Example for using multiple keys in multiple regions #177
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"). You | ||
| # may not use this file except in compliance with the License. A copy of | ||
| # the License is located at | ||
| # | ||
| # http://aws.amazon.com/apache2.0/ | ||
| # | ||
| # or in the "license" file accompanying this file. This file is | ||
| # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF | ||
| # ANY KIND, either express or implied. See the License for the specific | ||
| # language governing permissions and limitations under the License. | ||
| """ | ||
| Example showing basic encryption and decryption of a value already in memory | ||
| using multiple KMS CMKs in multiple regions. | ||
| """ | ||
| import aws_encryption_sdk | ||
|
|
||
|
|
||
| def encrypt(kms_key_provider, source_plaintext): | ||
| """Encrypts source_plaintext with the key(s) in kms_key_provider""" | ||
| return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) | ||
|
|
||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| def decrypt(kms_key_provider, ciphertext): | ||
| """Decrypts ciphertext with the key(s) in kms_key_provider""" | ||
| return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) | ||
|
|
||
|
|
||
| def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): | ||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. | ||
|
|
||
| :param str key_arn1: Amazon Resource Name (ARN) of the KMS CMK | ||
| :param str key_arn2: Amazon Resource Name (ARN) of another KMS CMK | ||
| :param bytes source_plaintext: Data to encrypt | ||
| :param botocore_session: existing botocore session instance | ||
| :type botocore_session: botocore.session.Session | ||
| """ | ||
| # Check that these keys are in different regions | ||
| assert not key_arn1[12:21] == key_arn2[12:21] | ||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| kwargs = dict(key_ids=[key_arn1, key_arn2]) | ||
|
|
||
| if botocore_session is not None: | ||
| kwargs["botocore_session"] = botocore_session | ||
|
|
||
| # Create master key provider using the ARNs of the keys and the session (botocore_session) | ||
| kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) | ||
|
|
||
| # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header | ||
| ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) | ||
|
|
||
| # Check that both key ARNs are in the message headers | ||
| assert len(encrypted_message_header.encrypted_data_keys) == 2 | ||
|
|
||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header | ||
| # Either of our keys can be used to decrypt the message | ||
| plaintext1, decrypted_message_header1 = decrypt( | ||
| aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext | ||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ) | ||
| plaintext2, decrypted_message_header2 = decrypt( | ||
| aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext | ||
| ) | ||
|
|
||
| # Check that the original message and the decrypted message are the same | ||
| assert source_plaintext == plaintext1 | ||
|
There was a problem hiding this comment. The output of the Before this check, let's add a decoding if necessary: if not isinstance(source_plaintext, bytes):
plaintext1 = plaintext1.decode("utf-8")
plaintext2 = plaintext2.decode("utf-8")There was a problem hiding this comment. Does this make the assumption that |
||
| assert source_plaintext == plaintext2 | ||
|
|
||
| # Check that the headers of the encrypted message and decrypted message match | ||
| assert all( | ||
| pair in encrypted_message_header.encryption_context.items() | ||
| for pair in decrypted_message_header1.encryption_context.items() | ||
| ) | ||
| assert all( | ||
| pair in encrypted_message_header.encryption_context.items() | ||
| for pair in decrypted_message_header2.encryption_context.items() | ||
| ) | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"). You | ||
| # may not use this file except in compliance with the License. A copy of | ||
| # the License is located at | ||
| # | ||
| # http://aws.amazon.com/apache2.0/ | ||
| # | ||
| # or in the "license" file accompanying this file. This file is | ||
| # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF | ||
| # ANY KIND, either express or implied. See the License for the specific | ||
| # language governing permissions and limitations under the License. | ||
| """Unit test suite for the encryption and decryption using multiple KMS CMKs in multiple regions example.""" | ||
|
|
||
| import botocore.session | ||
| import pytest | ||
|
|
||
| from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions | ||
|
|
||
| # from .examples_test_utils import get_cmk_arn | ||
| from .examples_test_utils import static_plaintext | ||
|
|
||
|
|
||
| pytestmark = [pytest.mark.examples] | ||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| def test_multiple_kms_cmk_regions(): | ||
| plaintext = static_plaintext | ||
| cmk_arn1 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" | ||
caitlin-tibbetts marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| cmk_arn2 = "arn:aws:kms:eu-central-1:658956600833:alias/EncryptDecrypt" | ||
| multiple_kms_cmk_regions( | ||
| cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session() | ||
| ) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.