Generating the Cipher Text

You can use any KMS method (API, CLI, etc.) to generate the cipher text.

Once you have generated a customer master key and added your IAM user as a user of that key, you can generate the cipher text. Using the AWS CLI is the simplest method. The output of the following command is the ENCRYPTEDPASSPHRASE, which can either be read from a file (via the awskms:file: scheme) or used directly (via the awskms:literal: scheme):

aws kms encrypt --key-id arn:aws:kms:us-east-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --plaintext "PASSPHRASE" --output text --query CiphertextBlob

In the command above, replace PASSPHRASE with the passphrase for your key, and replace the key-id ARN (the value starting with arn:aws:kms…) with the ARN of your own key (available from the AWS console or from the CLI via 'aws kms list-keys').

NOTE: Do not use cipher text generated by the AWS Encryption SDK. The cipher text it produces is not directly compatible with the KMS service and cannot be decrypted by it.
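The following shell script is an added example, not part of the plugin or its documentation. It wraps the aws kms encrypt step above so the passphrase is read from stdin instead of being placed on the command line (where it would be visible in shell history and process listings), and adds pre-flight checks for the key ARN, the base64 CiphertextBlob and the two PASSPHRASE_SPECIFIER schemes the page describes. All function names are hypothetical; the fileb:// prefix and --query CiphertextBlob are standard AWS CLI features.

```shell
#!/bin/sh
# Added example (not the plugin's own code). Only the awskms:file: and
# awskms:literal: schemes come from the page; the function names are assumed.

# Accept only a KMS key ARN of the shape shown on the page
# (region, 12-digit account id, key/<uuid>). Aliases are rejected on purpose.
validate_kms_key_arn() {
  printf '%s' "$1" | grep -Eq \
    '^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# A CiphertextBlob returned with --output text is base64. This catches
# copy/paste damage and empty values; it cannot tell a KMS blob from an
# Encryption SDK message, so the NOTE above still applies.
validate_ciphertext_blob() {
  [ -n "$1" ] && printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Build the specifier string for the two schemes documented on the page.
build_passphrase_specifier() {  # $1 = file|literal, $2 = path or blob
  case "$1" in
    file)    printf 'awskms:file:%s' "$2" ;;
    literal) printf 'awskms:literal:%s' "$2" ;;
    *)       return 1 ;;
  esac
}

# Encrypt a passphrase read from stdin. The plaintext reaches the CLI via a
# mode-0600 temp file and fileb://, so it never appears in `ps` output or in
# shell history the way --plaintext "PASSPHRASE" does. Needs AWS credentials
# and network access, so it is not exercised offline.
kms_encrypt_passphrase() {  # $1 = key ARN; passphrase on stdin
  validate_kms_key_arn "$1" || { echo "bad key ARN: $1" >&2; return 1; }
  tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
  IFS= read -r pass && printf '%s' "$pass" > "$tmp"
  unset pass
  aws kms encrypt --key-id "$1" --plaintext "fileb://$tmp" \
      --output text --query CiphertextBlob
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Pipe the passphrase in, e.g. from a secrets manager, and redirect the output to the file you reference with awskms:file:, so the blob itself never needs to be typed into a build definition.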

AWS Credentials

Currently, the plugin uses the default credential handler from the aws-java-sdk; its configuration sources and the order in which they are consulted are described in the aws-java-sdk documentation. The ability to supply credentials via the PASSPHRASE_SPECIFIER is planned for a future release.

If you are running within the AWS infrastructure, it is highly recommended to use IAM roles rather than managing access keys/secrets yourself. The combination of roles and this plugin eliminates the need to keep plaintext signing secrets in a non-interactive build environment (such as CodePipeline).