70 lines
1.7 KiB
Go
70 lines
1.7 KiB
Go
package secret
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/config"
|
|
"github.com/aws/aws-sdk-go-v2/service/kms"
|
|
"github.com/aws/aws-sdk-go-v2/service/ssm"
|
|
)
|
|
|
|
type awskms struct {
|
|
service *kms.Client
|
|
}
|
|
|
|
// AWSKeyManagement uses AWS KMS for decrypting blobs.
|
|
//
|
|
// The keys passed in GetSecret are the encrypted blobs and will be converted with [ToBinary].
|
|
func AWSKeyManagement(options ...func(*config.LoadOptions) error) (Provider, error) {
|
|
config, err := config.LoadDefaultConfig(context.TODO(), options...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return awskms{kms.NewFromConfig(config)}, nil
|
|
}
|
|
|
|
func (p awskms) GetSecret(key string) (value []byte, err error) {
|
|
input := new(kms.DecryptInput)
|
|
input.CiphertextBlob = ToBinary(key)
|
|
|
|
var output *kms.DecryptOutput
|
|
if output, err = p.service.Decrypt(context.TODO(), input); err != nil {
|
|
return
|
|
}
|
|
|
|
return output.Plaintext, nil
|
|
}
|
|
|
|
type awsps struct {
|
|
service *ssm.Client
|
|
}
|
|
|
|
// AWSParameterStorage uses AWS Session Manager Parameter Storage for obtaining secrets.
|
|
func AWSParameterStorage(options ...func(*config.LoadOptions) error) (Provider, error) {
|
|
config, err := config.LoadDefaultConfig(context.TODO(), options...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return awsps{service: ssm.NewFromConfig(config)}, nil
|
|
}
|
|
|
|
func (p awsps) GetSecret(key string) (value []byte, err error) {
|
|
var yesPlease = true
|
|
input := new(ssm.GetParameterInput)
|
|
input.Name = &key
|
|
input.WithDecryption = &yesPlease
|
|
|
|
var output *ssm.GetParameterOutput
|
|
if output, err = p.service.GetParameter(context.TODO(), input); err != nil {
|
|
return
|
|
}
|
|
|
|
if output.Parameter == nil {
|
|
return nil, NotFound{Key: key}
|
|
}
|
|
|
|
return []byte(*output.Parameter.Value), nil
|
|
}
|