| 1 | +// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. |
| 2 | +// SPDX-License-Identifier: Apache-2.0 |
| 3 | + |
| 4 | +package misc |
| 5 | + |
| 6 | +import ( |
| 7 | + "context" |
| 8 | + "fmt" |
| 9 | + |
| 10 | + keystore "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographykeystoresmithygenerated" |
| 11 | + keystoretypes "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographykeystoresmithygeneratedtypes" |
| 12 | + "github.com/aws/aws-database-encryption-sdk-dynamodb/examples/utils" |
| 13 | + "github.com/aws/aws-sdk-go-v2/config" |
| 14 | + "github.com/aws/aws-sdk-go-v2/service/dynamodb" |
| 15 | + "github.com/aws/aws-sdk-go-v2/service/kms" |
| 16 | +) |
| 17 | + |
| 18 | +/* |
| 19 | + The Hierarchical Keyring Example and Searchable Encryption Examples |
| 20 | + rely on the existence of a DDB-backed key store with pre-existing |
| 21 | + branch key material or beacon key material. |
| 22 | +
|
| 23 | + See the "Create KeyStore Table Example" for how to first set up |
| 24 | + the DDB Table that will back this KeyStore. |
| 25 | +
|
| 26 | + This example demonstrates configuring a KeyStore and then |
| 27 | + using a helper method to create a branch key and beacon key |
| 28 | + that share the same Id, then return that Id. |
| 29 | + We will always create a new beacon key alongside a new branch key, |
| 30 | + even if you are not using searchable encryption. |
| 31 | +
|
| 32 | + This key creation should occur within your control plane. |
| 33 | +*/ |
| 34 | + |
| 35 | +func CreateBranchKeyIDExample( |
| 36 | + keyStoreTableName, |
| 37 | + logicalKeyStoreName, |
| 38 | + kmsKeyArn string) { |
| 39 | + cfg, err := config.LoadDefaultConfig(context.TODO()) |
| 40 | + utils.HandleError(err) |
| 41 | + ddbClient := dynamodb.NewFromConfig(cfg) |
| 42 | + kmsClient := kms.NewFromConfig(cfg) |
| 43 | + // 1. Configure your KeyStore resource. |
| 44 | + // This SHOULD be the same configuration that was used to create the DDB table |
| 45 | + // in the "Create KeyStore Table Example". |
| 46 | + kmsConfig := keystoretypes.KMSConfigurationMemberkmsKeyArn{ |
| 47 | + Value: kmsKeyArn, |
| 48 | + } |
| 49 | + keyStore, err := keystore.NewClient(keystoretypes.KeyStoreConfig{ |
| 50 | + DdbTableName: keyStoreTableName, |
| 51 | + KmsConfiguration: &kmsConfig, |
| 52 | + LogicalKeyStoreName: logicalKeyStoreName, |
| 53 | + DdbClient: ddbClient, |
| 54 | + KmsClient: kmsClient, |
| 55 | + }) |
| 56 | + utils.HandleError(err) |
| 57 | + // 2. Create a new branch key and beacon key in our KeyStore. |
| 58 | + // Both the branch key and the beacon key will share an Id. |
| 59 | + // This creation is eventually consistent. |
| 60 | + branchKey, err := keyStore.CreateKey(context.Background(), keystoretypes.CreateKeyInput{}) |
| 61 | + utils.HandleError(err) |
| 62 | + |
| 63 | + fmt.Println("Branch Key ID " + branchKey.BranchKeyIdentifier + " created in Create Branch Key ID Example.") |
| 64 | +} |
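Review bot: The header comment promises that the helper will "return that Id", but `CreateBranchKeyIDExample` has no return value and only prints the identifier in the final `fmt.Println`, so a caller (for instance a test that wants to feed the new Id into the Hierarchical Keyring example) cannot obtain it; either change the signature to `func CreateBranchKeyIDExample(keyStoreTableName, logicalKeyStoreName, kmsKeyArn string) string` and finish with `return branchKey.BranchKeyIdentifier`, or reword the comment to say the Id is printed. The example also mixes `context.TODO()` in `config.LoadDefaultConfig` with `context.Background()` in `keyStore.CreateKey`; one `ctx := context.Background()` at the top, passed to both, would read as a single request lifetime. The step-1 comment says the KeyStore config "SHOULD be the same" as the one used to create the table but not why; as far as I can tell from the keystore API used here (not from these lines), the logical key store name and KMS key are bound into the protected branch key material, so a key created under a different `LogicalKeyStoreName` or key ARN will not be usable by the keystore that later reads it, and a sentence saying so would make the requirement concrete. Since the comment already places key creation in the control plane, it would also help to note that the principal running this needs KMS key-generation/re-encryption and DynamoDB write permissions that data-plane readers should not be granted.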