...

To enable AWS KMS encryption, edit the encryptionProvider section of your Aspire settings.json file so that it points to the KMS encryption provider jar:

...

  • Symmetric key: allows Aspire to encrypt and decrypt secrets using the key.
  • Permissions: the user or role that Aspire will use should be granted the kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions.

Key Policy:

You can add or remove permissions in this policy if needed, but make sure it still grants the Encrypt, Decrypt and DescribeKey permissions to the user or role that Aspire will use.

```json
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

...

Save the policy above into a file called policy.json, fill in the [account_id], [role/user] and [role_id/user_id] placeholders, and run the following command from the folder where the policy file was created:

```bash
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" --profile kms_role > newKey
```
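Before running create-key, it is worth checking that the filled-in policy.json still matches the intent described above. The following script is an added example, not part of the original page or of Aspire: it verifies that the Aspire principal is granted exactly kms:Encrypt, kms:Decrypt and kms:DescribeKey, that no other (non-root) principal receives wildcard KMS access, and that the account-root statement is still present so the key cannot become unmanageable. The account id and role name in the embedded sample policy are constructed values.

```python
import json

# Actions the page says the Aspire user/role needs on the key
REQUIRED = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}
WILDCARDS = {"kms:*", "*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    # "Principal" may be a dict with an "AWS" entry (string or list) or the bare string "*"
    p = stmt.get("Principal", {})
    return _as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p)

def check_aspire_policy(policy_text, aspire_arn):
    """Return a list of findings; an empty list means the policy matches the page's intent."""
    findings, granted, has_root_admin = [], set(), False
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        for p in _principals(stmt):
            if p == aspire_arn:
                granted |= actions
            if p.endswith(":root") and actions & WILDCARDS:
                has_root_admin = True  # account admins keep the ability to manage the key
            elif actions & WILDCARDS:
                findings.append(f"{p} gets wildcard KMS access; limit it to the actions it needs")
    if not has_root_admin:
        findings.append("no account-root statement with kms:*: the key may become unmanageable")
    if not granted & WILDCARDS:  # wildcard grants to Aspire were already flagged above
        missing = REQUIRED - granted
        extra = granted - REQUIRED
        if missing:
            findings.append("missing for Aspire: " + ", ".join(sorted(missing)))
        if extra:
            findings.append("extra for Aspire: " + ", ".join(sorted(extra)))
    return findings

# Constructed sample: the page's policy with placeholder account id and role filled in
ASPIRE_ARN = "arn:aws:iam::123456789012:role/AspireRole"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ASPIRE_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(check_aspire_policy(SAMPLE_POLICY, ASPIRE_ARN) or "policy OK")
```

To check your own file, pass `open("policy.json").read()` and the ARN you filled in for the Aspire principal.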

...