# Encrypt/decrypt sample application for AWS Lambda
The encrypt/decrypt sample application demonstrates the use of Asherah SDK to perform application-level encryption
operations in an AWS Lambda function.
> This example is based on the [Blank function sample application](https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/blank-go) found in the
> [AWS Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html).
### Prerequisites
* [The AWS CLI (version 2)](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) and access to an AWS account
* [Go v1.15+](https://golang.org/doc/install)
* The Bash shell
* [jq](https://stedolan.github.io/jq/) - a lightweight and flexible command-line JSON processor
In addition, the steps that follow assume the `lambda-exec` role already exists within your AWS account. If you know this function
execution role already exists, you're ready to [get started](#setup). Otherwise, see
[this section](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-awscli.html#with-userapp-walkthrough-custom-events-create-iam-role)
of the AWS Lambda tutorial for more information.
The sample application is also configured to use AWS KMS for master key operations and DynamoDB as its metastore. You
will need to ensure the above role has sufficient access to these services and the associated resources, or function
invocations will fail. For more information on these topics see [Key Management Service](/docs/KeyManagementService.md)
and [Metastore](/docs/Metastore.md) in the Asherah documentation.
## Setup
Clone this repository and navigate to the sample application's root directory.
```console
$ git clone git@github.com:godaddy/asherah.git
$ cd asherah/samples/go/aws/lambda
```
Add the following to your
[configuration file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (`~/.aws/config`) to
enable loading of raw JSON events with the AWS CLI v2:
```
cli_binary_format=raw-in-base64-out
```
Create the `lambda-exec` role, if needed.
```console
$ aws iam create-role --role-name lambda-exec --assume-role-policy-document file://policy.json
{
    "Role": {
        "Path": "/",
        "RoleName": "lambda-exec",
        "RoleId": "AROAWOYE3S3E7IEJN54CD",
        "Arn": "arn:aws:iam::123456789012:role/lambda-exec",
        "CreateDate": "2021-01-10T20:05:52+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}
```
The file `policy.json` is a JSON document in the current directory that defines the trust policy for the role. In this
case the policy allows Lambda to use the role's permissions via the `AssumeRole` action.
Example `policy.json`:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
Now you can add permissions to the role, starting with the `AWSLambdaBasicExecutionRole` managed policy.
```console
$ aws iam attach-role-policy \
--role-name lambda-exec \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
```
The above command needs to be repeated for each additional policy. The sample application also needs the
permissions granted by the following policies:
* `arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess`: a managed policy granting write-only permissions to AWS X-Ray
* `arn:aws:iam::123456789012:policy/asherah-kms-access`: a customer managed policy granting access to a customer master
key, see [KMS Permissions](/docs/KeyManagementService.md#creating-an-aws-kms-key).
* `arn:aws:iam::123456789012:policy/asherah-dynamodb-access`: a customer managed policy granting access to a DynamoDB
table, see [Metastore: DynamoDB](/docs/Metastore.md#dynamodb).
Modify the provided [template.yml](template.yml) file by replacing the placeholder KMS Key and Role ARNs. Your updated
`template.yml` file should now resemble the following:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Lambda application that demonstrates Asherah encrypt/decrypt operations.
Resources:
  function:
    Type: AWS::Serverless::Function
    Properties:
      Environment:
        Variables:
          ASHERAH_KMS_KEY_ARN: arn:aws:kms:us-west-2:123456789012:key/1234abcd-56ef-78ab-90cd-1a2b3c4d5e6f
          ASHERAH_METASTORE_TABLE_NAME: EncryptionKey
      Handler: main
      Runtime: go1.x
      CodeUri: function/.
      Description: Performs encrypt/decrypt operations via the Asherah SDK
      Timeout: 5
      # Function's execution role
      Role: arn:aws:iam::123456789012:role/lambda-exec
      Tracing: Active
```
To create a new bucket for deployment artifacts, run `1-create-bucket.sh`.
```console
$ ./1-create-bucket.sh
make_bucket: lambda-artifacts-dc816d4fef315985
```
## Deploy
To deploy the application, run `2-deploy.sh`.
```console
$ ./2-deploy.sh
Successfully packaged artifacts and wrote output template to file out/out.yml.
Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack - sample-lambda-go
```
This script uses AWS CloudFormation to deploy the Lambda function. If the AWS CloudFormation stack that contains the
resources already exists, the script updates it with any changes to the template or function code.
## Test
To invoke the function, run `3-invoke.sh`.
```console
$ ./3-invoke.sh
Encrypt
=======
invoking function with encrypt payload:
{"Name":"encrypt-partition-1","Partition":"partition-1","Payload":"bXlzdXBlcnNlY3JldHRleHQ="}
-------
Response received (modified):
{"Results":{"Key":{"Created":1610062226,"Key":"Uz4jvKT4EiRMfee7pmgW/r1etnLvu/vChsGGsQ3dJHvm8OXK9eeODxP+mPJoM/0i/yytwA48wP1jsM03","ParentKeyMeta":{"KeyId":"_IK_partition-1_asherah-samples_lambda-sample-app","Created":1607473080}},"Data":"gapc/YbQrhAgCAmovpI/Q64ICs3kQSv2QVNkcaCtsIFy3fAIV1C4+11ObOHO"},"Metrics":{"InvocationCount":1,"SecretsAllocated":3,"SecretsInUse":2}}
Decrypt
=======
invoking function with decrypt payload:
{"Name":"decrypt-partition-1","Partition":"partition-1","DRR":{"Key":{"Created":1610062226,"Key":"Uz4jvKT4EiRMfee7pmgW/r1etnLvu/vChsGGsQ3dJHvm8OXK9eeODxP+mPJoM/0i/yytwA48wP1jsM03","ParentKeyMeta":{"KeyId":"_IK_partition-1_asherah-samples_lambda-sample-app","Created":1607473080}},"Data":"gapc/YbQrhAgCAmovpI/Q64ICs3kQSv2QVNkcaCtsIFy3fAIV1C4+11ObOHO"}}
-------
Response received (modified):
{"Results":"mysupersecrettext","Metrics":{"InvocationCount":2,"SecretsAllocated":3,"SecretsInUse":2}}
```
Now, assuming all went as planned, your console output should resemble the above. Cool, but what just happened?
### Taking a closer look...
The script invokes the function twice, printing the results as it goes, then exits.
As seen above, the payload used for the first invocation is a string that contains an event in JSON format.
```json
{"Name":"encrypt-partition-1","Partition":"partition-1","Payload":"bXlzdXBlcnNlY3JldHRleHQ="}
```
This event is handled by the sample application as an _encryption request_, prompting the app to use the Asherah SDK to
encrypt the provided payload and return the encryption result.
Next, the script invokes the function with the following:
```json
{"Name":"decrypt-partition-1","Partition":"partition-1","DRR":{...}}
```
This time the event is handled as a _decryption request_, prompting the app to use the Asherah SDK to decrypt the
ciphertext contained in this payload's DRR. Note that the DRR embedded in this payload is the same DRR returned by the
encryption result above.
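As an added illustration (not the sample application's own handler code), the following Go snippet parses the two event shapes shown above and classifies each as an encryption or decryption request before any SDK call is made. The `DataRowRecord` struct mirrors only the fields printed by `3-invoke.sh`, and the `_IK_<partition>_` key-id prefix check is an assumption derived from the sample output, used here to refuse a DRR that names a different partition.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// DataRowRecord mirrors the DRR JSON printed by 3-invoke.sh (wrapped data key, parent key metadata, ciphertext).
type DataRowRecord struct {
	Key struct {
		Created       int64  `json:"Created"`
		Key           string `json:"Key"`
		ParentKeyMeta struct {
			KeyId   string `json:"KeyId"`
			Created int64  `json:"Created"`
		} `json:"ParentKeyMeta"`
	} `json:"Key"`
	Data string `json:"Data"`
}

// Event is the JSON event the script sends: Payload (base64 plaintext) marks an encryption request, DRR a decryption request.
type Event struct {
	Partition string         `json:"Partition"`
	Payload   string         `json:"Payload,omitempty"`
	DRR       *DataRowRecord `json:"DRR,omitempty"`
}

// ParseEvent returns "encrypt" with the decoded plaintext or "decrypt" with the DRR, rejecting malformed or ambiguous events.
func ParseEvent(raw []byte) (kind string, plaintext []byte, drr *DataRowRecord, err error) {
	var ev Event
	if err = json.Unmarshal(raw, &ev); err != nil || ev.Partition == "" {
		return "", nil, nil, errors.New("malformed event or missing Partition")
	}
	switch hasPayload, hasDRR := ev.Payload != "", ev.DRR != nil; {
	case hasPayload == hasDRR:
		return "", nil, nil, errors.New("event must carry exactly one of Payload or DRR")
	case hasPayload:
		if plaintext, err = base64.StdEncoding.DecodeString(ev.Payload); err != nil {
			return "", nil, nil, err
		}
		return "encrypt", plaintext, nil, nil
	default:
		// Assumption: intermediate key ids use the "_IK_<partition>_" prefix seen in the sample output.
		if !strings.HasPrefix(ev.DRR.Key.ParentKeyMeta.KeyId, "_IK_"+ev.Partition+"_") {
			return "", nil, nil, errors.New("DRR parent key does not belong to this partition")
		}
		return "decrypt", nil, ev.DRR, nil
	}
}
```

The classified request can then be passed to the session for the named partition; the SDK still performs its own key and partition checks on decrypt, so this is an early input-validation step, not a replacement for them.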
## The code
The Go module containing