kms

package
v0.10.0
Warning: this package is not in the latest version of its module.
Published: Jun 9, 2026 License: MIT Imports: 11 Imported by: 0

Documentation

Overview

Package kms is the AWS KMS backend for pkg/signing. Blank-import it to activate it: the package's init() registers the backend under the name "aws-kms" in pkg/signing's global registry.

import _ "gitlab.com/phpboyscout/go-tool-base/pkg/signing/kms"

The backend wraps a KMS-held asymmetric RSA SIGN_VERIFY key as a crypto.Signer that pkg/openpgpkey can use to mint an OpenPGP-armored public key. The private half never leaves AWS — every signing operation is a remote kms:Sign call.

Backend-specific CLI flag:

--kms-region <region>   AWS region. Default: eu-west-2.

Credentials are resolved from the AWS SDK default chain (env vars / ~/.aws/credentials / IAM Roles Anywhere / OIDC web identity). Users with multiple profiles can either set AWS_PROFILE before invoking the minter or assume a role explicitly via `aws sts assume-role` and export the resulting credentials.

Index

Constants

This section is empty.

Variables

var (
	// ErrUnsupportedKMSKeyType is returned by NewSigner when the
	// KMS key's public half is not RSA. AWS KMS does not expose
	// Ed25519 for asymmetric signing, so RSA is the only key type
	// this backend handles.
	ErrUnsupportedKMSKeyType = errors.New("KMS key is not RSA; only RSA SIGN_VERIFY keys are supported")

	// ErrUnsupportedHashFunc is returned by the signer when the
	// caller requests a hash function KMS RSA Sign does not map to.
	ErrUnsupportedHashFunc = errors.New("unsupported hash function; KMS RSA Sign accepts SHA-256 / 384 / 512 only")
)

Exported sentinel errors, so callers (and tests) can use errors.Is to match specific failure modes.

Functions

func NewSigner

func NewSigner(ctx context.Context, region, keyID string) (crypto.Signer, error)

NewSigner is the programmatic constructor for callers that don't want to go through the global pkg/signing registry. Most callers should use `signing.Get("aws-kms")` instead; this exists for integration tests and for tool authors who wire signing into their own command structure rather than `gtb keys mint`.

region is the AWS region the key lives in. The AWS SDK default credential chain is used; callers manage credentials externally (env vars, AWS_PROFILE, assume-role).

Types

This section is empty.
