Class AwsKeyManagementClient

java.lang.Object
org.apache.iceberg.aws.AwsKeyManagementClient
All Implemented Interfaces:
Closeable, Serializable, AutoCloseable, KeyManagementClient

public class AwsKeyManagementClient extends Object implements KeyManagementClient
Key management client implementation that uses AWS Key Management Service. It is used to encrypt and decrypt keys with a KMS-managed master key (referenced by its key ID) and to generate new encryption keys.
  • Constructor Details

    • AwsKeyManagementClient

      public AwsKeyManagementClient()
  • Method Details

    • initialize

      public void initialize(Map<String,String> properties)
      Description copied from interface: KeyManagementClient
      Initialize the KMS client with the given properties.
      Specified by:
      initialize in interface KeyManagementClient
      Parameters:
      properties - kms client properties
    • wrapKey

      public ByteBuffer wrapKey(ByteBuffer key, String wrappingKeyId)
      Description copied from interface: KeyManagementClient
      Wrap a secret key using a wrapping/master key that is stored in KMS and referenced by an ID. Wrapping means encrypting the secret key with the master key and adding optional KMS-specific metadata that lets the KMS decrypt the secret key in an unwrapping call.
      Specified by:
      wrapKey in interface KeyManagementClient
      Parameters:
      key - a secret key being wrapped
      wrappingKeyId - a key ID that represents a wrapping key stored in KMS
      Returns:
      wrapped key material
    • supportsKeyGeneration

      public boolean supportsKeyGeneration()
      Description copied from interface: KeyManagementClient
      Some KMS systems support generation of secret keys inside the KMS server.
      Specified by:
      supportsKeyGeneration in interface KeyManagementClient
      Returns:
      true if the KMS server supports key generation and the KeyManagementClient implementation wants to leverage this capability. Otherwise, return false; Iceberg will then generate secret keys locally (using the SecureRandom mechanism) and call KeyManagementClient.wrapKey(ByteBuffer, String) to wrap them in KMS.
    • generateKey

      public KeyManagementClient.KeyGenerationResult generateKey(String wrappingKeyId)
      Description copied from interface: KeyManagementClient
      Generate a new secret key in the KMS server and wrap it using a wrapping/master key that is stored in KMS and referenced by an ID. This method is called only if supportsKeyGeneration returns true.
      Specified by:
      generateKey in interface KeyManagementClient
      Parameters:
      wrappingKeyId - a key ID that represents a wrapping key stored in KMS
      Returns:
      key in two forms: raw, and wrapped with the given wrappingKeyId
    • unwrapKey

      public ByteBuffer unwrapKey(ByteBuffer wrappedKey, String wrappingKeyId)
      Description copied from interface: KeyManagementClient
      Unwrap a secret key using a wrapping/master key that is stored in KMS and referenced by an ID.
      Specified by:
      unwrapKey in interface KeyManagementClient
      Parameters:
      wrappedKey - wrapped key material (encrypted key and optional KMS metadata, returned by the wrapKey method)
      wrappingKeyId - a key ID that represents a wrapping key stored in KMS
      Returns:
      raw key bytes
    • close

      public void close()
      Description copied from interface: KeyManagementClient
      Close the KMS client to release underlying resources; this can be triggered from different threads when the KmsClient is shared by multiple encryption managers.
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Specified by:
      close in interface KeyManagementClient
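The following is an added example (not Iceberg's own code) of the envelope-encryption contract the methods above describe: obtain a data key either server-side via generateKey or locally via SecureRandom plus wrapKey, persist only the wrapped form, and confirm that unwrapKey restores the same raw key. It assumes KeyManagementClient.KeyGenerationResult exposes a public (key, wrappedKey) constructor with key() and wrappedKey() accessors, uses a placeholder wrapping key ARN, and passes an empty property map so the client falls back to the default AWS credential chain.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import org.apache.iceberg.aws.AwsKeyManagementClient;
import org.apache.iceberg.encryption.KeyManagementClient;

public class EnvelopeKeyRoundTrip {

  // Placeholder: the master key is referenced by ID/ARN only; its material never leaves KMS.
  static final String WRAPPING_KEY_ID = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID";

  /** Obtain a data key in both forms, following the supportsKeyGeneration contract. */
  static KeyManagementClient.KeyGenerationResult obtainDataKey(KeyManagementClient kms, String wrappingKeyId) {
    if (kms.supportsKeyGeneration()) {
      // Server-side path: KMS generates the secret key and returns it raw and wrapped.
      return kms.generateKey(wrappingKeyId);
    }
    // Fallback path described by the interface: generate locally, then wrap in KMS.
    byte[] raw = new byte[32]; // 256-bit data encryption key
    new SecureRandom().nextBytes(raw);
    ByteBuffer rawKey = ByteBuffer.wrap(raw);
    ByteBuffer wrappedKey = kms.wrapKey(rawKey.duplicate(), wrappingKeyId);
    // Assumption: KeyGenerationResult has a public (key, wrappedKey) constructor.
    return new KeyManagementClient.KeyGenerationResult(rawKey, wrappedKey);
  }

  /** Persist only the wrapped form, unwrap it later, and check it equals the raw key. */
  static boolean roundTrip(KeyManagementClient kms, String wrappingKeyId) {
    KeyManagementClient.KeyGenerationResult result = obtainDataKey(kms, wrappingKeyId);
    ByteBuffer persisted = result.wrappedKey().duplicate(); // what goes into table metadata
    // Guard against a misconfigured or no-op client that returns the raw key unchanged.
    if (persisted.equals(result.key())) {
      throw new IllegalStateException("wrapped key equals raw key; KMS did not encrypt it");
    }
    ByteBuffer unwrapped = kms.unwrapKey(persisted, wrappingKeyId);
    boolean match = unwrapped.equals(result.key());
    // Scrub raw key material from heap buffers once it is no longer needed.
    if (result.key().hasArray()) Arrays.fill(result.key().array(), (byte) 0);
    if (unwrapped.hasArray()) Arrays.fill(unwrapped.array(), (byte) 0);
    return match;
  }

  public static void main(String[] args) {
    // Assumption: an empty property map relies on the default AWS credential chain.
    Map<String, String> properties = Map.of();
    try (AwsKeyManagementClient kms = new AwsKeyManagementClient()) {
      kms.initialize(properties);
      System.out.println("round trip ok: " + roundTrip(kms, WRAPPING_KEY_ID));
    }
  }
}
```

Running this requires AWS credentials with permission to use the referenced KMS key; the wrapped material returned by KMS is the only form that should ever be written to storage.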