proposal: Key Store Admin #282
Conversation
| `Key Management` is a union, | ||
| such that additional options maybe added at a later date. | ||
|
|
||
| Members of `Kms Management` are elements that |
There was a problem hiding this comment.
Is that supposed to say Key Management?
| @@ -0,0 +1,172 @@ | |||
| // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. | |||
There was a problem hiding this comment.
Where is this going?
Is it a new MPL subproject? i.e. <MPL root>/KeyStoreAdmin
Or is it a new localService inside the MPL-Core subproject? i.e. <MPL root>/AwsCryptographicMaterialProviders/KeyStoreAdmin
There was a problem hiding this comment.
Discussed in meeting.
New Local Service of the MPL, alongside the Key Store.
| This allows MPL Consumers to configure different | ||
| credentials or request headers for the KMS Operations. | ||
|
|
||
| # Modified Operations from the original [Branch Key Store Specification](../../framework/branch-key-store.md#operations) |
There was a problem hiding this comment.
any reason why the mutation operations are not part of this Key Store Admin?
There was a problem hiding this comment.
What Mutation Operations? ;)
| Crypto Tools could refactor the existing | ||
| Key Store Client to behave in the manner described below. | ||
|
|
||
| This would be a breaking change, |
There was a problem hiding this comment.
if we're adding new API operations,
then it isn't necessarily a breaking change
There was a problem hiding this comment.
it seems like there are better reasons why it makes sense to have separate Admin vs. Cryptography/Dataplane/whatever,
for the sake of allowing customers to more easily enable separation of permissions between the two.
|
|
||
| The CreateKey caller MUST provide: | ||
|
|
||
| - A `KMS Identifier` |
There was a problem hiding this comment.
Should we abstract this away,
in case the Key Management is not KMS?
There was a problem hiding this comment.
Hmm... this could be Key Identifier... we can come back to this before we GA.
There was a problem hiding this comment.
Why don't we put this in the key store directory?
| The Operation behaves identically to the [Key Store Client's CreateKey](../branch-key-store.md#createkey), | ||
| with the following caveats: |
There was a problem hiding this comment.
Do we want to move the operation here, and then point the key store here?
Co-authored-by: Lucas McDonald <[email protected]> Co-authored-by: seebees <[email protected]>
texastony
force-pushed
the
tony/change-key-store-admin
branch
from
e8c9f98 to
af1bccf
Compare
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Check any applicable: