Skip to content

docs: add keyring examples#221

Merged
mattsb42-aws merged 38 commits intoaws:keyringfrom
mattsb42-aws:moar-examples
Mar 31, 2020
Merged

docs: add keyring examples#221
mattsb42-aws merged 38 commits intoaws:keyringfrom
mattsb42-aws:moar-examples

Conversation

@mattsb42-aws
Copy link
Member

@mattsb42-aws mattsb42-aws commented Mar 12, 2020
edited
Loading

Issue #, if available: #156 #146

Description of changes:

This adds several examples that show how to use keyrings to solve some common problems.

These new examples all follow the format set in #219.

Who reviews what

Everyone is of course welcome to review anything else, but these are the things that I'm specifically looking for from each tagged person.

@SalusaSecondus : The example scenario description and framing for the multi-keyring escrow example.
@WesleyRosenblum : Keyring use and any additional example use-cases you can think of. We'll also be translating these examples to Java once these are merged.
@acioc : Python good-ness and any thoughts on example use-cases.
@juneb : Descriptions of example use-cases and the in-line comments where they diverge from the template.

What this is not

Things I intentionally left out of this PR:

  • Master key providers : Once this batch of keyring examples is merged, I'll go through and translate all that can be to use MKPs.
  • Cryptographic materials managers : To avoid an even larger PR, I did not include any examples of CMMs. I'll be adding several such examples in a later PR.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

@mattsb42-aws
docs: add raw RSA keyring examples
558563f
@mattsb42-aws
fix: fix type signatures in raw RSA keyring
7b6b920
@mattsb42-aws
docs: add raw AES keyring example
05266a8
@mattsb42-aws
chore: move single-CMK example to new location
f368f09
@mattsb42-aws
docs: update single-CMK example to match new template
4709409
@mattsb42-aws
fix: fix docstring in raw AES keyring example
5fb2d3e
@mattsb42-aws
chore: move multi-region KMS example to new location
f6af7ee
@mattsb42-aws
chore: update multi-region AWS keyring example to new format
52f8312
@mattsb42-aws
docs: add multi-keyring example
0047ddf
@mattsb42-aws
docs: add custom KMS client config keyring example
5925b77
@mattsb42-aws
docs: add multi-partition client supplier example
a6519d2
@mattsb42-aws
docs: clarify custom client supplier example intro
2fb99d0
@mattsb42-aws
docs: add reference to in-region-discovery example
154ce5d
@mattsb42-aws
docs: add basic KMS discovery keyring example
3fc892a
@mattsb42-aws
docs: add examples showing region-scoped discovery keyrings
47351a7
@mattsb42-aws
docs: add listing of keyring examples
7770186
@mattsb42-aws
chore: remove reminder to write more because I already did
0186e61
@mattsb42-aws
docs: clean up multikeyring description
23c3766
@mattsb42-aws
docs: rearrange examples readme
59b09df
@mattsb42-aws
Copy link
Member Author

mattsb42-aws commented Mar 12, 2020

doh; looks like I need to seed the environment with a default AWS region :/

acioc
acioc reviewed Mar 13, 2020
View reviewed changes
Copy link

@acioc acioc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just had a few questions/ np's below

@WesleyRosenblum
Copy link
Contributor

WesleyRosenblum commented Mar 13, 2020

Once this batch of keyring examples is merged, I'll go through and translate all that can be to use MKPs.

What is the value of doing that? The way I see it, all current customers are already using MKPs and don't really need example code to follow for doing something with MKPs, and if they want to try out a new use case they should just use Keyrings anyway? I could see an argument to do it for completeness, but it still seems like the lowest priority to me.

WesleyRosenblum
WesleyRosenblum reviewed Mar 13, 2020
View reviewed changes
juneb
juneb reviewed Mar 13, 2020
View reviewed changes
Copy link
Contributor

@juneb juneb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review in progress (back later).

SalusaSecondus
SalusaSecondus previously approved these changes Mar 24, 2020
View reviewed changes
acioc
acioc previously approved these changes Mar 24, 2020
View reviewed changes
Copy link

@acioc acioc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looked over all diffs since my last review. Looks good! Would be great to also get an example of how to handle errors/ failing to encrypt/decrypt, but that can be out of scope for this PR.

juneb
juneb reviewed Mar 25, 2020
View reviewed changes
examples/src/keyring/aws_kms/discovery_decrypt_in_region_only.py
}

# Create the keyring that determines how your data keys are protected.
encrypt_keyring = KmsKeyring(generator_key_id=aws_kms_cmk)
Copy link
Contributor

@juneb juneb Mar 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@mattsb42-aws @juneb
docs: apply suggestions from code review
dd59a36 
Co-Authored-By: June Blender <juneb@users.noreply.github.com>
juneb
juneb reviewed Mar 29, 2020
View reviewed changes
Copy link
Contributor

@juneb juneb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of general comments.

  • The example readme is a nice description of the ESDK. But it needs a table with the name and description of each example.

  • The examples all use (one?) CMK that's passed to the function. Please show at least one example with multiple CMKs (generator, additional) and different keyrings for encrypt and decrypt.

  • Show examples for discovery keyring and client supplier variants. (I suspect that's coming.)

@mattsb42-aws
Copy link
Member Author

mattsb42-aws commented Mar 31, 2020

The example readme is a nice description of the ESDK. But it needs a table with the name and description of each example.

Let's look at that separately from this PR. I opened #232 to track this.

The examples all use (one?) CMK that's passed to the function. Please show at least one example with multiple CMKs (generator, additional) and different keyrings for encrypt and decrypt.

https://github.com/aws/aws-encryption-sdk-python/pull/221/files#diff-473fcd9a070a3379cefee9a26242b882

Show examples for discovery keyring and client supplier variants. (I suspect that's coming.)

@mattsb42-aws mattsb42-aws merged commit 8d84ff5 into aws:keyring Mar 31, 2020
@mattsb42-aws mattsb42-aws deleted the moar-examples branch March 31, 2020 18:48
@ttjsu-aws ttjsu-aws mentioned this pull request Apr 7, 2020
Closed
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

4 more reviewers

@juneb juneb juneb approved these changes

@SalusaSecondus SalusaSecondus SalusaSecondus left review comments

@acioc acioc acioc left review comments

@WesleyRosenblum WesleyRosenblum WesleyRosenblum left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

keyrings

Development

Successfully merging this pull request may close these issues.

5 participants

@mattsb42-aws @WesleyRosenblum @SalusaSecondus @juneb @acioc