A memo on testing KMS-based processing on a local PC.
Start local-kms in a container and call it from the AWS SDK.
Since this test covers encryption and decryption, define the key that will be used for encryption. Create a seed.yaml file (in the init directory that is bind-mounted into the container below), taking the example from the local-kms documentation as-is.
```yaml
Keys:
  - Metadata:
      KeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
    BackingKeys:
      - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9

Aliases:
  - AliasName: alias/testing
    TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
```
After creating the YAML file, start local-kms.
```shell
docker run -p 8080:8080 \
  --mount type=bind,source="$(pwd)"/init,target=/init \
  nsmithuk/local-kms
```
When creating the KMS client instance, point it at local-kms through an EndpointConfiguration. The region can be any value.
```java
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;

// Point the endpoint at local KMS; any region value is fine
AwsClientBuilder.EndpointConfiguration endpointConfig =
    new AwsClientBuilder.EndpointConfiguration("http://localhost:8080/", "ap-northeast-1");
AWSKMS kmsClient = AWSKMSClientBuilder.standard().withEndpointConfiguration(endpointConfig).build();
```
After that, call the required methods on the created KMS client. local-kms performs encryption and decryption just like KMS, and you can also register your own customer keys. It is convenient because nothing has to be deployed to AWS and no KMS setup is needed.
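A full encrypt/decrypt round trip against the container started above, as an added example (not code from the original post or from the local-kms project). It assumes AWS SDK for Java v1 on the classpath, that local-kms is listening on localhost:8080 with the seed.yaml alias `alias/testing`, and that local-kms does not verify the dummy credentials supplied to the SDK signer.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;

public class LocalKmsRoundTrip {
    // Alias and endpoint come from the seed.yaml and docker run command above.
    private static final String KEY_ID = "alias/testing";
    private static final String ENDPOINT = "http://localhost:8080/";

    static AWSKMS buildClient() {
        AwsClientBuilder.EndpointConfiguration endpointConfig =
            new AwsClientBuilder.EndpointConfiguration(ENDPOINT, "ap-northeast-1");
        // Dummy static credentials (assumption: local-kms does not verify them,
        // but the SDK still needs credentials to sign the request with).
        BasicAWSCredentials creds = new BasicAWSCredentials("dummy", "dummy");
        return AWSKMSClientBuilder.standard()
            .withEndpointConfiguration(endpointConfig)
            .withCredentials(new AWSStaticCredentialsProvider(creds))
            .build();
    }

    static ByteBuffer encrypt(AWSKMS kms, String plaintext) {
        EncryptRequest req = new EncryptRequest()
            .withKeyId(KEY_ID)
            .withPlaintext(ByteBuffer.wrap(plaintext.getBytes(StandardCharsets.UTF_8)));
        return kms.encrypt(req).getCiphertextBlob();
    }

    static String decrypt(AWSKMS kms, ByteBuffer ciphertext) {
        // The ciphertext blob records which key produced it, so Decrypt needs no KeyId.
        DecryptRequest req = new DecryptRequest().withCiphertextBlob(ciphertext);
        return StandardCharsets.UTF_8.decode(kms.decrypt(req).getPlaintext()).toString();
    }

    public static void main(String[] args) {
        AWSKMS kms = buildClient();
        String original = "hello local-kms";
        ByteBuffer blob = encrypt(kms, original);
        String roundTrip = decrypt(kms, blob);
        if (!original.equals(roundTrip)) {
            throw new IllegalStateException("decrypt did not return the original plaintext");
        }
        System.out.println("round trip OK: " + roundTrip);
    }
}
```

Because Decrypt relies on the key reference embedded in the ciphertext blob, the same code works unchanged against real KMS once the endpoint override and dummy credentials are removed.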
By the way, the call log on the local-kms side looks like this. The account ID and region appear to be arbitrary placeholder values.
```
Encryption called: arn:aws:kms:eu-west-2:111122223333:key/bc436485-5092-42b8-92a3-0aa8b93536dc
```