文件 AWS 開發套件範例 GitHub 儲存庫中有更多可用的 [AWS SDK 範例](https://github.com/awsdocs/aws-doc-sdk-examples)。 本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # AWS KMS 使用 AWS SDKs的基本範例 下列程式碼範例示範如何 AWS Key Management Service 搭配 AWS SDKs 使用 的基本概念。 **Contents** + [您好 AWS KMS](kms_example_kms_Hello_section.md) + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) + [動作](kms_code_examples_actions.md) + [`CreateAlias`](kms_example_kms_CreateAlias_section.md) + [`CreateGrant`](kms_example_kms_CreateGrant_section.md) + [`CreateKey`](kms_example_kms_CreateKey_section.md) + [`Decrypt`](kms_example_kms_Decrypt_section.md) + [`DeleteAlias`](kms_example_kms_DeleteAlias_section.md) + [`DescribeKey`](kms_example_kms_DescribeKey_section.md) + [`DisableKey`](kms_example_kms_DisableKey_section.md) + [`EnableKey`](kms_example_kms_EnableKey_section.md) + [`EnableKeyRotation`](kms_example_kms_EnableKeyRotation_section.md) + [`Encrypt`](kms_example_kms_Encrypt_section.md) + [`GenerateDataKey`](kms_example_kms_GenerateDataKey_section.md) + [`GenerateDataKeyWithoutPlaintext`](kms_example_kms_GenerateDataKeyWithoutPlaintext_section.md) + [`GenerateRandom`](kms_example_kms_GenerateRandom_section.md) + [`GetKeyPolicy`](kms_example_kms_GetKeyPolicy_section.md) + [`ListAliases`](kms_example_kms_ListAliases_section.md) + [`ListGrants`](kms_example_kms_ListGrants_section.md) + [`ListKeyPolicies`](kms_example_kms_ListKeyPolicies_section.md) + [`ListKeys`](kms_example_kms_ListKeys_section.md) + [`PutKeyPolicy`](kms_example_kms_PutKeyPolicy_section.md) + [`ReEncrypt`](kms_example_kms_ReEncrypt_section.md) + [`RetireGrant`](kms_example_kms_RetireGrant_section.md) + [`RevokeGrant`](kms_example_kms_RevokeGrant_section.md) + [`ScheduleKeyDeletion`](kms_example_kms_ScheduleKeyDeletion_section.md) + [`Sign`](kms_example_kms_Sign_section.md) + [`TagResource`](kms_example_kms_TagResource_section.md) + [`UpdateAlias`](kms_example_kms_UpdateAlias_section.md) + [`Verify`](kms_example_kms_Verify_section.md) # 您好 AWS Key Management Service 下列程式碼範例示範如何開始使用 AWS Key Management Service。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` import software.amazon.awssdk.services.kms.KmsAsyncClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher; import java.util.concurrent.CompletableFuture; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { listAllKeys(); } public static void listAllKeys() { KmsAsyncClient kmsAsyncClient = KmsAsyncClient.builder() .build(); ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); /* * The `subscribe` method is required when using paginator methods in the AWS SDK * because paginator methods return an instance of a `ListKeysPublisher`, which is * based on a reactive stream. This allows asynchronous retrieval of paginated * results as they become available. By subscribing to the stream, we can process * each page of results as they are emitted. */ ListKeysPublisher keysPublisher = kmsAsyncClient.listKeysPaginator(listKeysRequest); CompletableFuture future = keysPublisher .subscribe(r -> r.keys().forEach(key -> System.out.println("The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()))) .whenComplete((result, exception) -> { if (exception != null) { System.err.println("Error occurred: " + exception.getMessage()); } else { System.out.println("Successfully listed all keys."); } }); try { future.join(); } catch (Exception e) { System.err.println("Failed to list keys: " + e.getMessage()); } } } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeys)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` include "vendor/autoload.php"; use Aws\Kms\KmsClient; echo "This file shows how to connect to the KmsClient, uses a paginator to get the keys for the account, and lists the KeyIds for up to 10 keys.\n"; $client = new KmsClient([]); $pageLength = 10; // Change this value to change the number of records shown, or to break up the result into pages. $keys = []; $keysPaginator = $client->getPaginator("ListKeys", ['Limit' => $pageLength]); foreach($keysPaginator as $page){ foreach($page['Keys'] as $index => $key){ echo "The $index index Key's ID is: {$key['KeyId']}\n"; } echo "End of page one of results. Alter the \$pageLength variable to see more results.\n"; break; } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. oo_result = lo_kms->listkeys( ). MESSAGE 'Retrieved KMS keys list.' TYPE 'I'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListKeys](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # AWS KMS 使用 AWS SDK 了解 的基本概念 下列程式碼範例示範如何: + 建立 KMS 金鑰。 + 列出您帳戶的 KMS 金鑰,並取得其詳細資訊。 + 啟用和停用 KMS 金鑰。 + 產生可用於用戶端加密的對稱資料金鑰。 + 產生用於數位簽署資料的非對稱金鑰。 + 標籤索引鍵。 + 刪除 KMS 金鑰。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 在命令提示中執行案例。 ``` import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.regions.Region; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import software.amazon.awssdk.services.kms.model.AlreadyExistsException; import software.amazon.awssdk.services.kms.model.DisabledException; import software.amazon.awssdk.services.kms.model.EnableKeyRotationResponse; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.model.NotFoundException; import software.amazon.awssdk.services.kms.model.RevokeGrantResponse; import java.util.List; import java.util.Scanner; import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletionException; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class KMSScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); private static String accountId = ""; private static final Logger logger = LoggerFactory.getLogger(KMSScenario.class); static KMSActions kmsActions = new KMSActions(); static Scanner scanner = new Scanner(System.in); static String aliasName = "alias/dev-encryption-key"; public static void main(String[] args) { final String usage = """ Usage: Where: granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given. """; if (args.length != 1) { logger.info(usage); return; } String granteePrincipal = args[0]; String policyName = "default"; accountId = kmsActions.getAccountId(); String keyDesc = "Created by the AWS KMS API"; logger.info(DASHES); logger.info(""" Welcome to the AWS Key Management SDK Basics scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Basics scenario creates two key types: - A symmetric encryption key is used to encrypt and decrypt data. - An asymmetric key used to digitally sign data. Let's get started... """); waitForInputToContinue(scanner); try { // Run the methods that belong to this scenario. String targetKeyId = runScenario(granteePrincipal, keyDesc, policyName); requestDeleteResources(aliasName, targetKeyId); } catch (Throwable rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } private static String runScenario(String granteePrincipal, String keyDesc, String policyName) throws Throwable { logger.info(DASHES); logger.info("1. Create a symmetric KMS key\n"); logger.info("First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."); waitForInputToContinue(scanner); String targetKeyId; try { CompletableFuture futureKeyId = kmsActions.createKeyAsync(keyDesc); targetKeyId = futureKeyId.join(); logger.info("A symmetric key was successfully created " + targetKeyId); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(""" 2. Enable a KMS key By default, when the SDK creates an AWS key, it is enabled. The next bit of code checks to determine if the key is enabled. """); waitForInputToContinue(scanner); boolean isEnabled; try { CompletableFuture futureIsKeyEnabled = kmsActions.isKeyEnabledAsync(targetKeyId); isEnabled = futureIsKeyEnabled.join(); logger.info("Is the key enabled? {}", isEnabled); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } if (!isEnabled) try { CompletableFuture future = kmsActions.enableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("3. Encrypt data using the symmetric KMS key"); String plaintext = "Hello, AWS KMS!"; logger.info(""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string {} with the SYMMETRIC_DEFAULT encryption algorithm. """, plaintext); waitForInputToContinue(scanner); SdkBytes encryptedData; try { CompletableFuture future = kmsActions.encryptDataAsync(targetKeyId, plaintext); encryptedData = future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof DisabledException kmsDisabledEx) { logger.info("KMS error occurred due to a disabled key: Error message: {}, Error code {}", kmsDisabledEx.getMessage(), kmsDisabledEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("4. Create an alias"); logger.info(""" The alias name should be prefixed with 'alias/'. The default, 'alias/dev-encryption-key'. """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.createCustomAliasAsync(targetKeyId, aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof AlreadyExistsException kmsExistsEx) { if (kmsExistsEx.getMessage().contains("already exists")) { logger.info("The alias '" + aliasName + "' already exists. Moving on..."); } } else { logger.error("An unexpected error occurred: " + rt.getMessage(), rt); deleteKey(targetKeyId); throw cause; } } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("5. List all of your aliases"); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.listAllAliasesAsync(); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("6. Enable automatic rotation of the KMS key"); logger.info(""" By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.enableKeyRotationAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(""" 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """); waitForInputToContinue(scanner); String grantId = null; try { CompletableFuture futureGrantId = kmsActions.grantKeyAsync(targetKeyId, granteePrincipal); grantId = futureGrantId.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info(DASHES); logger.info("8. List grants for the KMS key"); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.displayGrantIdsAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("9. Revoke the grant"); logger.info(""" The revocation of a grant immediately removes the permissions and access that the grant had provided. This means that any principal (user, role, or service) that was granted access to perform specific KMS operations on a KMS key will no longer be able to perform those operations. """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.revokeKeyGrantAsync(targetKeyId, grantId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); throw cause; } } else { logger.info("An unexpected error occurred: " + rt.getMessage()); deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("10. Decrypt the data\n"); logger.info(""" Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """); waitForInputToContinue(scanner); String decryptedData = ""; try { CompletableFuture future = kmsActions.decryptDataAsync(encryptedData, targetKeyId); decryptedData = future.join(); logger.info("Decrypted data: " + decryptedData); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } logger.info("Decrypted text is: " + decryptedData); waitForInputToContinue(scanner); logger.info(DASHES); logger.info("11. Replace a key policy\n"); logger.info(""" A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.replacePolicyAsync(targetKeyId, policyName, accountId); boolean success = future.join(); if (success) { logger.info("Key policy replacement succeeded."); } else { logger.error("Key policy replacement failed."); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("12. Get the key policy\n"); logger.info("The next bit of code that runs gets the key policy to make sure it exists."); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.getKeyPolicyAsync(targetKeyId, policyName); String policy = future.join(); if (!policy.isEmpty()) { logger.info("Retrieved policy: " + policy); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("13. Create an asymmetric KMS key and sign your data\n"); logger.info(""" Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.signVerifyDataAsync(); boolean success = future.join(); if (success) { logger.info("Sign and verify data operation succeeded."); } else { logger.error("Sign and verify data operation failed."); } } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); logger.info(DASHES); logger.info("14. Tag your symmetric KMS Key\n"); logger.info(""" By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.tagKMSKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } deleteAliasName(aliasName); deleteKey(targetKeyId); throw cause; } waitForInputToContinue(scanner); return targetKeyId; } // Deletes KMS resources with user input. private static void requestDeleteResources(String aliasName, String targetKeyId) { logger.info(DASHES); logger.info("15. Schedule the deletion of the KMS key\n"); logger.info(""" By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. """); logger.info("Would you like to delete the Key Management resources? (y/n)"); String delAns = scanner.nextLine().trim(); if (delAns.equalsIgnoreCase("y")) { logger.info("You selected to delete the AWS KMS resources."); waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.deleteSpecificAliasAsync(aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } waitForInputToContinue(scanner); try { CompletableFuture future = kmsActions.disableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } try { CompletableFuture future = kmsActions.deleteKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } else { logger.info("The Key Management resources will not be deleted"); } logger.info(DASHES); logger.info("This concludes the AWS Key Management SDK scenario"); logger.info(DASHES); } // This method is invoked from Exceptions to clean up the resources. private static void deleteKey(String targetKeyId) { try { CompletableFuture future = kmsActions.disableKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } try { CompletableFuture future = kmsActions.deleteKeyAsync(targetKeyId); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } // This method is invoked from Exceptions to clean up the resources. private static void deleteAliasName(String aliasName) { try { CompletableFuture future = kmsActions.deleteSpecificAliasAsync(aliasName); future.join(); } catch (RuntimeException rt) { Throwable cause = rt.getCause(); if (cause instanceof KmsException kmsEx) { logger.info("KMS error occurred: Error message: {}, Error code {}", kmsEx.getMessage(), kmsEx.awsErrorDetails().errorCode()); } else { logger.info("An unexpected error occurred: " + rt.getMessage()); } } } private static void waitForInputToContinue(Scanner scanner) { while (true) { logger.info(""); logger.info("Enter 'c' followed by to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { logger.info("Continuing with the program..."); logger.info(""); break; } else { // Handle invalid input. logger.info("Invalid input. Please try again."); } } } } ``` 定義包裝 KMS 動作的類別。 ``` public class KMSActions { private static final Logger logger = LoggerFactory.getLogger(KMSActions.class); private static KmsAsyncClient kmsAsyncClient; /** * Retrieves an asynchronous AWS Key Management Service (KMS) client. *

* This method creates and returns a singleton instance of the KMS async client, with the following configurations: *

    *
  • Max concurrency: 100
    • *
  • Connection timeout: 60 seconds
    • *
  • Read timeout: 60 seconds
    • *
  • Write timeout: 60 seconds
    • *
  • API call timeout: 2 minutes
    • *
  • API call attempt timeout: 90 seconds
    • *
  • Retry policy: up to 3 retries
    • *
  • Credentials provider: environment variable credentials provider
    • *
*

* If the client instance has already been created, it is returned instead of creating a new one. * * @return the KMS async client instance */ private static KmsAsyncClient getAsyncClient() { if (kmsAsyncClient == null) { SdkAsyncHttpClient httpClient = NettyNioAsyncHttpClient.builder() .maxConcurrency(100) .connectionTimeout(Duration.ofSeconds(60)) .readTimeout(Duration.ofSeconds(60)) .writeTimeout(Duration.ofSeconds(60)) .build(); ClientOverrideConfiguration overrideConfig = ClientOverrideConfiguration.builder() .apiCallTimeout(Duration.ofMinutes(2)) .apiCallAttemptTimeout(Duration.ofSeconds(90)) .retryPolicy(RetryPolicy.builder() .numRetries(3) .build()) .build(); kmsAsyncClient = KmsAsyncClient.builder() .httpClient(httpClient) .overrideConfiguration(overrideConfig) .build(); } return kmsAsyncClient; } /** * Creates a new symmetric encryption key asynchronously. * * @param keyDesc the description of the key to be created * @return a {@link CompletableFuture} that completes with the ID of the newly created key * @throws RuntimeException if an error occurs while creating the key */ public CompletableFuture createKeyAsync(String keyDesc) { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .keySpec(KeySpec.SYMMETRIC_DEFAULT) .keyUsage(KeyUsageType.ENCRYPT_DECRYPT) .build(); return getAsyncClient().createKey(keyRequest) .thenApply(resp -> resp.keyMetadata().keyId()) .exceptionally(ex -> { throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex); }); } /** * Asynchronously checks if a specified key is enabled. * * @param keyId the ID of the key to check * @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not * * @throws RuntimeException if an exception occurs while checking the key state */ public CompletableFuture isKeyEnabledAsync(String keyId) { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().describeKey(keyRequest); return responseFuture.whenComplete((resp, ex) -> { if (resp != null) { KeyState keyState = resp.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { logger.info("The key is enabled."); } else { logger.info("The key is not enabled. Key state: {}", keyState); } } else { throw new RuntimeException(ex); } }).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED); } /** * Asynchronously enables the specified key. * * @param keyId the ID of the key to enable * @return a {@link CompletableFuture} that completes when the key has been enabled */ public CompletableFuture enableKeyAsync(String keyId) { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().enableKey(enableKeyRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key with ID [{}] has been enabled.", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } /** * Encrypts the given text asynchronously using the specified KMS client and key ID. * * @param keyId the ID of the KMS key to use for encryption * @param text the text to encrypt * @return a CompletableFuture that completes with the encrypted data as an SdkBytes object */ public CompletableFuture encryptDataAsync(String keyId, String text) { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); CompletableFuture responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture(); return responseFuture.whenComplete((response, ex) -> { if (response != null) { String algorithm = response.encryptionAlgorithm().toString(); logger.info("The string was encrypted with algorithm {}.", algorithm); } else { throw new RuntimeException(ex); } }).thenApply(EncryptResponse::ciphertextBlob); } /** * Creates a custom alias for the specified target key asynchronously. * * @param targetKeyId the ID of the target key for the alias * @param aliasName the name of the alias to create * @return a {@link CompletableFuture} that completes when the alias creation operation is finished */ public CompletableFuture createCustomAliasAsync(String targetKeyId, String aliasName) { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); CompletableFuture responseFuture = getAsyncClient().createAlias(aliasRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("{} was successfully created.", aliasName); } else { if (exception instanceof ResourceExistsException) { logger.info("Alias [{}] already exists. Moving on...", aliasName); } else if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } /** * Asynchronously lists all the aliases in the current AWS account. * * @return a {@link CompletableFuture} that completes when the list of aliases has been processed */ public CompletableFuture listAllAliasesAsync() { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest); return paginator.subscribe(response -> { response.aliases().forEach(alias -> logger.info("The alias name is: " + alias.aliasName()) ); }) .thenApply(v -> null) .exceptionally(ex -> { if (ex.getCause() instanceof KmsException) { KmsException e = (KmsException) ex.getCause(); throw new RuntimeException("A KMS exception occurred: " + e.getMessage()); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage()); } }); } /** * Enables key rotation asynchronously for the specified key ID. * * @param keyId the ID of the key for which to enable key rotation * @return a CompletableFuture that represents the asynchronous operation of enabling key rotation * @throws RuntimeException if there was an error enabling key rotation, either due to a KMS exception or an unexpected error */ public CompletableFuture enableKeyRotationAsync(String keyId) { EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder() .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().enableKeyRotation(enableKeyRotationRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key rotation has been enabled for key with id [{}]", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("Failed to enable key rotation: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; } /** * Grants permissions to a specified principal on a customer master key (CMK) asynchronously. * * @param keyId The unique identifier for the customer master key (CMK) that the grant applies to. * @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK. * @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant. * @throws RuntimeException If an error occurs during the grant creation process. */ public CompletableFuture grantKeyAsync(String keyId, String granteePrincipal) { List grantPermissions = List.of( GrantOperation.ENCRYPT, GrantOperation.DECRYPT, GrantOperation.DESCRIBE_KEY ); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CompletableFuture responseFuture = getAsyncClient().createGrant(grantRequest); responseFuture.whenComplete((response, ex) -> { if (ex == null) { logger.info("Grant created successfully with ID: " + response.grantId()); } else { if (ex instanceof KmsException kmsEx) { throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex); } } }); return responseFuture.thenApply(CreateGrantResponse::grantId); } /** * Asynchronously displays the grant IDs for the specified key ID. * * @param keyId the ID of the AWS KMS key for which to list the grants * @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed * @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error */ public CompletableFuture displayGrantIdsAsync(String keyId) { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest); return paginator.subscribe(response -> { response.grants().forEach(grant -> { logger.info("The grant Id is: " + grant.grantId()); }); }) .thenApply(v -> null) .exceptionally(ex -> { Throwable cause = ex.getCause(); if (cause instanceof KmsException) { throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause); } else { throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause); } }); } /** * Revokes a grant for the specified AWS KMS key asynchronously. * * @param keyId The ID or key ARN of the AWS KMS key. * @param grantId The identifier of the grant to be revoked. * @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant. * The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object * if the operation is successful, or with a {@code null} value if an error occurs. */ public CompletableFuture revokeKeyGrantAsync(String keyId, String grantId) { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); CompletableFuture responseFuture = getAsyncClient().revokeGrant(grantRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Grant ID: [" + grantId + "] was successfully revoked!"); } else { if (exception instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx); } } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; } /** * Asynchronously decrypts the given encrypted data using the specified key ID. * * @param encryptedData The encrypted data to be decrypted. * @param keyId The ID of the key to be used for decryption. * @return A CompletableFuture that, when completed, will contain the decrypted data as a String. * If an error occurs during the decryption process, the CompletableFuture will complete * exceptionally with the error, and the method will return an empty String. */ public CompletableFuture decryptDataAsync(SdkBytes encryptedData, String keyId) { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().decrypt(decryptRequest); responseFuture.whenComplete((decryptResponse, exception) -> { if (exception == null) { logger.info("Data decrypted successfully for key ID: " + keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8)); } /** * Asynchronously replaces the policy for the specified KMS key. * * @param keyId the ID of the KMS key to replace the policy for * @param policyName the name of the policy to be replaced * @param accountId the AWS account ID to be used in the policy * @return a {@link CompletableFuture} that completes with a boolean indicating * whether the policy replacement was successful or not */ public CompletableFuture replacePolicyAsync(String keyId, String policyName, String accountId) { String policy = """ { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*" }] } """.formatted(accountId); PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .policy(policy) .build(); // First, get the current policy to check if it exists return getAsyncClient().getKeyPolicy(r -> r.keyId(keyId).policyName(policyName)) .thenCompose(response -> { logger.info("Current policy exists. Replacing it..."); return getAsyncClient().putKeyPolicy(keyPolicyRequest); }) .thenApply(putPolicyResponse -> { logger.info("The key policy has been replaced."); return true; }) .exceptionally(throwable -> { if (throwable.getCause() instanceof LimitExceededException) { logger.error("Cannot replace policy, as only one policy is allowed per key."); return false; } throw new RuntimeException("Error replacing policy", throwable); }); } /** * Asynchronously retrieves the key policy for the specified key ID and policy name. * * @param keyId the ID of the AWS KMS key for which to retrieve the policy * @param policyName the name of the key policy to retrieve * @return a {@link CompletableFuture} that, when completed, contains the key policy as a {@link String} */ public CompletableFuture getKeyPolicyAsync(String keyId, String policyName) { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); return getAsyncClient().getKeyPolicy(policyRequest) .thenApply(response -> { String policy = response.policy(); logger.info("The response is: " + policy); return policy; }) .exceptionally(ex -> { throw new RuntimeException("Failed to get key policy", ex); }); } /** * Asynchronously signs and verifies data using AWS KMS. * *

The method performs the following steps: *

    *
  1. Creates an AWS KMS key with the specified key spec, key usage, and origin.
    2. *
  2. Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    3. *
  3. Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    4. *
* * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); } /** * Asynchronously tags a KMS key with a specific tag. * * @param keyId the ID of the KMS key to be tagged * @return a {@link CompletableFuture} that completes when the tagging operation is finished */ public CompletableFuture tagKMSKeyAsync(String keyId) { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); return getAsyncClient().tagResource(tagResourceRequest) .thenRun(() -> { logger.info("{} key was tagged", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to tag the KMS key", throwable); }); } /** * Deletes a specific KMS alias asynchronously. * * @param aliasName the name of the alias to be deleted * @return a {@link CompletableFuture} representing the asynchronous operation of deleting the specified alias */ public CompletableFuture deleteSpecificAliasAsync(String aliasName) { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); return getAsyncClient().deleteAlias(deleteAliasRequest) .thenRun(() -> { logger.info("Alias {} has been deleted successfully", aliasName); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to delete alias: " + aliasName, throwable); }); } /** * Asynchronously disables the specified AWS Key Management Service (KMS) key. * * @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled * @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully */ public CompletableFuture disableKeyAsync(String keyId) { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); return getAsyncClient().disableKey(keyRequest) .thenRun(() -> { logger.info("Key {} has been disabled successfully",keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to disable key: " + keyId, throwable); }); } /** * Deletes a KMS key asynchronously. * *

Warning: Deleting a KMS key is a destructive and potentially dangerous operation. * When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable. * This means that any files, databases, or other data that were encrypted using the deleted KMS key * will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.

* * @param keyId the ID of the KMS key to delete * @return a {@link CompletableFuture} that completes when the key deletion is scheduled */ public CompletableFuture deleteKeyAsync(String keyId) { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); return getAsyncClient().scheduleKeyDeletion(deletionRequest) .thenRun(() -> { logger.info("Key {} will be deleted in 7 days", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable); }); } public String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } } ``` + 如需 API 詳細資訊,請參閱《*AWS SDK for Java 2.x API 參考*》中的下列主題。 + [CreateAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateAlias) + [CreateGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateGrant) + [CreateKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateKey) + [解密](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Decrypt) + [DescribeKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DescribeKey) + [DisableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DisableKey) + [EnableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/EnableKey) + [加密](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Encrypt) + [GetKeyPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/GetKeyPolicy) + [ListAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListAliases) + [ListGrants](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListGrants) + [ListKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeys) + [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/RevokeGrant) + [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ScheduleKeyDeletion) + [符號](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Sign) + [TagResource](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/TagResource) ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` echo "\n"; echo "--------------------------------------\n"; echo <<pressEnter(); $this->kmsClient = new KmsClient([]); // Initialize the KmsService class with the client. This allows you to override any defaults in the client before giving it to the service class. $this->kmsService = new KmsService($this->kmsClient); // 1. Create a symmetric KMS key. echo "\n"; echo "1. Create a symmetric KMS key.\n"; echo "First, we will create a symmetric KMS key that is used to encrypt and decrypt data by invoking createKey().\n"; $this->pressEnter(); $key = $this->kmsService->createKey(); $this->resources['symmetricKey'] = $key['KeyId']; echo "Created a customer key with ARN {$key['Arn']}.\n"; $this->pressEnter(); // 2. Enable a KMS key. echo "\n"; echo "2. Enable a KMS key.\n"; echo "By default when you create an AWS key, it is enabled. The code checks to determine if the key is enabled. If it is not enabled, the code enables it.\n"; $this->pressEnter(); $keyInfo = $this->kmsService->describeKey($key['KeyId']); if(!$keyInfo['Enabled']){ echo "The key was not enabled, so we will enable it.\n"; $this->pressEnter(); $this->kmsService->enableKey($key['KeyId']); echo "The key was successfully enabled.\n"; }else{ echo "The key was already enabled, so there was no need to enable it.\n"; } $this->pressEnter(); // 3. Encrypt data using the symmetric KMS key. echo "\n"; echo "3. Encrypt data using the symmetric KMS key.\n"; echo "One of the main uses of symmetric keys is to encrypt and decrypt data.\n"; echo "Next, we'll encrypt the string 'Hello, AWS KMS!' with the SYMMETRIC_DEFAULT encryption algorithm.\n"; $this->pressEnter(); $text = "Hello, AWS KMS!"; $encryption = $this->kmsService->encrypt($key['KeyId'], $text); echo "The plaintext data was successfully encrypted with the algorithm: {$encryption['EncryptionAlgorithm']}.\n"; $this->pressEnter(); // 4. Create an alias. echo "\n"; echo "4. Create an alias.\n"; $aliasInput = testable_readline("Please enter an alias prefixed with \"alias/\" or press enter to use a default value: "); if($aliasInput == ""){ $aliasInput = "alias/dev-encryption-key"; } $this->kmsService->createAlias($key['KeyId'], $aliasInput); $this->resources['alias'] = $aliasInput; echo "The alias \"$aliasInput\" was successfully created.\n"; $this->pressEnter(); // 5. List all of your aliases. $aliasPageSize = 10; echo "\n"; echo "5. List all of your aliases, up to $aliasPageSize.\n"; $this->pressEnter(); $aliasPaginator = $this->kmsService->listAliases(); foreach($aliasPaginator as $pages){ foreach($pages['Aliases'] as $alias){ echo $alias['AliasName'] . "\n"; } break; } $this->pressEnter(); // 6. Enable automatic rotation of the KMS key. echo "\n"; echo "6. Enable automatic rotation of the KMS key.\n"; echo "By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter."; $this->pressEnter(); $this->kmsService->enableKeyRotation($key['KeyId']); echo "The key's rotation was successfully set for key: {$key['KeyId']}\n"; $this->pressEnter(); // 7. Create a grant. echo "7. Create a grant.\n"; echo "\n"; echo "A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies.\n"; $granteeARN = testable_readline("Please enter the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide. \nTo skip this step, press enter without any other values: "); if($granteeARN){ $operations = [ "ENCRYPT", "DECRYPT", "DESCRIBE_KEY", ]; $grant = $this->kmsService->createGrant($key['KeyId'], $granteeARN, $operations); echo "The grant Id is: {$grant['GrantId']}\n"; }else{ echo "Steps 7, 8, and 9 will be skipped.\n"; } $this->pressEnter(); // 8. List grants for the KMS key. if($granteeARN){ echo "8. List grants for the KMS key.\n\n"; $grantsPaginator = $this->kmsService->listGrants($key['KeyId']); foreach($grantsPaginator as $page){ foreach($page['Grants'] as $grant){ echo $grant['GrantId'] . "\n"; } } }else{ echo "Skipping step 8...\n"; } $this->pressEnter(); // 9. Revoke the grant. if($granteeARN) { echo "\n"; echo "9. Revoke the grant.\n"; $this->pressEnter(); $this->kmsService->revokeGrant($grant['GrantId'], $keyInfo['KeyId']); echo "{$grant['GrantId']} was successfully revoked!\n"; }else{ echo "Skipping step 9...\n"; } $this->pressEnter(); // 10. Decrypt the data. echo "\n"; echo "10. Decrypt the data.\n"; echo "Let's decrypt the data that was encrypted before.\n"; echo "We'll use the same key to decrypt the string that we encrypted earlier in the program.\n"; $this->pressEnter(); $decryption = $this->kmsService->decrypt($keyInfo['KeyId'], $encryption['CiphertextBlob'], $encryption['EncryptionAlgorithm']); echo "The decrypted text is: {$decryption['Plaintext']}\n"; $this->pressEnter(); // 11. Replace a Key Policy. echo "\n"; echo "11. Replace a Key Policy.\n"; echo "A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys.\n"; echo "Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it.\n"; echo " You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy.\n"; echo "We will replace the key's policy with a new one:\n"; $stsClient = new StsClient([]); $result = $stsClient->getCallerIdentity(); $accountId = $result['Account']; $keyPolicy = <<< KEYPOLICY { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::$accountId:root"}, "Action": "kms:*", "Resource": "*" }] } KEYPOLICY; echo $keyPolicy; $this->pressEnter(); $this->kmsService->putKeyPolicy($keyInfo['KeyId'], $keyPolicy); echo "The Key Policy was successfully replaced!\n"; $this->pressEnter(); // 12. Retrieve the key policy. echo "\n"; echo "12. Retrieve the key policy.\n"; echo "Let's get some information about the new policy and print it to the screen.\n"; $this->pressEnter(); $policyInfo = $this->kmsService->getKeyPolicy($keyInfo['KeyId']); echo "We got the info! Here is the policy: \n"; echo $policyInfo['Policy'] . "\n"; $this->pressEnter(); // 13. Create an asymmetric KMS key and sign data. echo "\n"; echo "13. Create an asymmetric KMS key and sign data.\n"; echo "Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs.\n"; echo "By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization.\n"; echo "First we'll create the asymmetric key.\n"; $this->pressEnter(); $keySpec = "RSA_2048"; $keyUsage = "SIGN_VERIFY"; $asymmetricKey = $this->kmsService->createKey($keySpec, $keyUsage); $this->resources['asymmetricKey'] = $asymmetricKey['KeyId']; echo "Created the key with ID: {$asymmetricKey['KeyId']}\n"; echo "Next, we'll sign the data.\n"; $this->pressEnter(); $algorithm = "RSASSA_PSS_SHA_256"; $sign = $this->kmsService->sign($asymmetricKey['KeyId'], $text, $algorithm); $verify = $this->kmsService->verify($asymmetricKey['KeyId'], $text, $sign['Signature'], $algorithm); echo "Signature verification result: {$sign['signature']}\n"; $this->pressEnter(); // 14. Tag the symmetric KMS key. echo "\n"; echo "14. Tag the symmetric KMS key.\n"; echo "By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment.\n"; echo "Let's tag our symmetric key as Environment->Production\n"; $this->pressEnter(); $this->kmsService->tagResource($key['KeyId'], [ [ 'TagKey' => "Environment", 'TagValue' => "Production", ], ]); echo "The key was successfully tagged!\n"; $this->pressEnter(); // 15. Schedule the deletion of the KMS key echo "\n"; echo "15. Schedule the deletion of the KMS key.\n"; echo "By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days.\n"; echo "When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations.\n"; echo "It remains in this state for the duration of the waiting period.\n\n"; echo "Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable.\n\n"; $cleanUp = testable_readline("Would you like to delete the resources created during this scenario, including the keys? (y/n): "); if($cleanUp == "Y" || $cleanUp == "y"){ $this->cleanUp(); } echo "--------------------------------------------------------------------------------\n"; echo "This concludes the AWS Key Management SDK Basics scenario\n"; echo "--------------------------------------------------------------------------------\n"; namespace Kms; use Aws\Kms\Exception\KmsException; use Aws\Kms\KmsClient; use Aws\Result; use Aws\ResultPaginator; use AwsUtilities\AWSServiceClass; class KmsService extends AWSServiceClass { protected KmsClient $client; protected bool $verbose; /*** * @param KmsClient|null $client * @param bool $verbose */ public function __construct(KmsClient $client = null, bool $verbose = false) { $this->verbose = $verbose; if($client){ $this->client = $client; return; } $this->client = new KmsClient([]); } /*** * @param string $keySpec * @param string $keyUsage * @param string $description * @return array */ public function createKey(string $keySpec = "", string $keyUsage = "", string $description = "Created by the SDK for PHP") { $parameters = ['Description' => $description]; if($keySpec && $keyUsage){ $parameters['KeySpec'] = $keySpec; $parameters['KeyUsage'] = $keyUsage; } try { $result = $this->client->createKey($parameters); return $result['KeyMetadata']; }catch(KmsException $caught){ // Check for error specific to createKey operations if ($caught->getAwsErrorMessage() == "LimitExceededException"){ echo "The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide."; } throw $caught; } } /*** * @param string $keyId * @param string $ciphertext * @param string $algorithm * @return Result */ public function decrypt(string $keyId, string $ciphertext, string $algorithm = "SYMMETRIC_DEFAULT") { try{ return $this->client->decrypt([ 'CiphertextBlob' => $ciphertext, 'EncryptionAlgorithm' => $algorithm, 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem decrypting the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @param string $text * @return Result */ public function encrypt(string $keyId, string $text) { try { return $this->client->encrypt([ 'KeyId' => $keyId, 'Plaintext' => $text, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "DisabledException"){ echo "The request was rejected because the specified KMS key is not enabled.\n"; } throw $caught; } } /*** * @param string $keyId * @param int $limit * @return ResultPaginator */ public function listAliases(string $keyId = "", int $limit = 0) { $args = []; if($keyId){ $args['KeyId'] = $keyId; } if($limit){ $args['Limit'] = $limit; } try{ return $this->client->getPaginator("ListAliases", $args); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidMarkerException"){ echo "The request was rejected because the marker that specifies where pagination should next begin is not valid.\n"; } throw $caught; } } /*** * @param string $keyId * @param string $alias * @return void */ public function createAlias(string $keyId, string $alias) { try{ $this->client->createAlias([ 'TargetKeyId' => $keyId, 'AliasName' => $alias, ]); }catch (KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidAliasNameException"){ echo "The request was rejected because the specified alias name is not valid."; } throw $caught; } } /*** * @param string $keyId * @param string $granteePrincipal * @param array $operations * @param array $grantTokens * @return Result */ public function createGrant(string $keyId, string $granteePrincipal, array $operations, array $grantTokens = []) { $args = [ 'KeyId' => $keyId, 'GranteePrincipal' => $granteePrincipal, 'Operations' => $operations, ]; if($grantTokens){ $args['GrantTokens'] = $grantTokens; } try{ return $this->client->createGrant($args); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidGrantTokenException"){ echo "The request was rejected because the specified grant token is not valid.\n"; } throw $caught; } } /*** * @param string $keyId * @return array */ public function describeKey(string $keyId) { try { $result = $this->client->describeKey([ "KeyId" => $keyId, ]); return $result['KeyMetadata']; }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo "The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } /*** * @param string $keyId * @return void */ public function disableKey(string $keyId) { try { $this->client->disableKey([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem disabling the key: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @return void */ public function enableKey(string $keyId) { try { $this->client->enableKey([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo "The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } /*** * @return array */ public function listKeys() { try { $contents = []; $paginator = $this->client->getPaginator("ListKeys"); foreach($paginator as $result){ foreach ($result['Content'] as $object) { $contents[] = $object; } } return $contents; }catch(KmsException $caught){ echo "There was a problem listing the keys: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @return Result */ public function listGrants(string $keyId) { try{ return $this->client->listGrants([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo " The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } /*** * @param string $keyId * @return Result */ public function getKeyPolicy(string $keyId) { try { return $this->client->getKeyPolicy([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem getting the key policy: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $grantId * @param string $keyId * @return void */ public function revokeGrant(string $grantId, string $keyId) { try{ $this->client->revokeGrant([ 'GrantId' => $grantId, 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem with revoking the grant: {$caught->getAwsErrorMessage()}.\n"; throw $caught; } } /*** * @param string $keyId * @param int $pendingWindowInDays * @return void */ public function scheduleKeyDeletion(string $keyId, int $pendingWindowInDays = 7) { try { $this->client->scheduleKeyDeletion([ 'KeyId' => $keyId, 'PendingWindowInDays' => $pendingWindowInDays, ]); }catch(KmsException $caught){ echo "There was a problem scheduling the key deletion: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @param array $tags * @return void */ public function tagResource(string $keyId, array $tags) { try { $this->client->tagResource([ 'KeyId' => $keyId, 'Tags' => $tags, ]); }catch(KmsException $caught){ echo "There was a problem applying the tag(s): {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @param string $message * @param string $algorithm * @return Result */ public function sign(string $keyId, string $message, string $algorithm) { try { return $this->client->sign([ 'KeyId' => $keyId, 'Message' => $message, 'SigningAlgorithm' => $algorithm, ]); }catch(KmsException $caught){ echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @param int $rotationPeriodInDays * @return void */ public function enableKeyRotation(string $keyId, int $rotationPeriodInDays = 365) { try{ $this->client->enableKeyRotation([ 'KeyId' => $keyId, 'RotationPeriodInDays' => $rotationPeriodInDays, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo "The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } /*** * @param string $keyId * @param string $policy * @return void */ public function putKeyPolicy(string $keyId, string $policy) { try { $this->client->putKeyPolicy([ 'KeyId' => $keyId, 'Policy' => $policy, ]); }catch(KmsException $caught){ echo "There was a problem replacing the key policy: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $aliasName * @return void */ public function deleteAlias(string $aliasName) { try { $this->client->deleteAlias([ 'AliasName' => $aliasName, ]); }catch(KmsException $caught){ echo "There was a problem deleting the alias: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } /*** * @param string $keyId * @param string $message * @param string $signature * @param string $signingAlgorithm * @return bool */ public function verify(string $keyId, string $message, string $signature, string $signingAlgorithm) { try { $result = $this->client->verify([ 'KeyId' => $keyId, 'Message' => $message, 'Signature' => $signature, 'SigningAlgorithm' => $signingAlgorithm, ]); return $result['SignatureValid']; }catch(KmsException $caught){ echo "There was a problem verifying the signature: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } } ``` + 如需 API 詳細資訊,請參閱《*適用於 PHP 的 AWS SDK API 參考*》中的下列主題。 + [CreateAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateAlias) + [CreateGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateGrant) + [CreateKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateKey) + [解密](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt) + [DescribeKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DescribeKey) + [DisableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKey) + [EnableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKey) + [加密](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Encrypt) + [GetKeyPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GetKeyPolicy) + [ListAliases](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListAliases) + [ListGrants](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListGrants) + [ListKeys](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys) + [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RevokeGrant) + [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ScheduleKeyDeletion) + [符號](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Sign) + [TagResource](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/TagResource) ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KMSScenario: """Runs an interactive scenario that shows how to get started with KMS.""" def __init__( self, key_manager: KeyManager, key_encryption: KeyEncrypt, alias_manager: AliasManager, grant_manager: GrantManager, key_policy: KeyPolicy, ): self.key_manager = key_manager self.key_encryption = key_encryption self.alias_manager = alias_manager self.grant_manager = grant_manager self.key_policy = key_policy self.key_id = "" self.alias_name = "" self.asymmetric_key_id = "" def kms_scenario(self): key_description = "Created by the AWS KMS API" print(DASHES) print( """ Welcome to the AWS Key Management SDK Basics scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Python (Boto3). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Basics scenario creates two key types: - A symmetric encryption key is used to encrypt and decrypt data. - An asymmetric key used to digitally sign data. Let's get started... """ ) q.ask("Press Enter to continue...") print(DASHES) print(f"1. Create a symmetric KMS key\n") print( f"First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data." ) q.ask("Press Enter to continue...") self.key_id = self.key_manager.create_key(key_description)["KeyId"] print(f"A symmetric key was successfully created {self.key_id}.") q.ask("Press Enter to continue...") print(DASHES) print( """ 2. Enable a KMS key By default, when the SDK creates an AWS key, it is enabled. The next bit of code checks to determine if the key is enabled. """ ) q.ask("Press Enter to continue...") is_enabled = self.is_key_enabled(self.key_id) print(f"Is the key enabled? {is_enabled}") if not is_enabled: self.key_manager.enable_key(self.key_id) q.ask("Press Enter to continue...") print(DASHES) print(f"3. Encrypt data using the symmetric KMS key") plain_text = "Hello, AWS KMS!" print( f""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string "{plain_text}" with the SYMMETRIC_DEFAULT encryption algorithm. """ ) q.ask("Press Enter to continue...") encrypted_text = self.key_encryption.encrypt(self.key_id, plain_text) print(DASHES) print(f"4. Create an alias") print( """ Now, the program will create an alias for the KMS key. An alias is a friendly name that you can associate with a KMS key. The alias name should be prefixed with 'alias/'. """ ) alias_name = q.ask("Enter an alias name: ", q.non_empty) self.alias_manager.create_alias(self.key_id, alias_name) print(f"{alias_name} was successfully created.") self.alias_name = alias_name print(DASHES) print(f"5. List all of your aliases") q.ask("Press Enter to continue...") self.alias_manager.list_aliases(10) q.ask("Press Enter to continue...") print(DASHES) print(f"6. Enable automatic rotation of the KMS key") print( """ By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """ ) q.ask("Press Enter to continue...") self.key_manager.enable_key_rotation(self.key_id) print(DASHES) print(f"Key rotation has been enabled for key with id {self.key_id}") print( """ 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """ ) print( """ To create a grant you must specify a account_id. To specify the grantee account_id, use the Amazon Resource Name (ARN) of an AWS account_id. Valid principals include AWS accounts, IAM users, IAM roles, federated users, and assumed role users. """ ) account_id = q.ask( "Enter an account_id, or press enter to skip creating a grant... " ) grant = None if account_id != "": grant = self.grant_manager.create_grant( self.key_id, account_id, [ "Encrypt", "Decrypt", "DescribeKey", ], ) print(f"Grant created successfully with ID: {grant['GrantId']}") q.ask("Press Enter to continue...") print(DASHES) print(DASHES) print(f"8. List grants for the KMS key") q.ask("Press Enter to continue...") self.grant_manager.list_grants(self.key_id) q.ask("Press Enter to continue...") print(DASHES) print(f"9. Revoke the grant") print( """ The revocation of a grant immediately removes the permissions and access that the grant had provided. This means that any account_id (user, role, or service) that was granted access to perform specific KMS operations on a KMS key will no longer be able to perform those operations. """ ) q.ask("Press Enter to continue...") if grant is not None: self.grant_manager.revoke_grant(self.key_id, grant["GrantId"]) print(f"Grant ID: {grant['GrantId']} was successfully revoked!") q.ask("Press Enter to continue...") print(DASHES) print(f"10. Decrypt the data\n") print( """ Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """ ) q.ask("Press Enter to continue...") decrypted_data = self.key_encryption.decrypt(self.key_id, encrypted_text) print(f"Data decrypted successfully for key ID: {self.key_id}") print(f"Decrypted data: {decrypted_data}") q.ask("Press Enter to continue...") print(DASHES) print(f"11. Replace a key policy\n") print( """ A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] } """ ) account_id = q.ask("Enter your account ID or press enter to skip: ") if account_id != "": policy = { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*", } ], } self.key_policy.set_new_policy(self.key_id, policy) print("Key policy replacement succeeded.") q.ask("Press Enter to continue...") else: print("Skipping replacing the key policy.") print(DASHES) print(f"12. Get the key policy\n") print( f"The next bit of code that runs gets the key policy to make sure it exists." ) q.ask("Press Enter to continue...") policy = self.key_policy.get_policy(self.key_id) print(f"The key policy is: {policy}") q.ask("Press Enter to continue...") print(DASHES) print(f"13. Create an asymmetric KMS key and sign your data\n") print( """ Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """ ) q.ask("Press Enter to continue...") print(f"Sign and verify data operation succeeded.") self.asymmetric_key_id = self.key_manager.create_asymmetric_key() message = "Here is the message that will be digitally signed" signature = self.key_encryption.sign(self.asymmetric_key_id, message) if self.key_encryption.verify(self.asymmetric_key_id, message, signature): print("Signature verification succeeded.") else: print("Signature verification failed.") q.ask("Press Enter to continue...") print(DASHES) print(f"14. Tag your symmetric KMS Key\n") print( """ By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """ ) q.ask("Press Enter to continue...") self.key_manager.tag_resource(self.key_id, "Environment", "Production") self.clean_up() def is_key_enabled(self, key_id: str) -> bool: """ Check if the key is enabled or not. :param key_id: The key to check. :return: True if the key is enabled, otherwise False. """ response = self.key_manager.describe_key(key_id) return response["Enabled"] is True def clean_up(self): """ Delete resources created by this scenario. """ if self.alias_name != "": print(f"Deleting the alias {self.alias_name}.") self.alias_manager.delete_alias(self.alias_name) window = 7 # The window in days for a scheduled deletion. if self.key_id != "": print( """ Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. """ ) if q.ask( f"Do you want to delete the key with ID {self.key_id} (y/n)?", q.is_yesno, ): print( f"The key {self.key_id} will be deleted with a window of {window} days. You can cancel the deletion before" ) print("the window expires.") self.key_manager.delete_key(self.key_id, window) self.key_id = "" if self.asymmetric_key_id != "": if q.ask( f"Do you want to delete the asymmetric key with ID {self.asymmetric_key_id} (y/n)?", q.is_yesno, ): print( f"The key {self.asymmetric_key_id} will be deleted with a window of {window} days. You can cancel the deletion before" ) print("the window expires.") self.key_manager.delete_key(self.asymmetric_key_id, window) self.asymmetric_key_id = "" if __name__ == "__main__": kms_scenario = None try: kms_client = boto3.client("kms") a_key_manager = KeyManager(kms_client) a_key_encrypt = KeyEncrypt(kms_client) an_alias_manager = AliasManager(kms_client) a_grant_manager = GrantManager(kms_client) a_key_policy = KeyPolicy(kms_client) kms_scenario = KMSScenario( key_manager=a_key_manager, key_encryption=a_key_encrypt, alias_manager=an_alias_manager, grant_manager=a_grant_manager, key_policy=a_key_policy, ) kms_scenario.kms_scenario() except Exception: logging.exception("Something went wrong with the demo!") if kms_scenario is not None: kms_scenario.clean_up() ``` 適用於 KMS 金鑰管理的包裝函式類別和方法。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_key(self, key_description: str) -> dict[str, any]: """ Creates a key with a user-provided description. :param key_description: A description for the key. :return: The key ID. """ try: key = self.kms_client.create_key(Description=key_description)["KeyMetadata"] self.created_keys.append(key) return key except ClientError as err: logging.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise def describe_key(self, key_id: str) -> dict[str, any]: """ Describes a key. :param key_id: The ARN or ID of the key to describe. :return: Information about the key. """ try: key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"] return key except ClientError as err: logging.error( "Couldn't get key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def enable_key_rotation(self, key_id: str) -> None: """ Enables rotation for a key. :param key_id: The ARN or ID of the key to enable rotation for. """ try: self.kms_client.enable_key_rotation(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable rotation for key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def create_asymmetric_key(self) -> str: """ Creates an asymmetric key in AWS KMS for signing messages. :return: The ID of the created key. """ try: key = self.kms_client.create_key( KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY", Origin="AWS_KMS" )["KeyMetadata"] self.created_keys.append(key) return key["KeyId"] except ClientError as err: logger.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None: """ Add or edit tags on a customer managed key. :param key_id: The ARN or ID of the key to enable rotation for. :param tag_key: Key for the tag. :param tag_value: Value for the tag. """ try: self.kms_client.tag_resource( KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}] ) except ClientError as err: logging.error( "Couldn't add a tag for the key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def delete_key(self, key_id: str, window: int) -> None: """ Deletes a list of keys. Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. :param key_id: The ARN or ID of the key to delete. :param window: The waiting period, in days, before the KMS key is deleted. """ try: self.kms_client.schedule_key_deletion( KeyId=key_id, PendingWindowInDays=window ) except ClientError as err: logging.error( "Couldn't delete key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` 適用於 KMS 金鑰別名的包裝函式類別和方法。 ``` class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_alias(self, key_id: str, alias: str) -> None: """ Creates an alias for the specified key. :param key_id: The ARN or ID of a key to give an alias. :param alias: The alias to assign to the key. """ try: self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id) except ClientError as err: if err.response["Error"]["Code"] == "AlreadyExistsException": logger.error( "Could not create the alias %s because it already exists.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise def list_aliases(self, page_size: int) -> None: """ Lists aliases for the current account. :param page_size: The number of aliases to list per page. """ try: alias_paginator = self.kms_client.get_paginator("list_aliases") for alias_page in alias_paginator.paginate( PaginationConfig={"PageSize": page_size} ): print(f"Here are {page_size} aliases:") pprint(alias_page["Aliases"]) if alias_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} aliases (y/n)? " ) if answer.lower() != "y": break else: print("That's all your aliases!") except ClientError as err: logging.error( "Couldn't list your aliases. Here's why: %s", err.response["Error"]["Message"], ) raise def delete_alias(self, alias: str) -> None: """ Deletes an alias. :param alias: The alias to delete. """ try: self.kms_client.delete_alias(AliasName=alias) except ClientError as err: logger.error( "Couldn't delete alias %s. Here's why: %s", alias, err.response["Error"]["Message"], ) raise ``` 適用於 KMS 金鑰加密的包裝函式類別和方法。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def encrypt(self, key_id: str, text: str) -> bytes: """ Encrypts text by using the specified key. :param key_id: The ARN or ID of the key to use for encryption. :param text: The text to encrypt. :return: The encrypted version of the text. """ try: response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode()) print( f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}" ) return response["CiphertextBlob"] except ClientError as err: if err.response["Error"]["Code"] == "DisabledException": logger.error( "Could not encrypt because the key %s is disabled.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise def decrypt(self, key_id: str, cipher_text: bytes) -> str: """ Decrypts text previously encrypted with a key. :param key_id: The ARN or ID of the key used to decrypt the data. :param cipher_text: The encrypted text to decrypt. :return: The decrypted text. """ try: return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[ "Plaintext" ].decode() except ClientError as err: logger.error( "Couldn't decrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) raise def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise def verify(self, key_id: str, message: str, signature: str) -> bool: """ Verifies a signature against a message. :param key_id: The ARN or ID of the key used to sign the message. :param message: The message to verify. :param signature: The signature to verify. :return: True when the signature matches the message, otherwise False. """ try: response = self.kms_client.verify( KeyId=key_id, Message=message.encode(), Signature=signature, SigningAlgorithm="RSASSA_PSS_SHA_256", ) valid = response["SignatureValid"] print(f"The signature is {'valid' if valid else 'invalid'}.") return valid except ClientError as err: if err.response["Error"]["Code"] == "SignatureDoesNotMatchException": print("The signature is not valid.") else: logger.error( "Couldn't verify your signature. Here's why: %s", err.response["Error"]["Message"], ) raise ``` 適用於 KMS 金鑰授權的包裝函式類別和方法。 ``` class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_grant( self, key_id: str, principal: str, operations: [str] ) -> dict[str, str]: """ Creates a grant for a key that lets a principal generate a symmetric data encryption key. :param key_id: The ARN or ID of the key. :param principal: The principal to grant permission to. :param operations: The operations to grant permission for. :return: The grant that is created. """ try: return self.kms_client.create_grant( KeyId=key_id, GranteePrincipal=principal, Operations=operations, ) except ClientError as err: logger.error( "Couldn't create a grant on key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def list_grants(self, key_id): """ Lists grants for a key. :param key_id: The ARN or ID of the key to query. :return: The grants for the key. """ try: paginator = self.kms_client.get_paginator("list_grants") grants = [] page_iterator = paginator.paginate(KeyId=key_id) for page in page_iterator: grants.extend(page["Grants"]) print(f"Grants for key {key_id}:") pprint(grants) return grants except ClientError as err: logger.error( "Couldn't list grants for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise def revoke_grant(self, key_id: str, grant_id: str) -> None: """ Revokes a grant so that it can no longer be used. :param key_id: The ARN or ID of the key associated with the grant. :param grant_id: The ID of the grant to revoke. """ try: self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id) except ClientError as err: logger.error( "Couldn't revoke grant %s. Here's why: %s", grant_id, err.response["Error"]["Message"], ) raise ``` 適用於 KMS 金鑰政策的包裝函式類別和方法。 ``` class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def set_new_policy(self, key_id: str, policy: dict[str, any]) -> None: """ Sets the policy of a key. Setting a policy entirely overwrites the existing policy, so care is taken to add a statement to the existing list of statements rather than simply writing a new policy. :param key_id: The ARN or ID of the key to set the policy to. :param policy: A new key policy. The key policy must allow the calling principal to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable """ try: self.kms_client.put_key_policy(KeyId=key_id, Policy=json.dumps(policy)) except ClientError as err: logger.error( "Couldn't set policy for key %s. Here's why %s", key_id, err.response["Error"]["Message"], ) raise def get_policy(self, key_id: str) -> dict[str, str]: """ Gets the policy of a key. :param key_id: The ARN or ID of the key to query. :return: The key policy as a dict. """ if key_id != "": try: response = self.kms_client.get_key_policy( KeyId=key_id, ) policy = json.loads(response["Policy"]) except ClientError as err: logger.error( "Couldn't get policy for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise else: pprint(policy) return policy else: print("Skipping get policy demo.") ``` + 如需 API 詳細資訊,請參閱《適用於 Python (Boto3) 的AWS SDK API 參考》**中的下列主題。 + [CreateAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateAlias) + [CreateGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateGrant) + [CreateKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateKey) + [解密](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt) + [DescribeKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DescribeKey) + [DisableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKey) + [EnableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKey) + [加密](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Encrypt) + [GetKeyPolicy](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetKeyPolicy) + [ListAliases](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListAliases) + [ListGrants](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListGrants) + [ListKeys](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeys) + [RevokeGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RevokeGrant) + [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ScheduleKeyDeletion) + [符號](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Sign) + [TagResource](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/TagResource) ------ # AWS KMS 使用 AWS SDKs的動作 下列程式碼範例示範如何使用 AWS SDKs執行個別 AWS KMS 動作。每個範例均包含 GitHub 的連結,您可以在連結中找到設定和執行程式碼的相關說明。 這些摘錄會呼叫 AWS KMS API,是必須在內容中執行之大型程式的程式碼摘錄。您可以在 [AWS KMS 使用 AWS SDKs案例](kms_code_examples_scenarios.md) 中查看內容中的動作。 下列範例僅包含最常使用的動作。如需完整清單,請參閱《[AWS Key Management Service API 參考](https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html)》。 **Topics** + [`CreateAlias`](kms_example_kms_CreateAlias_section.md) + [`CreateGrant`](kms_example_kms_CreateGrant_section.md) + [`CreateKey`](kms_example_kms_CreateKey_section.md) + [`Decrypt`](kms_example_kms_Decrypt_section.md) + [`DeleteAlias`](kms_example_kms_DeleteAlias_section.md) + [`DescribeKey`](kms_example_kms_DescribeKey_section.md) + [`DisableKey`](kms_example_kms_DisableKey_section.md) + [`EnableKey`](kms_example_kms_EnableKey_section.md) + [`EnableKeyRotation`](kms_example_kms_EnableKeyRotation_section.md) + [`Encrypt`](kms_example_kms_Encrypt_section.md) + [`GenerateDataKey`](kms_example_kms_GenerateDataKey_section.md) + [`GenerateDataKeyWithoutPlaintext`](kms_example_kms_GenerateDataKeyWithoutPlaintext_section.md) + [`GenerateRandom`](kms_example_kms_GenerateRandom_section.md) + [`GetKeyPolicy`](kms_example_kms_GetKeyPolicy_section.md) + [`ListAliases`](kms_example_kms_ListAliases_section.md) + [`ListGrants`](kms_example_kms_ListGrants_section.md) + [`ListKeyPolicies`](kms_example_kms_ListKeyPolicies_section.md) + [`ListKeys`](kms_example_kms_ListKeys_section.md) + [`PutKeyPolicy`](kms_example_kms_PutKeyPolicy_section.md) + [`ReEncrypt`](kms_example_kms_ReEncrypt_section.md) + [`RetireGrant`](kms_example_kms_RetireGrant_section.md) + [`RevokeGrant`](kms_example_kms_RevokeGrant_section.md) + [`ScheduleKeyDeletion`](kms_example_kms_ScheduleKeyDeletion_section.md) + [`Sign`](kms_example_kms_Sign_section.md) + [`TagResource`](kms_example_kms_TagResource_section.md) + [`UpdateAlias`](kms_example_kms_UpdateAlias_section.md) + [`Verify`](kms_example_kms_Verify_section.md) # `CreateAlias` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `CreateAlias`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// Creates an alias for an AWS Key Management Service (AWS KMS) key. /// public class CreateAlias { public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); // The alias name must start with alias/ and can be // up to 256 alphanumeric characters long. var aliasName = "alias/ExampleAlias"; // The value supplied as the TargetKeyId can be either // the key ID or key Amazon Resource Name (ARN) of the // AWS KMS key. var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab"; var request = new CreateAliasRequest { AliasName = aliasName, TargetKeyId = keyId, }; var response = await client.CreateAliasAsync(request); if (response.HttpStatusCode == System.Net.HttpStatusCode.OK) { Console.WriteLine($"Alias, {aliasName}, successfully created."); } else { Console.WriteLine($"Could not create alias."); } } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [CreateAlias](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateAlias)。 ------ #### [ CLI ] **AWS CLI** **建立 KMS 金鑰的別名** 下列 `create-alias` 命令會為金鑰 ID `1234abcd-12ab-34cd-56ef-1234567890ab` 所識別的 KMS 金鑰建立一個名為 `example-alias` 的別名。 別名的開頭不可為 `alias/`。請勿使用以 開頭的別名;`alias/aws`這些名稱會保留供 使用 AWS。 ``` aws kms create-alias \ --alias-name alias/example-alias \ --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會傳回任何輸出。若要查看新的別名,請使用 `list-aliases` 命令。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[使用別名](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Creates a custom alias for the specified target key asynchronously. * * @param targetKeyId the ID of the target key for the alias * @param aliasName the name of the alias to create * @return a {@link CompletableFuture} that completes when the alias creation operation is finished */ public CompletableFuture createCustomAliasAsync(String targetKeyId, String aliasName) { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); CompletableFuture responseFuture = getAsyncClient().createAlias(aliasRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("{} was successfully created.", aliasName); } else { if (exception instanceof ResourceExistsException) { logger.info("Alias [{}] already exists. Moving on...", aliasName); } else if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while creating alias: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while creating alias: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [CreateAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateAlias)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun createCustomAlias( targetKeyIdVal: String?, aliasNameVal: String?, ) { val request = CreateAliasRequest { aliasName = aliasNameVal targetKeyId = targetKeyIdVal } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> kmsClient.createAlias(request) println("$aliasNameVal was successfully created") } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [CreateAlias](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $alias * @return void */ public function createAlias(string $keyId, string $alias) { try{ $this->client->createAlias([ 'TargetKeyId' => $keyId, 'AliasName' => $alias, ]); }catch (KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidAliasNameException"){ echo "The request was rejected because the specified alias name is not valid."; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [CreateAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateAlias)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_alias(self, key_id: str, alias: str) -> None: """ Creates an alias for the specified key. :param key_id: The ARN or ID of a key to give an alias. :param alias: The alias to assign to the key. """ try: self.kms_client.create_alias(AliasName=alias, TargetKeyId=key_id) except ClientError as err: if err.response["Error"]["Code"] == "AlreadyExistsException": logger.error( "Could not create the alias %s because it already exists.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [CreateAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateAlias)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_alias_name = 'alias/my-key-alias' " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' lo_kms->createalias( iv_aliasname = iv_alias_name iv_targetkeyid = iv_key_id ). MESSAGE 'Alias created successfully.' TYPE 'I'. CATCH /aws1/cx_kmsalreadyexistsex. MESSAGE 'Alias already exists.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmsinvalidaliasnameex. MESSAGE 'Invalid alias name.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `CreateGrant` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `CreateGrant`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); // The identity that is given permission to perform the operations // specified in the grant. var grantee = "arn:aws:iam::111122223333:role/ExampleRole"; // The identifier of the AWS KMS key to which the grant applies. You // can use the key ID or the Amazon Resource Name (ARN) of the KMS key. var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4"; var request = new CreateGrantRequest { GranteePrincipal = grantee, KeyId = keyId, // A list of operations that the grant allows. Operations = new List { "Encrypt", "Decrypt", }, }; var response = await client.CreateGrantAsync(request); string grantId = response.GrantId; // The unique identifier of the grant. string grantToken = response.GrantToken; // The grant token. Console.WriteLine($"Id: {grantId}, Token: {grantToken}"); } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [CreateGrant](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateGrant)。 ------ #### [ CLI ] **AWS CLI** **建立授權** 下列 `create-grant` 範例會建立授權,其允許 `exampleUser` 使用者在 `1234abcd-12ab-34cd-56ef-1234567890ab` 範例 KMS 金鑰上使用 `decrypt` 命令。淘汰主體是 `adminRole` 角色。授權使用 `EncryptionContextSubset` 授權限制條件,允許只在 `decrypt` 請求中的加密內容包含 `"Department": "IT"` 鍵值對時,才授予此權限。 ``` aws kms create-grant \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --grantee-principal arn:aws:iam::123456789012:user/exampleUser \ --operations Decrypt \ --constraints EncryptionContextSubset={Department=IT} \ --retiring-principal arn:aws:iam::123456789012:role/adminRole ``` 輸出: ``` { "GrantId": "1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2", "GrantToken": "" } ``` 若要檢視授權的詳細資訊,請使用 `list-grants` 命令。 如需詳細資訊,請參閱 *AWS Key Management Service 開發人員指南*中的 [AWS KMS 中的授權](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateGrant](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-grant.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Grants permissions to a specified principal on a customer master key (CMK) asynchronously. * * @param keyId The unique identifier for the customer master key (CMK) that the grant applies to. * @param granteePrincipal The principal that is given permission to perform the operations that the grant permits on the CMK. * @return A {@link CompletableFuture} that, when completed, contains the ID of the created grant. * @throws RuntimeException If an error occurs during the grant creation process. */ public CompletableFuture grantKeyAsync(String keyId, String granteePrincipal) { List grantPermissions = List.of( GrantOperation.ENCRYPT, GrantOperation.DECRYPT, GrantOperation.DESCRIBE_KEY ); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CompletableFuture responseFuture = getAsyncClient().createGrant(grantRequest); responseFuture.whenComplete((response, ex) -> { if (ex == null) { logger.info("Grant created successfully with ID: " + response.grantId()); } else { if (ex instanceof KmsException kmsEx) { throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage(), ex); } } }); return responseFuture.thenApply(CreateGrantResponse::grantId); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [CreateGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateGrant)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun createNewGrant( keyIdVal: String?, granteePrincipalVal: String?, operation: String, ): String? { val operationOb = GrantOperation.fromValue(operation) val grantOperationList = ArrayList() grantOperationList.add(operationOb) val request = CreateGrantRequest { keyId = keyIdVal granteePrincipal = granteePrincipalVal operations = grantOperationList } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.createGrant(request) return response.grantId } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [CreateGrant](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $granteePrincipal * @param array $operations * @param array $grantTokens * @return Result */ public function createGrant(string $keyId, string $granteePrincipal, array $operations, array $grantTokens = []) { $args = [ 'KeyId' => $keyId, 'GranteePrincipal' => $granteePrincipal, 'Operations' => $operations, ]; if($grantTokens){ $args['GrantTokens'] = $grantTokens; } try{ return $this->client->createGrant($args); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidGrantTokenException"){ echo "The request was rejected because the specified grant token is not valid.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [CreateGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateGrant)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_grant( self, key_id: str, principal: str, operations: [str] ) -> dict[str, str]: """ Creates a grant for a key that lets a principal generate a symmetric data encryption key. :param key_id: The ARN or ID of the key. :param principal: The principal to grant permission to. :param operations: The operations to grant permission for. :return: The grant that is created. """ try: return self.kms_client.create_grant( KeyId=key_id, GranteePrincipal=principal, Operations=operations, ) except ClientError as err: logger.error( "Couldn't create a grant on key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [CreateGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateGrant)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_grantee_principal = 'arn:aws:iam::123456789012:role/my-role' " it_operations contains 'Encrypt', 'Decrypt', 'GenerateDataKey' oo_result = lo_kms->creategrant( iv_keyid = iv_key_id iv_granteeprincipal = iv_grantee_principal it_operations = it_operations ). MESSAGE 'Grant created successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateGrant](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `CreateKey` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `CreateKey`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) + [使用資料表加密](kms_example_dynamodb_Scenario_EncryptionExamples_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// Shows how to create a new AWS Key Management Service (AWS KMS) /// key. /// public class CreateKey { public static async Task Main() { // Note that if you need to create a Key in an AWS Region // other than the Region defined for the default user, you need to // pass the Region to the client constructor. var client = new AmazonKeyManagementServiceClient(); // The call to CreateKeyAsync will create a symmetrical AWS KMS // key. For more information about symmetrical and asymmetrical // keys, see: // // https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html var response = await client.CreateKeyAsync(new CreateKeyRequest()); // The KeyMetadata object contains information about the new AWS KMS key. KeyMetadata keyMetadata = response.KeyMetadata; if (keyMetadata is not null) { Console.WriteLine($"KMS Key: {keyMetadata.KeyId} was successfully created."); } else { Console.WriteLine("Could not create KMS Key."); } } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [CreateKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateKey)。 ------ #### [ CLI ] **AWS CLI** **範例 1:在 KMS 中建立客戶受管 AWS KMS 金鑰** 以下 `create-key` 範例會建立對稱加密 KMS 金鑰。 若要建立基本 KMS 金鑰 (對稱加密金鑰),您不需要指定任何參數。這些參數的預設值會建立對稱加密金鑰。 由於此命令未指定金鑰政策,KMS 金鑰會取得適用於以程式設計方式建立之 KMS 金鑰的[預設金鑰政策](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)。若要檢視金鑰政策,請使用 `get-key-policy` 命令。若要變更金鑰政策,請使用 `put-key-policy` 命令。 ``` aws kms create-key ``` `create-key` 命令會傳回金鑰中繼資料,包括新 KMS 金鑰的金鑰 ID 和 ARN。您可以使用這些值來識別其他 KMS 操作中的 AWS KMS 金鑰。輸出不包含標籤。若要檢視 KMS 金鑰的標籤,請使用 `list-resource-tags command`。 輸出: ``` { "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2017-07-05T14:04:55-07:00", "CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_KMS" "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ] } } ``` 注意:`create-key` 命令不允許您指定別名。若要為新的 KMS 金鑰建立別名,請使用 `create-alias` 命令。 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[建立金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html)。 **範例 2:建立用於加密和解密的非對稱 RSA KMS 金鑰** 下列 `create-key` 範例會建立 KMS 金鑰,其中包含用於加密和解密的非對稱 RSA 金鑰對。建立金鑰之後,就無法變更金鑰規格和金鑰用量: ``` aws kms create-key \ --key-spec RSA_4096 \ --key-usage ENCRYPT_DECRYPT ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2021-04-05T14:04:55-07:00", "CustomerMasterKeySpec": "RSA_4096", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "RSA_4096", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_KMS" } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * **範例 3:建立用於簽署和驗證的非對稱橢圓曲線 KMS 金鑰** 建立非對稱 KMS 金鑰,其中包含用於簽署和驗證的非對稱橢圓曲線 (ECC) 金鑰對。即使 `SIGN_VERIFY` 是 ECC KMS 金鑰的唯一有效值,仍需要 `--key-usage` 參數。建立金鑰之後,就無法變更金鑰規格和金鑰用量: ``` aws kms create-key \ --key-spec ECC_NIST_P521 \ --key-usage SIGN_VERIFY ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "ECC_NIST_P521", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "ECC_NIST_P521", "KeyState": "Enabled", "KeyUsage": "SIGN_VERIFY", "MultiRegion": false, "Origin": "AWS_KMS", "SigningAlgorithms": [ "ECDSA_SHA_512" ] } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * **範例 4:建立用於簽署和驗證的非對稱 ML-DSA KMS 金鑰** 此範例會建立用於簽署和驗證的模組格線數位簽章演算法 (ML-DSA) 金鑰。即使 `SIGN_VERIFY` 是 ML-DSA 金鑰的唯一有效值,仍需要 key-usage 參數。 ``` aws kms create-key \ --key-spec ML_DSA_65 \ --key-usage SIGN_VERIFY ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2019-12-02T07:48:55-07:00", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "ML_DSA_65", "KeyState": "Enabled", "KeyUsage": "SIGN_VERIFY", "MultiRegion": false, "Origin": "AWS_KMS", "SigningAlgorithms": [ "ML_DSA_SHAKE_256" ] } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * **範例 5:建立 HMAC KMS 金鑰** 以下 `create-key` 範例會建立 384 位元 HMAC KMS 金鑰。`--key-usage` 參數的 `GENERATE_VERIFY_MAC` 值是必要的,即使它是 HMAC KMS 金鑰的唯一有效值。 ``` aws kms create-key \ --key-spec HMAC_384 \ --key-usage GENERATE_VERIFY_MAC ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2022-04-05T14:04:55-07:00", "CustomerMasterKeySpec": "HMAC_384", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "HMAC_384", "KeyState": "Enabled", "KeyUsage": "GENERATE_VERIFY_MAC", "MacAlgorithms": [ "HMAC_SHA_384" ], "MultiRegion": false, "Origin": "AWS_KMS" } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的 HMAC](https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html) 金鑰。 *AWS * **範例 6:建立多區域主要 KMS 金鑰** 以下 `create-key` 範例會建立多區域主要對稱加密金鑰。由於所有參數的預設值都會建立對稱加密金鑰,此 KMS 金鑰只需要 `--multi-region` 參數。在 AWS CLI 中,若要指出布林值參數為 true,只要指定參數名稱即可。 ``` aws kms create-key \ --multi-region ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", "AWSAccountId": "111122223333", "CreationDate": "2021-09-02T016:15:21-09:00", "CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "mrk-1234abcd12ab34cd56ef12345678990ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": true, "MultiRegionConfiguration": { "MultiRegionKeyType": "PRIMARY", "PrimaryKey": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", "Region": "us-west-2" }, "ReplicaKeys": [] }, "Origin": "AWS_KMS" } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * **範例 7:為匯入的金鑰材料建立 KMS 金鑰** 下列 `create-key` 範例會建立不含金鑰材料的 KMS 金鑰。完成操作後,您可以將自己的金鑰材料匯入 KMS 金鑰。若要建立此 KMS 金鑰,請將 `--origin` 參數設定為 `EXTERNAL`。 ``` aws kms create-key \ --origin EXTERNAL ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "Description": "", "Enabled": false, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingImport", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "EXTERNAL" } } ``` 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的在 AWS KMS 金鑰中匯入金鑰材料](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)。 *AWS * **範例 6:在 an AWS CloudHSM 金鑰存放區中建立 KMS 金鑰** 下列`create-key`範例會在指定的 AWS CloudHSM 金鑰存放區中建立 KMS 金鑰。操作會在 KMS 中建立 AWS KMS 金鑰及其中繼資料,並在與自訂金鑰存放區相關聯的 AWS CloudHSM 叢集中建立金鑰材料。`--custom-key-store-id` 和 `--origin` 是必要參數。 ``` aws kms create-key \ --origin AWS_CLOUDHSM \ --custom-key-store-id cks-1234567890abcdef0 ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CloudHsmClusterId": "cluster-1a23b4cdefg", "CreationDate": "2019-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "CustomKeyStoreId": "cks-1234567890abcdef0", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "AWS_CLOUDHSM" } } ``` 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的 [AWS CloudHSM 金鑰存放區](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html)。 **範例 8:在外部金鑰存放區中建立 KMS 金鑰** 下列 `create-key` 範例會在指定的外部金鑰存放區中建立 KMS 金鑰。此命令需要用到 `--custom-key-store-id`、`--origin` 和 `--xks-key-id` 參數。 `--xks-key-id` 參數會在外部金鑰管理員中,指定現有對稱加密金鑰的 ID。此金鑰用作 KMS 金鑰的外部金鑰材料。`--origin` 參數的值必須是 `EXTERNAL_KEY_STORE`。`custom-key-store-id` 參數必須識別連接到其外部金鑰存放區代理的外部金鑰存放區。 ``` aws kms create-key \ --origin EXTERNAL_KEY_STORE \ --custom-key-store-id cks-9876543210fedcba9 \ --xks-key-id bb8562717f809024 ``` 輸出: ``` { "KeyMetadata": { "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": "2022-12-02T07:48:55-07:00", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "CustomKeyStoreId": "cks-9876543210fedcba9", "Description": "", "Enabled": true, "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "MultiRegion": false, "Origin": "EXTERNAL_KEY_STORE", "XksKeyConfiguration": { "Id": "bb8562717f809024" } } } ``` 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[外部金鑰存放區](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [CreateKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Creates a new symmetric encryption key asynchronously. * * @param keyDesc the description of the key to be created * @return a {@link CompletableFuture} that completes with the ID of the newly created key * @throws RuntimeException if an error occurs while creating the key */ public CompletableFuture createKeyAsync(String keyDesc) { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .keySpec(KeySpec.SYMMETRIC_DEFAULT) .keyUsage(KeyUsageType.ENCRYPT_DECRYPT) .build(); return getAsyncClient().createKey(keyRequest) .thenApply(resp -> resp.keyMetadata().keyId()) .exceptionally(ex -> { throw new RuntimeException("An error occurred while creating the key: " + ex.getMessage(), ex); }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [CreateKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/CreateKey)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun createKey(keyDesc: String?): String? { val request = CreateKeyRequest { description = keyDesc customerMasterKeySpec = CustomerMasterKeySpec.SymmetricDefault keyUsage = KeyUsageType.fromValue("ENCRYPT_DECRYPT") } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val result = kmsClient.createKey(request) println("Created a customer key with id " + result.keyMetadata?.arn) return result.keyMetadata?.keyId } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [CreateKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keySpec * @param string $keyUsage * @param string $description * @return array */ public function createKey(string $keySpec = "", string $keyUsage = "", string $description = "Created by the SDK for PHP") { $parameters = ['Description' => $description]; if($keySpec && $keyUsage){ $parameters['KeySpec'] = $keySpec; $parameters['KeyUsage'] = $keyUsage; } try { $result = $this->client->createKey($parameters); return $result['KeyMetadata']; }catch(KmsException $caught){ // Check for error specific to createKey operations if ($caught->getAwsErrorMessage() == "LimitExceededException"){ echo "The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide."; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [CreateKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateKey)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def create_key(self, key_description: str) -> dict[str, any]: """ Creates a key with a user-provided description. :param key_description: A description for the key. :return: The key ID. """ try: key = self.kms_client.create_key(Description=key_description)["KeyMetadata"] self.created_keys.append(key) return key except ClientError as err: logging.error( "Couldn't create your key. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [CreateKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateKey)。 ------ #### [ Ruby ] **SDK for Ruby** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples)中設定和執行。 ``` require 'aws-sdk-kms' # v2: require 'aws-sdk' # Create a AWS KMS key. # As long we are only encrypting small amounts of data (4 KiB or less) directly, # a KMS key is fine for our purposes. # For larger amounts of data, # use the KMS key to encrypt a data encryption key (DEK). client = Aws::KMS::Client.new resp = client.create_key({ tags: [ { tag_key: 'CreatedBy', tag_value: 'ExampleUser' } ] }) puts resp.key_metadata.key_id ``` + 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》**中的 [CreateKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/CreateKey)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn make_key(client: &Client) -> Result<(), Error> { let resp = client.create_key().send().await?; let id = resp.key_metadata.as_ref().unwrap().key_id(); println!("Key: {}", id); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [CreateKey](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.create_key)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_description = 'Created by the AWS SDK for SAP ABAP' oo_result = lo_kms->createkey( iv_description = iv_description ). MESSAGE 'KMS key created successfully.' TYPE 'I'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. CATCH /aws1/cx_kmslimitexceededex. MESSAGE 'Limit exceeded for KMS resources.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [CreateKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `Decrypt` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `Decrypt`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **範例 1:使用對稱 KMS 金鑰 (Linux 和 macOS) 將加密的訊息解密** 下列`decrypt`命令範例示範使用 CLI AWS 解密資料的建議方法。此版本示範如何在對稱 KMS 金鑰下解密資料。 在檔案中提供密文。`--ciphertext-blob` 參數的值中,使用 `fileb://` 字首,其會告知 CLI 從二進位檔案讀取資料。如果檔案不在目前的目錄中,請輸入檔案的完整路徑。如需從檔案讀取 AWS CLI 參數值的詳細資訊,請參閱《 *AWS 命令列界面使用者指南*》中的從檔案 載入 AWS CLI 參數,以及《 *AWS 命令列工具部落格*》中的本機檔案參數 的最佳實務。指定 KMS 金鑰以解密加密文字。使用對稱 KMS 金鑰解密時,不需要 `--key-id` 參數。 AWS KMS 可以取得用於加密加密加密加密文字中中繼資料之 KMS 金鑰的金鑰 ID。但是指定您正在使用的 KMS 金鑰永遠是最佳實務。此實務可確保您使用想要的 KMS 金鑰,並防止不小心使用您不信任的 KMS 金鑰來解密加密文字。請求純文字輸出做為文字值。`--query` 參數會告知 CLI 僅從輸出取得 `Plaintext` 欄位的值。`--output` 參數會以純文字傳回輸出。Base64 將純文字解碼,並儲存在檔案中。下列範例會將 `Plaintext` 參數的管道符號 (\$1) 值輸送至 Base64 公用程式,以將其解碼。然後,將解碼的輸出重新導向 (>) 至 `ExamplePlaintext` 檔案。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。 ``` aws kms decrypt \ --ciphertext-blob fileb://ExampleEncryptedFile \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --output text \ --query Plaintext | base64 \ --decode > ExamplePlaintextFile ``` 此命令不會產生輸出。來自 `decrypt` 命令的輸出經過 base64 解碼,並儲存在檔案中。 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的[解密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)。 **範例 2:使用對稱 KMS 金鑰解密加密的訊息 (Windows 命令提示)** 下列範例與上一個範例相同,唯一不同的是它使用 `certutil` 公用程式對純文字資料進行 Base64 解碼。此程序需要兩個命令,如下列範例所示。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。 ``` aws kms decrypt ^ --ciphertext-blob fileb://ExampleEncryptedFile ^ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ^ --output text ^ --query Plaintext > ExamplePlaintextFile.base64 ``` 執行 `certutil` 命令。 ``` certutil -decode ExamplePlaintextFile.base64 ExamplePlaintextFile ``` 輸出: ``` Input Length = 18 Output Length = 12 CertUtil: -decode command completed successfully. ``` 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的[解密](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)。 **範例 3:使用非對稱 KMS 金鑰 (Linux 和 macOS) 解密加密的訊息** 下列 `decrypt` 命令範例示範如何將以 RSA 非對稱 KMS 金鑰加密的資料解密。 使用非對稱 KMS 金鑰時,需要指定用於加密純文字的演算法的 `encryption-algorithm` 參數。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。 ``` aws kms decrypt \ --ciphertext-blob fileb://ExampleEncryptedFile \ --key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \ --encryption-algorithm RSAES_OAEP_SHA_256 \ --output text \ --query Plaintext | base64 \ --decode > ExamplePlaintextFile ``` 此命令不會產生輸出。來自 `decrypt` 命令的輸出經過 base64 解碼,並儲存在檔案中。 如需詳細資訊,請參閱 [Key Management Service 開發人員指南中的 AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [Decrypt](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously decrypts the given encrypted data using the specified key ID. * * @param encryptedData The encrypted data to be decrypted. * @param keyId The ID of the key to be used for decryption. * @return A CompletableFuture that, when completed, will contain the decrypted data as a String. * If an error occurs during the decryption process, the CompletableFuture will complete * exceptionally with the error, and the method will return an empty String. */ public CompletableFuture decryptDataAsync(SdkBytes encryptedData, String keyId) { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().decrypt(decryptRequest); responseFuture.whenComplete((decryptResponse, exception) -> { if (exception == null) { logger.info("Data decrypted successfully for key ID: " + keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while decrypting data: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while decrypting data: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(decryptResponse -> decryptResponse.plaintext().asString(StandardCharsets.UTF_8)); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [Decrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Decrypt)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun encryptData(keyIdValue: String): ByteArray? { val text = "This is the text to encrypt by using the AWS KMS Service" val myBytes: ByteArray = text.toByteArray() val encryptRequest = EncryptRequest { keyId = keyIdValue plaintext = myBytes } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.encrypt(encryptRequest) val algorithm: String = response.encryptionAlgorithm.toString() println("The encryption algorithm is $algorithm") // Return the encrypted data. return response.ciphertextBlob } } suspend fun decryptData( encryptedDataVal: ByteArray?, keyIdVal: String?, ) { val decryptRequest = DecryptRequest { ciphertextBlob = encryptedDataVal keyId = keyIdVal } KmsClient { region = "us-west-2" }.use { kmsClient -> val decryptResponse = kmsClient.decrypt(decryptRequest) val myVal = decryptResponse.plaintext // Print the decrypted data. print(myVal) } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [Decrypt](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $ciphertext * @param string $algorithm * @return Result */ public function decrypt(string $keyId, string $ciphertext, string $algorithm = "SYMMETRIC_DEFAULT") { try{ return $this->client->decrypt([ 'CiphertextBlob' => $ciphertext, 'EncryptionAlgorithm' => $algorithm, 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem decrypting the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [Decrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def decrypt(self, key_id: str, cipher_text: bytes) -> str: """ Decrypts text previously encrypted with a key. :param key_id: The ARN or ID of the key used to decrypt the data. :param cipher_text: The encrypted text to decrypt. :return: The decrypted text. """ try: return self.kms_client.decrypt(KeyId=key_id, CiphertextBlob=cipher_text)[ "Plaintext" ].decode() except ClientError as err: logger.error( "Couldn't decrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [Decrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt)。 ------ #### [ Ruby ] **SDK for Ruby** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples)中設定和執行。 ``` require 'aws-sdk-kms' # v2: require 'aws-sdk' # Decrypted blob blob = '01020200785d68faeec386af1057904926253051eb2919d3c16078badf65b808b26dd057c101747cadf3593596e093d4ffbf22434a6d00000068306606092a864886f70d010706a0593057020100305206092a864886f70d010701301e060960864801650304012e3011040c9d629e573683972cdb7d94b30201108025b20b060591b02ca0deb0fbdfc2f86c8bfcb265947739851ad56f3adce91eba87c59691a9a1' blob_packed = [blob].pack('H*') client = Aws::KMS::Client.new(region: 'us-west-2') resp = client.decrypt({ ciphertext_blob: blob_packed }) puts 'Raw text: ' puts resp.plaintext ``` + 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》**中的 [Decrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/Decrypt)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn decrypt_key(client: &Client, key: &str, filename: &str) -> Result<(), Error> { // Open input text file and get contents as a string // input is a base-64 encoded string, so decode it: let data = fs::read_to_string(filename) .map(|input| { base64::decode(input).expect("Input file does not contain valid base 64 characters.") }) .map(Blob::new); let resp = client .decrypt() .key_id(key) .ciphertext_blob(data.unwrap()) .send() .await?; let inner = resp.plaintext.unwrap(); let bytes = inner.as_ref(); let s = String::from_utf8(bytes.to_vec()).expect("Could not convert to UTF-8"); println!(); println!("Decoded string:"); println!("{}", s); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [Decrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.decrypt)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_ciphertext_blob contains the encrypted data oo_result = lo_kms->decrypt( iv_keyid = iv_key_id iv_ciphertextblob = iv_ciphertext_blob ). MESSAGE 'Text decrypted successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsincorrectkeyex. MESSAGE 'Incorrect key for decryption.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的[解密](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `DeleteAlias` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `DeleteAlias`。 ------ #### [ CLI ] **AWS CLI** **刪除 AWS KMS 別名** 以下 `delete-alias` 範例會刪除別名 `alias/example-alias`。別名名稱必須以別名/ 開頭。 ``` aws kms delete-alias \ --alias-name alias/example-alias ``` 此命令不會產生輸出。要尋找別名,請使用 `list-aliases` 命令。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[刪除別名](https://docs.aws.amazon.com/kms/latest/developerguide/alias-manage.html#alias-delete)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/delete-alias.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Deletes a specific KMS alias asynchronously. * * @param aliasName the name of the alias to be deleted * @return a {@link CompletableFuture} representing the asynchronous operation of deleting the specified alias */ public CompletableFuture deleteSpecificAliasAsync(String aliasName) { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); return getAsyncClient().deleteAlias(deleteAliasRequest) .thenRun(() -> { logger.info("Alias {} has been deleted successfully", aliasName); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to delete alias: " + aliasName, throwable); }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [DeleteAlias](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DeleteAlias)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $aliasName * @return void */ public function deleteAlias(string $aliasName) { try { $this->client->deleteAlias([ 'AliasName' => $aliasName, ]); }catch(KmsException $caught){ echo "There was a problem deleting the alias: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [DeleteAlias](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DeleteAlias)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def delete_alias(self, alias: str) -> None: """ Deletes an alias. :param alias: The alias to delete. """ try: self.kms_client.delete_alias(AliasName=alias) except ClientError as err: logger.error( "Couldn't delete alias %s. Here's why: %s", alias, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [DeleteAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DeleteAlias)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_alias_name = 'alias/my-key-alias' lo_kms->deletealias( iv_aliasname = iv_alias_name ). MESSAGE 'Alias deleted successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Alias not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `DescribeKey` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `DescribeKey`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// Retrieve information about an AWS Key Management Service (AWS KMS) key. /// You can supply either the key Id or the key Amazon Resource Name (ARN) /// to the DescribeKeyRequest KeyId property. /// public class DescribeKey { public static async Task Main() { var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4"; var request = new DescribeKeyRequest { KeyId = keyId, }; var client = new AmazonKeyManagementServiceClient(); var response = await client.DescribeKeyAsync(request); var metadata = response.KeyMetadata; Console.WriteLine($"{metadata.KeyId} created on: {metadata.CreationDate}"); Console.WriteLine($"State: {metadata.KeyState}"); Console.WriteLine($"{metadata.Description}"); } } ``` + 如需 API 詳細資訊,請參閱《*適用於 .NET 的 AWS SDK API 參考*》中的 [DescribeKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DescribeKey)。 ------ #### [ CLI ] **AWS CLI** **範例 1:尋找 KMS 金鑰的詳細資訊** 下列`describe-key`範例會取得範例帳戶和區域中 Amazon S3 AWS 受管金鑰的詳細資訊。您可以使用此命令來尋找 AWS 受管金鑰和客戶受管金鑰的詳細資訊。 若要指定 KMS 金鑰,請使用 `key-id` 參數。此範例使用別名的名稱值,但您可以在此命令中使用金鑰 ID、金鑰 ARN、別名的名稱或別名 ARN。 ``` aws kms describe-key \ --key-id alias/aws/s3 ``` 輸出: ``` { "KeyMetadata": { "AWSAccountId": "846764612917", "KeyId": "b8a9477d-836c-491f-857e-07937918959b", "Arn": "arn:aws:kms:us-west-2:846764612917:key/b8a9477d-836c-491f-857e-07937918959b", "CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", "CreationDate": 2017-06-30T21:44:32.140000+00:00, "Enabled": true, "Description": "Default KMS key that protects my S3 objects when no other key is defined", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "AWS", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ] } } ``` 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[檢視金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html)。 **範例 2:取得 RSA 非對稱 KMS 金鑰的詳細資訊** 下列 `describe-key` 範例會取得用於簽署和驗證的非對稱 RSA KMS 金鑰的詳細資訊。 ``` aws kms describe-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 輸出: ``` { "KeyMetadata": { "AWSAccountId": "111122223333", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2019-12-02T19:47:14.861000+00:00", "CustomerMasterKeySpec": "RSA_2048", "Enabled": false, "Description": "", "KeyState": "Disabled", "Origin": "AWS_KMS", "MultiRegion": false, "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "SigningAlgorithms": [ "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512" ] } } ``` **範例 3:取得多區域複本金鑰的詳細資訊** 下列 `describe-key` 範例會取得多區域複本金鑰的中繼資料。此多區域金鑰是對稱加密金鑰。任何多區域金鑰的 `describe-key` 命令輸出,都會傳回主金鑰及其所有複本的相關資訊。 ``` aws kms describe-key \ --key-id arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab ``` 輸出: ``` { "KeyMetadata": { "MultiRegion": true, "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "CreationDate": "2021-06-28T21:09:16.114000+00:00", "CurrentKeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", "Description": "", "Enabled": true, "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", "EncryptionAlgorithms": [ "SYMMETRIC_DEFAULT" ], "MultiRegionConfiguration": { "MultiRegionKeyType": "PRIMARY", "PrimaryKey": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "us-west-2" }, "ReplicaKeys": [ { "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "eu-west-1" }, { "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "ap-northeast-1" }, { "Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", "Region": "sa-east-1" } ] } } } ``` **範例 4:取得 HMAC KMS 金鑰的詳細資訊** 下列 `describe-key` 範例會取得 HMAC KMS 金鑰的詳細資訊。 ``` aws kms describe-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 輸出: ``` { "KeyMetadata": { "AWSAccountId": "123456789012", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": "2022-04-03T22:23:10.194000+00:00", "Enabled": true, "Description": "Test key", "KeyUsage": "GENERATE_VERIFY_MAC", "KeyState": "Enabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "CustomerMasterKeySpec": "HMAC_256", "MacAlgorithms": [ "HMAC_SHA_256" ], "MultiRegion": false } } ``` + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/describe-key.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously checks if a specified key is enabled. * * @param keyId the ID of the key to check * @return a {@link CompletableFuture} that, when completed, indicates whether the key is enabled or not * * @throws RuntimeException if an exception occurs while checking the key state */ public CompletableFuture isKeyEnabledAsync(String keyId) { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().describeKey(keyRequest); return responseFuture.whenComplete((resp, ex) -> { if (resp != null) { KeyState keyState = resp.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { logger.info("The key is enabled."); } else { logger.info("The key is not enabled. Key state: {}", keyState); } } else { throw new RuntimeException(ex); } }).thenApply(resp -> resp.keyMetadata().keyState() == KeyState.ENABLED); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [DescribeKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DescribeKey)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun describeSpecifcKey(keyIdVal: String?) { val request = DescribeKeyRequest { keyId = keyIdVal } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.describeKey(request) println("The key description is ${response.keyMetadata?.description}") println("The key ARN is ${response.keyMetadata?.arn}") } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [DescribeKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @return array */ public function describeKey(string $keyId) { try { $result = $this->client->describeKey([ "KeyId" => $keyId, ]); return $result['KeyMetadata']; }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo "The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [DescribeKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DescribeKey)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def describe_key(self, key_id: str) -> dict[str, any]: """ Describes a key. :param key_id: The ARN or ID of the key to describe. :return: Information about the key. """ try: key = self.kms_client.describe_key(KeyId=key_id)["KeyMetadata"] return key except ClientError as err: logging.error( "Couldn't get key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [DescribeKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DescribeKey)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' oo_result = lo_kms->describekey( iv_keyid = iv_key_id ). DATA(lo_key) = oo_result->get_keymetadata( ). MESSAGE 'Retrieved key information successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DescribeKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `DisableKey` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `DisableKey`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// Disable an AWS Key Management Service (AWS KMS) key and then retrieve /// the key's status to show that it has been disabled. /// public class DisableKey { public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); // The identifier of the AWS KMS key to disable. You can use the // key Id or the Amazon Resource Name (ARN) of the AWS KMS key. var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab"; var request = new DisableKeyRequest { KeyId = keyId, }; var response = await client.DisableKeyAsync(request); if (response.HttpStatusCode == System.Net.HttpStatusCode.OK) { // Retrieve information about the key to show that it has now // been disabled. var describeResponse = await client.DescribeKeyAsync(new DescribeKeyRequest { KeyId = keyId, }); Console.WriteLine($"{describeResponse.KeyMetadata.KeyId} - state: {describeResponse.KeyMetadata.KeyState}"); } } } ``` + 如需 API 詳細資訊,請參閱《*適用於 .NET 的 AWS SDK API 參考*》中的 [DisableKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DisableKey)。 ------ #### [ CLI ] **AWS CLI** **暫時停用 KMS 金鑰** 下列 `disable-key` 命令會停用客戶自管 KMS 金鑰。若要重新啟用 KMS 金鑰,請使用 `enable-key` 命令。 ``` aws kms disable-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會產生輸出。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[啟用和停用金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DisableKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/disable-key.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously disables the specified AWS Key Management Service (KMS) key. * * @param keyId the ID or Amazon Resource Name (ARN) of the KMS key to be disabled * @return a CompletableFuture that, when completed, indicates that the key has been disabled successfully */ public CompletableFuture disableKeyAsync(String keyId) { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); return getAsyncClient().disableKey(keyRequest) .thenRun(() -> { logger.info("Key {} has been disabled successfully",keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to disable key: " + keyId, throwable); }); } ``` + 如需詳細資訊,請參閱《*AWS SDK for Java 2.x API 參考*》中的 [DisableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/DisableKey)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun disableKey(keyIdVal: String?) { val request = DisableKeyRequest { keyId = keyIdVal } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> kmsClient.disableKey(request) println("$keyIdVal was successfully disabled") } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [DisableKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @return void */ public function disableKey(string $keyId) { try { $this->client->disableKey([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem disabling the key: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《*適用於 PHP 的 AWS SDK API 參考*》中的 [DisableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKey)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def disable_key(self, key_id: str) -> None: try: self.kms_client.disable_key(KeyId=key_id) except ClientError as err: logging.error( "Couldn't disable key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [DisableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKey)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' lo_kms->disablekey( iv_keyid = iv_key_id ). MESSAGE 'KMS key disabled successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DisableKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `EnableKey` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `EnableKey`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// Enable an AWS Key Management Service (AWS KMS) key. /// public class EnableKey { public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); // The identifier of the AWS KMS key to enable. You can use the // key Id or the Amazon Resource Name (ARN) of the AWS KMS key. var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab"; var request = new EnableKeyRequest { KeyId = keyId, }; var response = await client.EnableKeyAsync(request); if (response.HttpStatusCode == System.Net.HttpStatusCode.OK) { // Retrieve information about the key to show that it has now // been enabled. var describeResponse = await client.DescribeKeyAsync(new DescribeKeyRequest { KeyId = keyId, }); Console.WriteLine($"{describeResponse.KeyMetadata.KeyId} - state: {describeResponse.KeyMetadata.KeyState}"); } } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [EnableKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/EnableKey)。 ------ #### [ CLI ] **AWS CLI** **啟用 KMS 金鑰** 下列 `enable-key` 範例會啟用客戶自管金鑰。您可以使用像這樣的命令,來啟用使用 `disable-key` 命令暫時停用的 KMS 金鑰。您也可以使用它來啟用已停用的 KMS 金鑰,因為其已排定刪除的時程,且已取消刪除。 若要指定 KMS 金鑰,請使用 `key-id` 參數。此範例使用金鑰 ID 值,但您可以在此命令中使用金鑰 ID 或金鑰 ARN 值。 執行此命令之前,請將範例金鑰 ID 取代為有效的代碼。 ``` aws kms enable-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會產生輸出。若要確認 KMS 金鑰已啟用,請使用 `describe-key` 命令。查看 `describe-key` 輸出中 `KeyState` 和 `Enabled` 欄位的值。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[啟用和停用金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [EnableKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/enable-key.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously enables the specified key. * * @param keyId the ID of the key to enable * @return a {@link CompletableFuture} that completes when the key has been enabled */ public CompletableFuture enableKeyAsync(String keyId) { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); CompletableFuture responseFuture = getAsyncClient().enableKey(enableKeyRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Key with ID [{}] has been enabled.", keyId); } else { if (exception instanceof KmsException kmsEx) { throw new RuntimeException("KMS error occurred while enabling key: " + kmsEx.getMessage(), kmsEx); } else { throw new RuntimeException("An unexpected error occurred while enabling key: " + exception.getMessage(), exception); } } }); return responseFuture.thenApply(response -> null); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [EnableKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/EnableKey)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun enableKey(keyIdVal: String?) { val request = EnableKeyRequest { keyId = keyIdVal } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> kmsClient.enableKey(request) println("$keyIdVal was successfully enabled.") } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [EnableKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @return void */ public function enableKey(string $keyId) { try { $this->client->enableKey([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo "The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [EnableKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKey)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def enable_key(self, key_id: str) -> None: """ Enables a key. Gets the key state after each state change. :param key_id: The ARN or ID of the key to enable. """ try: self.kms_client.enable_key(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [EnableKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKey)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' lo_kms->enablekey( iv_keyid = iv_key_id ). MESSAGE 'KMS key enabled successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [EnableKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `EnableKeyRotation` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `EnableKeyRotation`。 ------ #### [ CLI ] **AWS CLI** **啟用 KMS 金鑰的自動輪換** 下列 `enable-key-rotation` 範例會啟用客戶自管 KMS 金鑰的自動輪換,輪換期間為 180 天。KMS 金鑰將從此命令完成之日起一年 (大約 365 天) 輪換,之後每年輪換一次。 `--key-id` 參數可識別 KMS 金鑰。此範例使用金鑰 ARN 值,但您可以使用金鑰 ID 或 KMS 金鑰的 ARN。`--rotation-period-in-days` 參數會指定每個輪換日期之間的天數。指定介於 90 到 2560 之間的值。如未指定任何值,則預設值為 365 天。 ``` aws kms enable-key-rotation \ --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab \ --rotation-period-in-days 180 ``` 此命令不會產生輸出。若要確認 KMS 金鑰已啟用,請使用 `get-key-rotation-status` 命令。 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[輪換金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [EnableKeyRotation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/enable-key-rotation.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def enable_key_rotation(self, key_id: str) -> None: """ Enables rotation for a key. :param key_id: The ARN or ID of the key to enable rotation for. """ try: self.kms_client.enable_key_rotation(KeyId=key_id) except ClientError as err: logging.error( "Couldn't enable rotation for key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [EnableKeyRotation](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKeyRotation)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' lo_kms->enablekeyrotation( iv_keyid = iv_key_id ). MESSAGE 'Key rotation enabled successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmsunsupportedopex. MESSAGE 'Operation not supported for this key.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [EnableKeyRotation](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `Encrypt` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `Encrypt`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **範例 1:在 Linux 或 MacOS 上加密檔案的內容** 下列`encrypt`命令示範使用 CLI AWS 加密資料的建議方法。 ``` aws kms encrypt \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --plaintext fileb://ExamplePlaintextFile \ --output text \ --query CiphertextBlob | base64 \ --decode > ExampleEncryptedFile ``` 命令會執行數個動作: 使用 `--plaintext` 參數來指示要加密的資料。此參數值必須是 base64 編碼。 `plaintext` 參數的值必須是 base64 編碼,或者您必須使用 `fileb://`字首,指示 AWS CLI 從 檔案讀取二進位資料。如果檔案不在目前的目錄中,請輸入檔案的完整路徑。例如:`fileb:///var/tmp/ExamplePlaintextFile` 或 `fileb://C:\Temp\ExamplePlaintextFile`。如需有關從檔案讀取 AWS CLI 參數值的詳細資訊,請參閱《 *AWS 命令列界面使用者指南*》中的[從檔案載入參數](https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file),以及 AWS 《 命令列工具部落格上的[本機檔案參數的最佳實務](https://blogs.aws.amazon.com/cli/post/TxLWWN1O25V1HE/Best-Practices-for-Local-File-Parameters)。使用 `--output`和 `--query` 參數來控制命令的輸出。這些參數會從命令的輸出擷取加密的資料,稱為*加密文字*。如需控制輸出的詳細資訊,請參閱《 命令*AWS 列界面使用者指南*》中的[控制命令輸出](https://docs.aws.amazon.com/cli/latest/userguide/controlling-output.html)。使用 `base64`公用程式將擷取的輸出解碼為二進位資料。成功`encrypt`命令傳回的加密文字為 base64 編碼文字。您必須先解碼此文字,才能使用 AWS CLI 將其解密。將二進位加密文字儲存到 檔案。命令 (`> ExampleEncryptedFile`) 的最終部分會將二進位加密文字儲存到 檔案,讓解密更容易。如需使用 CLI AWS 解密資料的範例命令,請參閱解密範例。 **範例 2:使用 AWS CLI 加密 Windows 上的資料** 此範例與上一個範例相同,但它使用 `certutil` 工具而非 `base64`。此程序需要兩個命令,如下列範例所示。 ``` aws kms encrypt \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --plaintext fileb://ExamplePlaintextFile \ --output text \ --query CiphertextBlob > C:\Temp\ExampleEncryptedFile.base64 certutil -decode C:\Temp\ExampleEncryptedFile.base64 C:\Temp\ExampleEncryptedFile ``` **範例 3:使用非對稱 KMS 金鑰加密** 下列 `encrypt` 命令顯示如何使用非對稱 KMS 金鑰加密純文字。`--encryption-algorithm` 參數是必要參數。如同所有 `encrypt` CLI 命令, `plaintext` 參數必須是 base64 編碼,或者您必須使用 `fileb://`字首,告知 AWS CLI 從 檔案讀取二進位資料。 ``` aws kms encrypt \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --encryption-algorithm RSAES_OAEP_SHA_256 \ --plaintext fileb://ExamplePlaintextFile \ --output text \ --query CiphertextBlob | base64 \ --decode > ExampleEncryptedFile ``` 此命令不會產生輸出。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [Encrypt](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/encrypt.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Encrypts the given text asynchronously using the specified KMS client and key ID. * * @param keyId the ID of the KMS key to use for encryption * @param text the text to encrypt * @return a CompletableFuture that completes with the encrypted data as an SdkBytes object */ public CompletableFuture encryptDataAsync(String keyId, String text) { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); CompletableFuture responseFuture = getAsyncClient().encrypt(encryptRequest).toCompletableFuture(); return responseFuture.whenComplete((response, ex) -> { if (response != null) { String algorithm = response.encryptionAlgorithm().toString(); logger.info("The string was encrypted with algorithm {}.", algorithm); } else { throw new RuntimeException(ex); } }).thenApply(EncryptResponse::ciphertextBlob); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [Encrypt](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Encrypt)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun encryptData(keyIdValue: String): ByteArray? { val text = "This is the text to encrypt by using the AWS KMS Service" val myBytes: ByteArray = text.toByteArray() val encryptRequest = EncryptRequest { keyId = keyIdValue plaintext = myBytes } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.encrypt(encryptRequest) val algorithm: String = response.encryptionAlgorithm.toString() println("The encryption algorithm is $algorithm") // Return the encrypted data. return response.ciphertextBlob } } suspend fun decryptData( encryptedDataVal: ByteArray?, keyIdVal: String?, ) { val decryptRequest = DecryptRequest { ciphertextBlob = encryptedDataVal keyId = keyIdVal } KmsClient { region = "us-west-2" }.use { kmsClient -> val decryptResponse = kmsClient.decrypt(decryptRequest) val myVal = decryptResponse.plaintext // Print the decrypted data. print(myVal) } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [Encrypt](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $text * @return Result */ public function encrypt(string $keyId, string $text) { try { return $this->client->encrypt([ 'KeyId' => $keyId, 'Plaintext' => $text, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "DisabledException"){ echo "The request was rejected because the specified KMS key is not enabled.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [Encrypt](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Encrypt)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def encrypt(self, key_id: str, text: str) -> bytes: """ Encrypts text by using the specified key. :param key_id: The ARN or ID of the key to use for encryption. :param text: The text to encrypt. :return: The encrypted version of the text. """ try: response = self.kms_client.encrypt(KeyId=key_id, Plaintext=text.encode()) print( f"The string was encrypted with algorithm {response['EncryptionAlgorithm']}" ) return response["CiphertextBlob"] except ClientError as err: if err.response["Error"]["Code"] == "DisabledException": logger.error( "Could not encrypt because the key %s is disabled.", key_id ) else: logger.error( "Couldn't encrypt text. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [Encrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Encrypt)。 ------ #### [ Ruby ] **SDK for Ruby** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples)中設定和執行。 ``` require 'aws-sdk-kms' # v2: require 'aws-sdk' # ARN of the AWS KMS key. # # Replace the fictitious key ARN with a valid key ID keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' text = '1234567890' client = Aws::KMS::Client.new(region: 'us-west-2') resp = client.encrypt({ key_id: keyId, plaintext: text }) # Display a readable version of the resulting encrypted blob. puts 'Blob:' puts resp.ciphertext_blob.unpack('H*') ``` + 如需 API 詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》**中的 [Encrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/Encrypt)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn encrypt_string( verbose: bool, client: &Client, text: &str, key: &str, out_file: &str, ) -> Result<(), Error> { let blob = Blob::new(text.as_bytes()); let resp = client.encrypt().key_id(key).plaintext(blob).send().await?; // Did we get an encrypted blob? let blob = resp.ciphertext_blob.expect("Could not get encrypted text"); let bytes = blob.as_ref(); let s = base64::encode(bytes); let mut ofile = File::create(out_file).expect("unable to create file"); ofile.write_all(s.as_bytes()).expect("unable to write"); if verbose { println!("Wrote the following to {:?}", out_file); println!("{}", s); } Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [Encrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.encrypt)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_plaintext contains the data to encrypt oo_result = lo_kms->encrypt( iv_keyid = iv_key_id iv_plaintext = iv_plaintext ). MESSAGE 'Text encrypted successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的[加密](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `GenerateDataKey` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `GenerateDataKey`。 ------ #### [ CLI ] **AWS CLI** **範例 1:產生 256 位元對稱資料金鑰** 下列`generate-data-key`範例會請求在 外部使用的 256 位元對稱資料金鑰 AWS。命令會傳回純文字資料金鑰,以供立即使用和刪除,以及在指定的 KMS 金鑰下加密的資料金鑰複本。加密的資料金鑰可以安全地跟加密資料一起存放。 若要請求 256 位元資料金鑰,請使用值為 `AES_256` 的 `key-spec` 參數。若要請求 128 位元資料金鑰,請使用值為 `AES_128` 的 `key-spec` 參數。對於所有其他資料金鑰長度,請使用 `number-of-bytes` 參數。 您指定的 KMS 金鑰必須是對稱加密 KMS 金鑰,也就是金鑰規格值為 SYMMETRIC\$1DEFAULT 的 KMS 金鑰。 ``` aws kms generate-data-key \ --key-id alias/ExampleAlias \ --key-spec AES_256 ``` 輸出: ``` { "Plaintext": "VdzKNHGzUAzJeRBVY+uUmofUGGiDzyB3+i9fVkh3piw=", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "KeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6", "CiphertextBlob": "AQEDAHjRYf5WytIc0C857tFSnBaPn2F8DgfmThbJlGfR8P3WlwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDEFogLqPWZconQhwHAIBEIA7d9AC7GeJJM34njQvg4Wf1d5sw0NIo1MrBqZa+YdhV8MrkBQPeac0ReRVNDt9qleAt+SHgIRF8P0H+7U=" } ``` `Plaintext` (純文字資料金鑰) 和 `CiphertextBlob`(加密的資料金鑰) 會以 base64 編碼格式傳回。 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[資料金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/data-keys.html)。**範例 2:產生 512 位元對稱資料金鑰** 下列 `generate-data-key` 範例會請求 512 位元對稱資料金鑰,以進行加密和解密。命令會傳回純文字資料金鑰,以供立即使用和刪除,以及在指定的 KMS 金鑰下加密的資料金鑰複本。加密的資料金鑰可以安全地跟加密資料一起存放。 若要請求 128 或 256 位元以外的金鑰長度,請使用 `number-of-bytes` 參數。若要請求 512 位元資料金鑰,下列範例會使用值為 64 (位元組) 的 `number-of-bytes` 參數。 您指定的 KMS 金鑰必須是對稱加密 KMS 金鑰,也就是金鑰規格值為 SYMMETRIC\$1DEFAULT 的 KMS 金鑰。 注意:此範例輸出中的值會截斷以方便顯示。 ``` aws kms generate-data-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --number-of-bytes 64 ``` 輸出: ``` { "CiphertextBlob": "AQIBAHi6LtupRpdKl2aJTzkK6FbhOtQkMlQJJH3PdtHvS/y+hAEnX/QQNmMwDfg2korNMEc8AAACaDCCAmQGCSqGSIb3DQEHBqCCAlUwggJRAgEAMIICSgYJKoZ...", "Plaintext": "ty8Lr0Bk6OF07M2BWt6qbFdNB+G00ZLtf5MSEb4al3R2UKWGOp06njAwy2n72VRm2m7z/Pm9Wpbvttz6a4lSo9hgPvKhZ5y6RTm4OovEXiVfBveyX3DQxDzRSwbKDPk/...", "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "KeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6" } ``` `Plaintext` (純文字資料金鑰) 和 `CiphertextBlob`(加密的資料金鑰) 會以 base64 編碼格式傳回。 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[資料金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/data-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GenerateDataKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/generate-data-key.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def generate_data_key(self, key_id): """ Generates a symmetric data key that can be used for client-side encryption. """ answer = input( f"Do you want to generate a symmetric data key from key {key_id} (y/n)? " ) if answer.lower() == "y": try: data_key = self.kms_client.generate_data_key( KeyId=key_id, KeySpec="AES_256" ) except ClientError as err: logger.error( "Couldn't generate a data key for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) else: pprint(data_key) ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [GenerateDataKey](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GenerateDataKey)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn make_key(client: &Client, key: &str) -> Result<(), Error> { let resp = client .generate_data_key() .key_id(key) .key_spec(DataKeySpec::Aes256) .send() .await?; // Did we get an encrypted blob? let blob = resp.ciphertext_blob.expect("Could not get encrypted text"); let bytes = blob.as_ref(); let s = base64::encode(bytes); println!(); println!("Data key:"); println!("{}", s); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [GenerateDataKey](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.generate_data_key)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_keyspec = 'AES_256' oo_result = lo_kms->generatedatakey( iv_keyid = iv_key_id iv_keyspec = 'AES_256' ). MESSAGE 'Data key generated successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GenerateDataKey](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `GenerateDataKeyWithoutPlaintext` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `GenerateDataKeyWithoutPlaintext`。 ------ #### [ CLI ] **AWS CLI** **產生不含純文字金鑰的 256 位元對稱資料金鑰** 下列 `generate-data-key-without-plaintext` 範例會請求 256 位元對稱資料金鑰的加密複本,以供在 AWS之外使用。當您準備好要使用資料金鑰時,您可以呼叫 AWS KMS 來解密資料金鑰。 若要請求 256 位元資料金鑰,請使用值為 `AES_256` 的 `key-spec` 參數。若要請求 128 位元資料金鑰,請使用值為 `AES_128` 的 `key-spec` 參數。對於所有其他資料金鑰長度,請使用 `number-of-bytes` 參數。 您指定的 KMS 金鑰必須是對稱加密 KMS 金鑰,也就是金鑰規格值為 SYMMETRIC\$1DEFAULT 的 KMS 金鑰。 ``` aws kms generate-data-key-without-plaintext \ --key-id "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" \ --key-spec AES_256 ``` 輸出: ``` { "CiphertextBlob": "AQEDAHjRYf5WytIc0C857tFSnBaPn2F8DgfmThbJlGfR8P3WlwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDEFogL", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "KeyMaterialId": "0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6" } ``` `CiphertextBlob` (加密的資料金鑰) 會以 base64 編碼格式傳回。 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[資料金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GenerateDataKeyWithoutPlaintext](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/generate-data-key-without-plaintext.html)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn make_key(client: &Client, key: &str) -> Result<(), Error> { let resp = client .generate_data_key_without_plaintext() .key_id(key) .key_spec(DataKeySpec::Aes256) .send() .await?; // Did we get an encrypted blob? let blob = resp.ciphertext_blob.expect("Could not get encrypted text"); let bytes = blob.as_ref(); let s = base64::encode(bytes); println!(); println!("Data key:"); println!("{}", s); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [GenerateDataKeyWithoutPlaintext](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.generate_data_key_without_plaintext)。 ------ # `GenerateRandom` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `GenerateRandom`。 ------ #### [ CLI ] **AWS CLI** **範例 1:產生 256 位元隨機位元組字串 (Linux 或 macOs)** 下列 `generate-random` 範例會產生 256 位元 (32 位元組) 的 base64 編碼隨機位元組字串。此範例會解碼位元組字串,並將其儲存在隨機檔案中。 執行此命令時,您必須使用 `number-of-bytes` 參數來指定以位元組為單位的隨機值長度。 當您執行此命令時,不會指定 KMS 金鑰。隨機位元組字串與任何 KMS 金鑰無關。 根據預設, AWS KMS 會產生隨機數字。不過,如果您指定[自訂金鑰存放區](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),隨機位元組字串會在與自訂金鑰存放區相關聯的 AWS CloudHSM 叢集中產生。 此範例使用下列參數和值: 它使用值為 的必要`--number-of-bytes`參數`32`來請求 32 位元組 (256 位元) 的 string.It 使用值為 的 `--output` 參數`text`來指示 AWS CLI 將輸出傳回為文字,而不是 JSON.It 使用 從 response.It 管道 ( \$1 ) `--query parameter`擷取`Plaintext`屬性的值 命令的輸出到`base64`公用程式,這會解碼擷取的 output.It 使用重新導向運算子 ( > ) 將解碼的位元組字串儲存到 `ExampleRandom` file.It 使用重新導向運算子 ( > ) 將二進位加密文字儲存到檔案。 ``` aws kms generate-random \ --number-of-bytes 32 \ --output text \ --query Plaintext | base64 --decode > ExampleRandom ``` 此命令不會產生輸出。 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的 [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html)。 **範例 2:產生 256 位元隨機數字 (Windows 命令提示)** 以下範例使用 `generate-random` 命令來產生 256 位元 (32 位元組) 的 base64 編碼隨機位元組字串。此範例會解碼位元組字串,並將其儲存在隨機檔案中。此範例與先前的範例相同,不過它會在 Windows 中使用 `certutil` 公用程式將隨機位元組字串進行 base64 解碼,然後再將其儲存在檔案中。 首先,產生 base64 編碼的隨機位元組字串,並將其儲存在暫存檔案 `ExampleRandom.base64` 中。 ``` aws kms generate-random \ --number-of-bytes 32 \ --output text \ --query Plaintext > ExampleRandom.base64 ``` 由於 `generate-random` 命令的輸出會儲存在檔案中,此範例不會產生輸出。 現在,請使用 `certutil -decode` 命令來解碼 `ExampleRandom.base64` 檔案中的 base64 編碼位元組字串。然後,它會將解碼後的位元組字串儲存在 `ExampleRandom` 檔案中。 ``` certutil -decode ExampleRandom.base64 ExampleRandom ``` 輸出: ``` Input Length = 18 Output Length = 12 CertUtil: -decode command completed successfully. ``` 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的 [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html)。 + 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GenerateRandom](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/generate-random.html)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn make_string(client: &Client, length: i32) -> Result<(), Error> { let resp = client .generate_random() .number_of_bytes(length) .send() .await?; // Did we get an encrypted blob? let blob = resp.plaintext.expect("Could not get encrypted text"); let bytes = blob.as_ref(); let s = base64::encode(bytes); println!(); println!("Data key:"); println!("{}", s); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [GenerateRandom](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.generate_random)。 ------ # `GetKeyPolicy` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `GetKeyPolicy`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **將金鑰政策從一個 KMS 金鑰複製到另一個 KMS 金鑰** 下列 `get-key-policy` 範例會從一個 KMS 金鑰取得金鑰政策,並將其儲存在文字檔中。然後,它會使用文字檔取代不同 KMS 金鑰的政策,做為政策輸入。 由於 `put-key-policy` 的 `--policy` 參數需要字串,您必須使用 `--output text` 選項將輸出以文字字串傳回,而非 JSON。 ``` aws kms get-key-policy \ --policy-name default \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --query Policy \ --output text > policy.txt aws kms put-key-policy \ --policy-name default \ --key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \ --policy file://policy.txt ``` 此命令不會產生輸出。 如需詳細資訊,請參閱《AWS KMS API 參考》**中的《[PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html)》。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetKeyPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-policy.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def get_policy(self, key_id: str) -> dict[str, str]: """ Gets the policy of a key. :param key_id: The ARN or ID of the key to query. :return: The key policy as a dict. """ if key_id != "": try: response = self.kms_client.get_key_policy( KeyId=key_id, ) policy = json.loads(response["Policy"]) except ClientError as err: logger.error( "Couldn't get policy for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise else: pprint(policy) return policy else: print("Skipping get policy demo.") ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [GetKeyPolicy](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetKeyPolicy)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' oo_result = lo_kms->getkeypolicy( iv_keyid = iv_key_id iv_policyname = 'default' ). MESSAGE 'Retrieved key policy successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [GetKeyPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ListAliases` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ListAliases`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// List the AWS Key Management Service (AWS KMS) aliases that have been defined for /// the keys in the same AWS Region as the default user. If you want to list /// the aliases in a different Region, pass the Region to the client /// constructor. /// public class ListAliases { public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); var request = new ListAliasesRequest(); var response = new ListAliasesResponse(); do { response = await client.ListAliasesAsync(request); response.Aliases.ForEach(alias => { Console.WriteLine($"Created: {alias.CreationDate} Last Update: {alias.LastUpdatedDate} Name: {alias.AliasName}"); }); request.Marker = response.NextMarker; } while (response.Truncated); } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [ListAliases](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListAliases)。 ------ #### [ CLI ] **AWS CLI** **範例 1:列出 AWS 帳戶和區域中的所有別名** 下列範例使用 `list-aliases`命令列出 AWS 帳戶預設區域中的所有別名。輸出包含與 AWS 受管 KMS 金鑰和客戶受管 KMS 金鑰相關聯的別名。 ``` aws kms list-aliases ``` 輸出: ``` { "Aliases": [ { "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/testKey", "AliasName": "alias/testKey", "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, { "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/FinanceDept", "AliasName": "alias/FinanceDept", "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321" }, { "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb", "AliasName": "alias/aws/dynamodb", "TargetKeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d" }, { "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs", "AliasName": "alias/aws/ebs", "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef" }, ... ] } ``` **範例 2:列出特定 KMS 金鑰的所有別名** 以下範例使用 `list-aliases` 命令及其 `key-id` 參數來列出與特定 KMS 金鑰相關聯的所有別名。 每個別名只會與一個 KMS 金鑰相關聯,但 KMS 金鑰可以有多個別名。此命令非常有用,因為 AWS KMS 主控台只會為每個 KMS 金鑰列出一個別名。若要尋找 KMS 金鑰的所有別名,您必須使用 `list-aliases` 命令。 此範例使用 `--key-id` 參數之 KMS 金鑰的金鑰 ID,但您可以在此命令中使用金鑰 ID、金鑰 ARN、別名的名稱,或別名 ARN。 ``` aws kms list-aliases --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 輸出: ``` { "Aliases": [ { "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/oregon-test-key", "AliasName": "alias/oregon-test-key" }, { "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/project121-test", "AliasName": "alias/project121-test" } ] } ``` 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[使用別名](https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListAliases](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-aliases.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously lists all the aliases in the current AWS account. * * @return a {@link CompletableFuture} that completes when the list of aliases has been processed */ public CompletableFuture listAllAliasesAsync() { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesPublisher paginator = getAsyncClient().listAliasesPaginator(aliasesRequest); return paginator.subscribe(response -> { response.aliases().forEach(alias -> logger.info("The alias name is: " + alias.aliasName()) ); }) .thenApply(v -> null) .exceptionally(ex -> { if (ex.getCause() instanceof KmsException) { KmsException e = (KmsException) ex.getCause(); throw new RuntimeException("A KMS exception occurred: " + e.getMessage()); } else { throw new RuntimeException("An unexpected error occurred: " + ex.getMessage()); } }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ListAliases](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListAliases)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun listAllAliases() { val request = ListAliasesRequest { limit = 15 } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.listAliases(request) response.aliases?.forEach { alias -> println("The alias name is ${alias.aliasName}") } } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [ListAliases](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param int $limit * @return ResultPaginator */ public function listAliases(string $keyId = "", int $limit = 0) { $args = []; if($keyId){ $args['KeyId'] = $keyId; } if($limit){ $args['Limit'] = $limit; } try{ return $this->client->getPaginator("ListAliases", $args); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "InvalidMarkerException"){ echo "The request was rejected because the marker that specifies where pagination should next begin is not valid.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [ListAliases](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListAliases)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_aliases(self, page_size: int) -> None: """ Lists aliases for the current account. :param page_size: The number of aliases to list per page. """ try: alias_paginator = self.kms_client.get_paginator("list_aliases") for alias_page in alias_paginator.paginate( PaginationConfig={"PageSize": page_size} ): print(f"Here are {page_size} aliases:") pprint(alias_page["Aliases"]) if alias_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} aliases (y/n)? " ) if answer.lower() != "y": break else: print("That's all your aliases!") except ClientError as err: logging.error( "Couldn't list your aliases. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ListAliases](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListAliases)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. oo_result = lo_kms->listaliases( ). MESSAGE 'Retrieved KMS aliases list.' TYPE 'I'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListAliases](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ListGrants` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ListGrants`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// List the AWS Key Management Service (AWS KMS) grants that are associated with /// a specific key. /// public class ListGrants { public static async Task Main() { // The identifier of the AWS KMS key to disable. You can use the // key Id or the Amazon Resource Name (ARN) of the AWS KMS key. var keyId = "1234abcd-12ab-34cd-56ef-1234567890ab"; var client = new AmazonKeyManagementServiceClient(); var request = new ListGrantsRequest { KeyId = keyId, }; var response = new ListGrantsResponse(); do { response = await client.ListGrantsAsync(request); response.Grants.ForEach(grant => { Console.WriteLine($"{grant.GrantId}"); }); request.Marker = response.NextMarker; } while (response.Truncated); } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [ListGrants](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListGrants)。 ------ #### [ CLI ] **AWS CLI** **檢視 AWS KMS 金鑰上的授予** 下列`list-grants`範例顯示您帳戶中 Amazon DynamoDB 指定之 AWS 受管 KMS 金鑰上的所有授予。此授權可讓 DynamoDB 代表您使用 KMS 金鑰加密 DynamoDB 資料表,然後再寫入磁碟。您可以使用像這樣的命令來檢視 AWS 帳戶和區域中 AWS 受管 KMS 金鑰和客戶受管 KMS 金鑰的授予。 此命令搭配使用 `key-id` 參數和金鑰 ID 來識別 KMS 金鑰。您可以使用金鑰 ID 或金鑰 ARN 來識別 KMS 金鑰。若要取得 AWS 受管 KMS 金鑰的金鑰 ID 或金鑰 ARN,請使用 `list-keys`或 `list-aliases`命令。 ``` aws kms list-grants \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 輸出顯示,授權包括為 Amazon DynamoDB 提供使用 KMS 金鑰進行密碼編譯操作的許可權,並提供讓其檢視 KMS 金鑰 (`DescribeKey`) 詳細資訊,和淘汰授予 (`RetireGrant`) 的權限。`EncryptionContextSubset` 限制條件會將這些許可權限制為包含指定加密內容對的請求。因此,授予的許可權僅在指定的帳戶和 DynamoDB 資料表上有效。 ``` { "Grants": [ { "Constraints": { "EncryptionContextSubset": { "aws:dynamodb:subscriberId": "123456789012", "aws:dynamodb:tableName": "Services" } }, "IssuingAccount": "arn:aws:iam::123456789012:root", "Name": "8276b9a6-6cf0-46f1-b2f0-7993a7f8c89a", "Operations": [ "Decrypt", "Encrypt", "GenerateDataKey", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "DescribeKey" ], "GrantId": "1667b97d27cf748cf05b487217dd4179526c949d14fb3903858e25193253fe59", "KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "RetiringPrincipal": "dynamodb.us-west-2.amazonaws.com", "GranteePrincipal": "dynamodb.us-west-2.amazonaws.com", "CreationDate": "2021-05-13T18:32:45.144000+00:00" } ] } ``` 如需詳細資訊,請參閱 *AWS Key Management Service 開發人員指南*中的 [AWS KMS 中的授權](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListGrants](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-grants.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously displays the grant IDs for the specified key ID. * * @param keyId the ID of the AWS KMS key for which to list the grants * @return a {@link CompletableFuture} that, when completed, will be null if the operation succeeded, or will throw a {@link RuntimeException} if the operation failed * @throws RuntimeException if there was an error listing the grants, either due to an {@link KmsException} or an unexpected error */ public CompletableFuture displayGrantIdsAsync(String keyId) { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsPublisher paginator = getAsyncClient().listGrantsPaginator(grantsRequest); return paginator.subscribe(response -> { response.grants().forEach(grant -> { logger.info("The grant Id is: " + grant.grantId()); }); }) .thenApply(v -> null) .exceptionally(ex -> { Throwable cause = ex.getCause(); if (cause instanceof KmsException) { throw new RuntimeException("Failed to list grants: " + cause.getMessage(), cause); } else { throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause); } }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ListGrants](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListGrants)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun displayGrantIds(keyIdVal: String?) { val request = ListGrantsRequest { keyId = keyIdVal limit = 15 } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.listGrants(request) response.grants?.forEach { grant -> println("The grant Id is ${grant.grantId}") } } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [ListGrants](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @return Result */ public function listGrants(string $keyId) { try{ return $this->client->listGrants([ 'KeyId' => $keyId, ]); }catch(KmsException $caught){ if($caught->getAwsErrorMessage() == "NotFoundException"){ echo " The request was rejected because the specified entity or resource could not be found.\n"; } throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [ListGrants](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListGrants)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_grants(self, key_id): """ Lists grants for a key. :param key_id: The ARN or ID of the key to query. :return: The grants for the key. """ try: paginator = self.kms_client.get_paginator("list_grants") grants = [] page_iterator = paginator.paginate(KeyId=key_id) for page in page_iterator: grants.extend(page["Grants"]) print(f"Grants for key {key_id}:") pprint(grants) return grants except ClientError as err: logger.error( "Couldn't list grants for key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ListGrants](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListGrants)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' oo_result = lo_kms->listgrants( iv_keyid = iv_key_id ). MESSAGE 'Retrieved grants list.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListGrants](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ListKeyPolicies` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ListKeyPolicies`。 ------ #### [ CLI ] **AWS CLI** **取得 KMS 金鑰的金鑰政策名稱** 下列 `list-key-policies` 範例會取得範例帳戶和區域中客戶自管金鑰的金鑰政策名稱。您可以使用此命令來尋找 AWS 受管金鑰和客戶受管金鑰的金鑰政策名稱。 由於唯一有效的金鑰政策名稱是 `default`,因此這個命令沒有作用。 若要指定 KMS 金鑰,請使用 `key-id` 參數。此範例使用金鑰 ID 值,但您可以在此命令中使用金鑰 ID 或金鑰 ARN。 ``` aws kms list-key-policies \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 輸出: ``` { "PolicyNames": [ "default" ] } ``` 如需 AWS KMS 金鑰政策的詳細資訊,請參閱 [Key Management Service 開發人員指南中的在 AWS KMS 中使用金鑰政策](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)。 *AWS * + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListKeyPolicies](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-key-policies.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously retrieves the key policy for the specified key ID and policy name. * * @param keyId the ID of the AWS KMS key for which to retrieve the policy * @param policyName the name of the key policy to retrieve * @return a {@link CompletableFuture} that, when completed, contains the key policy as a {@link String} */ public CompletableFuture getKeyPolicyAsync(String keyId, String policyName) { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); return getAsyncClient().getKeyPolicy(policyRequest) .thenApply(response -> { String policy = response.policy(); logger.info("The response is: " + policy); return policy; }) .exceptionally(ex -> { throw new RuntimeException("Failed to get key policy", ex); }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ListKeyPolicies](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeyPolicies)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_policies(self, key_id): """ Lists the names of the policies for a key. :param key_id: The ARN or ID of the key to query. """ try: policy_names = self.kms_client.list_key_policies(KeyId=key_id)[ "PolicyNames" ] except ClientError as err: logging.error( "Couldn't list your policies. Here's why: %s", err.response["Error"]["Message"], ) raise else: print(f"The policies for key {key_id} are:") pprint(policy_names) ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ListKeyPolicies](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeyPolicies)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' oo_result = lo_kms->listkeypolicies( iv_keyid = iv_key_id ). MESSAGE 'Retrieved key policies list.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListKeyPolicies](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ListKeys` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ListKeys`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ .NET ] **適用於 .NET 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/KMS#code-examples)中設定和執行。 ``` using System; using System.Threading.Tasks; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; /// /// List the AWS Key Managements Service (AWS KMS) keys for the AWS Region /// of the default user. To list keys in another AWS Region, supply the Region /// as a parameter to the client constructor. /// public class ListKeys { public static async Task Main() { var client = new AmazonKeyManagementServiceClient(); var request = new ListKeysRequest(); var response = new ListKeysResponse(); do { response = await client.ListKeysAsync(request); response.Keys.ForEach(key => { Console.WriteLine($"ID: {key.KeyId}, {key.KeyArn}"); }); // Set the Marker property when response.Truncated is true // in order to get the next keys. request.Marker = response.NextMarker; } while (response.Truncated); } } ``` + 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListKeys)。 ------ #### [ CLI ] **AWS CLI** **取得帳戶和區域中的 KMS 金鑰** 下列 `list-keys` 範例取得帳戶和區域中的 KMS 金鑰。此命令會同時傳回 AWS 受管金鑰和客戶受管金鑰。 ``` aws kms list-keys ``` 輸出: ``` { "Keys": [ { "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" }, { "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d", "KeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d" } ] } ``` 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[檢視金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ListKeys](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-keys.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` import software.amazon.awssdk.services.kms.KmsAsyncClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher; import java.util.concurrent.CompletableFuture; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { listAllKeys(); } public static void listAllKeys() { KmsAsyncClient kmsAsyncClient = KmsAsyncClient.builder() .build(); ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); /* * The `subscribe` method is required when using paginator methods in the AWS SDK * because paginator methods return an instance of a `ListKeysPublisher`, which is * based on a reactive stream. This allows asynchronous retrieval of paginated * results as they become available. By subscribing to the stream, we can process * each page of results as they are emitted. */ ListKeysPublisher keysPublisher = kmsAsyncClient.listKeysPaginator(listKeysRequest); CompletableFuture future = keysPublisher .subscribe(r -> r.keys().forEach(key -> System.out.println("The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()))) .whenComplete((result, exception) -> { if (exception != null) { System.err.println("Error occurred: " + exception.getMessage()); } else { System.out.println("Successfully listed all keys."); } }); try { future.join(); } catch (Exception e) { System.err.println("Failed to list keys: " + e.getMessage()); } } } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ListKeys)。 ------ #### [ Kotlin ] **適用於 Kotlin 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/kms#code-examples)中設定和執行。 ``` suspend fun listAllKeys() { val request = ListKeysRequest { limit = 15 } KmsClient.fromEnvironment { region = "us-west-2" }.use { kmsClient -> val response = kmsClient.listKeys(request) response.keys?.forEach { key -> println("The key ARN is ${key.keyArn}") println("The key Id is ${key.keyId}") } } } ``` + 如需 API 詳細資訊,請參閱《適用於 Kotlin 的AWS SDK API 參考》**中的 [ListKeys](https://sdk.amazonaws.com/kotlin/api/latest/index.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @return array */ public function listKeys() { try { $contents = []; $paginator = $this->client->getPaginator("ListKeys"); foreach($paginator as $result){ foreach ($result['Content'] as $object) { $contents[] = $object; } } return $contents; }catch(KmsException $caught){ echo "There was a problem listing the keys: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def list_keys(self): """ Lists the keys for the current account by using a paginator. """ try: page_size = 10 print("\nLet's list your keys.") key_paginator = self.kms_client.get_paginator("list_keys") for key_page in key_paginator.paginate(PaginationConfig={"PageSize": 10}): print(f"Here are {len(key_page['Keys'])} keys:") pprint(key_page["Keys"]) if key_page["Truncated"]: answer = input( f"Do you want to see the next {page_size} keys (y/n)? " ) if answer.lower() != "y": break else: print("That's all your keys!") except ClientError as err: logging.error( "Couldn't list your keys. Here's why: %s", err.response["Error"]["Message"], ) ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ListKeys](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeys)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn show_keys(client: &Client) -> Result<(), Error> { let resp = client.list_keys().send().await?; let keys = resp.keys.unwrap_or_default(); let len = keys.len(); for key in keys { println!("Key ARN: {}", key.key_arn.as_deref().unwrap_or_default()); } println!(); println!("Found {} keys", len); Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [ListKeys](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.list_keys)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. oo_result = lo_kms->listkeys( ). MESSAGE 'Retrieved KMS keys list.' TYPE 'I'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ListKeys](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `PutKeyPolicy` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `PutKeyPolicy`。 ------ #### [ CLI ] **AWS CLI** **變更 KMS 金鑰的金鑰政策** 下列 `put-key-policy` 範例會變更客戶自管金鑰的金鑰政策。 一開始,請建立金鑰政策,並將其儲存在本機 JSON 檔案中。在此範例中,檔案是 `key_policy.json`。您也可以將金鑰政策指定為 `policy` 參數的字串值。 此金鑰政策中的第一個陳述式提供 AWS 帳戶使用 IAM 政策控制 KMS 金鑰存取的許可。第二個陳述式提供 `test-user` 使用者在 KMS 金鑰上執行 `describe-key` 和 `list-keys` 命令的許可權。 `key_policy.json` 的內容: ``` { "Version":"2012-10-17", "Id" : "key-default-1", "Statement" : [ { "Sid" : "Enable IAM User Permissions", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" }, "Action" : "kms:*", "Resource" : "*" }, { "Sid" : "Allow Use of Key", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:user/test-user" }, "Action" : [ "kms:DescribeKey", "kms:ListKeys" ], "Resource" : "*" } ] } ``` 若要識別 KMS 金鑰,此範例會使用金鑰 ID,但您也可以使用金鑰 ARN。為指定金鑰政策,命令使用 `policy` 參數。為了指出政策位於檔案中,它會使用必要的 `file://` 字首。要識別所有支援的作業系統上的檔案,需要此字首。最後,命令會使用值為 `default` 的 `policy-name` 參數。若未指定政策名稱,預設值為 `default`。唯一有效的值為 `default`。 ``` aws kms put-key-policy \ --policy-name default \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --policy file://key_policy.json ``` 此命令不會產生任何輸出。若要驗證命令是否有效,請使用 `get-key-policy` 命令。下列範例命令會取得相同 KMS 金鑰的金鑰政策。值為 `text` 的 `output` 參數會傳回易於讀取的文字格式。 ``` aws kms get-key-policy \ --policy-name default \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --output text ``` 輸出: ``` { "Version":"2012-10-17", "Id" : "key-default-1", "Statement" : [ { "Sid" : "Enable IAM User Permissions", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" }, "Action" : "kms:*", "Resource" : "*" }, { "Sid" : "Allow Use of Key", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:user/test-user" }, "Action" : [ "kms:Describe", "kms:List" ], "Resource" : "*" } ] } ``` 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[變更金鑰政策](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutKeyPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/put-key-policy.html)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $policy * @return void */ public function putKeyPolicy(string $keyId, string $policy) { try { $this->client->putKeyPolicy([ 'KeyId' => $keyId, 'Policy' => $policy, ]); }catch(KmsException $caught){ echo "There was a problem replacing the key policy: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [PutKeyPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/PutKeyPolicy)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyPolicy: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyPolicy": """ Creates a KeyPolicy instance with a default KMS client. :return: An instance of KeyPolicy initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def set_policy(self, key_id: str, policy: dict[str, any]) -> None: """ Sets the policy of a key. Setting a policy entirely overwrites the existing policy, so care is taken to add a statement to the existing list of statements rather than simply writing a new policy. :param key_id: The ARN or ID of the key to set the policy to. :param policy: The existing policy of the key. :return: None """ principal = input( "Enter the ARN of an IAM role to set as the principal on the policy: " ) if key_id != "" and principal != "": # The updated policy replaces the existing policy. Add a new statement to # the list along with the original policy statements. policy["Statement"].append( { "Sid": "Allow access for ExampleRole", "Effect": "Allow", "Principal": {"AWS": principal}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", ], "Resource": "*", } ) try: self.kms_client.put_key_policy(KeyId=key_id, Policy=json.dumps(policy)) except ClientError as err: logger.error( "Couldn't set policy for key %s. Here's why %s", key_id, err.response["Error"]["Message"], ) raise else: print(f"Set policy for key {key_id}.") else: print("Skipping set policy demo.") ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [PutKeyPolicy](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/PutKeyPolicy)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_policy = '{"Version":"2012-10-17", "Statement": [...]}' lo_kms->putkeypolicy( iv_keyid = iv_key_id iv_policyname = 'default' iv_policy = iv_policy ). MESSAGE 'Key policy updated successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmsmalformedplydocex. MESSAGE 'Malformed policy document.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [PutKeyPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ReEncrypt` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ReEncrypt`。 ------ #### [ CLI ] **AWS CLI** **範例 1:在不同的對稱 KMS 金鑰 (Linux 和 macOS) 下,重新加密訊息。** 下列`re-encrypt`命令範例示範使用 AWS CLI 重新加密資料的建議方法。 在檔案中提供密文。`--ciphertext-blob` 參數的值中,使用 `fileb://` 字首,其會告知 CLI 從二進位檔案讀取資料。如果檔案不在目前的目錄中,請輸入檔案的完整路徑。如需從檔案讀取 AWS CLI 參數值的詳細資訊,請參閱《 *AWS 命令列界面使用者指南*》中的[從檔案載入 AWS CLI 參數](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html),以及《 *AWS 命令列工具部落格*》中的[本機檔案參數最佳實務](https://aws.amazon.com/blogs/developer/best-practices-for-local-file-parameters/)。指定解密加密文字的來源 KMS 金鑰。使用對稱加密 KMS 金鑰解密時,不需要 `--source-key-id` 參數。 AWS KMS 可以取得用於加密加密加密加密加密文字 Blob 中中繼資料資料的 KMS 金鑰。但是指定您正在使用的 KMS 金鑰永遠是最佳實務。此做法可確保使用您想要的 KMS 金鑰,並可防止不小心使用不信任的 KMS 金鑰解密加密文字。指定目的地 KMS 金鑰,這會重新加密資料。`--destination-key-id` 參數一律為必要項。此範例使用金鑰 ARN,但您可以使用任何有效的金鑰識別碼。請求純文字輸出做為文字值。`--query` 參數會告知 CLI 僅從輸出取得 `Plaintext` 欄位的值。`--output` 參數會以純文字傳回輸出。Base64 將純文字解碼,並儲存在檔案中。下列範例會將 `Plaintext` 參數的管道符號 (\$1) 值輸送至 Base64 公用程式,以將其解碼。然後,將解碼的輸出重新導向 (>) 至 `ExamplePlaintext` 檔案。 執行此命令之前,請將範例金鑰 IDs 取代為 AWS 帳戶中有效的金鑰識別符。 ``` aws kms re-encrypt \ --ciphertext-blob fileb://ExampleEncryptedFile \ --source-key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --destination-key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \ --query CiphertextBlob \ --output text | base64 --decode > ExampleReEncryptedFile ``` 此命令不會產生輸出。來自 `re-encrypt` 命令的輸出經過 base64 解碼,並儲存在檔案中。 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的 [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html)。 **範例 2:在不同的對稱 KMS 金鑰 (Windows 命令提示) 下,重新加密已加密的訊息。** 下列 `re-encrypt` 命令範例與上一個範例相同,唯一不同的是它使用 `certutil` 公用程式對純文字資料進行 Base64 解碼。此程序需要兩個命令,如下列範例所示。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。 ``` aws kms re-encrypt ^ --ciphertext-blob fileb://ExampleEncryptedFile ^ --source-key-id 1234abcd-12ab-34cd-56ef-1234567890ab ^ --destination-key-id 0987dcba-09fe-87dc-65ba-ab0987654321 ^ --query CiphertextBlob ^ --output text > ExampleReEncryptedFile.base64 ``` 然後使用 `certutil` 公用程式 ``` certutil -decode ExamplePlaintextFile.base64 ExamplePlaintextFile ``` 輸出: ``` Input Length = 18 Output Length = 12 CertUtil: -decode command completed successfully. ``` 如需詳細資訊,請參閱《*AWS Key Management Service API 參考*》中的 [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ReEncrypt](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/re-encrypt.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def re_encrypt(self, source_key_id, cipher_text): """ Takes ciphertext previously encrypted with one key and reencrypt it by using another key. :param source_key_id: The ARN or ID of the original key used to encrypt the ciphertext. :param cipher_text: The encrypted ciphertext. :return: The ciphertext encrypted by the second key. """ destination_key_id = input( f"Your ciphertext is currently encrypted with key {source_key_id}. " f"Enter another key ID or ARN to reencrypt it: " ) if destination_key_id != "": try: cipher_text = self.kms_client.re_encrypt( SourceKeyId=source_key_id, DestinationKeyId=destination_key_id, CiphertextBlob=cipher_text, )["CiphertextBlob"] except ClientError as err: logger.error( "Couldn't reencrypt your ciphertext. Here's why: %s", err.response["Error"]["Message"], ) else: print(f"Reencrypted your ciphertext as: {cipher_text}") return cipher_text else: print("Skipping reencryption demo.") ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ReEncrypt](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ReEncrypt)。 ------ #### [ Ruby ] **SDK for Ruby** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/kms#code-examples)中設定和執行。 ``` require 'aws-sdk-kms' # v2: require 'aws-sdk' # Human-readable version of the ciphertext of the data to reencrypt. blob = '01020200785d68faeec386af1057904926253051eb2919d3c16078badf65b808b26dd057c101747cadf3593596e093d4ffbf22434a6d00000068306606092a864886f70d010706a0593057020100305206092a864886f70d010701301e060960864801650304012e3011040c9d629e573683972cdb7d94b30201108025b20b060591b02ca0deb0fbdfc2f86c8bfcb265947739851ad56f3adce91eba87c59691a9a1' sourceCiphertextBlob = [blob].pack('H*') # Replace the fictitious key ARN with a valid key ID destinationKeyId = 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321' client = Aws::KMS::Client.new(region: 'us-west-2') resp = client.re_encrypt({ ciphertext_blob: sourceCiphertextBlob, destination_key_id: destinationKeyId }) # Display a readable version of the resulting re-encrypted blob. puts 'Blob:' puts resp.ciphertext_blob.unpack('H*') ``` + 如需詳細資訊,請參閱《適用於 Ruby 的 AWS SDK API 參考》**中的 [ReEncrypt](https://docs.aws.amazon.com/goto/SdkForRubyV3/kms-2014-11-01/ReEncrypt)。 ------ #### [ Rust ] **適用於 Rust 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/kms#code-examples)中設定和執行。 ``` async fn reencrypt_string( verbose: bool, client: &Client, input_file: &str, output_file: &str, first_key: &str, new_key: &str, ) -> Result<(), Error> { // Get blob from input file // Open input text file and get contents as a string // input is a base-64 encoded string, so decode it: let data = fs::read_to_string(input_file) .map(|input_file| base64::decode(input_file).expect("invalid base 64")) .map(Blob::new); let resp = client .re_encrypt() .ciphertext_blob(data.unwrap()) .source_key_id(first_key) .destination_key_id(new_key) .send() .await?; // Did we get an encrypted blob? let blob = resp.ciphertext_blob.expect("Could not get encrypted text"); let bytes = blob.as_ref(); let s = base64::encode(bytes); let o = &output_file; let mut ofile = File::create(o).expect("unable to create file"); ofile.write_all(s.as_bytes()).expect("unable to write"); if verbose { println!("Wrote the following to {}:", output_file); println!("{}", s); } else { println!("Wrote base64-encoded output to {}", output_file); } Ok(()) } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Rust API 參考》**中的 [ReEncrypt](https://docs.rs/aws-sdk-kms/latest/aws_sdk_kms/client/struct.Client.html#method.re_encrypt)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_source_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_destination_key_id = 'arn:aws:kms:us-east-1:123456789012:key/5678dcba-56cd-78ef-90ab-5678901234cd' " iv_ciphertext_blob contains the encrypted data oo_result = lo_kms->reencrypt( iv_sourcekeyid = iv_source_key_id iv_destinationkeyid = iv_destination_key_id iv_ciphertextblob = iv_ciphertext_blob ). MESSAGE 'Ciphertext reencrypted successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsincorrectkeyex. MESSAGE 'Incorrect source key for decryption.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ReEncrypt](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `RetireGrant` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `RetireGrant`。 ------ #### [ CLI ] **AWS CLI** **淘汰客戶主金鑰的授予** 下列 `retire-grant` 範例會從 KMS 金鑰刪除授予。 下列範例命令會指定 `grant-id` 和 `key-id` 參數。`key-id` 參數的值必須是 KMS 金鑰的金鑰 ARN。 ``` aws kms retire-grant \ --grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \ --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會產生輸出。若要確認授予已淘汰,請使用 `list-grants` 命令。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[淘汰和撤銷授予](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [RetireGrant](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/retire-grant.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def retire_grant(self, grant): """ Retires a grant so that it can no longer be used. :param grant: The grant to retire. """ try: self.kms_client.retire_grant(GrantToken=grant["GrantToken"]) except ClientError as err: logger.error( "Couldn't retire grant %s. Here's why: %s", grant["GrantId"], err.response["Error"]["Message"], ) else: print(f"Grant {grant['GrantId']} retired.") ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [RetireGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RetireGrant)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_grant_token = 'AQpAM2RhZ...' lo_kms->retiregrant( iv_granttoken = iv_grant_token ). MESSAGE 'Grant retired successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Grant not found.' TYPE 'E'. CATCH /aws1/cx_kmsinvgranttokenex. MESSAGE 'Invalid grant token.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [RetireGrant](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `RevokeGrant` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `RevokeGrant`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **撤銷客戶主金鑰的授予** 下列 `revoke-grant` 範例會從 KMS 金鑰刪除授予。下列範例命令會指定 `grant-id` 和 `key-id` 參數。`key-id` 參數的值可以是 KMS 金鑰的金鑰 ID 或金鑰 ARN。 ``` aws kms revoke-grant \ --grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會產生輸出。若要確認授予已撤銷,請使用 `list-grants` 命令。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[淘汰和撤銷授予](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [RevokeGrant](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/revoke-grant.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Revokes a grant for the specified AWS KMS key asynchronously. * * @param keyId The ID or key ARN of the AWS KMS key. * @param grantId The identifier of the grant to be revoked. * @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant. * The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object * if the operation is successful, or with a {@code null} value if an error occurs. */ public CompletableFuture revokeKeyGrantAsync(String keyId, String grantId) { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); CompletableFuture responseFuture = getAsyncClient().revokeGrant(grantRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Grant ID: [" + grantId + "] was successfully revoked!"); } else { if (exception instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx); } } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; } ``` + 如需詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/RevokeGrant)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $grantId * @param string $keyId * @return void */ public function revokeGrant(string $grantId, string $keyId) { try{ $this->client->revokeGrant([ 'GrantId' => $grantId, 'KeyId' => $keyId, ]); }catch(KmsException $caught){ echo "There was a problem with revoking the grant: {$caught->getAwsErrorMessage()}.\n"; throw $caught; } } ``` + 如需詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [RevokeGrant](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RevokeGrant)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "GrantManager": """ Creates a GrantManager instance with a default KMS client. :return: An instance of GrantManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def revoke_grant(self, key_id: str, grant_id: str) -> None: """ Revokes a grant so that it can no longer be used. :param key_id: The ARN or ID of the key associated with the grant. :param grant_id: The ID of the grant to revoke. """ try: self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant_id) except ClientError as err: logger.error( "Couldn't revoke grant %s. Here's why: %s", grant_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [RevokeGrant](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RevokeGrant)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_grant_id = '1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p' lo_kms->revokegrant( iv_keyid = iv_key_id iv_grantid = iv_grant_id ). MESSAGE 'Grant revoked successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Grant or key not found.' TYPE 'E'. CATCH /aws1/cx_kmsinvalidgrantidex. MESSAGE 'Invalid grant ID.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [RevokeGrant](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `ScheduleKeyDeletion` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `ScheduleKeyDeletion`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **為客戶自管 KMS 金鑰刪除排程。** 下列 `schedule-key-deletion` 範例為需要在 15 天內刪除的指定客戶自管 KMS 金鑰排程。 `--key-id` 參數可識別 KMS 金鑰。此範例使用金鑰 ARN 值,但您可以使用金鑰 ID 或 KMS 金鑰的 ARN。`--pending-window-in-days` 參數會指定 7-30 天等待期的時間長度。預設等待期為 30 天。此範例會指定值 15,指示 AWS 命令完成後 15 天永久刪除 KMS 金鑰。 ``` aws kms schedule-key-deletion \ --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ --pending-window-in-days 15 ``` 回應包含金鑰 ARN、金鑰狀態、等待期 (`PendingWindowInDays`),以及以 Unix 時間表示的刪除日期。若要以當地時間檢視刪除日期,請使用 AWS KMS 主控台。`PendingDeletion` 金鑰狀態中的 KMS 金鑰,無法在密碼編譯操作中使用。 ``` { "KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "DeletionDate": "2022-06-18T23:43:51.272000+00:00", "KeyState": "PendingDeletion", "PendingWindowInDays": 15 } ``` 如需詳細資訊,請參閱《AWS Key Management Service 開發人員指南》**中的[刪除金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [ScheduleKeyDeletion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/schedule-key-deletion.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Deletes a KMS key asynchronously. * *

Warning: Deleting a KMS key is a destructive and potentially dangerous operation. * When a KMS key is deleted, all data that was encrypted under the KMS key becomes unrecoverable. * This means that any files, databases, or other data that were encrypted using the deleted KMS key * will become permanently inaccessible. Exercise extreme caution when deleting KMS keys.

* * @param keyId the ID of the KMS key to delete * @return a {@link CompletableFuture} that completes when the key deletion is scheduled */ public CompletableFuture deleteKeyAsync(String keyId) { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); return getAsyncClient().scheduleKeyDeletion(deletionRequest) .thenRun(() -> { logger.info("Key {} will be deleted in 7 days", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to schedule key deletion for key ID: " + keyId, throwable); }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/ScheduleKeyDeletion)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param int $pendingWindowInDays * @return void */ public function scheduleKeyDeletion(string $keyId, int $pendingWindowInDays = 7) { try { $this->client->scheduleKeyDeletion([ 'KeyId' => $keyId, 'PendingWindowInDays' => $pendingWindowInDays, ]); }catch(KmsException $caught){ echo "There was a problem scheduling the key deletion: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ScheduleKeyDeletion)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def delete_key(self, key_id: str, window: int) -> None: """ Deletes a list of keys. Warning: Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. :param key_id: The ARN or ID of the key to delete. :param window: The waiting period, in days, before the KMS key is deleted. """ try: self.kms_client.schedule_key_deletion( KeyId=key_id, PendingWindowInDays=window ) except ClientError as err: logging.error( "Couldn't delete key %s. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [ScheduleKeyDeletion](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ScheduleKeyDeletion)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_pending_window_days = 7 oo_result = lo_kms->schedulekeydeletion( iv_keyid = iv_key_id iv_pendingwindowindays = iv_pending_window_days ). MESSAGE 'Key scheduled for deletion.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [ScheduleKeyDeletion](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `Sign` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `Sign`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **範例 1:產生訊息的數位簽章** 下列 `sign` 範例會產生簡訊的密碼編譯簽章。命令的輸出包含 base-64 編碼 `Signature` 欄位,您可以使用 `verify` 命令進行驗證。 您必須指定要簽署的訊息,以及非對稱 KMS 金鑰支援的簽署演算法。若要取得 KMS 金鑰的簽署演算法,請使用 `describe-key` 命令。 在 AWS CLI v2 中, `message` 參數的值必須是 Base64-encoded。或者,您可以將訊息儲存在檔案中,並使用 `fileb://`字首,告知 AWS CLI 從檔案讀取二進位資料。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。金鑰 ID 必須代表金鑰用量為 SIGN\$1VERIFY 的非對稱 KMS 金鑰。 ``` msg=(echo 'Hello World' | base64) aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://UnsignedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 ``` 輸出: ``` { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Signature": "ABCDEFhpyVYyTxbafE74ccSvEJLJr3zuoV1Hfymz4qv+/fxmxNLA7SE1SiF8lHw80fKZZ3bJ...", "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" } ``` 如需在 AWS KMS 中使用非對稱 KMS 金鑰的詳細資訊,請參閱 Key Management Service 開發人員指南中的 [AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * **範例 2:在檔案 (Linux 和 macOs) 中儲存數位簽章** 下列 `sign` 範例會為儲存在本機檔案中的簡訊產生密碼編譯簽章。命令也會從回應取得 `Signature` 屬性,以 Base64 進行解碼,然後將其儲存在 ExampleSignature 檔案中。您可以在驗證簽章的 `verify` 命令中使用簽章檔案。 `sign` 命令需要以 Base64 編碼的訊息,以及非對稱 KMS 金鑰支援的簽署演算法。若要取得 KMS 金鑰支援的簽署演算法,請使用 `describe-key` 命令。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。金鑰 ID 必須代表金鑰用量為 SIGN\$1VERIFY 的非對稱 KMS 金鑰。 ``` echo 'hello world' | base64 > EncodedMessage aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://EncodedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \ --output text \ --query Signature | base64 --decode > ExampleSignature ``` 此命令不會產生輸出。此範例會擷取輸出的 `Signature` 屬性,並將其儲存在檔案中。 如需在 AWS KMS 中使用非對稱 KMS 金鑰的詳細資訊,請參閱 Key Management Service 開發人員指南中的 [AWS KMS 中的非對稱](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)金鑰。 *AWS * + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [Sign](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/sign.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously signs and verifies data using AWS KMS. * *

The method performs the following steps: *

    *
  1. Creates an AWS KMS key with the specified key spec, key usage, and origin.
    2. *
  2. Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    3. *
  3. Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    4. *
* * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); } ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Java 2.x API 參考》**中的 [Sign](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Sign)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param string $message * @param string $algorithm * @return Result */ public function sign(string $keyId, string $message, string $algorithm) { try { return $this->client->sign([ 'KeyId' => $keyId, 'Message' => $message, 'SigningAlgorithm' => $algorithm, ]); }catch(KmsException $caught){ echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱《適用於 PHP 的 AWS SDK API 參考》**中的 [Sign](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Sign)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [Sign](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Sign)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' (asymmetric key) " iv_message contains the message to sign " iv_signing_algorithm = 'RSASSA_PSS_SHA_256' oo_result = lo_kms->sign( iv_keyid = iv_key_id iv_message = iv_message iv_signingalgorithm = iv_signing_algorithm ). MESSAGE 'Message signed successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmsinvalidkeyusageex. MESSAGE 'Key cannot be used for signing.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱[登入](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)適用於 *AWS SAP ABAP 的 SDK API 參考*。 ------ # `TagResource` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `TagResource`。 動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作: + [了解基本概念](kms_example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **將標籤新增至 KMS 金鑰** 下列 `tag-resource` 範例會將 `"Purpose":"Test"` 和 `"Dept":"IT"` 標籤新增至客戶自管 KMS 金鑰。您可以使用這類標籤來標記 KMS 金鑰,並建立 KMS 金鑰類別以供許可和稽核之用。 若要指定 KMS 金鑰,請使用 `key-id` 參數。此範例使用金鑰 ID 值,但您可以在此命令中使用金鑰 ID 或金鑰 ARN。 ``` aws kms tag-resource \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --tags TagKey='Purpose',TagValue='Test' TagKey='Dept',TagValue='IT' ``` 此命令不會產生輸出。若要檢視 AWS KMS KMS 金鑰上的標籤,請使用 `list-resource-tags`命令。 如需在 AWS KMS 中使用標籤的詳細資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[標記金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [TagResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/tag-resource.html)。 ------ #### [ Java ] **SDK for Java 2.x** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples)中設定和執行。 ``` /** * Asynchronously tags a KMS key with a specific tag. * * @param keyId the ID of the KMS key to be tagged * @return a {@link CompletableFuture} that completes when the tagging operation is finished */ public CompletableFuture tagKMSKeyAsync(String keyId) { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); return getAsyncClient().tagResource(tagResourceRequest) .thenRun(() -> { logger.info("{} key was tagged", keyId); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to tag the KMS key", throwable); }); } ``` + 如需 API 詳細資訊,請參閱 *AWS SDK for Java 2.x API 參考*中的 [TagResource](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/TagResource)。 ------ #### [ PHP ] **適用於 PHP 的 SDK** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples)中設定和執行。 ``` /*** * @param string $keyId * @param array $tags * @return void */ public function tagResource(string $keyId, array $tags) { try { $this->client->tagResource([ 'KeyId' => $keyId, 'Tags' => $tags, ]); }catch(KmsException $caught){ echo "There was a problem applying the tag(s): {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + 如需 API 詳細資訊,請參閱 *適用於 PHP 的 AWS SDK API 參考*中的 [TagResource](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/TagResource)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_keys = [] @classmethod def from_client(cls) -> "KeyManager": """ Creates a KeyManager instance with a default KMS client. :return: An instance of KeyManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def tag_resource(self, key_id: str, tag_key: str, tag_value: str) -> None: """ Add or edit tags on a customer managed key. :param key_id: The ARN or ID of the key to enable rotation for. :param tag_key: Key for the tag. :param tag_value: Value for the tag. """ try: self.kms_client.tag_resource( KeyId=key_id, Tags=[{"TagKey": tag_key, "TagValue": tag_value}] ) except ClientError as err: logging.error( "Couldn't add a tag for the key '%s'. Here's why: %s", key_id, err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [TagResource](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/TagResource)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` DATA lt_tags TYPE /aws1/cl_kmstag=>tt_taglist. TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' " iv_tag_key = 'Environment' " iv_tag_value = 'Production' APPEND NEW /aws1/cl_kmstag( iv_tagkey = iv_tag_key iv_tagvalue = iv_tag_value ) TO lt_tags. lo_kms->tagresource( iv_keyid = iv_key_id it_tags = lt_tags ). MESSAGE 'Tag added to KMS key successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmstagexception. MESSAGE 'Invalid tag format.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [TagResource](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `UpdateAlias` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `UpdateAlias`。 ------ #### [ CLI ] **AWS CLI** **將別名與不同的 KMS 金鑰相關聯** 下列 `update-alias` 範例會將別名 `alias/test-key` 與不同的 KMS 金鑰相關聯。 請注意,`--alias-name` 參數會指定別名。別名的名稱值必須以 `alias/` 開頭。`--target-key-id` 參數會指定要與別名建立關聯的 KMS 金鑰。您不需要為別名指定目前的 KMS 金鑰。 ``` aws kms update-alias \ --alias-name alias/test-key \ --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab ``` 此命令不會產生輸出。要尋找別名,請使用 `list-aliases` 命令。 如需詳細資訊,請參閱《*AWS Key Management Service 開發人員指南*》中的[更新別名](https://docs.aws.amazon.com/kms/latest/developerguide/alias-manage.html#alias-update)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [UpdateAlias](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/update-alias.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class AliasManager: def __init__(self, kms_client): self.kms_client = kms_client self.created_key = None @classmethod def from_client(cls) -> "AliasManager": """ Creates an AliasManager instance with a default KMS client. :return: An instance of AliasManager initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def update_alias(self, alias, current_key_id): """ Updates an alias by assigning it to another key. :param alias: The alias to reassign. :param current_key_id: The ARN or ID of the key currently associated with the alias. """ new_key_id = input( f"Alias {alias} is currently associated with {current_key_id}. " f"Enter another key ID or ARN that you want to associate with {alias}: " ) if new_key_id != "": try: self.kms_client.update_alias(AliasName=alias, TargetKeyId=new_key_id) except ClientError as err: logger.error( "Couldn't associate alias %s with key %s. Here's why: %s", alias, new_key_id, err.response["Error"]["Message"], ) else: print(f"Alias {alias} is now associated with key {new_key_id}.") else: print("Skipping alias update.") ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [UpdateAlias](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/UpdateAlias)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_alias_name = 'alias/my-key-alias' " iv_target_key_id = 'arn:aws:kms:us-east-1:123456789012:key/5678dcba-56cd-78ef-90ab-5678901234cd' lo_kms->updatealias( iv_aliasname = iv_alias_name iv_targetkeyid = iv_target_key_id ). MESSAGE 'Alias updated successfully.' TYPE 'I'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Alias or key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [UpdateAlias](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------ # `Verify` 搭配 AWS SDK 或 CLI 使用 下列程式碼範例示範如何使用 `Verify`。 ------ #### [ CLI ] **AWS CLI** **驗證數位簽章** 下列 `verify` 命令會驗證以 Base64 編碼的簡短訊息的加密簽章。金鑰 ID、訊息、訊息類型和簽署演算法,必須與用來簽署訊息的演算法相同。 在 AWS CLI v2 中, `message` 參數的值必須是 Base64-encoded。或者,您可以將訊息儲存在檔案中,並使用 `fileb://`字首,告知 AWS CLI 從檔案讀取二進位資料。 您指定的簽章不能以 base64 編碼。如需將 `sign` 命令傳回的簽章解碼的說明,請參閱 `sign` 命令範例。 命令的輸出包含布林值 `SignatureValid` 欄位,指出簽章已驗證。如果簽章驗證失敗,`verify` 命令也會失敗。 執行此命令之前,請將範例金鑰 ID 取代為來自您 AWS 帳戶的有效金鑰 ID。 ``` aws kms verify \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://EncodedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \ --signature fileb://ExampleSignature ``` 輸出: ``` { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "SignatureValid": true, "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" } ``` 如需在 KMS 中使用非對稱 AWS KMS 金鑰的詳細資訊,請參閱 *AWS Key Management Service 開發人員指南*中的[使用非對稱金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)。 + 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [Verify](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/verify.html)。 ------ #### [ Python ] **適用於 Python 的 SDK (Boto3)** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples)中設定和執行。 ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def verify(self, key_id: str, message: str, signature: str) -> bool: """ Verifies a signature against a message. :param key_id: The ARN or ID of the key used to sign the message. :param message: The message to verify. :param signature: The signature to verify. :return: True when the signature matches the message, otherwise False. """ try: response = self.kms_client.verify( KeyId=key_id, Message=message.encode(), Signature=signature, SigningAlgorithm="RSASSA_PSS_SHA_256", ) valid = response["SignatureValid"] print(f"The signature is {'valid' if valid else 'invalid'}.") return valid except ClientError as err: if err.response["Error"]["Code"] == "SignatureDoesNotMatchException": print("The signature is not valid.") else: logger.error( "Couldn't verify your signature. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [Verify](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Verify)。 ------ #### [ SAP ABAP ] **適用於 SAP ABAP 的開發套件** GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples)中設定和執行。 ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' (asymmetric key) " iv_message contains the original message " iv_signature contains the signature to verify " iv_signing_algorithm = 'RSASSA_PSS_SHA_256' oo_result = lo_kms->verify( iv_keyid = iv_key_id iv_message = iv_message iv_signature = iv_signature iv_signingalgorithm = iv_signing_algorithm ). DATA(lv_valid) = oo_result->get_signaturevalid( ). IF lv_valid = abap_true. MESSAGE 'Signature is valid.' TYPE 'I'. ELSE. MESSAGE 'Signature is invalid.' TYPE 'I'. ENDIF. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmskmsinvalidsigex. MESSAGE 'Invalid signature.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的[驗證](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。 ------