com.amazonaws.encryptionsdk.kms

Class KmsMasterKeyProvider

java.lang.Object

com.amazonaws.encryptionsdk.MasterKeyProvider<KmsMasterKey>

com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider

All Implemented Interfaces:

KmsMethods

public class KmsMasterKeyProvider
extends MasterKeyProvider<KmsMasterKey>
implements KmsMethods

Provides MasterKeys backed by the AWS Key Management Service. This object is regional and if you want to use keys from multiple regions, you'll need multiple copies of this object.

Constructor Summary

Constructors

Constructor and Description
KmsMasterKeyProvider() Returns an instance of this object with default settings, default credentials, and configured to talk to the Regions.DEFAULT_REGION.
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentials creds) Returns an instance of this object with default settings and configured to talk to the Regions.DEFAULT_REGION.
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds) Returns an instance of this object with default settings and configured to talk to the Regions.DEFAULT_REGION.
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds, com.amazonaws.regions.Region region, com.amazonaws.ClientConfiguration clientConfiguration, List<String> keyIds) Returns an instance of this object with the supplied configuration and credentials.
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds, com.amazonaws.regions.Region region, com.amazonaws.ClientConfiguration clientConfiguration, String keyId) Returns an instance of this object with the supplied configuration and credentials.
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds, String keyId) Returns an instance of this object with default settings configured to speak to the region specified by keyId (if specified).
KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentials creds, String keyId) Returns an instance of this object with default settings configured to speak to the region specified by keyId (if specified).
KmsMasterKeyProvider(com.amazonaws.services.kms.AWSKMS kms, com.amazonaws.regions.Region region, List<String> keyIds) Returns an instance of this object with the supplied client and region; the client will be configured to use the provided region.
KmsMasterKeyProvider(String keyId) Returns an instance of this object with default settings and credentials configured to speak to the region specified by keyId (if specified).

Method Summary

Modifier and Type	Method and Description
void	addGrantToken(String grantToken) Adds grantToken to the list of grantTokens sent to KMS when this class calls it.
DataKey<KmsMasterKey>	decryptDataKey(CryptoAlgorithm algorithm, Collection<? extends EncryptedDataKey> encryptedDataKeys, Map<String,String> encryptionContext) Iterates through encryptedDataKeys and returns the first one which can be successfully decrypted.
String	getDefaultProviderId() Returns "aws-kms"
List<String>	getGrantTokens() Returns the grantTokens which this object sends to KMS when calling it.
KmsMasterKey	getMasterKey(String provider, String keyId) Returns the specified MasterKey if possible.
List<KmsMasterKey>	getMasterKeysForEncryption(MasterKeyRequest request) Returns all CMKs provided to the constructor of this object.
com.amazonaws.regions.Region	getRegion()
void	setCustomEndpoint(String regionName, String endPoint) Configures this provider to use a custom endpoint.
void	setGrantTokens(List<String> grantTokens) Sets the grantTokens which should be submitted to KMS when calling it.
void	setRegion(com.amazonaws.regions.Region region) Set the AWS region of the AWS KMS service for access to the master key.

Methods inherited from class com.amazonaws.encryptionsdk.MasterKeyProvider

buildCannotDecryptDksException, buildCannotDecryptDksException, buildCannotDecryptDksException, canProvide, getMasterKey

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

KmsMasterKeyProvider

public KmsMasterKeyProvider()

Returns an instance of this object with default settings, default credentials, and configured to talk to the Regions.DEFAULT_REGION.

KmsMasterKeyProvider

public KmsMasterKeyProvider(String keyId)

Returns an instance of this object with default settings and credentials configured to speak to the region specified by keyId (if specified). Data will be protected with keyId as appropriate.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentials creds,
                            String keyId)

Returns an instance of this object with default settings configured to speak to the region specified by keyId (if specified). Data will be protected with keyId as appropriate.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds,
                            String keyId)

Returns an instance of this object with default settings configured to speak to the region specified by keyId (if specified). Data will be protected with keyId as appropriate.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentials creds)

Returns an instance of this object with default settings and configured to talk to the Regions.DEFAULT_REGION.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds)

Returns an instance of this object with default settings and configured to talk to the Regions.DEFAULT_REGION.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds,
                            com.amazonaws.regions.Region region,
                            com.amazonaws.ClientConfiguration clientConfiguration,
                            String keyId)

Returns an instance of this object with the supplied configuration and credentials. keyId will be used to protect data.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.auth.AWSCredentialsProvider creds,
                            com.amazonaws.regions.Region region,
                            com.amazonaws.ClientConfiguration clientConfiguration,
                            List<String> keyIds)

Returns an instance of this object with the supplied configuration and credentials. all keys listed in keyIds will be used to protect data.

KmsMasterKeyProvider

public KmsMasterKeyProvider(com.amazonaws.services.kms.AWSKMS kms,
                            com.amazonaws.regions.Region region,
                            List<String> keyIds)

Returns an instance of this object with the supplied client and region; the client will be configured to use the provided region. All keys listed in keyIds will be used to protect data.

Method Detail

getDefaultProviderId

public String getDefaultProviderId()

Returns "aws-kms"

Specified by:

getDefaultProviderId in class MasterKeyProvider<KmsMasterKey>

getMasterKey

public KmsMasterKey getMasterKey(String provider,
                                 String keyId)
                          throws UnsupportedProviderException,
                                 NoSuchMasterKeyException

Description copied from class: MasterKeyProvider

Returns the specified MasterKey if possible.

Specified by:

getMasterKey in class MasterKeyProvider<KmsMasterKey>

Returns:

Throws:

UnsupportedProviderException - if this object cannot return MasterKeys associated with the given provider

NoSuchMasterKeyException - if this object cannot find (and thus construct) the MasterKey associated with keyId

getMasterKeysForEncryption

public List<KmsMasterKey> getMasterKeysForEncryption(MasterKeyRequest request)

Returns all CMKs provided to the constructor of this object.

Specified by:

getMasterKeysForEncryption in class MasterKeyProvider<KmsMasterKey>

decryptDataKey

public DataKey<KmsMasterKey> decryptDataKey(CryptoAlgorithm algorithm,
                                            Collection<? extends EncryptedDataKey> encryptedDataKeys,
                                            Map<String,String> encryptionContext)
                                     throws UnsupportedProviderException,
                                            AwsCryptoException

Description copied from class: MasterKeyProvider

Iterates through encryptedDataKeys and returns the first one which can be successfully decrypted.

Specified by:

decryptDataKey in class MasterKeyProvider<KmsMasterKey>

Returns:

a DataKey if one can be decrypted, otherwise returns null

Throws:

UnsupportedProviderException - if the encryptedDataKey is associated with an unsupported provider

CannotUnwrapDataKeyException - if the encryptedDataKey cannot be decrypted

AwsCryptoException

setGrantTokens

public void setGrantTokens(List<String> grantTokens)

Description copied from interface: KmsMethods

Sets the grantTokens which should be submitted to KMS when calling it.

Specified by:

setGrantTokens in interface KmsMethods

getGrantTokens

public List<String> getGrantTokens()

Description copied from interface: KmsMethods

Returns the grantTokens which this object sends to KMS when calling it.

Specified by:

getGrantTokens in interface KmsMethods

addGrantToken

public void addGrantToken(String grantToken)

Description copied from interface: KmsMethods

Adds grantToken to the list of grantTokens sent to KMS when this class calls it.

Specified by:

addGrantToken in interface KmsMethods

setCustomEndpoint

public void setCustomEndpoint(String regionName,
                              String endPoint)

Configures this provider to use a custom endpoint. Sets the underlying Region object to null, and instructs the internal KMS client to use the specified endPoint and regionName.

setRegion

public void setRegion(com.amazonaws.regions.Region region)

Set the AWS region of the AWS KMS service for access to the master key. This method simply calls the same method of the underlying AWSKMSClient

Parameters:

region - string containing the region.

getRegion

public com.amazonaws.regions.Region getRegion()