
Add support for asymmetric keys #24

Merged (11 commits) on Oct 16, 2020

Conversation

@jtcul (Contributor) commented Sep 16, 2020

Issue #, if available:

N/A

Description of changes:

  • Adds support for asymmetric KMS keys
  • Adds contract tests for asymmetric keys
  • Refactored the update handler so that errors from updateKeyRotationStatus and updateKeyStatus are returned properly
  • Improved the depth of the Create / Read handler unit tests
  • Added a gitignore
  • Increased the memory allocated to the Lambda functions (allows the contract tests to work on macOS)

New wording:

  • "Specifies the type of CMK to create. The default value is SYMMETRIC_DEFAULT. This parameter is required only for asymmetric CMKs. You can't change the KeySpec value after the CMK is created."
  • "You cannot set the EnableKeyRotation property to true on asymmetric keys."

Questions for CloudFormation Reviewers:

  • Is there a way for us to specify our defaults such that the following update does not cause re-creation of the physical resource? Going from a template with only a key policy, to a template that explicitly specifies the default KeyUsage and KeySpec causes the resource to be re-created. This behavior is undesirable as the key should be the same, but it will no longer be able to decrypt data encrypted by the original key.

Original Template:

```yaml
Resources:
  KeyResource:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Ref 'AWS::AccountId'
            Action: 'kms:*'
            Resource: '*'
Outputs:
  KeyId:
    Value: !Ref KeyResource
```

Updated Template:

```yaml
Resources:
  KeyResource:
    Type: AWS::KMS::Key
    Properties:
      KeyUsage: ENCRYPT_DECRYPT
      KeySpec: SYMMETRIC_DEFAULT
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Ref 'AWS::AccountId'
            Action: 'kms:*'
            Resource: '*'
Outputs:
  KeyId:
    Value: !Ref KeyResource
```

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
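The two rules this PR introduces (KeySpec and KeyUsage are fixed at creation, and EnableKeyRotation is rejected on asymmetric keys) and the replacement problem raised in the question above, as an added example. This is illustrative Python written for this page, not code from the aws-cloudformation KMS provider, the CloudFormation registry, or the PR author; the "normalize then compare" approach to avoiding replacement is an assumption, not what CloudFormation actually does (CloudFormation decides replacement from the schema's createOnlyProperties, not from handler code), and the sample templates are the ones from the PR description rewritten as dicts with a placeholder account ID.

```python
"""Model of the AWS::KMS::Key property rules discussed in this PR.

Illustrative code written for this page; not from the resource provider.
"""

# Defaults the KMS CreateKey API applies when a property is omitted.
DEFAULTS = {
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "EnableKeyRotation": False,
}

# Properties that cannot be changed once the key exists; changing one means a new key
# whose material cannot decrypt ciphertext produced by the old one.
CREATE_ONLY = ("KeySpec", "KeyUsage")

# Asymmetric KeySpec values KMS accepted when this PR was written.
RSA_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096"}
ECC_SPECS = {"ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
ASYMMETRIC_SPECS = RSA_SPECS | ECC_SPECS


def normalize(props):
    """Copy of the properties with omitted values filled in from DEFAULTS.

    Assumed approach for this example: compare normalized property sets so that
    an omitted value and its explicit default look the same.
    """
    return {**DEFAULTS, **props}


def is_asymmetric(props):
    return normalize(props)["KeySpec"] in ASYMMETRIC_SPECS


def validate(props):
    """Return the list of problems with a property set (empty when valid)."""
    p = normalize(props)
    errors = []
    if p["EnableKeyRotation"] and is_asymmetric(p):
        errors.append("You cannot set the EnableKeyRotation property to true on asymmetric keys.")
    if p["KeySpec"] in ECC_SPECS and p["KeyUsage"] != "SIGN_VERIFY":
        errors.append("ECC keys only support KeyUsage SIGN_VERIFY.")
    if p["KeySpec"] == "SYMMETRIC_DEFAULT" and p["KeyUsage"] != "ENCRYPT_DECRYPT":
        errors.append("SYMMETRIC_DEFAULT keys only support KeyUsage ENCRYPT_DECRYPT.")
    return errors


def naive_requires_replacement(old, new):
    """Literal comparison of create-only properties: an omitted value and its
    explicit default differ, so the key is replaced (the behaviour the PR asks about)."""
    return any(old.get(k) != new.get(k) for k in CREATE_ONLY)


def requires_replacement(old, new):
    """Comparison of create-only properties after filling in defaults."""
    o, n = normalize(old), normalize(new)
    return any(o[k] != n[k] for k in CREATE_ONLY)


# Constructed sample input: the PR's two templates as property dicts.
# "123456789012" stands in for the resolved AWS::AccountId.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
ORIGINAL = {"KeyPolicy": KEY_POLICY}
UPDATED = {"KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT", "KeyPolicy": KEY_POLICY}
SIGNING_KEY = {"KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY", "KeyPolicy": KEY_POLICY}

if __name__ == "__main__":
    print("naive replacement:", naive_requires_replacement(ORIGINAL, UPDATED))
    print("normalized replacement:", requires_replacement(ORIGINAL, UPDATED))
    print("symmetric -> signing key replacement:", requires_replacement(ORIGINAL, SIGNING_KEY))
    print("rotation on asymmetric key:", validate({**SIGNING_KEY, "EnableKeyRotation": True}))
```

Run it and the first comparison reports a replacement for the ORIGINAL to UPDATED change while the normalized one does not; switching to the ECC signing key is reported as a replacement either way, because KeySpec and KeyUsage really did change.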

@jtcul jtcul requested a review from ammokhov September 16, 2020 22:31
@pezzullig commented:

Great! this looks so close 👍. Any idea on a release date?

@jtcul (Contributor, Author) commented Sep 24, 2020

> Great! this looks so close 👍. Any idea on a release date?

We don’t have a release date to announce at this time, but by following this repo, you’ll be notified if a new release contains support.

Review threads (resolved, now outdated) on alias/template.yml, key/aws-kms-key.json (two threads) and key/docs/README.md.
@jtcul jtcul force-pushed the asymmetric-support branch from 6456259 to 832c218 Compare September 28, 2020 20:23
@jtcul jtcul merged commit f49054c into aws-cloudformation:master Oct 16, 2020
Labels: enhancement (New feature or request)

Linked issue that this pull request may close: AWS::KMS::Key asymmetric signing key support

5 participants