How to use AWS KMS in AWS lambda

眉间皱痕 提交于 2019-12-22 05:15:22

问题


I've just started to work with AWS services, particularly AWS Lambda. Is there a way to use AWS KMS service from within Lambda code (Java). I'd like to use KMS to decrypt an encrypted externalized (read from a property) secret. My Lambda code is in java. Thanks in advance.


回答1:


Yes, it should work fine.

I recently ported a Node.js RESTful API over to Lambda and didn't have to change any KMS code.

You'll just need to make sure the role your Lambda function runs under has permissions to the key you setup through AWS to use with the encrypt/decrypt calls.




回答2:


In Python:

with open('encrypted_pem.txt', 'r') as encrypted_pem:
    pem_file = encrypted_pem.read()

kms = boto3.client('kms', region_name=REGION)
return kms.decrypt(CiphertextBlob=b64decode(pem_file))['Plaintext']

Taken from AWS Labs Chef cleanup source.

The README of that repo explains how to encrypt the PEM file in the first place using the AWS KMS CLI.




回答3:


I have an implementation in Node.js 10.x (async/await fashion) it can be useful to you. First of all, as previously said, you must be sure to provide the Lambda function with a role with permissions to KMS service.

In Javascript:

const AWS = require('aws-sdk');
const fs  = require('fs');
const kms = new AWS.KMS();
const { promisify } = require('util');
const readFileAsync = promisify(fs.readFile);

const decrypt = async (kms) => {
  let secret = null;
  try {
    const secretPath = `./your.encrypted.file.json`;
    const encryptedSecret = await readFileAsync(secretPath);
    let params = {
      CiphertextBlob: encryptedSecret
    };

    const decrypted = await kms.decrypt(params).promise();
    secret = decrypted.Plaintext.toString('utf-8');
  } catch (exception) {
    console.error(exception);
    throw new Error(exception);
  }

  return JSON.parse(secret);
}


来源:https://stackoverflow.com/questions/32620182/how-to-use-aws-kms-in-aws-lambda

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!