spring-cloud-aws icon indicating copy to clipboard operation
spring-cloud-aws copied to clipboard

Published 20 hours ago verified publisher icon awspring

Integration with AWS KMS

Open ipsi-apant opened this issue 1 year ago • 2 comments

Type: Feature

Is your feature request related to a problem? Please describe. Looking for AWS KMS integration. There is a use case where a public key alias stored on a dynamodb record. A new public key per record. There will be CRUD operations. For POST calls, it needs to read public key from a record, then encrypt data. For GET calls, decrypt this data using AWS KMS provider.

I didn't find out of the box option in spring-cloud-aws, so planning to create a customer service. Before creating a custom service, wanted to have some understanding whether, is there an option for this use case?

Describe the solution you'd like Ability to integrate KMS service for encryption and decryption. For this use case the strategy is per request. However, the solution can be configurable based on different strategies.

Examples which I could think of (some maybe incorrect):

  • Request strategy - encrypt and decrypt per request
  • Application strategy - same key across application. This can be set in application.yaml
  • Endpoint path match strategy - based on endpoint

Describe alternatives you've considered Manually creating a KMS service (spring component) and manage these cases. This will have some side effect where this encryption and decryption (cross cutting) logic will sit at application level. So components which are using this service as dependency will need to cover it's cases. Possible duplication of exception handling and they need to cover in unit tests. Another option to use Spring AoP, which I think a possible option. This application is WebFlux type. The data to be encrypt/decrypt is just a couple of fields, so my understanding AoP may cause excess conversions from and to Mono/Flux. I could be wrong here.

Happy to provide more information as per request

ipsi-apant avatar Oct 16 '23 06:10 ipsi-apant

Zalando made a library to integrate KMS with Spring Boot https://github.com/zalando/spring-cloud-config-aws-kms (does not seem active anymore). Can you show some examples how you would like KMS integration to work? Because I am not entirely sure if I understand your use case.

maciejwalkowiak avatar Nov 06 '23 09:11 maciejwalkowiak

We at Zalando adopted our library (https://github.com/zalando/spring-cloud-config-aws-kms) to the style of Spring Cloud AWS 3.1.x with our the latest version 3.1.1.

danielrohe avatar Apr 25 '24 13:04 danielrohe