With AWS Java SDK 1.10.69 I can launch an instance and specify an EBS volume mapping for it:
```java
import java.util.Collections;
import org.apache.commons.codec.binary.Base64;
import com.amazonaws.services.ec2.model.*;

RunInstancesRequest runInstancesRequest = new RunInstancesRequest();
// userData holds the cloud-init payload; EC2 expects it base64-encoded
String userDataString = Base64.encodeBase64String(userData.toString().getBytes());
runInstancesRequest
    .withImageId(machineImageId)
    .withInstanceType(instanceType.toString())
    .withMinCount(minCount)
    .withMaxCount(maxCount)
    .withKeyName(sshKeyName)
    .withSecurityGroupIds(securityGroupIds)
    .withSubnetId(subnetId)
    .withUserData(userDataString)
    .setEbsOptimized(true);
final EbsBlockDevice ebsBlockDevice = new EbsBlockDevice();
ebsBlockDevice.setDeleteOnTermination(true);
ebsBlockDevice.setVolumeType(VolumeType.Gp2);
ebsBlockDevice.setVolumeSize(256);
ebsBlockDevice.setEncrypted(true); // encryption on/off only; no way to pick the CMK here in 1.10.69
final BlockDeviceMapping mapping = new BlockDeviceMapping();
mapping.setDeviceName("/dev/sdb");
mapping.setEbs(ebsBlockDevice);
// the mapping only takes effect once it is added to the launch request
runInstancesRequest.setBlockDeviceMappings(Collections.singletonList(mapping));
```
At the moment it seems I can only enable/disable encryption on the volume, not specify which KMS customer master key should be used for it.
Is there a workaround?
Answer 0 (score: 2)
Edit: see the other answer below (https://stackoverflow.com/a/47602790/7692970) for the simpler solution that now exists.
To specify a customer master key (CMK) for an instance's EBS volume you have to combine RunInstancesRequest with CreateVolumeRequest and AttachVolumeRequest. Otherwise, if you only set encrypted to true on the EbsBlockDevice, it will use the default CMK.
First create the instance without specifying the EBS volume in the block device mappings of the RunInstancesRequest, then create the volumes separately, then attach them. CreateVolumeRequest has withKmsKeyId() / setKmsKeyId() options.
For example, the updated code might look like this:
```java
import org.apache.commons.codec.binary.Base64;
import com.amazonaws.services.ec2.model.*;

RunInstancesRequest runInstancesRequest = new RunInstancesRequest();
String userDataString = Base64.encodeBase64String(userData.toString().getBytes());
runInstancesRequest
    .withImageId(machineImageId)
    .withInstanceType(instanceType.toString())
    .withMinCount(minCount)
    .withMaxCount(maxCount)
    .withKeyName(sshKeyName)
    .withSecurityGroupIds(securityGroupIds)
    .withSubnetId(subnetId)
    .withUserData(userDataString)
    .setEbsOptimized(true);
// no block device mapping here: the data volume is created and attached separately below
RunInstancesResult runInstancesResult = ec2Client.runInstances(runInstancesRequest);
for (Instance instance : runInstancesResult.getReservation().getInstances()) {
    // the volume must be created in the same AZ as the instance it will be attached to
    CreateVolumeRequest volumeRequest = new CreateVolumeRequest()
        .withAvailabilityZone(instance.getPlacement().getAvailabilityZone())
        .withKmsKeyId(kmsKeyId) // CMK id or alias/yourkeyaliashere
        .withEncrypted(true)
        .withSize(256)
        .withVolumeType(VolumeType.Gp2);
    CreateVolumeResult volumeResult = ec2Client.createVolume(volumeRequest);
    // attachVolume is rejected while the instance is still pending or the volume is still creating;
    // poll DescribeInstances/DescribeVolumes (or use the SDK waiters in 1.11.x) before this call
    AttachVolumeRequest attachRequest = new AttachVolumeRequest()
        .withDevice("/dev/sdb")
        .withInstanceId(instance.getInstanceId())
        .withVolumeId(volumeResult.getVolume().getVolumeId());
    ec2Client.attachVolume(attachRequest);
}
```
Note: if you rely on the block device mapping in the instance metadata, it is not updated when a volume is attached to a running instance. To bring it up to date you can stop/start the instance.
Answer 1 (score: 0)
This was added to the AWS Java SDK in version 1.11.237.
So in your original code you can now simply add
```java
ebsBlockDevice.setKmsKeyId(keyId);
```
where keyId can be a CMK alias (in the form alias/<alias name>), a key id (which looks like 1234abcd-12ab-34cd-56ef-1234567890ab) or the full CMK ARN (arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab).
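The following is an added example, not code from either answer or from the question. It puts the two pieces together for SDK 1.11.237 or later: the data volume is requested in the launch block device mapping with a kmsKeyId (the approach of answer 1), and after launch the attached volumes are read back with DescribeVolumes to confirm that each one is encrypted under the intended key rather than the default CMK. That check applies equally to the create-and-attach path of answer 0, since it keys on the instance id rather than on how the volume was created. Assumptions: the aws-java-sdk-ec2 and aws-java-sdk-kms modules are on the classpath, default credentials are configured with ec2:RunInstances, ec2:DescribeInstances, ec2:DescribeVolumes and kms:DescribeKey, the AMI id and subnet id are passed on the command line, and the key alias "alias/ebs-data" is a placeholder for whatever CMK you use. EC2 reports the key on a volume as a full ARN, so aliases and bare key ids are resolved through KMS DescribeKey before comparing.

```java
import java.util.ArrayList;
import java.util.List;

import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
import com.amazonaws.services.ec2.model.BlockDeviceMapping;
import com.amazonaws.services.ec2.model.DescribeInstancesRequest;
import com.amazonaws.services.ec2.model.DescribeVolumesRequest;
import com.amazonaws.services.ec2.model.EbsBlockDevice;
import com.amazonaws.services.ec2.model.Filter;
import com.amazonaws.services.ec2.model.Instance;
import com.amazonaws.services.ec2.model.InstanceType;
import com.amazonaws.services.ec2.model.RunInstancesRequest;
import com.amazonaws.services.ec2.model.Volume;
import com.amazonaws.services.ec2.model.VolumeType;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DescribeKeyRequest;
import com.amazonaws.waiters.WaiterParameters;

public class EncryptedDataVolumeLaunch {

    // Resolve an alias, key id or ARN to the key ARN, the form EC2 returns in Volume.getKmsKeyId().
    static String resolveKeyArn(AWSKMS kms, String keyIdOrAlias) {
        return kms.describeKey(new DescribeKeyRequest().withKeyId(keyIdOrAlias))
                  .getKeyMetadata().getArn();
    }

    // Launch request with the data volume encrypted under the given CMK (needs SDK 1.11.237 or later).
    static RunInstancesRequest buildRequest(String amiId, String subnetId, String kmsKeyId) {
        EbsBlockDevice dataVolume = new EbsBlockDevice()
                .withDeleteOnTermination(true)
                .withVolumeType(VolumeType.Gp2)
                .withVolumeSize(256)
                .withEncrypted(true)
                .withKmsKeyId(kmsKeyId);   // alias/<name>, key id, or full key ARN
        BlockDeviceMapping mapping = new BlockDeviceMapping()
                .withDeviceName("/dev/sdb")
                .withEbs(dataVolume);
        return new RunInstancesRequest()
                .withImageId(amiId)
                .withInstanceType(InstanceType.T2Micro)
                .withMinCount(1)
                .withMaxCount(1)
                .withSubnetId(subnetId)
                .withBlockDeviceMappings(mapping); // without this the mapping is never sent
    }

    // Ids (and device names) of volumes on the instance that are unencrypted or use a different key.
    static List<String> volumesNotUnderKey(AmazonEC2 ec2, String instanceId, String expectedKeyArn) {
        List<Volume> volumes = ec2.describeVolumes(new DescribeVolumesRequest()
                .withFilters(new Filter("attachment.instance-id").withValues(instanceId)))
                .getVolumes();
        List<String> mismatched = new ArrayList<>();
        for (Volume v : volumes) {
            if (!Boolean.TRUE.equals(v.getEncrypted()) || !expectedKeyArn.equals(v.getKmsKeyId())) {
                mismatched.add(v.getVolumeId() + " on " + v.getAttachments().get(0).getDevice());
            }
        }
        return mismatched;
    }

    public static void main(String[] args) {
        // Placeholders: AMI id and subnet id from the caller's account; the alias is an assumed name.
        String amiId = args[0];
        String subnetId = args[1];
        String keyRef = args.length > 2 ? args[2] : "alias/ebs-data";

        AmazonEC2 ec2 = AmazonEC2ClientBuilder.defaultClient();
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();
        String expectedArn = resolveKeyArn(kms, keyRef);

        Instance instance = ec2.runInstances(buildRequest(amiId, subnetId, keyRef))
                .getReservation().getInstances().get(0);
        String instanceId = instance.getInstanceId();

        // Launch-time volumes are attached by the time the instance is running; wait before inspecting.
        ec2.waiters().instanceRunning().run(new WaiterParameters<>(
                new DescribeInstancesRequest().withInstanceIds(instanceId)));

        List<String> mismatched = volumesNotUnderKey(ec2, instanceId, expectedArn);
        if (mismatched.isEmpty()) {
            System.out.println(instanceId + ": all attached volumes are encrypted under " + expectedArn);
        } else {
            // The root volume lands here when the AMI's root mapping was not overridden with a kmsKeyId.
            System.out.println(instanceId + ": volumes NOT under the expected key: " + mismatched);
        }
    }
}
```

The post-launch check is the part worth keeping even if you never change the launch code: a volume created with encrypted=true but no kmsKeyId silently lands on the account's default aws/ebs key, and the only way to tell is to read the KmsKeyId back from DescribeVolumes. The check also surfaces the root volume, which inherits the AMI's root mapping unless you override that mapping with its own kmsKeyId.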