This document describes how to use docker-compose to start a container running local-kms (a local stand-in for AWS KMS), seed it with a key, and connect to it from .NET Core.
Read up on local-kms before reading further: https://github.com/nsmithuk/local-kms
Below is the service description for using KMS, with added comments. This refers to version 3.7 of the compose file format.
kms:
  build:
    context: ../Infrastructure/Docker/KMS/ # Location of the Dockerfile
  environment:
    - ACCOUNT_ID=111122223333 # AWS account number
    - REGION=ap-southeast-2   # AWS region
    - PORT=8688               # Number of the port to listen on
  ports:
    - "8688:8688"             # Number of the port to expose externally
Below are the commands used to create the container with added comments.
# Image to use.
FROM nsmithuk/local-kms
# Number of port to expose externally
EXPOSE 8688
# Copy in the seed definition. The init directory below should sit in the same directory as the Dockerfile
COPY ./init /init
local-kms will attempt to load seed.yaml from the /init directory on start-up.
Create a seed.yaml file with the following contents (the key id, backing key and alias are sample values):
Keys:
  - Metadata:
      KeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
    BackingKeys:
      - 5cdaead27fe7da2de47945d73cd6d79e36494e73802f3cd3869f1d2cb0b5d7a9
Aliases:
  - AliasName: alias/testing
    TargetKeyId: bc436485-5092-42b8-92a3-0aa8b93536dc
You can now start KMS using:
docker-compose --file docker-compose.yml up --build
By default all AWS SDK clients try to connect to AWS in the cloud. You will need to pass in a service URL to configure the client to use the container instead; local-kms does not check credentials, so empty placeholder credentials are enough.
services.AddSingleton<IAmazonKeyManagementService>(client =>
{
    if (string.IsNullOrEmpty(awsConfig.KmsServiceUrl))
    {
        // No override configured: talk to real AWS KMS with real credentials
        return new AmazonKeyManagementServiceClient(credentials, region);
    }

    // local-kms support: point the client at the container
    var config = new AmazonKeyManagementServiceConfig
    {
        ServiceURL = awsConfig.KmsServiceUrl
    };
    return new AmazonKeyManagementServiceClient(new BasicAWSCredentials("", ""), config);
});
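As an added example (not code from the original post or from local-kms), the following smoke test builds a client against the container, encrypts and decrypts a value under the seeded alias/testing key, and refuses to send the empty placeholder credentials anywhere but a loopback endpoint so the local override cannot be pointed at real AWS by mistake. The service URL http://localhost:8688, the region and the alias are assumptions taken from the compose file and seed.yaml above.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
using Amazon.Runtime;

public static class LocalKmsSmokeTest
{
    // Assumed values: port from the compose file, alias from seed.yaml
    const string KmsServiceUrl = "http://localhost:8688";
    const string KeyAlias = "alias/testing";

    public static IAmazonKeyManagementService CreateLocalClient(string serviceUrl)
    {
        var uri = new Uri(serviceUrl);
        // Empty credentials are only acceptable for local-kms; never let them reach a non-local endpoint
        if (!uri.IsLoopback)
            throw new InvalidOperationException($"Refusing empty credentials for non-local endpoint {serviceUrl}");

        var config = new AmazonKeyManagementServiceConfig
        {
            ServiceURL = serviceUrl,
            AuthenticationRegion = "ap-southeast-2" // matches REGION in the compose file
        };
        return new AmazonKeyManagementServiceClient(new BasicAWSCredentials("", ""), config);
    }

    public static async Task<bool> RoundTripAsync(IAmazonKeyManagementService kms, string plaintext)
    {
        var encrypted = await kms.EncryptAsync(new EncryptRequest
        {
            KeyId = KeyAlias, // the alias resolves to the seeded key id
            Plaintext = new MemoryStream(Encoding.UTF8.GetBytes(plaintext))
        });

        // The ciphertext blob carries the key id, so Decrypt needs no KeyId here
        var decrypted = await kms.DecryptAsync(new DecryptRequest { CiphertextBlob = encrypted.CiphertextBlob });

        var recovered = Encoding.UTF8.GetString(decrypted.Plaintext.ToArray());
        Console.WriteLine($"Encrypted under {encrypted.KeyId}, decrypted under {decrypted.KeyId}");
        return recovered == plaintext && encrypted.KeyId == decrypted.KeyId;
    }

    public static async Task Main()
    {
        using var kms = CreateLocalClient(KmsServiceUrl);
        Console.WriteLine(await RoundTripAsync(kms, "hello from .NET Core") ? "OK" : "FAILED");
    }
}
```

Run it with the container up; both KeyId values printed should be the seeded bc436485-5092-42b8-92a3-0aa8b93536dc key ARN.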