main/create_keystore_key.rs
1// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
2// SPDX-License-Identifier: Apache-2.0
3
4use crate::test_utils;
5use aws_db_esdk::key_store::client as keystore_client;
6use aws_db_esdk::key_store::types::key_store_config::KeyStoreConfig;
7use aws_db_esdk::key_store::types::KmsConfiguration;
8
9/*
10 The Hierarchical Keyring Example and Searchable Encryption Examples
11 rely on the existence of a DDB-backed key store with pre-existing
12 branch key material or beacon key material.
13
14 See the "Create KeyStore Table Example" for how to first set up
15 the DDB Table that will back this KeyStore.
16
17 This example demonstrates configuring a KeyStore and then
18 using a helper method to create a branch key and beacon key
19 that share the same Id, then return that Id.
20 We will always create a new beacon key alongside a new branch key,
21 even if you are not using searchable encryption.
22
23 This key creation should occur within your control plane.
24*/
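/// Creates a new branch key and its companion beacon key in the DDB-backed
/// key store and returns the identifier they share.
///
/// The key store is configured from the `test_utils` constants and the
/// default AWS SDK credential/region chain; `create_key` is issued against
/// the KMS key named by `TEST_KEYSTORE_KMS_KEY_ID`. This is a control-plane
/// operation: the caller's credentials must be allowed to use that KMS key
/// and write to the key store table.
///
/// # Errors
///
/// Returns an error if the key store configuration or client cannot be
/// built, if the `create_key` call fails, or if the response carries no
/// branch key identifier.
pub async fn keystore_create_key() -> Result<String, crate::BoxError> {
    let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
    let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
    let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;

    // 1. Configure your KeyStore resource.
    //    This SHOULD be the same configuration that was used to create the DDB table
    //    in the "Create KeyStore Table Example".
    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
    let key_store_config = KeyStoreConfig::builder()
        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
        .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
        .ddb_table_name(key_store_table_name)
        .logical_key_store_name(logical_key_store_name)
        .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
        .build()?;

    let keystore = keystore_client::Client::from_conf(key_store_config)?;

    // 2. Create a new branch key and beacon key in our KeyStore.
    //    Both the branch key and the beacon key will share an Id.
    //    This creation is eventually consistent.
    let new_key = keystore.create_key().send().await?;

    // A response without an identifier is a failure of the remote call, not
    // an invariant this code controls, so surface it as an error instead of
    // panicking. Assumes `crate::BoxError` converts from `&str` via `From`,
    // as `Box<dyn std::error::Error>` does — confirm against its definition.
    let branch_key_id = new_key
        .branch_key_identifier
        .ok_or("CreateKey response did not include a branch key identifier")?;
    Ok(branch_key_id)
}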