KMS
Protocol: JSON 1.1 (X-Amz-Target: TrentService.*)
Endpoint: POST http://localhost:4566/
Supported Actions
| Action |
Description |
CreateKey |
Create a new KMS key |
DescribeKey |
Get key metadata |
ListKeys |
List all keys |
Encrypt |
Encrypt plaintext with a key |
Decrypt |
Decrypt ciphertext |
ReEncrypt |
Re-encrypt under a different key |
GenerateDataKey |
Generate a data key (plaintext + encrypted) |
GenerateDataKeyWithoutPlaintext |
Generate only the encrypted data key |
Sign |
Sign a message with an asymmetric key |
Verify |
Verify a signature |
CreateAlias |
Create a friendly name for a key |
DeleteAlias |
Remove an alias |
ListAliases |
List all aliases |
ScheduleKeyDeletion |
Mark a key for deletion |
CancelKeyDeletion |
Cancel pending deletion |
TagResource |
Tag a key |
UntagResource |
Remove tags |
ListResourceTags |
List tags |
GetKeyPolicy |
Get a key's resource policy |
PutKeyPolicy |
Update a key's resource policy |
GetKeyRotationStatus |
Check if automatic key rotation is enabled |
EnableKeyRotation |
Enable automatic key rotation (symmetric keys only) |
DisableKeyRotation |
Disable automatic key rotation |
Configuration
| Variable |
Default |
Description |
FLOCI_SERVICES_KMS_ENABLED |
true |
Enable or disable the service |
Examples
export AWS_ENDPOINT_URL=http://localhost:4566
# Create a symmetric key
KEY_ID=$(aws kms create-key \
--description "My encryption key" \
--query KeyMetadata.KeyId --output text \
--endpoint-url $AWS_ENDPOINT_URL)
# Create an alias
aws kms create-alias \
--alias-name alias/my-key \
--target-key-id $KEY_ID \
--endpoint-url $AWS_ENDPOINT_URL
# Encrypt
CIPHER=$(aws kms encrypt \
--key-id alias/my-key \
--plaintext "Hello, World!" \
--query CiphertextBlob --output text \
--endpoint-url $AWS_ENDPOINT_URL)
# Decrypt
aws kms decrypt \
--ciphertext-blob $CIPHER \
--query Plaintext --output text \
--endpoint-url $AWS_ENDPOINT_URL | base64 --decode
# Generate a data key (envelope encryption)
aws kms generate-data-key \
--key-id alias/my-key \
--key-spec AES_256 \
--endpoint-url $AWS_ENDPOINT_URL
CreateKey also accepts a reserved creation-time tag key, floci:override-id, when tests need a deterministic KeyId. Floci uses the tag value as the created key id, strips the reserved tag from stored resource tags, and rejects attempts to add floci:* tags later via TagResource.