小贝子编程

在Go中创建KMS密钥策略



我正试图使用AWS SDK v2函数调用创建一个KMS密钥:

conn := kms.NewFromConfig(cfg)
input := kms.CreateKeyInput{
KeySpec:     types.KeySpecEccNistP521,
KeyUsage:    types.KeyUsageTypeSignVerify,
MultiRegion: aws.Bool(true),
Policy:      aws.String("")
}
output, err := conn.CreateKey(ctx, &input)

我遇到的问题是,我不确定如何为密钥生成策略。我认为我可以为IAM策略文档创建JSON,但我不认为自己生成JSON的前景特别有吸引力。是否有可以用来生成此文档的包或库?

我最终创建了自己的策略结构:

// Policy describes a policy document that can be used to configure permissions in IAM
type Policy struct {
Version    string       `json:"Version"`
ID         string       `json:"Id"`
Statements []*Statement `json:"Statement"`
}
// Statement describes a set of permissions that define what resources and users should have access
// to the resources described therein
type Statement struct {
ID            string     `json:"Sid"`
Effect        Effect     `json:"Effect"`
PrincipalArns Principals `json:"Principal"`
ActionArns    Actions    `json:"Action"`
ResourceArns  Resources  `json:"Resource"`
}
// Principals describes a list of principals associated with a policy statement
type Principals []string
// MarhsalJSON converts a Principals collection to JSON
func (p Principals) MarshalJSON() ([]byte, error) {
// First, get the inner string from the list of principals
var inner string
if len(p) > 1 {
inner = marshal(p...)
} else if len(p) == 1 {
inner = strings.Quote(p[0], """)
} else {
return nil, fmt.Errorf("Principal must contain at least one element")
}
// Next, create the principal block and return it
return []byte(fmt.Sprintf("{"AWS": %s}", inner)), nil
}
// Actions describes a list of actions that may or may not be taken by principals with regard to the
// resources described in a policy statement
type Actions []Action
// MarshalJSON converts an Actions collection to JSON
func (a Actions) MarshalJSON() ([]byte, error) {
// First, get the inner string from the list of actions
var inner string
if len(a) > 1 {
inner = marshal(a...)
} else if len(a) == 1 {
inner = strings.Quote(a[0], """)
} else {
return nil, fmt.Errorf("Action must contain at least one element")
}
// Next, create the action block and return it
return []byte(inner), nil
}
// Resources describes a list of resources effected by the policy statement
type Resources []string
// MarshalJSON converts a Resources collection to JSON
func (r Resources) MarshalJSON() ([]byte, error) {
// First, get the inner string from the list of actions
var inner string
if len(r) > 1 {
inner = marshal(r...)
} else if len(r) == 1 {
inner = strings.Quote(r[0], """)
} else {
return nil, fmt.Errorf("Resource must contain at least one element")
}
// Next, create the action block and return it
return []byte(inner), nil
}
// Helper function that converts a list of items to a JSON-string
func marshal[S ~string](items ...S) string {
return "[" + strings.ModifyAndJoin(func(item string) string { return strings.Quote(item, """) }, ",", items...) + "]"
}
// Effect describes the effect a policy statement will have upon the resource and for the actions described
type Effect string
var (
// Allow to grant access of the resource and actions to the principals described in the policy statement
Allow = Effect("Allow")
// Deny to deny access of the resource and actions from the principals described in the policy statement
Deny = Effect("Deny")
)
// Action describes a valid operation that may be made against a particular AWS resource
type Action string
// Describes the various action types available to AWS
var (
CancelKeyDeletion                   = Action("kms:CancelKeyDeletion")
ConnectCustomKeyStore               = Action("kms:ConnectCustomKeyStore")
CreateAlias                         = Action("kms:CreateAlias")
CreateCustomKeyStore                = Action("kms:CreateCustomKeyStore")
CreateGrant                         = Action("kms:CreateGrant")
CreateKey                           = Action("kms:CreateKey")
Decrypt                             = Action("kms:Decrypt")
DeleteAlias                         = Action("kms:DeleteAlias")
DeleteCustomKeyStore                = Action("kms:DeleteCustomKeyStore")
DeleteImportedKeyMaterial           = Action("kms:DeleteImportedKeyMaterial")
DescribeCustomKeyStores             = Action("kms:DescribeCustomKeyStores")
DescribeKey                         = Action("kms:DescribeKey")
DisableKey                          = Action("kms:DisableKey")
DisableKeyRotation                  = Action("kms:DisableKeyRotation")
DisconnectCustomKeyStore            = Action("kms:DisconnectCustomKeyStore")
EnableKey                           = Action("kms:EnableKey")
EnableKeyRotation                   = Action("kms:EnableKeyRotation")
Encrypt                             = Action("kms:Encrypt")
GenerateDataKey                     = Action("kms:GenerateDataKey")
GenerateDataKeyPair                 = Action("kms:GenerateDataKeyPair")
GenerateDataKeyPairWithoutPlaintext = Action("kms:GenerateDataKeyPairWithoutPlaintext")
GenerateDataKeyWithoutPlaintext     = Action("kms:GenerateDataKeyWithoutPlaintext")
GenerateMac                         = Action("kms:GenerateMac")
GenerateRandom                      = Action("kms:GenerateRandom")
GetKeyPolicy                        = Action("kms:GetKeyPolicy")
GetKeyRotationStatus                = Action("kms:GetKeyRotationStatus")
GetParametersForImport              = Action("kms:GetParametersForImport")
GetPublicKey                        = Action("kms:GetPublicKey")
ImportKeyMaterial                   = Action("kms:ImportKeyMaterial")
ListAliases                         = Action("kms:ListAliases")
ListGrants                          = Action("kms:ListGrants")
ListKeyPolicies                     = Action("kms:ListKeyPolicies")
ListKeys                            = Action("kms:ListKeys")
ListResourceTags                    = Action("kms:ListResourceTags")
ListRetirableGrants                 = Action("kms:ListRetirableGrants")
PutKeyPolicy                        = Action("kms:PutKeyPolicy")
ReEncryptFrom                       = Action("kms:ReEncryptFrom")
ReEncryptTo                         = Action("kms:ReEncryptTo")
ReplicateKey                        = Action("kms:ReplicateKey")
RetireGrant                         = Action("kms:RetireGrant")
RevokeGrant                         = Action("kms:RevokeGrant")
ScheduleKeyDeletion                 = Action("kms:ScheduleKeyDeletion")
Sign                                = Action("kms:Sign")
TagResource                         = Action("kms:TagResource")
UntagResource                       = Action("kms:UntagResource")
UpdateAlias                         = Action("kms:UpdateAlias")
UpdateCustomKeyStore                = Action("kms:UpdateCustomKeyStore")
UpdateKeyDescription                = Action("kms:UpdateKeyDescription")
UpdatePrimaryRegion                 = Action("kms:UpdatePrimaryRegion")
Verify                              = Action("kms:Verify")
VerifyMac                           = Action("kms:VerifyMac")
KmsAll                              = Action("kms:*")
)

然后我可以在我的代码中这样使用:

conn := kms.NewFromConfig(cfg)
policy := Policy {
Version: "2012-10-17",
ID:      "test-key",
Statements: []*policy.Statement{
{
ID:            "test-failure",
Effect:        policy.Allow,
PrincipalArns: []string{"arn:aws:kms:eu-west-2:111122223333:root"},
ActionArns:    policy.Actions{policy.KmsAll},
ResourceArns:  []string{"*"},
},
},
}
pData, err := json.Marshal(policy)
if err != nil {
return err
}
input := kms.CreateKeyInput{
KeySpec:     types.KeySpecEccNistP521,
KeyUsage:    types.KeyUsageTypeSignVerify,
MultiRegion: aws.Bool(true),
Policy:      aws.String(string(pData)),
}
output, err := conn.CreateKey(ctx, &input)

我在一个开源软件包中添加了这方面的代码,可以在这里找到,这样其他人就可以使用它

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium