The Aspire AWS KMS encryption provider uses keys created in KMS to encrypt and decrypt the data. The secrets will be encrypted with KMS encryption mechanisms, and stored in the Aspire Configuration indexes once encrypted. When Aspire needs the secret value, it calls KMS decrypt mechanism to obtain the value back.
To enable AWS KMS Encryption, you must change your Aspire Settings file on the encryptionProvider section to point to the KMS encryption provider jar:
"encryptionProvider": { "_comments_implementation": [ "Maven coordinates of the encryption provider", "default is: com.accenture.aspire:aspire-encryption-provider" ], "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider" },
When creating a KMS key for Aspire, make sure to include the following properties:
Key Policy:
You can add or remove permissions to this policy if needed, but make sure it still have the Encrypt, Decrypt and DescribeKey ones for the user or role that Aspire will use.
{ "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" } ] }
Save the policy specified above into a file called policy.json, fill in the [ account_id ] , [ role/user ] and [ role_id/user_id ] details and execute (inside the same folder where the policy file was created):
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" --profile kms_role > newKey
on the file newKey you will see a json with the details of your new key. Copy the Key ARN and configure it as Aspire Properties