AWS SDK for Rust code examples for AWS KMS

Purpose

These examples demonstrate how to perform several AWS Key Management Service (AWS KMS) operations using the developer preview version of the AWS SDK for Rust.

AWS KMS is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

Code examples

⚠ Important

  • We recommend that you grant this code least privilege, or at most the minimum permissions required to perform the task. For more information, see Grant Least Privilege in the AWS Identity and Access Management User Guide.
  • This code has not been tested in all AWS Regions. Some AWS services are available only in specific Regions.
  • Running this code might result in charges to your AWS account.

Running the code examples

Prerequisites

You must have an AWS account, and have configured your default credentials and AWS Region as described in https://github.com/awslabs/aws-sdk-rust.

create-key

This example creates an AWS KMS key.

cargo run --bin create-key -- [-r REGION] [-v]

  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

decrypt

This example decrypts a string encrypted by an AWS KMS key.

cargo run --bin decrypt -- -k KEY -i INPUT-FILE [-r REGION] [-v]

  • KEY is the identifier (key ID, key ARN, or alias) of the AWS KMS key that encrypted the text.
  • INPUT-FILE is the name of the file containing the ciphertext produced by the encrypt example.
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

encrypt

This example encrypts a string using an AWS KMS key. The KMS Encrypt operation accepts at most 4,096 bytes of plaintext; to protect larger data, generate a data key (see generate-data-key) and encrypt locally with it.

cargo run --bin encrypt -- -k KEY -t TEXT -o OUT-FILE [-r REGION] [-v]

  • KEY is the identifier (key ID, key ARN, or alias) of the AWS KMS key to encrypt with.
  • TEXT is the string to encrypt by the key.
  • OUT-FILE is the file in which the encrypted text is saved.
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

generate-data-key

This example creates a data key for client-side (envelope) encryption. AWS KMS generates the data key and returns it twice: in plaintext, for encrypting data locally, and encrypted under the AWS KMS key you name, for storing alongside the ciphertext.

cargo run --bin generate-data-key -- -k KEY [-r REGION] [-v]

  • KEY is the identifier (key ID, key ARN, or alias) of the AWS KMS key that protects the data key.
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

generate-data-key-without-plaintext

This example creates a data key for client-side encryption but returns only the encrypted copy of the data key, never its plaintext. Use it when the component that creates and stores data keys must not be able to read the data; a component that later needs the plaintext key passes the encrypted copy to Decrypt.

cargo run --bin generate-data-key-without-plaintext -- -k KEY [-r REGION] [-v]

  • KEY is the identifier (key ID, key ARN, or alias) of the AWS KMS key that protects the data key.
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

generate-random

This example creates a random byte string that is cryptographically secure.

cargo run --bin generate-random -- -l LENGTH [-r REGION] [-v]

  • LENGTH is the number of bytes; the example requires a value less than 1024. (The KMS GenerateRandom API itself accepts 1 to 1024 bytes per call.)
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

kms-helloworld

This example requests 64 cryptographically secure random bytes from AWS KMS in us-east-1.

cargo run --bin kms-helloworld

list-keys

This example lists your AWS KMS keys in the Region.

cargo run --bin list-keys -- [-r REGION] [-v]

  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

reencrypt-data

This example re-encrypts a text string that was encrypted under one AWS KMS key so that it is encrypted under another AWS KMS key. The ReEncrypt operation runs entirely inside AWS KMS, so the plaintext never leaves the service; it is the server-side way to move a ciphertext to a new key, for example during key rotation.

cargo run --bin reencrypt-data -- -f FIRST-KEY -n NEW-KEY -i INPUT-FILE -o OUT-FILE [-r REGION] [-v]

  • FIRST-KEY is the identifier (key ID, key ARN, or alias) of the AWS KMS key that originally encrypted the text.
  • NEW-KEY is the identifier of the AWS KMS key to re-encrypt the text under.
  • INPUT-FILE is the file containing the original encrypted text.
  • OUT-FILE is the file in which the re-encrypted text is saved.
  • REGION is the Region in which the client is created. If not supplied, uses the value of the AWS_REGION environment variable. If the environment variable is not set, defaults to us-west-2.
  • -v displays additional information.

Resources

Contributing

To propose a new code example to the AWS documentation team, see CONTRIBUTING.md. The team prefers to create code examples that show broad scenarios rather than individual API calls.

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0