创建 KMS 密钥策略在 Go 中探索
来源:stackoverflow
时间:2024-02-06 11:36:22 322浏览 收藏
怎么入门Golang编程?需要学习哪些知识点?这是新手们刚接触编程时常见的问题;下面golang学习网就来给大家整理分享一些知识点,希望能够给初学者一些帮助。本篇文章就来介绍《创建 KMS 密钥策略在 Go 中探索》,涉及到,有需要的可以收藏一下
问题内容
我正在尝试使用 aws sdk v2 函数调用创建 kms 密钥:
conn := kms.NewFromConfig(cfg)
input := kms.CreateKeyInput{
KeySpec: types.KeySpecEccNistP521,
KeyUsage: types.KeyUsageTypeSignVerify,
MultiRegion: aws.Bool(true),
Policy: aws.String("")
}
output, err := conn.CreateKey(ctx, &input)
我遇到的问题是我不确定如何生成密钥的策略。我假设我可以为 iam 策略文档创建 json,但我认为自己生成该文档的前景并不特别诱人。是否有可以用来生成此文档的包或库?
正确答案
我最终创建了自己的策略结构:
// policy describes a policy document that can be used to configure permissions in iam
type policy struct {
version string `json:"version"`
id string `json:"id"`
statements []*statement `json:"statement"`
}
// statement describes a set of permissions that define what resources and users should have access
// to the resources described therein
type statement struct {
id string `json:"sid"`
effect effect `json:"effect"`
principalarns principals `json:"principal"`
actionarns actions `json:"action"`
resourcearns resources `json:"resource"`
}
// principals describes a list of principals associated with a policy statement
type principals []string
// marhsaljson converts a principals collection to json
func (p principals) marshaljson() ([]byte, error) {
// first, get the inner string from the list of principals
var inner string
if len(p) > 1 {
inner = marshal(p...)
} else if len(p) == 1 {
inner = strings.quote(p[0], "\"")
} else {
return nil, fmt.errorf("principal must contain at least one element")
}
// next, create the principal block and return it
return []byte(fmt.sprintf("{\"aws\": %s}", inner)), nil
}
// actions describes a list of actions that may or may not be taken by principals with regard to the
// resources described in a policy statement
type actions []action
// marshaljson converts an actions collection to json
func (a actions) marshaljson() ([]byte, error) {
// first, get the inner string from the list of actions
var inner string
if len(a) > 1 {
inner = marshal(a...)
} else if len(a) == 1 {
inner = strings.quote(a[0], "\"")
} else {
return nil, fmt.errorf("action must contain at least one element")
}
// next, create the action block and return it
return []byte(inner), nil
}
// resources describes a list of resources effected by the policy statement
type resources []string
// marshaljson converts a resources collection to json
func (r resources) marshaljson() ([]byte, error) {
// first, get the inner string from the list of actions
var inner string
if len(r) > 1 {
inner = marshal(r...)
} else if len(r) == 1 {
inner = strings.quote(r[0], "\"")
} else {
return nil, fmt.errorf("resource must contain at least one element")
}
// next, create the action block and return it
return []byte(inner), nil
}
// helper function that converts a list of items to a json-string
func marshal[s ~string](items ...s) string {
return "[" + strings.modifyandjoin(func(item string) string { return strings.quote(item, "\"") }, ",", items...) + "]"
}
// effect describes the effect a policy statement will have upon the resource and for the actions described
type effect string
var (
// allow to grant access of the resource and actions to the principals described in the policy statement
allow = effect("allow")
// deny to deny access of the resource and actions from the principals described in the policy statement
deny = effect("deny")
)
// action describes a valid operation that may be made against a particular aws resource
type action string
// describes the various action types available to aws
var (
cancelkeydeletion = action("kms:cancelkeydeletion")
connectcustomkeystore = action("kms:connectcustomkeystore")
createalias = action("kms:createalias")
createcustomkeystore = action("kms:createcustomkeystore")
creategrant = action("kms:creategrant")
createkey = action("kms:createkey")
decrypt = action("kms:decrypt")
deletealias = action("kms:deletealias")
deletecustomkeystore = action("kms:deletecustomkeystore")
deleteimportedkeymaterial = action("kms:deleteimportedkeymaterial")
describecustomkeystores = action("kms:describecustomkeystores")
describekey = action("kms:describekey")
disablekey = action("kms:disablekey")
disablekeyrotation = action("kms:disablekeyrotation")
disconnectcustomkeystore = action("kms:disconnectcustomkeystore")
enablekey = action("kms:enablekey")
enablekeyrotation = action("kms:enablekeyrotation")
encrypt = action("kms:encrypt")
generatedatakey = action("kms:generatedatakey")
generatedatakeypair = action("kms:generatedatakeypair")
generatedatakeypairwithoutplaintext = action("kms:generatedatakeypairwithoutplaintext")
generatedatakeywithoutplaintext = action("kms:generatedatakeywithoutplaintext")
generatemac = action("kms:generatemac")
generaterandom = action("kms:generaterandom")
getkeypolicy = action("kms:getkeypolicy")
getkeyrotationstatus = action("kms:getkeyrotationstatus")
getparametersforimport = action("kms:getparametersforimport")
getpublickey = action("kms:getpublickey")
importkeymaterial = action("kms:importkeymaterial")
listaliases = action("kms:listaliases")
listgrants = action("kms:listgrants")
listkeypolicies = action("kms:listkeypolicies")
listkeys = action("kms:listkeys")
listresourcetags = action("kms:listresourcetags")
listretirablegrants = action("kms:listretirablegrants")
putkeypolicy = action("kms:putkeypolicy")
reencryptfrom = action("kms:reencryptfrom")
reencryptto = action("kms:reencryptto")
replicatekey = action("kms:replicatekey")
retiregrant = action("kms:retiregrant")
revokegrant = action("kms:revokegrant")
schedulekeydeletion = action("kms:schedulekeydeletion")
sign = action("kms:sign")
tagresource = action("kms:tagresource")
untagresource = action("kms:untagresource")
updatealias = action("kms:updatealias")
updatecustomkeystore = action("kms:updatecustomkeystore")
updatekeydescription = action("kms:updatekeydescription")
updateprimaryregion = action("kms:updateprimaryregion")
verify = action("kms:verify")
verifymac = action("kms:verifymac")
kmsall = action("kms:*")
)
然后我可以在我的代码中使用它,如下所示:
conn := kms.NewFromConfig(cfg)
policy := Policy {
Version: "2012-10-17",
ID: "test-key",
Statements: []*policy.Statement{
{
ID: "test-failure",
Effect: policy.Allow,
PrincipalArns: []string{"arn:aws:kms:eu-west-2:111122223333:root"},
ActionArns: policy.Actions{policy.KmsAll},
ResourceArns: []string{"*"},
},
},
}
pData, err := json.Marshal(policy)
if err != nil {
return err
}
input := kms.CreateKeyInput{
KeySpec: types.KeySpecEccNistP521,
KeyUsage: types.KeyUsageTypeSignVerify,
MultiRegion: aws.Bool(true),
Policy: aws.String(string(pData)),
}
output, err := conn.CreateKey(ctx, &input)
我在一个开源包中添加了此代码,可以在 here 中找到,以便其他人可以使用它。
今天关于《创建 KMS 密钥策略在 Go 中探索》的内容介绍就到此结束,如果有什么疑问或者建议,可以在golang学习网公众号下多多回复交流;文中若有不正之处,也希望回复留言以告知!
声明:本文转载于:stackoverflow 如有侵犯,请联系study_golang@163.com删除
相关阅读
更多>
-
502 收藏
-
502 收藏
-
501 收藏
-
501 收藏
-
501 收藏
最新阅读
更多>
-
139 收藏
-
204 收藏
-
325 收藏
-
478 收藏
-
486 收藏
-
439 收藏
-
357 收藏
-
352 收藏
-
101 收藏
-
440 收藏
-
212 收藏
-
143 收藏
课程推荐
更多>
-
- 前端进阶之JavaScript设计模式
- 设计模式是开发人员在软件开发过程中面临一般问题时的解决方案,代表了最佳的实践。本课程的主打内容包括JS常见设计模式以及具体应用场景,打造一站式知识长龙服务,适合有JS基础的同学学习。
- 立即学习 543次学习
-
- GO语言核心编程课程
- 本课程采用真实案例,全面具体可落地,从理论到实践,一步一步将GO核心编程技术、编程思想、底层实现融会贯通,使学习者贴近时代脉搏,做IT互联网时代的弄潮儿。
- 立即学习 516次学习
-
- 简单聊聊mysql8与网络通信
- 如有问题加微信:Le-studyg;在课程中,我们将首先介绍MySQL8的新特性,包括性能优化、安全增强、新数据类型等,帮助学生快速熟悉MySQL8的最新功能。接着,我们将深入解析MySQL的网络通信机制,包括协议、连接管理、数据传输等,让
- 立即学习 500次学习
-
- JavaScript正则表达式基础与实战
- 在任何一门编程语言中,正则表达式,都是一项重要的知识,它提供了高效的字符串匹配与捕获机制,可以极大的简化程序设计。
- 立即学习 487次学习
-
- 从零制作响应式网站—Grid布局
- 本系列教程将展示从零制作一个假想的网络科技公司官网,分为导航,轮播,关于我们,成功案例,服务流程,团队介绍,数据部分,公司动态,底部信息等内容区块。网站整体采用CSSGrid布局,支持响应式,有流畅过渡和展现动画。
- 立即学习 485次学习