README
¶
AWS KMS Signer
This package implements signer.Signer using AWS KMS.
It uses KMS for Sign operations and caches the public key/address in memory after initialization.
Requirements
- AWS credentials must be available via the standard AWS SDK credential chain.
- The configured KMS key must be an asymmetric Ed25519 key.
Configuration
Set evnode.signer.signer_type to kms, set evnode.signer.kms.provider to aws,
and provide at least evnode.signer.kms.aws.key_id.
Example:
signer:
signer_type: kms
kms:
provider: aws
aws:
key_id: arn:aws:kms:eu-central-1:123456789012:key/00000000-0000-0000-0000-000000000000
region: eu-central-1
profile: default
timeout: 1s
max_retries: 3
Notes
kms.aws.timeoutis the timeout per KMS Sign request.kms.aws.max_retriescontrols retries for transient KMS/API/network failures.
Documentation
¶
Overview ¶
Package aws implements a signer.Signer backed by AWS KMS. It delegates signing to a remote KMS key and caches the public key locally.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type KMSClient ¶
type KMSClient interface {
Sign(ctx context.Context, params *kms.SignInput, optFns ...func(*kms.Options)) (*kms.SignOutput, error)
GetPublicKey(ctx context.Context, params *kms.GetPublicKeyInput, optFns ...func(*kms.Options)) (*kms.GetPublicKeyOutput, error)
}
KMSClient is the subset of the AWS KMS client API that KmsSigner needs. This allows mocking in tests.
type KmsSigner ¶
type KmsSigner struct {
// contains filtered or unexported fields
}
KmsSigner implements the signer.Signer interface using AWS KMS.
func NewKmsSigner ¶
func NewKmsSigner(ctx context.Context, region string, profile string, keyID string, opts *Options) (*KmsSigner, error)
NewKmsSigner creates a new Signer backed by an AWS KMS Ed25519 key. It uses the standard AWS credential chain (env vars, ~/.aws/credentials, IAM roles, etc.).
func (*KmsSigner) GetAddress ¶
GetAddress returns the cached address derived from the public key.
Source Files