/*
* Unless explicitly stated otherwise all files in this repository are licensed
* under the Apache License Version 2.0.
*
* This product includes software developed at Datadog (https://www.datadoghq.com/).
* Copyright 2019 Datadog, Inc.
*/
package metrics
import (
"encoding/base64"
"fmt"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
)
type (
	// Decrypter attempts to decrypt a key.
	//
	// Decrypt receives the ciphertext as a string and returns the plaintext
	// as a string, or an error when the value cannot be decoded or decrypted.
	// The KMS implementation in this file expects the string to be base64.
	Decrypter interface {
		Decrypt(cipherText string) (string, error)
	}

	// kmsDecrypter is the AWS KMS-backed Decrypter built by MakeKMSDecrypter.
	kmsDecrypter struct {
		// kmsClient is the SDK client every Decrypt call is sent through.
		kmsClient *kms.KMS
	}
)
// MakeKMSDecrypter creates a new decrypter which uses the AWS KMS service to decrypt variables.
//
// The session is created with a nil config, so region and credentials come
// from the SDK's default resolution (presumably the Lambda execution role's
// environment — verify against the deployment). NOTE(review): session.New is
// the deprecated constructor; with it, configuration problems are not reported
// here but surface as an error on the first Decrypt call. The Decrypter
// interface has no error return, so that behaviour is kept as is.
func MakeKMSDecrypter() Decrypter {
	sess := session.New(nil)
	client := kms.New(sess)
	return &kmsDecrypter{kmsClient: client}
}
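// Decrypt base64-decodes cipherText and asks AWS KMS to decrypt the resulting
// blob, returning the plaintext as a string.
//
// The KMS request carries only the ciphertext: no KeyId and no
// EncryptionContext are set. NOTE(review): as far as the KMS API goes that
// means the key is selected from the ciphertext itself and any ciphertext the
// caller's credentials are allowed to decrypt will be accepted, so a
// successful decrypt does not by itself prove the value was encrypted for this
// function. Confirm whether an encryption context (and a scoped kms:Decrypt
// policy) should be used for that binding.
//
// Errors: a non-base64 cipherText or a failed KMS call is returned with
// context; the plaintext is "" in that case.
func (kd *kmsDecrypter) Decrypt(cipherText string) (string, error) {
	decodedBytes, err := base64.StdEncoding.DecodeString(cipherText)
	if err != nil {
		// This step decodes the input; the message used to say "encode",
		// which pointed readers at the wrong operation.
		return "", fmt.Errorf("Failed to decode cipher text from base64: %v", err)
	}
	params := &kms.DecryptInput{
		CiphertextBlob: decodedBytes,
	}
	response, err := kd.kmsClient.Decrypt(params)
	if err != nil {
		return "", fmt.Errorf("Failed to decrypt ciphertext with kms: %v", err)
	}
	// Plaintext is a byte slice; the conversion copies it into a string.
	return string(response.Plaintext), nil
}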