This plugin adds support to pgp-maven-plugin for decrypting a PGP passphrase via AWS Key Management Service (KMS). It wraps other passphrase loaders with KMS decryption.
To use it, configure your pom.xml to add pgp-maven-plugin-awskms as a dependency of pgp-maven-plugin:
```xml
<plugin>
  <groupId>org.kohsuke</groupId>
  <artifactId>pgp-maven-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>com.lasmanis</groupId>
      <artifactId>pgp-maven-plugin-awskms</artifactId>
    </dependency>
  </dependencies>
  <configuration>
    <secretkey>SECRET_KEY_SPECIFIER</secretkey>
    <passphrase>PASSPHRASE_SPECIFIER</passphrase>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>sign</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
Specify the passphrase cipher text as literal text

```
awskms:literal:ENCRYPTEDPASSPHRASE
```

This lets you specify the encrypted passphrase inline, directly in the pom.

Store the passphrase cipher text in a file

```
awskms:file:PATH/TO/FILE
```

This lets you store the encrypted passphrase in the local filesystem.

Wrapping any PassphraseLoader (including custom loaders)

```
awskms:SCHEME:PATH/TO/FILE
```

This lets you wrap any PassphraseLoader configured in the pom (built-in and custom): the loader named by SCHEME supplies the cipher text, which is then decrypted with KMS.
You can use any KMS methods (API, CLI, etc) to generate the cipher text.
Once you have created a customer master key and added your IAM user as a user of that key, you can generate the cipher text. Using the AWS CLI is the simplest method. The output of the following command is the ENCRYPTEDPASSPHRASE, which can be read from a file (via scheme awskms:file:) or used directly (via scheme awskms:literal:):

```shell
aws kms encrypt --key-id arn:aws:kms:us-east-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --plaintext "PASSPHRASE" --output text --query CiphertextBlob
```

In the command above, replace PASSPHRASE with the passphrase for your key, and replace the key-id ARN (starting with arn:aws:kms...) with the ARN of your own key (available from the AWS console or via `aws kms list-keys`).

NOTE: Do not use cipher text generated by the AWS Encryption SDK. Its output is not directly decryptable by the KMS service.
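To make the three specifier forms concrete, here is an added, hypothetical Python model of how an `awskms:` specifier is resolved; it is not the plugin's own code. The outer `awskms:` scheme is stripped, the inner PassphraseLoader named by SCHEME (literal, file, or a custom one registered by the build) supplies the base64 text that `aws kms encrypt --query CiphertextBlob` prints, that text is base64-decoded, and the raw blob is handed to KMS Decrypt. The function names, the loader registry, and the assumption that the blob is base64-decoded before the KMS call are all assumptions; the KMS call is injected so the demo runs offline against a constructed stand-in, while `boto3_kms_decrypt` shows the real call.

```python
import base64
import binascii
import tempfile
from pathlib import Path
from typing import Callable, Dict

# Hypothetical model of awskms specifier resolution (not pgp-maven-plugin-awskms code).
PREFIX = "awskms:"

# An inner PassphraseLoader takes the text after "awskms:SCHEME:" and returns the
# base64 cipher text exactly as `aws kms encrypt --output text --query CiphertextBlob` prints it.
Loader = Callable[[str], str]


def literal_loader(rest: str) -> str:
    """awskms:literal:ENCRYPTEDPASSPHRASE -- the cipher text is inline."""
    return rest.strip()


def file_loader(rest: str) -> str:
    """awskms:file:PATH/TO/FILE -- the cipher text is the file's contents."""
    return Path(rest).read_text(encoding="utf-8").strip()


DEFAULT_LOADERS: Dict[str, Loader] = {"literal": literal_loader, "file": file_loader}


def split_specifier(specifier: str):
    """Split 'awskms:SCHEME:REST' into (SCHEME, REST); reject anything malformed."""
    if not specifier.startswith(PREFIX):
        raise ValueError("not an awskms specifier: %r" % specifier)
    scheme, sep, rest = specifier[len(PREFIX):].partition(":")
    if not sep or not scheme or not rest:
        raise ValueError("expected awskms:SCHEME:REST, got %r" % specifier)
    return scheme, rest


def load_ciphertext(specifier: str, loaders: Dict[str, Loader] = DEFAULT_LOADERS) -> bytes:
    """Delegate to the inner loader named by SCHEME and base64-decode what it returns."""
    scheme, rest = split_specifier(specifier)
    loader = loaders.get(scheme)
    if loader is None:
        raise ValueError("no PassphraseLoader registered for scheme %r" % scheme)
    try:
        return base64.b64decode(loader(rest), validate=True)
    except binascii.Error as exc:
        raise ValueError("inner loader %r did not return base64 cipher text" % scheme) from exc


def decrypt_passphrase(specifier: str, kms_decrypt: Callable[[bytes], bytes],
                       loaders: Dict[str, Loader] = DEFAULT_LOADERS) -> str:
    """Resolve the specifier to the raw KMS blob, then hand it to KMS Decrypt."""
    return kms_decrypt(load_ciphertext(specifier, loaders)).decode("utf-8")


def boto3_kms_decrypt(blob: bytes) -> bytes:
    """Real decrypt through the default credential chain (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline demo below does not need it
    return boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"]


# ---- offline demo with constructed data; no AWS call is made ----
FAKE_BLOB = b"constructed-opaque-kms-ciphertext"        # stands in for a real KMS blob
FAKE_B64 = base64.b64encode(FAKE_BLOB).decode("ascii")  # what `aws kms encrypt` would print


def fake_kms_decrypt(blob: bytes) -> bytes:
    """Constructed stand-in for KMS Decrypt: only the known blob decrypts."""
    if blob != FAKE_BLOB:
        raise ValueError("KMS rejected ciphertext")
    return b"correct horse battery staple"


def demo() -> dict:
    """Exercise literal, file and a custom wrapped scheme; return what each path produced."""
    results = {}
    results["literal"] = decrypt_passphrase("awskms:literal:" + FAKE_B64, fake_kms_decrypt)

    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "passphrase.kms"
        path.write_text(FAKE_B64 + "\n", encoding="utf-8")  # trailing newline, as a shell redirect leaves it
        results["file"] = decrypt_passphrase("awskms:file:" + str(path), fake_kms_decrypt)

    # A custom PassphraseLoader registered under its own scheme ("store", constructed), wrapped the same way.
    store = {"build-signing": FAKE_B64}
    loaders = dict(DEFAULT_LOADERS, store=lambda name: store[name])
    results["custom"] = decrypt_passphrase("awskms:store:build-signing", fake_kms_decrypt, loaders)

    # Malformed specifiers must be rejected rather than passed to KMS as garbage.
    for bad in ("awskms:literal:", "awskms:nosuchscheme:x", "awskms:literal:not base64!"):
        try:
            load_ciphertext(bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-40s %s" % (key, value))
```

The base64 step is the part worth checking in any loader chain: the CLI prints the CiphertextBlob base64-encoded, while the KMS Decrypt API takes the raw bytes, so a loader that forwards the text unchanged fails with an opaque KMS error rather than a clear one.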
Currently, the plugin uses the default credential provider chain of the aws-java-sdk. Configuration and initialization priorities are described in the aws-java-sdk documentation. The ability to supply credentials via the PASSPHRASE_SPECIFIER is coming in a future release.
If you are running within the AWS infrastructure, it is highly recommended to use roles for managing access keys/secrets. The combination of roles and this plugin eliminates the need to have plaintext signing secrets in a non-interactive build environment (like CodePipeline).
Copyright 2017 Michael Lasmanis.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.