You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The Aspire AWS KMS encryption provider uses keys created in KMS to encrypt and decrypt the data. The secrets will be encrypted with KMS encryption mechanisms, and stored in the Aspire Configuration indexes once encrypted. When Aspire needs the secret value, it calls KMS decrypt mechanism to obtain the value back.


To enable AWS KMS Encryption, you must change your Aspire Settings file on the encryptionProvider section to point to the KMS encryption provider jar:

   "encryptionProvider": {
      "_comments_implementation": [
        "Maven coordinates of the encryption provider",
        "default is: com.accenture.aspire:aspire-encryption-provider"
      ],
      "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider"
    },


How to create a KMS Key suitable for Aspire?

When creating a KMS key for Aspire, make sure to include the following properties:

  • Symmetric key: allows aspire to encrypt and decrypt secrets using the key
  • Permissions: The user or role to be used by Aspire should be granted the kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions.

Key Policy:

You can add or remove permissions to this policy if needed, but make sure it still have the Encrypt, Decrypt and DescribeKey ones for the user or role that Aspire will use.

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Create kms key with aws cli

Save the policy specified above into a file called policy.json, fill in the [ account_id ] , [ role/user ] and  [ role_id/user_id ] details and execute (inside the same folder where the policy file was created):

aws kms create-key --policy file://policy.json --description "Aspire Encryption key"  --profile kms_role > newKey

on the file newKey you will see a json with the details of your new key. Copy the Key ARN and configure it as Aspire Properties

  • No labels

Copyright © 2024 Accenture

Contact Us: [email protected]