Categorygithub.com/srinandan/cloudkms-encryption
modulepackage
1.0.0
Repository: https://github.com/srinandan/cloudkms-encryption.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
9
Dependents
0
Files
77 SLOC

# README

cloudkms-encryption

Go Report Card

This service is meant to run as a sidecar to the Apigee hybrid API gateway (also known as Message Processor). The service takes a Google Cloud Service Account as a parameter and is used to encrypt or decrypt text using Cloud KMS. The service can also store and retrieve data from GCP Secret Manager.

Use Case

This service is meant to be used with the Apigee hybrid API Runtime. When developing API Proxies on Apigee, a developer may want to encrypt or decrypt parts of the payload. Google Cloud provides Cloud KMS. The services uses Cloud KMS libraries to encrypt or decrpyt data.

Sensitive information often needs to be stored in a secure location. GCP Secret Manager provides a service (like a vault) to store sensitive information.

Prerequisites

  • Apigee hybrid runtime installed on GKE or GKE on-premises (v1.13.x)
  • A GCP Project with Cloud KMS and Secret Manager APIs enabled
  • A Service Account with the following roles: a. Cloud KMS CryptoKey Encrypter/Decrypter b. Secret Manager Admin c. Secret Manager Secret Accessor

Installation

Modify the kubernetes manifest and deploy it to Kubernetes. For example:


kubectl create secret -n {namespace} generic cloudkms-encryption-svc-account --from-file client_secret.json
kubectl apply -n {namespace} -f cloudkms-encryption.yaml

Supported Operations

Encrypt data

Path: /encrypt Method: POST Accept: text/plain Content-Type: application/json

The response is base64 encoded


curl 0.0.0.0:8080/encrypt -d 'sample clear text data'

Output:


< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
<
{"payload":"CiQATxZWh3Ky1nUed8+Uzfy1rrZ0hUrvt8J0OZUyauXbrvv2TwwSLwCPcW8BdQBpa9PXMWdOUk1c8SLNPG7J4NCyVXNfF8FLBnhgXYMGNCeY4B0673bf"}

Decrypt data

Path: /decrypt Method: POST Accept: text/plain Content-Type: application/json


curl 0.0.0.0:8080/decrypt -d 'CiQATxZWh3Ky1nUed8+Uzfy1rrZ0hUrvt8J0OZUyauXbrvv2TwwSLwCPcW8BdQBpa9PXMWdOUk1c8SLNPG7J4NCyVXNfF8FLBnhgXYMGNCeY4B0673bf'

Output:


< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
<
{"payload":"sample clear text data"}

Create Secret

Creates a new secret in Secret Manager.

Path: /secrets Method: POST Accept: application/json Content-Type: application/json


curl localhost:8080/secrets -H "Content-Type: application/json" -d '{"secretId":"test"}'

Store Secret

Stores a secret in Secret Manager, optionally encrypts and stores a section in Secret Manager

Path: /storesecrets Method: POST Accept: application/json Content-Type: application/json


curl localhost:8080/storesecrets -H "Content-Type: application/json" -d '{"secretId":"test","payload":"test data"}'

The same method can be used to encrypt first with Cloud KMS and then store in Secret Manager.


{
  "secretId":"test",
  "payload":"test data",
  "encrypted": true
}

Access a secret

Access a secret in Secret Manager, optionally decrypts the secret first and retrieves in clear text

Path: /secrets/{secretName}/{version} Method: GET Accept: application/json Content-Type: application/json


curl localhost:8080/secrets/test/1

The same method can be used to access the data from Secret Manager and them decrypt with Cloud KMS


curl localhost:8080/secrets/test/1?ecrypted=true

Access patterns from Apigee hyrid

A typical pattern/example would be to use a Service Callout policy to access operations supported by the service.

# Packages

No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author