
Integration with AWS KMS #910

Closed
ipsi-apant opened this issue Oct 16, 2023 · 3 comments
Labels
status: team-discussion Team has to figure out how to proceed status: waiting-for-feedback Waiting for feedback from issuer

Comments

@ipsi-apant

Type: Feature

Is your feature request related to a problem? Please describe.
Looking for AWS KMS integration.
There is a use case where a public key alias is stored on a DynamoDB record, with a new public key per record.
There will be CRUD operations. For POST calls, it needs to read the public key from a record, then encrypt data.
For GET calls, decrypt this data using AWS KMS provider.

I didn't find an out-of-the-box option in spring-cloud-aws, so I am planning to create a custom service.
Before creating a custom service, I wanted to understand whether there is an option for this use case.

Describe the solution you'd like
Ability to integrate the KMS service for encryption and decryption. For this use case the strategy is per request. However, the solution could be configurable based on different strategies.

Examples which I could think of (some may be incorrect):

  • Request strategy - encrypt and decrypt per request
  • Application strategy - same key across application. This can be set in application.yaml
  • Endpoint path match strategy - based on endpoint

Describe alternatives you've considered
Manually creating a KMS service (Spring component) and managing these cases.
This will have some side effects, where this encryption and decryption (cross-cutting) logic will sit at the application level. So components which use this service as a dependency will need to cover its cases. Possible duplication of exception handling, and they need to cover it in unit tests.
Another option is to use Spring AOP, which I think is a possible option. This application is WebFlux type. The data to encrypt/decrypt is just a couple of fields, so my understanding is that AOP may cause excess conversions from and to Mono/Flux. I could be wrong here.

Happy to provide more information on request.
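As an added illustration of the per-request strategy described above (not code from this issue or from spring-cloud-aws): a hypothetical WebFlux component that encrypts a field under the key alias stored on the record and binds the record id into the KMS encryption context, so a ciphertext copied onto a different record fails to decrypt instead of silently revealing data. It assumes a `KmsAsyncClient` bean supplied by the application and symmetric KMS keys (encryption context is not supported for asymmetric keys); the class, method and context names are invented for the example.

```java
import java.util.Map;

import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsAsyncClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;

/**
 * Hypothetical per-request field cipher (not part of spring-cloud-aws).
 * The key alias comes from the DynamoDB record; the record id is bound into
 * the KMS encryption context, so decrypting under a different record id fails.
 * Assumes symmetric KMS keys and a KmsAsyncClient bean provided by the app.
 */
@Component
public class RecordFieldCipher {

    private static final String CONTEXT_KEY = "record-id"; // constructed context name
    private final KmsAsyncClient kms;

    public RecordFieldCipher(KmsAsyncClient kms) {
        this.kms = kms;
    }

    /** POST path: encrypt one field under the alias stored on the record. */
    public Mono<byte[]> encrypt(String keyAlias, String recordId, String plaintext) {
        EncryptRequest request = EncryptRequest.builder()
                .keyId(keyAlias)                              // e.g. "alias/record-123"
                .plaintext(SdkBytes.fromUtf8String(plaintext))
                .encryptionContext(Map.of(CONTEXT_KEY, recordId))
                .build();
        // Supplier form defers the KMS call until the Mono is subscribed.
        return Mono.fromFuture(() -> kms.encrypt(request))
                .map(response -> response.ciphertextBlob().asByteArray());
    }

    /** GET path: decrypt with the same context; a mismatch is an InvalidCiphertextException. */
    public Mono<String> decrypt(String keyAlias, String recordId, byte[] ciphertext) {
        DecryptRequest request = DecryptRequest.builder()
                .keyId(keyAlias)                              // pin the key; rejects blobs from other keys
                .ciphertextBlob(SdkBytes.fromByteArray(ciphertext))
                .encryptionContext(Map.of(CONTEXT_KEY, recordId))
                .build();
        return Mono.fromFuture(() -> kms.decrypt(request))
                .map(response -> response.plaintext().asUtf8String());
    }
}
```

Because the KMS call returns a `CompletableFuture`, the component stays non-blocking without the Mono/Flux conversions the AOP approach was expected to add.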

@MatejNedic MatejNedic added the status: team-discussion Team has to figure out how to proceed label Oct 19, 2023
@maciejwalkowiak
Contributor

Zalando made a library to integrate KMS with Spring Boot, https://github.com/zalando/spring-cloud-config-aws-kms (it does not seem active anymore). Can you show some examples of how you would like the KMS integration to work? Because I am not entirely sure I understand your use case.

@maciejwalkowiak maciejwalkowiak added the status: waiting-for-feedback Waiting for feedback from issuer label Nov 6, 2023
@danielrohe

We at Zalando adapted our library (https://github.com/zalando/spring-cloud-config-aws-kms) to the style of Spring Cloud AWS 3.1.x with our latest version, 3.1.1.

@maciejwalkowiak
Contributor

Thanks @danielrohe for the update. As Zalando provides this functionality, we will just link to them in the readme.
