Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.
AWS KMS Beispiele SDK für die Verwendung von Java 2.x
Die folgenden Codebeispiele zeigen Ihnen, wie Sie mithilfe von AWS SDK for Java 2.x with Aktionen ausführen und allgemeine Szenarien implementieren AWS KMS.
Aktionen sind Codeauszüge aus größeren Programmen und müssen im Kontext ausgeführt werden. Während Aktionen Ihnen zeigen, wie Sie einzelne Servicefunktionen aufrufen, können Sie Aktionen im Kontext der zugehörigen Szenarien und serviceübergreifenden Beispiele sehen.
Szenarien sind Codebeispiele, die Ihnen zeigen, wie Sie eine bestimmte Aufgabe ausführen können, indem Sie mehrere Funktionen innerhalb desselben Services aufrufen.
Jedes Beispiel enthält einen Link zu GitHub, wo Sie Anweisungen zum Einrichten und Ausführen des Codes im Kontext finden.
Erste Schritte
Das folgende Codebeispiel zeigt, wie Sie mit der Verwendung von KMS key beginnen.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
APIEinzelheiten finden Sie listKeysPaginatorunter AWS SDK for Java 2.x APIReferenz.
-
Aktionen
Das folgende Codebeispiel zeigt die VerwendungCreateAlias.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } }-
APIEinzelheiten finden Sie CreateAliasunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungCreateGrant.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
APIEinzelheiten finden Sie CreateGrantunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungCreateKey.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
APIEinzelheiten finden Sie CreateKeyunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungDecrypt.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; }-
APIEinzelheiten finden Sie unter Decrypt in AWS SDK for Java 2.x APIReference.
-
Das folgende Codebeispiel zeigt die VerwendungDeleteAlias.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie DeleteAliasunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungDescribeKey.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; }-
APIEinzelheiten finden Sie DescribeKeyunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungDisableKey.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie DisableKeyunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungEnableKey.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie EnableKeyunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungEncrypt.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; }-
APIEinzelheiten finden Sie unter Encrypt in AWS SDK for Java 2.x APIReference.
-
Das folgende Codebeispiel zeigt die VerwendungListAliases.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie ListAliasesunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungListGrants.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie ListGrantsunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungListKeyPolicies.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } }-
APIEinzelheiten finden Sie ListKeyPoliciesunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungListKeys.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.ListKeysRequest; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class HelloKMS { public static void main(String[] args) { Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); listAllKeys(kmsClient); kmsClient.close(); } public static void listAllKeys(KmsClient kmsClient) { try { ListKeysRequest listKeysRequest = ListKeysRequest.builder() .limit(15) .build(); ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest); keysResponse.stream() .flatMap(r -> r.keys().stream()) .forEach(key -> System.out .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } }-
APIEinzelheiten finden Sie ListKeysunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungRevokeGrant.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie RevokeGrantunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungScheduleKeyDeletion.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie ScheduleKeyDeletionunter AWS SDK for Java 2.x APIReferenz.
-
Das folgende Codebeispiel zeigt die VerwendungSign.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); }-
APIEinzelheiten finden Sie unter AWS SDK for Java 2.x APIAnmeldereferenz.
-
Das folgende Codebeispiel zeigt die VerwendungTagResource.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } }-
APIEinzelheiten finden Sie TagResourceunter AWS SDK for Java 2.x APIReferenz.
-
Szenarien
Wie das aussehen kann, sehen Sie am nachfolgenden Beispielcode:
Erstellen Sie einen KMS-Schlüssel.
Listen Sie die KMS Schlüssel für Ihr Konto auf und informieren Sie sich über sie.
KMSSchlüssel aktivieren und deaktivieren.
Generieren Sie einen symmetrischen Datenschlüssel, der für die clientseitige Verschlüsselung verwendet werden kann.
Generieren Sie einen asymmetrischen Schlüssel, der zum digitalen Signieren von Daten verwendet wird.
Tag-Schlüssel.
KMSSchlüssel löschen.
- SDKfür Java 2.x
-
Anmerkung
Es gibt noch mehr dazu. GitHub Sie sehen das vollständige Beispiel und erfahren, wie Sie das AWS -Code-Beispiel-Repository
einrichten und ausführen. import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.AliasListEntry; import software.amazon.awssdk.services.kms.model.AlreadyExistsException; import software.amazon.awssdk.services.kms.model.CreateAliasRequest; import software.amazon.awssdk.services.kms.model.CreateGrantRequest; import software.amazon.awssdk.services.kms.model.CreateGrantResponse; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.CreateKeyResponse; import software.amazon.awssdk.services.kms.model.CustomerMasterKeySpec; import software.amazon.awssdk.services.kms.model.DecryptRequest; import software.amazon.awssdk.services.kms.model.DecryptResponse; import software.amazon.awssdk.services.kms.model.DeleteAliasRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; import software.amazon.awssdk.services.kms.model.DisableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRequest; import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest; import software.amazon.awssdk.services.kms.model.EncryptRequest; import software.amazon.awssdk.services.kms.model.EncryptResponse; import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse; import software.amazon.awssdk.services.kms.model.GrantOperation; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyState; import software.amazon.awssdk.services.kms.model.KeyUsageType; import software.amazon.awssdk.services.kms.model.KmsException; import software.amazon.awssdk.services.kms.model.LimitExceededException; import software.amazon.awssdk.services.kms.model.ListAliasesRequest; import software.amazon.awssdk.services.kms.model.ListGrantsRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest; import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse; import software.amazon.awssdk.services.kms.model.OriginType; import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest; import software.amazon.awssdk.services.kms.model.RevokeGrantRequest; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; import software.amazon.awssdk.services.kms.model.SignRequest; import software.amazon.awssdk.services.kms.model.SignResponse; import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec; import software.amazon.awssdk.services.kms.model.Tag; import software.amazon.awssdk.services.kms.model.TagResourceRequest; import software.amazon.awssdk.services.kms.model.VerifyRequest; import software.amazon.awssdk.services.kms.model.VerifyResponse; import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable; import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable; import software.amazon.awssdk.services.secretsmanager.model.ResourceExistsException; import software.amazon.awssdk.services.sts.StsClient; import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; import java.nio.ByteBuffer; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; import java.util.List; import java.util.ArrayList; import java.util.Scanner; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. * * For more information, see the following documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class KMSScenario { public static final String DASHES = new String(new char[80]).replace("\0", "-"); private static final String accountId = getAccountId(); public static void main(String[] args) { final String usage = """ Usage: <granteePrincipal> Where: granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given. """; if (args.length != 1) { System.out.println(usage); System.exit(1); } String granteePrincipal = args[0]; String policyName = "default"; Scanner scanner = new Scanner(System.in); String keyDesc = "Created by the AWS KMS API"; Region region = Region.US_WEST_2; KmsClient kmsClient = KmsClient.builder() .region(region) .build(); System.out.println(DASHES); System.out.println(""" Welcome to the AWS Key Management SDK Getting Started scenario. This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2). The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create and manage AWS KMS keys and control their use across a wide range of AWS services and applications. KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your data protection and regulatory compliance requirements. This Getting Started scenario creates two key types. A symmetric encryption key is used to encrypt and decrypt data, and an asymmetric key used to digitally sign data. Let's get started... """); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("1. Create a symmetric KMS key\n"); System.out.println("First, the program will creates a symmetric KMS key that you can used to encrypt and decrypt data."); waitForInputToContinue(scanner); String targetKeyId = createKey(kmsClient, keyDesc); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 2. Enable a KMS key By default, when the SDK creates an AWS key it is enabled. The next bit of code checks to determine if the key is enabled. If it is not enabled, the code enables it. """); waitForInputToContinue(scanner); boolean isEnabled = isKeyEnabled(kmsClient, targetKeyId); if (!isEnabled) enableKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("3. Encrypt data using the symmetric KMS key"); String plaintext = "Hello, AWS KMS!"; System.out.printf(""" One of the main uses of symmetric keys is to encrypt and decrypt data. Next, the code encrypts the string '%s' with the SYMMETRIC_DEFAULT encryption algorithm. %n""", plaintext); waitForInputToContinue(scanner); SdkBytes ciphertext = encryptData(kmsClient, targetKeyId, plaintext); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("4. Create an alias"); System.out.println(""" Enter an alias name for the key. The name should be prefixed with 'alias/'. For example, 'alias/myFirstKey'. """); String aliasName = scanner.nextLine(); String fullAliasName = aliasName.isEmpty() ? "alias/dev-encryption-key" : aliasName; createCustomAlias(kmsClient, targetKeyId, fullAliasName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("5. List all of your aliases"); waitForInputToContinue(scanner); listAllAliases(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("6. Enable automatic rotation of the KMS key"); System.out.println(""" By default, when the SDK enables automatic rotation of a KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. """); waitForInputToContinue(scanner); enableKeyRotation(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println(""" 7. Create a grant A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. """); waitForInputToContinue(scanner); String grantId = grantKey(kmsClient, targetKeyId, granteePrincipal); System.out.println("The code granted principal with ARN [" + granteePrincipal + "] "); System.out.println("use of the symmetric key. The grant ID is [" + grantId + "]"); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("8. List grants for the KMS key"); waitForInputToContinue(scanner); displayGrantIds(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("9. Revoke the grant"); waitForInputToContinue(scanner); revokeKeyGrant(kmsClient, targetKeyId, grantId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("10. Decrypt the data\n"); System.out.println(""" Lets decrypt the data that was encrypted in an early step. The code uses the same key to decrypt the string that we encrypted earlier in the program. """); waitForInputToContinue(scanner); String decryptText = decryptData(kmsClient, ciphertext, targetKeyId); System.out.println("Decrypted text is: " + decryptText); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("11. Replace a key policy\n"); System.out.println(""" A key policy is a resource policy for a KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy. By default, when you create a key by using the SDK, a policy is created that gives the AWS account that owns the KMS key full access to the KMS key. Let's try to replace the automatically created policy with the following policy. "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0000000000:root"}, "Action": "kms:*", "Resource": "*" }] """); waitForInputToContinue(scanner); boolean polAdded = replacePolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("12. Get the key policy\n"); System.out.println("The next bit of code that runs gets the key policy to make sure it exists."); waitForInputToContinue(scanner); getKeyPolicy(kmsClient, targetKeyId, policyName); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("13. Create an asymmetric KMS key and sign your data\n"); System.out.println(""" Signing your data with an AWS key can provide several benefits that make it an attractive option for your data signing needs. By using an AWS KMS key, you can leverage the security controls and compliance features provided by AWS, which can help you meet various regulatory requirements and enhance the overall security posture of your organization. """); waitForInputToContinue(scanner); signVerifyData(kmsClient); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("14. Tag your symmetric KMS Key\n"); System.out.println(""" By using tags, you can improve the overall management, security, and governance of your KMS keys, making it easier to organize, track, and control access to your encrypted data within your AWS environment """); waitForInputToContinue(scanner); tagKMSKey(kmsClient, targetKeyId); waitForInputToContinue(scanner); System.out.println(DASHES); System.out.println("15. Schedule the deletion of the KMS key\n"); System.out.println(""" By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable.\s """); System.out.println("Would you like to delete the Key Management resources? (y/n)"); String delAns = scanner.nextLine().trim(); if (delAns.equalsIgnoreCase("y")) { System.out.println("You selected to delete the AWS KMS resources."); waitForInputToContinue(scanner); deleteSpecificAlias(kmsClient, fullAliasName); disableKey(kmsClient, targetKeyId); deleteKey(kmsClient, targetKeyId); } else { System.out.println("The Key Management resources will not be deleted"); } System.out.println(DASHES); System.out.println("This concludes the AWS Key Management SDK Getting Started scenario"); System.out.println(DASHES); } public static void listAllAliases(KmsClient kmsClient) { try { ListAliasesRequest aliasesRequest = ListAliasesRequest.builder() .limit(15) .build(); ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest); aliasesResponse.stream() .flatMap(r -> r.aliases().stream()) .forEach(alias -> System.out .println("The alias name is: " + alias.aliasName())); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void disableKey(KmsClient kmsClient, String keyId) { try { DisableKeyRequest keyRequest = DisableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.disableKey(keyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void signVerifyData(KmsClient kmsClient) { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest request = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) // Specify key spec .keyUsage(KeyUsageType.SIGN_VERIFY) // Specify key usage .origin(OriginType.AWS_KMS) // Specify key origin .build(); CreateKeyResponse response = kmsClient.createKey(request); String keyId2 = response.keyMetadata().keyId(); System.out.println("Created KMS key with ID: " + keyId2); SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId2) .message(bytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); SignResponse signResponse = kmsClient.sign(signRequest); byte[] signedBytes = signResponse.signature().asByteArray(); // Verify the digital signature. VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId2) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); VerifyResponse verifyResponse = kmsClient.verify(verifyRequest); System.out.println("Signature verification result: " + verifyResponse.signatureValid()); } public static void tagKMSKey(KmsClient kmsClient, String keyId) { try { Tag tag = Tag.builder() .tagKey("Environment") .tagValue("Production") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .keyId(keyId) .tags(tag) .build(); kmsClient.tagResource(tagResourceRequest); System.out.println("The key has been tagged."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) { try { GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .build(); GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest); System.out.println("The response is "+response.policy()); } catch (KmsException e) { if (e.getMessage().contains("No such policy exists")) { System.out.println("The policy cannot be found. Error message: " + e.getMessage()); } else { throw e; } } } public static boolean replacePolicy(KmsClient kmsClient, String keyId, String policyName) { // Change the principle in the below JSON. String policy = """ { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root"}, "Action": "kms:*", "Resource": "*" }] } """.formatted(accountId); try { PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder() .keyId(keyId) .policyName(policyName) .policy(policy) .build(); kmsClient.putKeyPolicy(keyPolicyRequest); System.out.println("The key policy has been replaced."); } catch (LimitExceededException e) { System.out.println("Policy limit reached. Unable to create the policy."); return false; } catch (AlreadyExistsException e) { System.out.println("Only one policy per key is supported. Unable to create the policy."); return false; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return true; } public static boolean doesKeyHavePolicy(KmsClient kmsClient, String keyId, String policyName){ ListKeyPoliciesRequest policiesRequest = ListKeyPoliciesRequest.builder() .keyId(keyId) .build(); boolean hasPolicy = false; ListKeyPoliciesResponse response = kmsClient.listKeyPolicies(policiesRequest); List<String>policyNames = response.policyNames(); for (String pol : policyNames) { hasPolicy = true; } return hasPolicy; } public static void deleteKey(KmsClient kmsClient, String keyId) { try { ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder() .keyId(keyId) .pendingWindowInDays(7) .build(); kmsClient.scheduleKeyDeletion(deletionRequest); System.out.println("The key will be deleted in 7 days."); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) { try { DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder() .aliasName(aliasName) .build(); kmsClient.deleteAlias(deleteAliasRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) { try { DescribeKeyRequest keyRequest = DescribeKeyRequest.builder() .keyId(keyId) .build(); DescribeKeyResponse response = kmsClient.describeKey(keyRequest); KeyState keyState = response.keyMetadata().keyState(); if (keyState == KeyState.ENABLED) { System.out.println("The key is enabled."); return true; } else { System.out.println("The key is not enabled. Key state: " + keyState); } } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return false; } public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) { try { DecryptRequest decryptRequest = DecryptRequest.builder() .ciphertextBlob(encryptedData) .keyId(keyId) .build(); DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest); return decryptResponse.plaintext().asString(StandardCharsets.UTF_8); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) { try { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); kmsClient.revokeGrant(grantRequest); System.out.println("Grant ID: [" + grantId +"] was successfully revoked!"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void displayGrantIds(KmsClient kmsClient, String keyId) { try { ListGrantsRequest grantsRequest = ListGrantsRequest.builder() .keyId(keyId) .limit(15) .build(); ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest); response.stream() .flatMap(r -> r.grants().stream()) .forEach(grant -> { System.out.println("The grant Id is : " + grant.grantId()); List<GrantOperation> ops = grant.operations(); for (GrantOperation op : ops) { System.out.println(op.name()); } }); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) { try { // Add the desired KMS Grant permissions. List<GrantOperation> grantPermissions = new ArrayList<>(); grantPermissions.add(GrantOperation.ENCRYPT); grantPermissions.add(GrantOperation.DECRYPT); grantPermissions.add(GrantOperation.DESCRIBE_KEY); CreateGrantRequest grantRequest = CreateGrantRequest.builder() .keyId(keyId) .name("grant1") .granteePrincipal(granteePrincipal) .operations(grantPermissions) .build(); CreateGrantResponse response = kmsClient.createGrant(grantRequest); return response.grantId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } public static void enableKeyRotation(KmsClient kmsClient, String keyId) { try { EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder() .keyId(keyId) .build(); kmsClient.enableKeyRotation(enableKeyRotationRequest); System.out.println("Key rotation has been enabled for key with id [" + keyId + "]"); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) { try { CreateAliasRequest aliasRequest = CreateAliasRequest.builder() .aliasName(aliasName) .targetKeyId(targetKeyId) .build(); kmsClient.createAlias(aliasRequest); System.out.println(aliasName + " was successfully created."); } catch (ResourceExistsException e) { System.err.println("Alias already exists: " + e.getMessage()); System.err.println("Moving on..."); } catch (Exception e) { System.err.println("An unexpected error occurred: " + e.getMessage()); System.err.println("Moving on..."); } } public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; } public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } private static void waitForInputToContinue(Scanner scanner) { while (true) { System.out.println(""); System.out.println("Enter 'c' followed by <ENTER> to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { System.out.println("Continuing with the program..."); System.out.println(""); break; } else { // Handle invalid input. System.out.println("Invalid input. Please try again."); } } } private static String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } }-
APIEinzelheiten finden Sie unter den folgenden Themen in der AWS SDK for Java 2.x APIReferenz.
-
