The Aspire AWS KMS encryption provider uses keys created in KMS to encrypt and decrypt the data. The secrets will be encrypted with KMS encryption mechanisms, and stored in the Aspire Configuration indexes once encrypted. When Aspire needs the secret value, it calls KMS decrypt mechanism to obtain the value back.
To enable AWS KMS Encryption, you must change your settings.json file on the encryptionProvider section to point to the KMS encryption provider jar:
"encryptionProvider": { "_comments_implementation": [ "Maven coordinates of the encryption provider", "default is: com.accenture.aspire:aspire-encryption-provider" ], "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider" },
When creating a KMS key for Aspire, make sure to include the following properties:
Key Policy:
{ "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" } ] }
Save the policy specified above into a file, fill in the [ account_id ] , [ role/user ] and [ role_id/user_id ] details and execute:
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" --profile kms_role > newKey
on the file newKey you will see a json with the details of your new key. Copy the Key ARN and configure it as Aspire Properties