;
// Flag the CommonJS export object as originating from an ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder binding; the class itself is assigned to this export further down.
exports.AwsKmsDriver = undefined;
const kms_registry_1 = require("../kms-registry");
const aws_client_1 = require("./aws-client");
const credential_providers_1 = require("@aws-sdk/credential-providers");
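/**
 * KMS driver that builds AWS KMS clients for key URLs that begin with
 * AwsKmsDriver.PREFIX.
 *
 * Credential selection in newKmsClient, in order:
 *   1. static keys, only when both the access key id and the secret are set;
 *   2. otherwise a named profile, loaded through fromIni;
 *   3. otherwise no explicit credentials (creds stays undefined).
 * When a role ARN is available, the result of the steps above becomes the
 * master credentials used to assume that role.
 */
class AwsKmsDriver {
    /**
     * Register the AWS KMS driver with the KMS registry.
     */
    static register() {
        (0, kms_registry_1.registerKmsDriver)(new AwsKmsDriver());
    }
    /**
     * @returns {string} The key URL prefix this driver handles.
     */
    getKeyUrlPrefix() {
        return AwsKmsDriver.PREFIX;
    }
    /**
     * Build an AWS KMS client for the given key URL.
     *
     * @param {{ get(name: string): (string|null|undefined) }} config - Driver
     *   settings, looked up with the AwsKmsDriver.* property names.
     * @param {string} [keyUrl] - Key URL; AwsKmsDriver.PREFIX is used when it
     *   is null or undefined.
     * @returns {AwsKmsClient} Client constructed from the key URL and the
     *   selected credentials (which may be undefined).
     * @throws {Error} When a role is to be assumed and the key URL does not
     *   start with the driver prefix or carries no region in its fourth
     *   colon-separated field.
     */
    newKmsClient(config, keyUrl) {
        const keyUri = keyUrl ?? AwsKmsDriver.PREFIX;
        const accessKeyId = config.get(AwsKmsDriver.ACCESS_KEY_ID);
        const secretAccessKey = config.get(AwsKmsDriver.SECRET_ACCESS_KEY);
        const profile = config.get(AwsKmsDriver.PROFILE);
        // Role settings fall back to the process environment, so when the
        // config leaves them unset the environment decides which role is
        // assumed.
        const roleArn = config.get(AwsKmsDriver.ROLE_ARN)
            ?? process.env['AWS_ROLE_ARN'];
        const roleSessionName = config.get(AwsKmsDriver.ROLE_SESSION_NAME)
            ?? process.env['AWS_ROLE_SESSION_NAME'];
        const roleExternalId = config.get(AwsKmsDriver.ROLE_EXTERNAL_ID)
            ?? process.env['AWS_ROLE_EXTERNAL_ID'];
        let creds;
        // NOTE(review): a lone access key id or a lone secret is ignored here
        // rather than rejected, so a half-configured pair silently falls
        // through to the profile or to undefined credentials.
        if (accessKeyId != null && secretAccessKey != null) {
            creds = { accessKeyId, secretAccessKey };
        }
        else if (profile != null) {
            creds = (0, credential_providers_1.fromIni)({ profile });
        }
        if (roleArn != null) {
            // The region for the role-assumption client is parsed out of the
            // key id, so the prefix must really be there: stripping a fixed
            // number of characters from some other string would shift the
            // fields and yield a bogus region.
            if (!keyUri.startsWith(AwsKmsDriver.PREFIX)) {
                throw new Error(`invalid key uri ${keyUri}`);
            }
            const keyId = keyUri.substring(AwsKmsDriver.PREFIX.length);
            const tokens = keyId.split(':');
            // Field 3 (zero-based) is used as the region; reject an empty one
            // instead of handing it on as the client region.
            if (tokens.length < 4 || tokens[3] === '') {
                throw new Error(`invalid key uri ${keyId}`);
            }
            const regionName = tokens[3];
            creds = (0, credential_providers_1.fromTemporaryCredentials)({
                // Only pass master credentials when some were selected above.
                ...creds && { masterCredentials: creds },
                params: {
                    RoleArn: roleArn,
                    RoleSessionName: roleSessionName ?? "confluent-encrypt",
                    // An unset or empty external id is left out of the request.
                    ...roleExternalId && { ExternalId: roleExternalId },
                },
                clientConfig: { region: regionName },
            });
        }
        return new aws_client_1.AwsKmsClient(keyUri, creds);
    }
}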
// Key URL prefix and the configuration property names that newKmsClient
// reads; 'secret.access.key' names the setting that carries the static secret.
Object.assign(AwsKmsDriver, {
    PREFIX: 'aws-kms://',
    ACCESS_KEY_ID: 'access.key.id',
    SECRET_ACCESS_KEY: 'secret.access.key',
    PROFILE: 'profile',
    ROLE_ARN: 'role.arn',
    ROLE_SESSION_NAME: 'role.session.name',
    ROLE_EXTERNAL_ID: 'role.external.id',
});
// Publish the class on the CommonJS export object.
exports.AwsKmsDriver = AwsKmsDriver;