generate-data-key-without-plaintext.rs
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
use aws_config::meta::region::RegionProviderChain;
use aws_sdk_kms::model::DataKeySpec;
use aws_sdk_kms::{Client, Error, Region, PKG_VERSION};
use structopt::StructOpt;
// Command-line options for this example; `main` parses them with `Opt::from_args()`.
// The `///` lines on the fields are kept as written because structopt uses field
// doc comments as the `--help` text, so editing them would change program output.
#[derive(Debug, StructOpt)]
struct Opt {
/// The default AWS Region.
// Optional (`-r` / `--region`). When absent, `main` falls back to the default
// region provider chain and finally to "us-west-2".
#[structopt(short, long)]
region: Option<String>,
/// The encryption key.
// Required (`-k` / `--key`). `main` passes this value to `key_id(...)`, so it
// identifies an existing KMS key; it is not key material.
#[structopt(short, long)]
key: String,
/// Whether to display additional information.
// `-v` / `--verbose`: prints the SDK version, the resolved Region and the key identifier.
#[structopt(short, long)]
verbose: bool,
}
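/// Creates an AWS KMS data key and prints only its encrypted form.
///
/// `GenerateDataKeyWithoutPlaintext` returns the new data key encrypted under
/// the KMS key named with `-k`; the plaintext data key is not part of the
/// response. The base64 text printed at the end is therefore ciphertext: store
/// it next to the data it will protect and call KMS `Decrypt` at the point
/// where the key is actually needed.
///
/// # Arguments
///
/// * `-k KEY` - Required. Identifier of the KMS key (key ID, key ARN, alias
///   name or alias ARN) under which the data key is encrypted.
/// * `[-r REGION]` - The Region in which the client is created.
///   If not supplied, the default region provider chain is consulted (for
///   example the **AWS_REGION** environment variable).
///   If that yields nothing, defaults to **us-west-2**.
/// * `[-v]` - Whether to display additional information.
///
/// # Errors
///
/// Returns the SDK error when the `GenerateDataKeyWithoutPlaintext` request fails.
///
/// # Panics
///
/// Panics if the response carries no ciphertext blob.
#[tokio::main]
async fn main() -> Result<(), Error> {
    tracing_subscriber::fmt::init();

    let Opt {
        key,
        region,
        verbose,
    } = Opt::from_args();

    // Region precedence: command-line flag, then the default provider chain,
    // then the fixed "us-west-2" fallback.
    let region_provider = RegionProviderChain::first_try(region.map(Region::new))
        .or_default_provider()
        .or_else(Region::new("us-west-2"));
    let shared_config = aws_config::from_env().region(region_provider).load().await;
    let client = Client::new(&shared_config);

    println!();

    if verbose {
        println!("KMS version: {}", PKG_VERSION);
        println!(
            "Region: {:?}",
            shared_config
                .region()
                .expect("region provider chain ends in a fixed fallback")
        );
        // Only the key identifier is echoed; no key material is handled here.
        println!("KMS key: {}", key);
        println!();
    }

    // AES-256 data key, returned encrypted under the KMS key given by `key`.
    let resp = client
        .generate_data_key_without_plaintext()
        .key_id(key)
        .key_spec(DataKeySpec::Aes256)
        .send()
        .await?;

    // Did we get an encrypted blob?
    let blob = resp.ciphertext_blob.expect("Could not get encrypted text");
    // The annotation pins the `AsRef` target so `encode` receives a plain byte slice.
    let bytes: &[u8] = blob.as_ref();
    let s = base64::encode(bytes);

    println!();
    println!("Data key:");
    // This is the encrypted data key, base64-encoded for display.
    println!("{}", s);

    Ok(())
}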