Implement AWS KMS cryptography (includes #21) #23
Conversation
For transparency: I personally only care about #21 and #22, but I decided to write and submit this one as well to ensure myself the API I designed in #21 allowed for implementing KMS.
Also, please do note: because the aws_sdk crates are not yet published to crates.io, this introduces a git dependency.
Unfortunately this feature can't be enabled on crates.io yet, until the AWS SDK is pushed to crates.io, so I'll postpone merging this PR until that happens.
AWS SDK for Rust is now on crates.io, so this can finally be merged: https://crates.io/crates/aws-sdk-kms.
@petreeftime cool. Do you want me to do a rebase again, or is this set to go in?
I wanted to also make the tests run with Github Actions before merging, but I need to create a role and a KMS key in our test account to make it work and didn't quite find time for it.
Fair enough. Just let me know if you need me to do anything else.
Any progress in getting this merged? Thanks!
Any news? We really need this for our deployment.
I've rebased the dev branch I had to the latest commit, but I still need to figure out the testing part for this feature.
I'll do some manual testing as soon as possible, merge and update the crate version to unblock you, and figure out the automated testing afterwards.
This implements an abstracted signing crypto module that uses an Amazon Web Services Key Management Service key to sign data. It supports either KMS or local keys for verification. Fixes: awslabs#5 Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This bumps MSRV to 1.58 to allow adding some new dependencies. These dependencies could be kept back to some degree but I am unsure whether this would bring value. At this point, more and more libraries require version 2021, which was introduced with rust 1.56. Signed-off-by: Petre Eftime <epetre@amazon.com>
This fixes the build issues that cropped up from integrating other patches into the repo. Signed-off-by: Petre Eftime <epetre@amazon.com>
Signed-off-by: Petre Eftime <epetre@amazon.com>
This implements an abstracted signing crypto module that uses an Amazon
Web Services Key Management Service key to sign data.
It supports either KMS or local keys for verification.
Fixes: #5
Signed-off-by: Patrick Uiterwijk patrick@puiterwijk.org
This PR is based on top of #21 and #22.
It can be tested by setting the following environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION
AWS_KMS_TEST_KEY_ARN - the ARN of the created test key
TEST_KEY_SIG_ALG - a signature algorithm (ES256, ES384 or ES512) that this key supports

This test currently does not yet run via GitHub CI, since there's a lack of secrets.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the Apache License Version 2.0, as specified in the LICENSE file of this repository.
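The following script is an added example and is not code from this PR or from the project. It walks through the same flow the PR describes, signing with a KMS key and verifying with a local copy of the key, using the AWS CLI and OpenSSL instead of the Rust module, and reads the same TEST_KEY_SIG_ALG and AWS_KMS_TEST_KEY_ARN variables the PR's tests use. The helper names (kms_signing_alg, openssl_digest, sign_and_verify_locally) are the example's own; the mapping from ES256/ES384/ES512 to the KMS ECDSA_SHA_* signing algorithms is the documented KMS naming.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: sign a file with a KMS asymmetric key and
# verify the signature locally with OpenSSL against the exported public key.
# Assumes AWS CLI v2, OpenSSL and base64 are installed, AWS credentials/region
# are configured, and TEST_KEY_SIG_ALG / AWS_KMS_TEST_KEY_ARN are set.
set -eu

# Map a JOSE-style algorithm name (as used by TEST_KEY_SIG_ALG) to the
# KMS SigningAlgorithmSpec value accepted by `aws kms sign`.
kms_signing_alg() {
  case "$1" in
    ES256) echo ECDSA_SHA_256 ;;
    ES384) echo ECDSA_SHA_384 ;;
    ES512) echo ECDSA_SHA_512 ;;
    *) echo "unsupported signature algorithm: $1" >&2; return 1 ;;
  esac
}

# The OpenSSL digest that pairs with the same algorithm name.
openssl_digest() {
  case "$1" in
    ES256) echo sha256 ;;
    ES384) echo sha384 ;;
    ES512) echo sha512 ;;
    *) echo "unsupported signature algorithm: $1" >&2; return 1 ;;
  esac
}

# Sign the file $1 with the KMS key and verify the result without KMS.
sign_and_verify_locally() {
  msg="$1"
  alg="${TEST_KEY_SIG_ALG:?set TEST_KEY_SIG_ALG to ES256, ES384 or ES512}"
  key="${AWS_KMS_TEST_KEY_ARN:?set AWS_KMS_TEST_KEY_ARN to the key ARN}"
  workdir="$(mktemp -d)"

  # Hash locally and send only the digest (MessageType=DIGEST): the plaintext
  # never leaves the host and the 4096-byte KMS message limit does not apply.
  openssl dgst "-$(openssl_digest "$alg")" -binary "$msg" > "$workdir/digest.bin"

  # Each step writes to a file instead of a pipe so a failing aws call stops
  # the script under `set -e` rather than feeding base64 an empty string.
  aws kms sign --key-id "$key" \
    --message "fileb://$workdir/digest.bin" --message-type DIGEST \
    --signing-algorithm "$(kms_signing_alg "$alg")" \
    --query Signature --output text > "$workdir/sig.b64"
  base64 -d < "$workdir/sig.b64" > "$workdir/sig.der"

  # Export the public key once (SubjectPublicKeyInfo, DER). Verification then
  # needs no KMS call and no kms:Verify permission: the "local key" path.
  aws kms get-public-key --key-id "$key" \
    --query PublicKey --output text > "$workdir/pub.b64"
  base64 -d < "$workdir/pub.b64" > "$workdir/pub.der"

  # KMS returns ECDSA signatures as a DER SEQUENCE of r and s, which is the
  # encoding `openssl pkeyutl -verify` expects for EC keys. Exit status is the
  # verification result.
  openssl pkeyutl -verify -pubin -keyform DER -inkey "$workdir/pub.der" \
    -sigfile "$workdir/sig.der" -in "$workdir/digest.bin"
  rm -rf "$workdir"
}

# Usage (performs real AWS calls), e.g.:
#   TEST_KEY_SIG_ALG=ES256 AWS_KMS_TEST_KEY_ARN=arn:aws:kms:... sh kms_sign_verify.sh message.bin
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
  sign_and_verify_locally "$1"
fi
```

The test role only needs kms:Sign and kms:GetPublicKey on the key; since verification happens offline against the exported public key, kms:Verify is not required, which is the property the PR's "KMS or local keys for verification" option relies on.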