java.lang.Object
io.confluent.kafka.schemaregistry.encryption.aws.AwsKmsClient
All Implemented Interfaces:
com.google.crypto.tink.KmsClient

public final class AwsKmsClient extends Object implements com.google.crypto.tink.KmsClient
An implementation of KmsClient for AWS KMS.
Since:
1.0.0
  • Constructor Details

    • AwsKmsClient

      public AwsKmsClient()
      Constructs a generic AwsKmsClient that is not bound to any specific key and therefore accepts every aws-kms:// URI. Do not call this constructor directly; use register(Optional, Optional) instead, which also makes the client discoverable through Tink's KmsClients.
    • AwsKmsClient

      public AwsKmsClient(String uri)
      Constructs a specific AwsKmsClient that is bound to the single key identified by uri and refuses all other keys. Do not call this constructor directly; use register(Optional, Optional) instead, which also makes the client discoverable through Tink's KmsClients.
  • Method Details

    • doesSupport

      public boolean doesSupport(String uri)
      Specified by:
      doesSupport in interface com.google.crypto.tink.KmsClient
      Returns:
      true if either this client is a generic one and uri starts with PREFIX (the aws-kms:// URI scheme), or this client is a specific one bound to exactly the key identified by uri. The check is purely local; no AWS call is made.
    • withCredentials

      @CanIgnoreReturnValue public com.google.crypto.tink.KmsClient withCredentials(String credentialPath) throws GeneralSecurityException
      Loads static AWS credentials from a Java properties file.

      The AWS access key ID is read from the accessKey property and the AWS secret access key from the secretKey property. Because the file holds long-lived credentials in plaintext, restrict its permissions and prefer withDefaultCredentials() or withCredentialsProvider(AwsCredentialsProvider) wherever a role-based credential source (instance profile, container role, assumed role) is available.

      Specified by:
      withCredentials in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException - if the client initialization fails
    • withDefaultCredentials

      @CanIgnoreReturnValue public com.google.crypto.tink.KmsClient withDefaultCredentials() throws GeneralSecurityException
      Loads credentials from the AWS SDK for Java v2 default credentials provider chain (the SDK this class builds on; see withCredentialsProvider).

      The chain looks for credentials in this order and uses the first source that yields any:

      • Java system properties - aws.accessKeyId and aws.secretAccessKey (plus aws.sessionToken for temporary credentials)
      • Environment variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN for temporary credentials)
      • Web identity token file, as used for IAM roles for service accounts on EKS
      • Credential profiles file at the default location (~/.aws/credentials)
      • Container credentials delivered through the ECS/EKS credential endpoint
      • Instance profile credentials delivered through the Amazon EC2 metadata service

      Note that the SDK v1 names AWS_SECRET_KEY and aws.secretKey are not part of this chain; a deployment that still sets only those will fall through to the next source.
      Specified by:
      withDefaultCredentials in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException - if the client initialization fails
    • withCredentialsProvider

      @CanIgnoreReturnValue public com.google.crypto.tink.KmsClient withCredentialsProvider(software.amazon.awssdk.auth.credentials.AwsCredentialsProvider provider) throws GeneralSecurityException
      Uses the supplied AwsCredentialsProvider to sign every KMS call. This is the only way to give the client a credential source other than a static properties file or the default chain, for example an STS assume-role provider that yields short-lived credentials scoped to the KMS key.
      Throws:
      GeneralSecurityException - if the client initialization fails
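      As an added example (not code from the Confluent project), the following builds a client bound to one KEK, signs its KMS calls with STS assume-role credentials instead of static keys, and registers it by hand with Tink's KmsClients. The key ARN, role ARN and session name are placeholders.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import io.confluent.kafka.schemaregistry.encryption.aws.AwsKmsClient;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

import java.security.GeneralSecurityException;

/** Added example: bind an AwsKmsClient to one KEK and sign its KMS calls with assumed-role credentials. */
public final class AssumeRoleKmsClientExample {

  // Placeholder KEK URI: Tink's aws-kms:// scheme followed by the KMS key ARN.
  static final String KEK_URI =
      "aws-kms://arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000";
  // Placeholder role; grant it only kms:Encrypt and kms:Decrypt on the key above.
  static final String ROLE_ARN = "arn:aws:iam::111122223333:role/schema-registry-kms";

  /**
   * Builds a provider that calls sts:AssumeRole and refreshes the temporary
   * credentials before they expire. The StsClient must stay open for as long
   * as the provider is in use, because every refresh goes through it.
   */
  static AwsCredentialsProvider assumeRole(StsClient sts) {
    return StsAssumeRoleCredentialsProvider.builder()
        .stsClient(sts)
        .refreshRequest(AssumeRoleRequest.builder()
            .roleArn(ROLE_ARN)
            .roleSessionName("csfle-kms")
            .build())
        .build();
  }

  /** Creates a client bound to KEK_URI, registers it, and returns the remote Aead for that key. */
  static Aead registerAndGetAead(AwsCredentialsProvider provider) throws GeneralSecurityException {
    KmsClient client = new AwsKmsClient(KEK_URI).withCredentialsProvider(provider);

    // A specific client answers only for the key it was bound to; any other key
    // is refused locally, before a single network call is made.
    if (!client.doesSupport(KEK_URI)) {
      throw new IllegalStateException("client must support the key it was bound to");
    }
    String otherKey =
        "aws-kms://arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111";
    if (client.doesSupport(otherKey)) {
      throw new IllegalStateException("a bound client must not accept another key");
    }

    // register(Optional, Optional) only takes a properties-file path, so a client
    // carrying a custom provider has to be added to Tink's registry by hand.
    KmsClients.add(client);
    return KmsClients.get(KEK_URI).getAead(KEK_URI);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    // Region and the base credentials used to call STS come from the default chain.
    StsClient sts = StsClient.create();
    Aead kek = registerAndGetAead(assumeRole(sts));
    System.out.println("Registered KMS-backed Aead for " + KEK_URI + ": " + kek.getClass().getSimpleName());
  }
}
```

      The point of the provider is least privilege: the process that holds the base credentials only needs sts:AssumeRole, and the role that can actually use the key is the one whose session is short-lived and visible in CloudTrail under the session name.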
    • removePrefix

      protected static String removePrefix(String expectedPrefix, String kmsKeyUri)
      Strips expectedPrefix (the aws-kms:// scheme) from the front of kmsKeyUri and returns the remainder, which is the key identifier handed to the AWS KMS API.
    • getAead

      public com.google.crypto.tink.Aead getAead(String uri) throws GeneralSecurityException
      Returns an Aead whose encrypt and decrypt operations are carried out remotely by the AWS KMS key identified by uri, so every call is a KMS request that is subject to the key policy and is logged by CloudTrail. A specific client only serves the key it is bound to; check doesSupport(uri) first.
      Specified by:
      getAead in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException - if uri is not supported by this client or the KMS client cannot be created
    • register

      public static void register(Optional<String> keyUri, Optional<String> credentialPath) throws GeneralSecurityException
      Creates an AwsKmsClient and registers it with the Tink runtime (KmsClients), so that KmsClients.get(uri) resolves to it. This is the intended way to obtain a client; the public constructors are not meant to be called directly.

      If keyUri is present, it is the only key that the new client will support. Otherwise the new client supports all AWS KMS keys, which is convenient but means any aws-kms:// URI reachable with the registered credentials can be used.

      If credentialPath is present, the credentials are loaded from that properties file as described under withCredentials(String). Otherwise the default credentials provider chain is used, as described under withDefaultCredentials().

      Throws:
      GeneralSecurityException - if the client cannot be initialized or registered
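      As an added example, not code from the Confluent project, this registers a client bound to one KEK and then uses the Aead it provides, showing how the associated data ties a ciphertext to its context. The KEK ARN, topic/field names and the sample value are constructed placeholders; the properties-file layout in the comment follows the withCredentials(String) contract above.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClients;
import io.confluent.kafka.schemaregistry.encryption.aws.AwsKmsClient;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Optional;

/** Added example: register a single-key AwsKmsClient and round-trip a field value through the KEK. */
public final class RegisterAwsKmsExample {

  // Placeholder KEK URI (aws-kms:// scheme plus the key ARN).
  static final String KEK_URI =
      "aws-kms://arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000";

  /*
   * If a credential path is supplied, register() loads it with withCredentials(String),
   * which expects a Java properties file of the form:
   *
   *   accessKey=AKIAIOSFODNN7EXAMPLE
   *   secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   *
   * Those are long-lived static keys in plaintext. Pass Optional.empty() instead wherever
   * an instance profile, container role or environment credentials are available.
   */

  /** Registers the client once; later KmsClients.get(KEK_URI) calls resolve to it. */
  static void registerKek(Optional<String> credentialPath) throws GeneralSecurityException {
    // Binding to one key means this client refuses every other aws-kms:// URI.
    AwsKmsClient.register(Optional.of(KEK_URI), credentialPath);
  }

  /**
   * Encrypts with associated data naming the topic and field. Tink's AWS KMS Aead, which this
   * class follows, sends the associated data as KMS encryption context, so KMS refuses to
   * decrypt under a different context and CloudTrail records the context of each call.
   */
  static byte[] encryptField(Aead kek, String topicField, byte[] plaintext)
      throws GeneralSecurityException {
    return kek.encrypt(plaintext, topicField.getBytes(StandardCharsets.UTF_8));
  }

  static byte[] decryptField(Aead kek, String topicField, byte[] ciphertext)
      throws GeneralSecurityException {
    return kek.decrypt(ciphertext, topicField.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws GeneralSecurityException {
    registerKek(args.length > 0 ? Optional.of(args[0]) : Optional.empty());
    Aead kek = KmsClients.get(KEK_URI).getAead(KEK_URI);

    byte[] ssn = "123-45-6789".getBytes(StandardCharsets.UTF_8); // constructed sample value
    byte[] ct = encryptField(kek, "customers-value:ssn", ssn);

    if (!Arrays.equals(decryptField(kek, "customers-value:ssn", ct), ssn)) {
      throw new IllegalStateException("round trip failed");
    }
    try {
      decryptField(kek, "customers-value:email", ct); // same key, wrong context
      throw new IllegalStateException("KMS accepted a ciphertext under the wrong associated data");
    } catch (GeneralSecurityException expected) {
      System.out.println("Decrypt under mismatched associated data was rejected, as intended.");
    }
  }
}
```

      Every call on this Aead is a round trip to KMS, so it is the right tool for wrapping data-encryption keys rather than for bulk payloads; keep the KEK behind it and encrypt records with locally held DEKs that the KEK wraps.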