The Aspire AWS KMS encryption provider uses keys created in AWS KMS to encrypt and decrypt data. Secrets are encrypted with the KMS Encrypt operation and stored, already encrypted, in the Aspire Configuration indexes. When Aspire needs the plaintext value of a secret, it calls the KMS Decrypt operation to obtain it.


To enable AWS KMS encryption, edit the encryptionProvider section of your settings.json file so that it points to the KMS encryption provider jar:

```json
   "encryptionProvider": {
      "_comments_implementation": [
        "Maven coordinates of the encryption provider",
        "default is: com.accenture.aspire:aspire-encryption-provider"
      ],
      "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider"
    },
```


How to create a KMS Key suitable for Aspire?

When creating a KMS key for Aspire, make sure to include the following properties:

  • Symmetric key: allows Aspire to encrypt and decrypt secrets with the same key
  • Permissions: the IAM user or role that Aspire runs as must be granted the kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions on the key (and nothing more is needed)

Key Policy:

```json
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

Create a KMS key with the AWS CLI

Save the policy above into a file (policy.json), fill in the [account_id], [role/user] and [role_id/user_id] placeholders, and execute:

```bash
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" --profile kms_role > newKey
```

The file newKey contains a JSON document with the details of your new key. Copy the Key ARN from it and configure it in the Aspire properties.
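A key policy is easy to get subtly wrong before it reaches `create-key`: a placeholder left unfilled, a wildcard principal, or the Aspire statement granted more than the three actions listed above. The following pre-flight check is an added example, not part of the Aspire documentation or product; it validates a policy dict such as the one loaded from policy.json and uses a constructed account id and role name.

```python
# Actions Aspire needs on the key (from the page). Anything beyond these in the
# statement used by the Aspire role widens what a leaked Aspire credential can do.
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # e.g. "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))

def validate_key_policy(policy: dict) -> list[str]:
    """Return findings for a KMS key policy; an empty list means it is acceptable."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("unexpected or missing policy Version")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        for p in _principals(stmt):
            if "[" in p or "]" in p:
                findings.append(f"{sid}: placeholder not filled in: {p}")
            elif p == "*":
                findings.append(f"{sid}: wildcard principal exposes the key to any AWS account")
            elif "kms:*" in actions and not p.endswith(":root"):
                findings.append(f"{sid}: full kms:* granted to non-root principal {p}")
        if "kms:*" not in actions:          # the statement Aspire's role or user relies on
            extra, missing = actions - REQUIRED_ACTIONS, REQUIRED_ACTIONS - actions
            if extra:
                findings.append(f"{sid}: actions beyond what Aspire needs: {sorted(extra)}")
            if missing:
                findings.append(f"{sid}: Aspire will fail without: {sorted(missing)}")
    return findings

# Constructed sample: the page's policy with the placeholders filled in for a
# made-up account id and role name (not a real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/aspire-kms-role"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]},
    ],
}
```

Run `validate_key_policy(json.load(open("policy.json")))` on your filled-in file and only proceed to `aws kms create-key` when it returns an empty list.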