.CreateKey(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #18
0
func ExampleKMS_DescribeKey() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.DescribeKeyInput{
		KeyId: aws.String("KeyIdType"), // Required
		GrantTokens: []*string{
			aws.String("GrantTokenType"), // Required
			// More values...
		},
	}
	resp, err := svc.DescribeKey(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #19
0
func ExampleKMS_ReEncrypt() {
	svc := kms.New(session.New())

	params := &kms.ReEncryptInput{
		CiphertextBlob:   []byte("PAYLOAD"),       // Required
		DestinationKeyId: aws.String("KeyIdType"), // Required
		DestinationEncryptionContext: map[string]*string{
			"Key": aws.String("EncryptionContextValue"), // Required
			// More values...
		},
		GrantTokens: []*string{
			aws.String("GrantTokenType"), // Required
			// More values...
		},
		SourceEncryptionContext: map[string]*string{
			"Key": aws.String("EncryptionContextValue"), // Required
			// More values...
		},
	}
	resp, err := svc.ReEncrypt(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #20
0
func loadManager(config *config.Config) (*sneaker.Manager, error) {
	u, err := url.Parse(config.SneakerS3.SneakerS3Path)
	if err != nil {

		return nil, err
	}
	if u.Path != "" && u.Path[0] == '/' {
		u.Path = u.Path[1:]
	}

	// here, we provide access and secret keys for aws
	creds := credentials.NewStaticCredentials(config.SneakerS3.AwsAccesskeyId, config.SneakerS3.AwsSecretAccessKey, "")

	// we'r gonna use aws providers and region to init aws config
	session := session.New(aws.NewConfig().WithCredentials(creds).WithRegion(config.SneakerS3.AwsRegion))

	return &sneaker.Manager{
		Objects: s3.New(session),
		Envelope: sneaker.Envelope{
			KMS: kms.New(session),
		},
		Bucket: u.Host,
		Prefix: u.Path,
		KeyId:  config.SneakerS3.SneakerMasterKey,
	}, nil
}
Exemple #21
0
func ExampleKMS_UpdateAlias() {
	svc := kms.New(nil)

	params := &kms.UpdateAliasInput{
		AliasName:   aws.String("AliasNameType"), // Required
		TargetKeyID: aws.String("KeyIdType"),     // Required
	}
	resp, err := svc.UpdateAlias(params)

	if err != nil {
		if awsErr, ok := err.(awserr.Error); ok {
			// Generic AWS Error with Code, Message, and original error (if any)
			fmt.Println(awsErr.Code(), awsErr.Message(), awsErr.OrigErr())
			if reqErr, ok := err.(awserr.RequestFailure); ok {
				// A service error occurred
				fmt.Println(reqErr.Code(), reqErr.Message(), reqErr.StatusCode(), reqErr.RequestID())
			}
		} else {
			// This case should never be hit, the SDK should always return an
			// error which satisfies the awserr.Error interface.
			fmt.Println(err.Error())
		}
	}

	// Pretty-print the response data.
	fmt.Println(awsutil.StringValue(resp))
}
Exemple #22
0
func ExampleKMS_UpdateKeyDescription() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.UpdateKeyDescriptionInput{
		Description: aws.String("DescriptionType"), // Required
		KeyId:       aws.String("KeyIdType"),       // Required
	}
	resp, err := svc.UpdateKeyDescription(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #23
0
func ExampleKMS_GenerateDataKeyWithoutPlaintext() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.GenerateDataKeyWithoutPlaintextInput{
		KeyId: aws.String("KeyIdType"), // Required
		EncryptionContext: map[string]*string{
			"Key": aws.String("EncryptionContextValue"), // Required
			// More values...
		},
		GrantTokens: []*string{
			aws.String("GrantTokenType"), // Required
			// More values...
		},
		KeySpec:       aws.String("DataKeySpec"),
		NumberOfBytes: aws.Int64(1),
	}
	resp, err := svc.GenerateDataKeyWithoutPlaintext(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
func TestKMSGenerateCipherData(t *testing.T) {
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"CiphertextBlob":"AQEDAHhqBCCY1MSimw8gOGcUma79cn4ANvTtQyv9iuBdbcEF1QAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDJ6IcN5E4wVbk38MNAIBEIA7oF1E3lS7FY9DkoxPc/UmJsEwHzL82zMqoLwXIvi8LQHr8If4Lv6zKqY8u0+JRgSVoqCvZDx3p8Cn6nM=","KeyId":"arn:aws:kms:us-west-2:042062605278:key/c80a5cdb-8d09-4f9f-89ee-df01b2e3870a","Plaintext":"6tmyz9JLBE2yIuU7iXpArqpDVle172WSmxjcO6GNT7E="}`)
	}))

	sess := unit.Session.Copy(&aws.Config{
		MaxRetries:       aws.Int(0),
		Endpoint:         aws.String(ts.URL[7:]),
		DisableSSL:       aws.Bool(true),
		S3ForcePathStyle: aws.Bool(true),
		Region:           aws.String("us-west-2"),
	})

	svc := kms.New(sess)
	handler := NewKMSKeyGenerator(svc, "testid")

	keySize := 32
	ivSize := 16

	cd, err := handler.GenerateCipherData(keySize, ivSize)
	assert.NoError(t, err)
	assert.Equal(t, keySize, len(cd.Key))
	assert.Equal(t, ivSize, len(cd.IV))
	assert.NotEmpty(t, cd.Key)
	assert.NotEmpty(t, cd.IV)
}
Exemple #25
0
func ExampleKMS_ImportKeyMaterial() {
	sess, err := session.NewSession()
	if err != nil {
		fmt.Println("failed to create session,", err)
		return
	}

	svc := kms.New(sess)

	params := &kms.ImportKeyMaterialInput{
		EncryptedKeyMaterial: []byte("PAYLOAD"),       // Required
		ImportToken:          []byte("PAYLOAD"),       // Required
		KeyId:                aws.String("KeyIdType"), // Required
		ExpirationModel:      aws.String("ExpirationModelType"),
		ValidTo:              aws.Time(time.Now()),
	}
	resp, err := svc.ImportKeyMaterial(params)

	if err != nil {
		// Print the error, cast err to awserr.Error to get the Code and
		// Message from an error.
		fmt.Println(err.Error())
		return
	}

	// Pretty-print the response data.
	fmt.Println(resp)
}
Exemple #26
0
func (c *KMSCredential) KMS() security.KMS {
	config := aws.NewConfig().WithCredentials(credentials.NewCredentials(c)).WithRegion(c.Region)
	session := session.New(config)
	return &KMS{
		kms:   kms.New(session),
		keyID: c.KeyID,
	}
}
Exemple #27
0
func init() {
	svc = kms.New(session.New(), aws.NewConfig().WithRegion("us-east-1"))

	keyID = os.Getenv("AWS_KMS_KEY_ID")

	if keyID == "" {
		log.Fatal("You have to pass AWS_KMS_KEY_ID as a env var")
	}
}
Exemple #28
0
func New(region, keyID string) (*KMS, error) {
	config := aws.NewConfig().WithCredentials(credentials.NewEnvCredentials()).WithRegion(region)
	session := session.New(config)
	kms := &KMS{
		kms:   kms.New(session),
		keyID: keyID,
	}
	return kms, nil
}
Exemple #29
0
func KmsDecrypt(awsRegion string, encryptionContext map[string]*string, encryptedBytes []byte) (decryptedBytes []byte, err error) {
	svc := kms.New(session.New(), &aws.Config{Region: aws.String(awsRegion)})

	params := &kms.DecryptInput{
		CiphertextBlob:    encryptedBytes,
		EncryptionContext: encryptionContext,
	}
	resp, err := svc.Decrypt(params)
	return resp.Plaintext, err
}
Exemple #30
0
func NewKMSMethod(region, keyId string) (*KMSMethod, error) {

	method := &KMSMethod{
		client: kms.New(session.New(), &aws.Config{Region: aws.String(region)}),
		keyId:  keyId,
	}

	return method, nil

}