AWS KMS 用SDK于 Java 2.x 的示例 - AWS SDK for Java 2.x

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS KMS 用SDK于 Java 2.x 的示例

以下代码示例向您展示了如何使用with来执行操作和实现常见场景 AWS KMS。 AWS SDK for Java 2.x

基础知识是向您展示如何在服务中执行基本操作的代码示例。

操作是大型程序的代码摘录,必须在上下文中运行。您可以通过操作了解如何调用单个服务函数,还可以通过函数相关场景的上下文查看操作。

每个示例都包含一个指向完整源代码的链接,您可以在其中找到有关如何在上下文中设置和运行代码的说明。

开始使用

以下代码示例展示了如何开始使用 AWS Key Management Service。

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

import software.amazon.awssdk.services.kms.KmsAsyncClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher; import java.util.concurrent.CompletableFuture; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { listAllKeys(); } public static void listAllKeys() { KmsAsyncClient kmsAsyncClient = KmsAsyncClient.builder() .build(); ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); /* * The `subscribe` method is required when using paginator methods in the AWS SDK * because paginator methods return an instance of a `ListKeysPublisher`, which is * based on a reactive stream. This allows asynchronous retrieval of paginated * results as they become available. By subscribing to the stream, we can process * each page of results as they are emitted. */ ListKeysPublisher keysPublisher = kmsAsyncClient.listKeysPaginator(listKeysRequest); CompletableFuture<Void> future = keysPublisher .subscribe(r -> r.keys().forEach(key -> System.out.println("The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()))) .whenComplete((result, exception) -> { if (exception != null) { System.err.println("Error occurred: " + exception.getMessage()); } else { System.out.println("Successfully listed all keys."); } }); try { future.join(); } catch (Exception e) { System.err.println("Failed to list keys: " + e.getMessage()); } } }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ListKeys” 中的。

基础知识

以下代码示例展示了如何:

  • 创建密KMS钥。

  • 列出您账户的KMS密钥并获取有关密钥的详细信息。

  • 启用和禁用KMS密钥。

  • 生成可用于客户端加密的对称数据密钥。

  • 生成用于对数据进行数字签名的非对称密钥。

  • 标签键。

  • 删除KMS密钥。

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

在命令提示符中运行场景。

import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.regions.Region; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import software.amazon.awssdk.services.kms.model.AlreadyExistsException; import software.amazon.awssdk.services.kms.model.DisabledException; import software.amazon.awssdk.services.kms.model.EnableKeyRotationResponse; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.model.NotFoundException; import software.amazon.awssdk.services.kms.model.RevokeGrantResponse; import java.util.List; import java.util.Scanner; import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletionException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class KMSScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); private static String accountId = ""; private static final Logger logger = LoggerFactory.getLogger(KMSScenario.class); static KMSActions kmsActions = new KMSActions(); static Scanner scanner = new Scanner(System.in); static String aliasName = "alias/dev-encryption-key"; public static void main(String[] args) { final String usage = """ Usage: <granteePrincipal> Where: granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given. """; if (args.length != 1) { logger.info(usage); return; } String granteePrincipal = args[0]; String policyName = "default"; accountId = kmsActions.getAccountId(); String keyDesc = "Created by the AWS KMS API"; logger.info(DASHES); logger.info(""" Welcome to the AWS Key Management SDK Basics scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Basics scenario creates two key types: - A symmetric encryption key is used to encrypt and decrypt data. - An asymmetric key used to digitally sign data. Let's get started... """); waitForInputToContinue(scanner); try { // Run the methods that belong to this scenario. String targetKeyId = runScenario(granteePrincipal, keyDesc, policyName); requestDeleteResources(aliasName, targetKeyId); } catch (Throwable rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } private static String runScenario(String granteePrincipal, String keyDesc, String policyName) throws Throwable { logger.info(DASHES); logger.info("1. Create a symmetric KMS key\n"); logger.info("First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."); waitForInputToContinue(scanner); String targetKeyId; try { CompletableFuture<String> futureKeyId = kmsActions.createKeyAsync(keyDesc); targetKeyId = futureKeyId.join(); logger.info("A symmetric key was successfully created " + targetKeyId); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(""" 2. Enable a KMS key By default, when the SDK creates an AWS key, it is enabled. The next bit of code checks to determine if the key is enabled. """); waitForInputToContinue(scanner); boolean isEnabled; try { CompletableFuture<Boolean> futureIsKeyEnabled = kmsActions.isKeyEnabledAsync(targetKeyId); isEnabled = futureIsKeyEnabled.join(); logger.info("Is the key enabled? {}", isEnabled); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } if (!isEnabled) try { CompletableFuture<Void> future = kmsActions.enableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("3. Encrypt data using the symmetric KMS key"); String plaintext = "Hello, AWS KMS!"; logger.info(""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string {} with the SYMMETRIC_DEFAULT encryption algorithm. """, plaintext); waitForInputToContinue(scanner); SdkBytes encryptedData; try { CompletableFuture<SdkBytes> future = kmsActions.encryptDataAsync(targetKeyId, plaintext); encryptedData = future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof DisabledException kmsDisabledEx) { logger.info("KMS error occurred due to a disabled key: Error message: {}, Error code {}", kmsDisabledEx.getMessage(), kmsDisabledEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("4. Create an alias"); logger.info(""" The alias name should be prefixed with 'alias/'. The default, 'alias/dev-encryption-key'. """); waitForInputToContinue(scanner); try { CompletableFuture<Void> future = kmsActions.createCustomAliasAsync(targetKeyId, aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof AlreadyExistsException kmsExistsEx) { if (kmsExistsEx.getMessage().contains("already exists")) { logger.info("The alias '" + aliasName + "' already exists. Moving on..."); } } else { logger.error("An unexpected error occurred: " + rt.getMessage(), rt); deleteKey(targetKeyId); throw cause; } } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("5. List all of your aliases"); waitForInputToContinue(scanner); try { CompletableFuture<Object> future = kmsActions.listAllAliasesAsync(); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("6. Enable automatic rotation of the KMS key"); logger.info(""" By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """); waitForInputToContinue(scanner); try { CompletableFuture<EnableKeyRotationResponse> future = kmsActions.enableKeyRotationAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(""" 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """); waitForInputToContinue(scanner); String grantId = null; try { CompletableFuture<String> futureGrantId = kmsActions.grantKeyAsync(targetKeyId, granteePrincipal); grantId = futureGrantId.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(DASHES); logger.info("8. List grants for the KMS key"); waitForInputToContinue(scanner); try { CompletableFuture<Object> future = kmsActions.displayGrantIdsAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("9. Revoke the grant"); logger.info(""" The revocation of a grant immediately removes the permissions and access that the grant had provided. This means that any principal (user, role, or service) that was granted access to perform specific KMS operations on a KMS key will no longer be able to perform those operations. """); waitForInputToContinue(scanner); try { CompletableFuture<RevokeGrantResponse> future = kmsActions.revokeKeyGrantAsync(targetKeyId, grantId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); throw cause; } } else { logger.info("An unexpected error occurred: " + rt.getMessage()); deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("10. Decrypt the data\n"); logger.info(""" Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """); waitForInputToContinue(scanner); String decryptedData = ""; try { CompletableFuture<String> future = kmsActions.decryptDataAsync(encryptedData, targetKeyId); decryptedData = future.join(); logger.info("Decrypted data: " + decryptedData); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } logger.info("Decrypted text is: " + decryptedData); waitForInputToContinue(scanner); logger.info(DASHES); logger.info("11. Replace a key policy\n"); logger.info(""" A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] """); waitForInputToContinue(scanner); try { CompletableFuture<Boolean> future = kmsActions.replacePolicyAsync(targetKeyId, policyName, accountId); boolean success = future.join(); if (success) { logger.info("Key policy replacement succeeded."); } else { logger.error("Key policy replacement failed."); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("12. Get the key policy\n"); logger.info("The next bit of code that runs gets the key policy to make sure it exists."); waitForInputToContinue(scanner); try { CompletableFuture<String> future = kmsActions.getKeyPolicyAsync(targetKeyId, policyName); String policy = future.join(); if (!policy.isEmpty()) { logger.info("Retrieved policy: " + policy); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("13. Create an asymmetric KMS key and sign your data\n"); logger.info(""" Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """); waitForInputToContinue(scanner); try { CompletableFuture<Boolean> future = kmsActions.signVerifyDataAsync(); boolean success = future.join(); if (success) { logger.info("Sign and verify data operation succeeded."); } else { logger.error("Sign and verify data operation failed."); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("14. Tag your symmetric KMS Key\n"); logger.info(""" By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """); waitForInputToContinue(scanner); try { CompletableFuture<Void> future = kmsActions.tagKMSKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); return targetKeyId; } // Deletes KMS resources with user input. private static void requestDeleteResources(String aliasName, String targetKeyId) { logger.info(DASHES); logger.info("15. Schedule the deletion of the KMS key\n"); logger.info(""" By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. """); logger.info("Would you like to delete the Key Management resources? (y/n)"); String delAns = scanner.nextLine().trim(); if (delAns.equalsIgnoreCase("y")) { logger.info("You selected to delete the AWS KMS resources."); waitForInputToContinue(scanner); try { CompletableFuture<Void> future = kmsActions.deleteSpecificAliasAsync(aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } waitForInputToContinue(scanner); try { CompletableFuture<Void> future = kmsActions.disableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } try { CompletableFuture<Void> future = kmsActions.deleteKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } else { logger.info("The Key Management resources will not be deleted"); } logger.info(DASHES); logger.info("This concludes the AWS Key Management SDK scenario"); logger.info(DASHES); } // This method is invoked from Exceptions to clean up the resources. private static void deleteKey(String targetKeyId) { try { CompletableFuture<Void> future = kmsActions.disableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } try { CompletableFuture<Void> future = kmsActions.deleteKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } // This method is invoked from Exceptions to clean up the resources. private static void deleteAliasName(String aliasName) { try { CompletableFuture<Void> future = kmsActions.deleteSpecificAliasAsync(aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } private static void waitForInputToContinue(Scanner scanner) { while (true) { logger.info(""); logger.info("Enter 'c' followed by <ENTER> to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { logger.info("Continuing with the program..."); logger.info(""); break; } else { // Handle invalid input. logger.info("Invalid input. Please try again."); } } } }

定义一个封装KMS动作的类。

public class KMSActions { private static final Logger logger = LoggerFactory.getLogger(KMSActions.class); private static KmsAsyncClient kmsAsyncClient; /** * Retrieves an asynchronous AWS Key Management Service (KMS) client. * <p> * This method creates and returns a singleton instance of the KMS async client, with the following configurations: * <ul> * <li>Max concurrency: 100</li> * <li>Connection timeout: 60 seconds</li> * <li>Read timeout: 60 seconds</li> * <li>Write timeout: 60 seconds</li> * <li>API call timeout: 2 minutes</li> * <li>API call attempt timeout: 90 seconds</li> * <li>Retry policy: up to 3 retries</li> * <li>Credentials provider: environment variable credentials provider</li> * </ul> * <p> * If the client instance has already been created, it is returned instead of creating a new one. * * @return the KMS async client instance */ private static KmsAsyncClient getAsyncClient() { if (kmsAsyncClient == null) { SdkAsyncHttpClient httpClient = NettyNioAsyncHttpClient.builder() .maxConcurrency(100) .connectionTimeout(Duration.ofSeconds(60)) .readTimeout(Duration.ofSeconds(60)) .writeTimeout(Duration.ofSeconds(60)) .build(); ClientOverrideConfiguration overrideConfig = ClientOverrideConfiguration.builder() .apiCallTimeout(Duration.ofMinutes(2)) .apiCallAttemptTimeout(Duration.ofSeconds(90)) .retryPolicy(RetryPolicy.builder() .numRetries(3) .build()) .build(); kmsAsyncClient = KmsAsyncClient.builder() .httpClient(httpClient) .overrideConfiguration(overrideConfig) .credentialsProvider(EnvironmentVariableCredentialsProvider.create()) .build(); } return kmsAsyncClient; } /** * Creates a new symmetric encryption key asynchronously. * * @param keyDesc the description of the key to be created * @return a {@link CompletableFuture} that completes with the ID of the newly created key * @throws RuntimeException if an error occurs while creating the key */ public CompletableFuture<String> createKeyAsync(String keyDesc) { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .keySpec(KeySpec.SYMMETRIC_DEFAULT) .keyUsage(KeyUsageType.ENCRYPT_DECRYPT) .build(); return getAsyncClient().createKey(keyRequest) .thenApply(resp -> resp.keyMetadata().keyId()) .exceptionally(ex -> { throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex); }); } /** * Asynchronously checks if a specified key is enabled. * * @param keyId the ID of the key to check * @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not * * @throws RuntimeException if an exception occurs while checking the key state */ public CompletableFuture<Boolean> isKeyEnabledAsync(String keyId) { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture<DescribeKeyResponse> responseFuture = getAsyncClient().describeKey(keyRequest); return responseFuture.whenComplete((resp, ex) -> { if (resp != null) { KeyState keyState = resp.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { logger.info("The key is enabled."); } else { logger.info("The key is not enabled. Key state: {}", keyState); } } else { throw new RuntimeException(ex); } }).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED); } /** * Asynchronously enables the specified key. * * @param keyId the ID of the key to enable * @return a {@link CompletableFuture} that completes when the key has been enabled */ public CompletableFuture<Void> enableKeyAsync(String keyId) { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture<EnableKeyResponse> responseFuture = getAsyncClient().enableKey(enableKeyRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key with ID [{}] has been enabled.", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } /** * Encrypts the given text asynchronously using the specified KMS client and key ID. * * @param keyId the ID of the KMS key to use for encryption * @param text the text to encrypt * @return a CompletableFuture that completes with the encrypted data as an SdkBytes object */ public CompletableFuture<SdkBytes> encryptDataAsync(String keyId, String text) { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); CompletableFuture<EncryptResponse> responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture(); return responseFuture.whenComplete((response, ex) -> { if (response != null) { String algorithm = response.encryptionAlgorithm().toString(); logger.info("The string was encrypted with algorithm {}.", algorithm); } else { throw new RuntimeException(ex); } }).thenApply(EncryptResponse::ciphertextBlob); } /** * Creates a custom alias for the specified target key asynchronously. * * @param targetKeyId the ID of the target key for the alias * @param aliasName the name of the alias to create * @return a {@link CompletableFuture} that completes when the alias creation operation is finished */ public CompletableFuture<Void> createCustomAliasAsync(String targetKeyId, String aliasName) { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); CompletableFuture<CreateAliasResponse> responseFuture = getAsyncClient().createAlias(aliasRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("{} was successfully created.", aliasName); } else { if (exception instanceof ResourceExistsException) { logger.info("Alias [{}] already exists. Moving on...", aliasName); } else if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } /** * Asynchronously lists all the aliases in the current AWS account. * * @return a {@link CompletableFuture} that completes when the list of aliases has been processed */ public CompletableFuture<Object> listAllAliasesAsync() { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest); return paginator.subscribe(response -> { response.aliases().forEach(alias -> logger.info("The alias name is: " + alias.aliasName()) ); }) .thenApply(v -> null) .exceptionally(ex -> { if (ex.getCause() instanceof KmsException) { KmsException e = (KmsException) ex.getCause(); throw new RuntimeException("A KMS exception occurred: " + e.getMessage()); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage()); } }); } /** * Enables key rotation asynchronously for the specified key ID. * * @param keyId the ID of the key for which to enable key rotation * @return a CompletableFuture that represents the asynchronous operation of enabling key rotation * @throws RuntimeException if there was an error enabling key rotation, either due to a KMS exception or an unexpected error */ public CompletableFuture<EnableKeyRotationResponse> enableKeyRotationAsync(String keyId) { EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder() .keyId(keyId) .build(); CompletableFuture<EnableKeyRotationResponse> responseFuture = getAsyncClient().enableKeyRotation(enableKeyRotationRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key rotation has been enabled for key with id [{}]", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("Failed to enable key rotation: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; } /** * Grants permissions to a specified principal on a customer master key (CMK) asynchronously. * * @param keyId The unique identifier for the customer master key (CMK) that the grant applies to. * @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK. * @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant. * @throws RuntimeException If an error occurs during the grant creation process. */ public CompletableFuture<String> grantKeyAsync(String keyId, String granteePrincipal) { List<GrantOperation> grantPermissions = List.of( GrantOperation.ENCRYPT, GrantOperation.DECRYPT, GrantOperation.DESCRIBE_KEY ); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CompletableFuture<CreateGrantResponse> responseFuture = getAsyncClient().createGrant(grantRequest); responseFuture.whenComplete((response, ex) -> { if (ex == null) { logger.info("Grant created successfully with ID: " + response.grantId()); } else { if (ex instanceof KmsException kmsEx) { throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex); } } }); return responseFuture.thenApply(CreateGrantResponse::grantId); } /** * Asynchronously displays the grant IDs for the specified key ID. * * @param keyId the ID of the AWS KMS key for which to list the grants * @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed * @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error */ public CompletableFuture<Object> displayGrantIdsAsync(String keyId) { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest); return paginator.subscribe(response -> { response.grants().forEach(grant -> { logger.info("The grant Id is: " + grant.grantId()); }); }) .thenApply(v -> null) .exceptionally(ex -> { Throwable cause = ex.getCause(); if (cause instanceof KmsException) { throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause); } else { throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause); } }); } /** * Revokes a grant for the specified AWS KMS key asynchronously. * * @param keyId The ID or key ARN of the AWS KMS key. * @param grantId The identifier of the grant to be revoked. * @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant. * The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object * if the operation is successful, or with a {@code null} value if an error occurs. */ public CompletableFuture<RevokeGrantResponse> revokeKeyGrantAsync(String keyId, String grantId) { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); CompletableFuture<RevokeGrantResponse> responseFuture = getAsyncClient().revokeGrant(grantRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Grant ID: [" + grantId + "] was successfully revoked!"); } else { if (exception instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx); } } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; } /** * Asynchronously decrypts the given encrypted data using the specified key ID. * * @param encryptedData The encrypted data to be decrypted. * @param keyId The ID of the key to be used for decryption. * @return A CompletableFuture that, when completed, will contain the decrypted data as a String. * If an error occurs during the decryption process, the CompletableFuture will complete * exceptionally with the error, and the method will return an empty String. */ public CompletableFuture<String> decryptDataAsync(SdkBytes encryptedData, String keyId) { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); CompletableFuture<DecryptResponse> responseFuture = getAsyncClient().decrypt(decryptRequest); responseFuture.whenComplete((decryptResponse, exception) -> { if (exception == null) { logger.info("Data decrypted successfully for key ID: " + keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8)); } /** * Asynchronously replaces the policy for the specified KMS key. * * @param keyId the ID of the KMS key to replace the policy for * @param policyName the name of the policy to be replaced * @param accountId the AWS account ID to be used in the policy * @return a {@link CompletableFuture} that completes with a boolean indicating * whether the policy replacement was successful or not */ public CompletableFuture<Boolean> replacePolicyAsync(String keyId, String policyName, String accountId) { String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*" }] } """.formatted(accountId); PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .policy(policy) .build(); // First, get the current policy to check if it exists return getAsyncClient().getKeyPolicy(r -> r.keyId(keyId).policyName(policyName)) .thenCompose(response -> { logger.info("Current policy exists. Replacing it..."); return getAsyncClient().putKeyPolicy(keyPolicyRequest); }) .thenApply(putPolicyResponse -> { logger.info("The key policy has been replaced."); return true; }) .exceptionally(throwable -> { if (throwable.getCause() instanceof LimitExceededException) { logger.error("Cannot replace policy, as only one policy is allowed per key."); return false; } throw new RuntimeException("Error replacing policy", throwable); }); } /** * Asynchronously retrieves the key policy for the specified key ID and policy name. * * @param keyId the ID of the AWS KMS key for which to retrieve the policy * @param policyName the name of the key policy to retrieve * @return a {@link CompletableFuture} that, when completed, contains the key policy as a {@link String} */ public CompletableFuture<String> getKeyPolicyAsync(String keyId, String policyName) { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); return getAsyncClient().getKeyPolicy(policyRequest) .thenApply(response -> { String policy = response.policy(); logger.info("The response is: " + policy); return policy; }) .exceptionally(ex -> { throw new RuntimeException("Failed to get key policy", ex); }); } /** * Asynchronously signs and verifies data using AWS KMS. * * <p>The method performs the following steps: * <ol> * <li>Creates an AWS KMS key with the specified key spec, key usage, and origin.</li> * <li>Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * <li>Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * </ol> * * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture<Boolean> signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); } /** * Asynchronously tags a KMS key with a specific tag. * * @param keyId the ID of the KMS key to be tagged * @return a {@link CompletableFuture} that completes when the tagging operation is finished */ public CompletableFuture<Void> tagKMSKeyAsync(String keyId) { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); return getAsyncClient().tagResource(tagResourceRequest) .thenRun(() -> { logger.info("{} key was tagged", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to tag the KMS key", throwable); }); } /** * Deletes a specific KMS alias asynchronously. * * @param aliasName the name of the alias to be deleted * @return a {@link CompletableFuture} representing the asynchronous operation of deleting the specified alias */ public CompletableFuture<Void> deleteSpecificAliasAsync(String aliasName) { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); return getAsyncClient().deleteAlias(deleteAliasRequest) .thenRun(() -> { logger.info("Alias {} has been deleted successfully", aliasName); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to delete alias: " + aliasName, throwable); }); } /** * Asynchronously disables the specified AWS Key Management Service (KMS) key. * * @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled * @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully */ public CompletableFuture<Void> disableKeyAsync(String keyId) { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); return getAsyncClient().disableKey(keyRequest) .thenRun(() -> { logger.info("Key {} has been disabled successfully",keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to disable key: " + keyId, throwable); }); } /** * Deletes a KMS key asynchronously. * * <p><strong>Warning:</strong> Deleting a KMS key is a destructive and potentially dangerous operation. * When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable. * This means that any files, databases, or other data that were encrypted using the deleted KMS key * will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.</p> * * @param keyId the ID of the KMS key to delete * @return a {@link CompletableFuture} that completes when the key deletion is scheduled */ public CompletableFuture<Void> deleteKeyAsync(String keyId) { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); return getAsyncClient().scheduleKeyDeletion(deletionRequest) .thenRun(() -> { logger.info("Key {} will be deleted in 7 days", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable); }); } public String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } }

操作

以下代码示例演示如何使用 CreateAlias

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Creates a custom alias for the specified target key asynchronously. * * @param targetKeyId the ID of the target key for the alias * @param aliasName the name of the alias to create * @return a {@link CompletableFuture} that completes when the alias creation operation is finished */ public CompletableFuture<Void> createCustomAliasAsync(String targetKeyId, String aliasName) { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); CompletableFuture<CreateAliasResponse> responseFuture = getAsyncClient().createAlias(aliasRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("{} was successfully created.", aliasName); } else { if (exception instanceof ResourceExistsException) { logger.info("Alias [{}] already exists. Moving on...", aliasName); } else if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 CreateAlias” 中的。

以下代码示例演示如何使用 CreateGrant

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Grants permissions to a specified principal on a customer master key (CMK) asynchronously. * * @param keyId The unique identifier for the customer master key (CMK) that the grant applies to. * @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK. * @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant. * @throws RuntimeException If an error occurs during the grant creation process. */ public CompletableFuture<String> grantKeyAsync(String keyId, String granteePrincipal) { List<GrantOperation> grantPermissions = List.of( GrantOperation.ENCRYPT, GrantOperation.DECRYPT, GrantOperation.DESCRIBE_KEY ); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CompletableFuture<CreateGrantResponse> responseFuture = getAsyncClient().createGrant(grantRequest); responseFuture.whenComplete((response, ex) -> { if (ex == null) { logger.info("Grant created successfully with ID: " + response.grantId()); } else { if (ex instanceof KmsException kmsEx) { throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex); } } }); return responseFuture.thenApply(CreateGrantResponse::grantId); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 CreateGrant” 中的。

以下代码示例演示如何使用 CreateKey

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Creates a new symmetric encryption key asynchronously. * * @param keyDesc the description of the key to be created * @return a {@link CompletableFuture} that completes with the ID of the newly created key * @throws RuntimeException if an error occurs while creating the key */ public CompletableFuture<String> createKeyAsync(String keyDesc) { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .keySpec(KeySpec.SYMMETRIC_DEFAULT) .keyUsage(KeyUsageType.ENCRYPT_DECRYPT) .build(); return getAsyncClient().createKey(keyRequest) .thenApply(resp -> resp.keyMetadata().keyId()) .exceptionally(ex -> { throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 CreateKey” 中的。

以下代码示例演示如何使用 Decrypt

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously decrypts the given encrypted data using the specified key ID. * * @param encryptedData The encrypted data to be decrypted. * @param keyId The ID of the key to be used for decryption. * @return A CompletableFuture that, when completed, will contain the decrypted data as a String. * If an error occurs during the decryption process, the CompletableFuture will complete * exceptionally with the error, and the method will return an empty String. */ public CompletableFuture<String> decryptDataAsync(SdkBytes encryptedData, String keyId) { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); CompletableFuture<DecryptResponse> responseFuture = getAsyncClient().decrypt(decryptRequest); responseFuture.whenComplete((decryptResponse, exception) -> { if (exception == null) { logger.info("Data decrypted successfully for key ID: " + keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8)); }
  • 有关API详细信息,请参阅《参考资料》中的 “解密”。AWS SDK for Java 2.x API

以下代码示例演示如何使用 DeleteAlias

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Deletes a specific KMS alias asynchronously. * * @param aliasName the name of the alias to be deleted * @return a {@link CompletableFuture} representing the asynchronous operation of deleting the specified alias */ public CompletableFuture<Void> deleteSpecificAliasAsync(String aliasName) { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); return getAsyncClient().deleteAlias(deleteAliasRequest) .thenRun(() -> { logger.info("Alias {} has been deleted successfully", aliasName); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to delete alias: " + aliasName, throwable); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 DeleteAlias” 中的。

以下代码示例演示如何使用 DescribeKey

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously checks if a specified key is enabled. * * @param keyId the ID of the key to check * @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not * * @throws RuntimeException if an exception occurs while checking the key state */ public CompletableFuture<Boolean> isKeyEnabledAsync(String keyId) { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture<DescribeKeyResponse> responseFuture = getAsyncClient().describeKey(keyRequest); return responseFuture.whenComplete((resp, ex) -> { if (resp != null) { KeyState keyState = resp.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { logger.info("The key is enabled."); } else { logger.info("The key is not enabled. Key state: {}", keyState); } } else { throw new RuntimeException(ex); } }).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 DescribeKey” 中的。

以下代码示例演示如何使用 DisableKey

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously disables the specified AWS Key Management Service (KMS) key. * * @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled * @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully */ public CompletableFuture<Void> disableKeyAsync(String keyId) { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); return getAsyncClient().disableKey(keyRequest) .thenRun(() -> { logger.info("Key {} has been disabled successfully",keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to disable key: " + keyId, throwable); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 DisableKey” 中的。

以下代码示例演示如何使用 EnableKey

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously enables the specified key. * * @param keyId the ID of the key to enable * @return a {@link CompletableFuture} that completes when the key has been enabled */ public CompletableFuture<Void> enableKeyAsync(String keyId) { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture<EnableKeyResponse> responseFuture = getAsyncClient().enableKey(enableKeyRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key with ID [{}] has been enabled.", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 EnableKey” 中的。

以下代码示例演示如何使用 Encrypt

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Encrypts the given text asynchronously using the specified KMS client and key ID. * * @param keyId the ID of the KMS key to use for encryption * @param text the text to encrypt * @return a CompletableFuture that completes with the encrypted data as an SdkBytes object */ public CompletableFuture<SdkBytes> encryptDataAsync(String keyId, String text) { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); CompletableFuture<EncryptResponse> responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture(); return responseFuture.whenComplete((response, ex) -> { if (response != null) { String algorithm = response.encryptionAlgorithm().toString(); logger.info("The string was encrypted with algorithm {}.", algorithm); } else { throw new RuntimeException(ex); } }).thenApply(EncryptResponse::ciphertextBlob); }
  • 有关API详细信息,请参阅AWS SDK for Java 2.x API参考中的加密

以下代码示例演示如何使用 ListAliases

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously lists all the aliases in the current AWS account. * * @return a {@link CompletableFuture} that completes when the list of aliases has been processed */ public CompletableFuture<Object> listAllAliasesAsync() { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest); return paginator.subscribe(response -> { response.aliases().forEach(alias -> logger.info("The alias name is: " + alias.aliasName()) ); }) .thenApply(v -> null) .exceptionally(ex -> { if (ex.getCause() instanceof KmsException) { KmsException e = (KmsException) ex.getCause(); throw new RuntimeException("A KMS exception occurred: " + e.getMessage()); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage()); } }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ListAliases” 中的。

以下代码示例演示如何使用 ListGrants

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously displays the grant IDs for the specified key ID. * * @param keyId the ID of the AWS KMS key for which to list the grants * @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed * @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error */ public CompletableFuture<Object> displayGrantIdsAsync(String keyId) { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest); return paginator.subscribe(response -> { response.grants().forEach(grant -> { logger.info("The grant Id is: " + grant.grantId()); }); }) .thenApply(v -> null) .exceptionally(ex -> { Throwable cause = ex.getCause(); if (cause instanceof KmsException) { throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause); } else { throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause); } }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ListGrants” 中的。

以下代码示例演示如何使用 ListKeyPolicies

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously retrieves the key policy for the specified key ID and policy name. * * @param keyId the ID of the AWS KMS key for which to retrieve the policy * @param policyName the name of the key policy to retrieve * @return a {@link CompletableFuture} that, when completed, contains the key policy as a {@link String} */ public CompletableFuture<String> getKeyPolicyAsync(String keyId, String policyName) { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); return getAsyncClient().getKeyPolicy(policyRequest) .thenApply(response -> { String policy = response.policy(); logger.info("The response is: " + policy); return policy; }) .exceptionally(ex -> { throw new RuntimeException("Failed to get key policy", ex); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ListKeyPolicies” 中的。

以下代码示例演示如何使用 ListKeys

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

import software.amazon.awssdk.services.kms.KmsAsyncClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher; import java.util.concurrent.CompletableFuture; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { listAllKeys(); } public static void listAllKeys() { KmsAsyncClient kmsAsyncClient = KmsAsyncClient.builder() .build(); ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); /* * The `subscribe` method is required when using paginator methods in the AWS SDK * because paginator methods return an instance of a `ListKeysPublisher`, which is * based on a reactive stream. This allows asynchronous retrieval of paginated * results as they become available. By subscribing to the stream, we can process * each page of results as they are emitted. */ ListKeysPublisher keysPublisher = kmsAsyncClient.listKeysPaginator(listKeysRequest); CompletableFuture<Void> future = keysPublisher .subscribe(r -> r.keys().forEach(key -> System.out.println("The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()))) .whenComplete((result, exception) -> { if (exception != null) { System.err.println("Error occurred: " + exception.getMessage()); } else { System.out.println("Successfully listed all keys."); } }); try { future.join(); } catch (Exception e) { System.err.println("Failed to list keys: " + e.getMessage()); } } }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ListKeys” 中的。

以下代码示例演示如何使用 RevokeGrant

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Revokes a grant for the specified AWS KMS key asynchronously. * * @param keyId The ID or key ARN of the AWS KMS key. * @param grantId The identifier of the grant to be revoked. * @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant. * The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object * if the operation is successful, or with a {@code null} value if an error occurs. */ public CompletableFuture<RevokeGrantResponse> revokeKeyGrantAsync(String keyId, String grantId) { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); CompletableFuture<RevokeGrantResponse> responseFuture = getAsyncClient().revokeGrant(grantRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Grant ID: [" + grantId + "] was successfully revoked!"); } else { if (exception instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx); } } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 RevokeGrant” 中的。

以下代码示例演示如何使用 ScheduleKeyDeletion

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Deletes a KMS key asynchronously. * * <p><strong>Warning:</strong> Deleting a KMS key is a destructive and potentially dangerous operation. * When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable. * This means that any files, databases, or other data that were encrypted using the deleted KMS key * will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.</p> * * @param keyId the ID of the KMS key to delete * @return a {@link CompletableFuture} that completes when the key deletion is scheduled */ public CompletableFuture<Void> deleteKeyAsync(String keyId) { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); return getAsyncClient().scheduleKeyDeletion(deletionRequest) .thenRun(() -> { logger.info("Key {} will be deleted in 7 days", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 ScheduleKeyDeletion” 中的。

以下代码示例演示如何使用 Sign

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously signs and verifies data using AWS KMS. * * <p>The method performs the following steps: * <ol> * <li>Creates an AWS KMS key with the specified key spec, key usage, and origin.</li> * <li>Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * <li>Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * </ol> * * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture<Boolean> signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); }

以下代码示例演示如何使用 TagResource

SDK适用于 Java 2.x
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 AWS 代码示例存储库中进行设置和运行。

/** * Asynchronously tags a KMS key with a specific tag. * * @param keyId the ID of the KMS key to be tagged * @return a {@link CompletableFuture} that completes when the tagging operation is finished */ public CompletableFuture<Void> tagKMSKeyAsync(String keyId) { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); return getAsyncClient().tagResource(tagResourceRequest) .thenRun(() -> { logger.info("{} key was tagged", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to tag the KMS key", throwable); }); }
  • 有关API详细信息,请参阅 “AWS SDK for Java 2.x API参考 TagResource” 中的。