Reference: AWS: KMS

dependencies {
    implementation(platform("org.http4k:http4k-connect-bom:5.25.1.0"))

    implementation("org.http4k:http4k-connect-amazon-kms")
    implementation("org.http4k:http4k-connect-amazon-kms-fake")
}

The KMS connector provides the following Actions:

 *  CreateKey
 *  DescribeKey
 *  Decrypt
 *  Encrypt
 *  GetPublicKey
 *  ListKeys
 *  ScheduleKeyDeletion
 *  Sign
 *  Verify

Example usage

const val USE_REAL_CLIENT = false

fun main() {
    // we can connect to the real service or the fake (a drop-in replacement)
    val http: HttpHandler = if (USE_REAL_CLIENT) JavaHttpClient() else FakeKMS()

    // create a client; http.debug() logs every request/response to stdout
    val client = KMS.Http(Region.of("us-east-1"), { AwsCredentials("accessKeyId", "secretKey") }, http.debug())

    // all operations return a Result monad of the API type.
    // valueOrNull()!! keeps the demo short, but it throws on any RemoteFailure
    val createdKeyResult: Result<KeyCreated, RemoteFailure> = client.createKey(ECC_NIST_P384, ENCRYPT_DECRYPT)
    val key: KeyCreated = createdKeyResult.valueOrNull()!!
    println(key)

    // we can encrypt some text under the new key...
    val encrypted: Encrypted = client.encrypt(keyId = key.KeyMetadata.KeyId, Base64Blob.encoded("hello"))
        .valueOrNull()!!
    println(encrypted.CiphertextBlob.decoded())

    // and decrypt it again with the same key!
    val decrypted: Decrypted = client.decrypt(keyId = key.KeyMetadata.KeyId, encrypted.CiphertextBlob).valueOrNull()!!
    println(decrypted.Plaintext.decoded())
}

The client APIs utilise the http4k-aws module for request signing, which means there is no dependency on the incredibly fat AWS SDK JARs. This makes the integration well suited to Serverless Lambdas, where binary size is a performance factor.

The FakeKMS implementation currently does not properly encrypt/decrypt or sign/verify the contents of messages: it uses a trivially simple (and fast) reversible algorithm which only simulates this functionality. Ciphertext and signatures produced by the fake therefore carry no confidentiality or integrity guarantees, and the fake is intended for tests only.
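As an added example (not part of the http4k-connect docs or project code), the same create/encrypt/decrypt round trip as above, composed with result4k combinators instead of `valueOrNull()!!`, so a failed KMS call short-circuits the chain and comes back as a `RemoteFailure` rather than a NullPointerException. It assumes result4k's `map`, `flatMap` and `recover` and the KMS action signatures used in the example above.

```kotlin
import dev.forkhandles.result4k.Result
import dev.forkhandles.result4k.flatMap
import dev.forkhandles.result4k.map
import dev.forkhandles.result4k.recover

// Creates a key, encrypts `plaintext` under it and decrypts the result.
// Each step only runs if the previous one succeeded; the first RemoteFailure
// (bad credentials, missing permission, unknown key...) is returned as-is.
fun roundTrip(client: KMS, plaintext: String): Result<String, RemoteFailure> =
    client.createKey(ECC_NIST_P384, ENCRYPT_DECRYPT)
        .map { created -> created.KeyMetadata.KeyId }
        .flatMap { keyId ->
            client.encrypt(keyId = keyId, Base64Blob.encoded(plaintext))
                .flatMap { encrypted -> client.decrypt(keyId = keyId, encrypted.CiphertextBlob) }
        }
        .map { decrypted -> decrypted.Plaintext.decoded() }

fun main() {
    // Assumption: wired to FakeKMS directly; swap in JavaHttpClient() for the real service.
    val client = KMS.Http(Region.of("us-east-1"), { AwsCredentials("accessKeyId", "secretKey") }, FakeKMS())

    // recover turns the failure branch into a plain String so callers never see a null
    val outcome: String = roundTrip(client, "hello")
        .recover { failure -> "KMS call failed: $failure" }

    // Against FakeKMS this prints "hello". That proves the wiring and key handling,
    // not the cryptography: the fake only simulates encryption, as noted above.
    println(outcome)
}
```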

Default Fake port: 45302

To start:

FakeKMS().start()