README
¶
kmssigner
A crypto.Signer implementation based on an AWS KMS key.
With AWS KMS keys, the private key never leaves KMS and all signing operations also occur within KMS. This comes with several benefits:
- with KMS the private key cannot be retrieved and thus it cannot be lost or stolen
- under-the-hood KMS uses a FIPS 140-2 L3 certified Hardware Security Module (HSM) to store the key
- all signing operations result in an audit log (via AWS CloudTrail)
- role based access control for signing operations (via AWS IAM)
- multiple region high-availability (if using a multi-region KMS key)
See https://github.com/adrianosela/kmsca for more info.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Option ¶
type Option func(s *Signer)
Option represents a configuration option for the signer.
func WithGetPublicKeyTimeout ¶
WithGetPublicKeyTimeout sets the timeout for the GetPublicKey operation (aws kms api call).
func WithSignTimeout ¶
WithSignTimeout sets the timeout for the Sign operation (aws kms api call).
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer can sign arbitrary bytes.
func NewSigner ¶
func NewSigner( cfg aws.Config, kmsKeyId string, signingAlgo types.SigningAlgorithmSpec, opts ...Option, ) (*Signer, error)
NewSigner returns a new signer
Source Files
Click to show internal directories.
Click to hide internal directories.