...
To enable AWS KMS Encryption, you must change your settings.json Aspire Settings file on the encryptionProvider section to point to the KMS encryption provider jar:
...
Key Policy:
You can add or remove permissions to this policy if needed, but make sure it still have the Encrypt, Decrypt and DescribeKey ones for the user or role that Aspire will use.
Code Block | ||
---|---|---|
| ||
{ "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" } ] } |
...
Save the policy specified above into a file called policy.json, fill in the [ account_id ] , [ role/user ] and [ role_id/user_id ] details and execute (inside the same folder where the policy file was created):
Code Block | ||
---|---|---|
| ||
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" --profile kms_role > newKey |
...