package secret
import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials"
	"github.com/aws/aws-sdk-go-v2/service/kms"
	"github.com/aws/aws-sdk-go-v2/service/ssm"
)
// awskms is the Provider built by AWSKeyManagementService; it decrypts
// ciphertext blobs through an AWS KMS client.
type awskms struct {
	// options are the provider options the constructor was called with.
	options *providerOptions
	// service is the KMS client used by GetSecret.
	service *kms.Client
}
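// AWSKeyManagementService uses AWS KMS for decrypting blobs.
//
// The keys passed in GetSecret are the encrypted blobs and will be converted with [ToBinary].
//
// When a client ID is set in opts, it and the secret ID are used as a static
// AWS access key ID / secret access key pair; otherwise the SDK's default
// credential chain (environment, shared config, instance role, ...) applies.
// A region set in opts overrides the region from that chain. The static pair
// is passed without a session token, so temporary (STS) credentials cannot be
// supplied through opts; leave the client ID empty and use the default chain
// for those.
func AWSKeyManagementService(opts ...Option) (Provider, error) {
	options := newProviderOptions(opts...)

	var loadOpts []func(*config.LoadOptions) error
	if options.clientID != "" {
		// Static access key pair. The third argument is the session token,
		// which is left empty here, so only long-lived keys work this way.
		loadOpts = append(loadOpts, config.WithCredentialsProvider(
			credentials.NewStaticCredentialsProvider(options.clientID, options.secretID, ""),
		))
	}
	if options.region != "" {
		loadOpts = append(loadOpts, config.WithRegion(options.region))
	}

	// Named cfg rather than config so the package identifier is not shadowed.
	cfg, err := config.LoadDefaultConfig(context.Background(), loadOpts...)
	if err != nil {
		return nil, fmt.Errorf("loading AWS config: %w", err)
	}
	// WithRegion should already have resolved into cfg.Region; the explicit
	// assignment is kept so the option wins regardless of the SDK's resolution
	// order.
	if options.region != "" {
		cfg.Region = options.region
	}

	return awskms{
		options: options,
		service: kms.NewFromConfig(cfg),
	}, nil
}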
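// GetSecret decrypts the ciphertext blob encoded in key with AWS KMS and
// returns the plaintext.
//
// key is converted with [ToBinary] and sent as the CiphertextBlob. No KeyId
// and no EncryptionContext are sent: KMS locates the key from metadata
// embedded in blobs produced by symmetric keys, so blobs produced by an
// asymmetric key, or encrypted under an encryption context, are rejected by
// the service.
//
// A failing Decrypt call is returned wrapped, so errors.As still reaches the
// SDK error type.
func (p awskms) GetSecret(key string) ([]byte, error) {
	input := &kms.DecryptInput{CiphertextBlob: ToBinary(key)}

	// The Provider interface carries no context, so there is no caller
	// deadline to propagate here.
	output, err := p.service.Decrypt(context.TODO(), input)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt: %w", err)
	}
	return output.Plaintext, nil
}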
// awsps is the Provider built by AWSParameterStorage; it reads parameters
// through an AWS SSM client.
type awsps struct {
	// service is the SSM client used by GetSecret.
	service *ssm.Client
}
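// AWSParameterStorage uses AWS Systems Manager Parameter Store for obtaining secrets.
//
// options are passed straight to the SDK's config.LoadDefaultConfig, so
// credentials and region come from the default chain unless one of the
// options overrides them. Unlike [AWSKeyManagementService], this constructor
// does not take the package's own [Option] values.
func AWSParameterStorage(options ...func(*config.LoadOptions) error) (Provider, error) {
	// Named cfg rather than config so the package identifier is not shadowed.
	cfg, err := config.LoadDefaultConfig(context.TODO(), options...)
	if err != nil {
		return nil, fmt.Errorf("loading AWS config: %w", err)
	}
	return awsps{service: ssm.NewFromConfig(cfg)}, nil
}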
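// GetSecret fetches the SSM parameter named key and returns its value.
//
// The parameter is requested with decryption enabled, so SecureString values
// come back in plaintext. NotFound is returned when the response carries no
// parameter or a parameter without a value; a failing GetParameter call is
// returned wrapped. NOTE(review): SSM reports an unknown name as an API
// error rather than an empty response, so that case surfaces as the wrapped
// SDK error, not as NotFound — confirm whether callers expect NotFound there.
func (p awsps) GetSecret(key string) ([]byte, error) {
	withDecryption := true
	input := &ssm.GetParameterInput{
		Name:           &key,
		WithDecryption: &withDecryption,
	}

	// The Provider interface carries no context, so there is no caller
	// deadline to propagate here.
	output, err := p.service.GetParameter(context.TODO(), input)
	if err != nil {
		return nil, fmt.Errorf("ssm get parameter %q: %w", key, err)
	}
	// Both pointers are optional in the SDK types; dereferencing a nil Value
	// would panic, so either missing piece is reported as not found.
	if output.Parameter == nil || output.Parameter.Value == nil {
		return nil, NotFound{Key: key}
	}
	return []byte(*output.Parameter.Value), nil
}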