Cosmian · p0wline · May 18, 2026 · May 20, 2026 · May 21, 2026 · May 22, 2026
diff --git a/.github/reusable_scripts b/.github/reusable_scripts
diff --git a/.github/scripts/nix.sh b/.github/scripts/nix.sh
@@ -447,109 +447,132 @@ docker_command() {
 
 test_command() {
   case "$TEST_TYPE" in
+  all)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_all.sh"
+    ;;
+  aws_xks)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_xks.sh"
+    ;;
+  wasm)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_wasm.sh"
+    ;;
+  sqlite)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_sqlite.sh"
+    ;;
+  mysql)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_mysql.sh"
+    ;;
+  percona)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_percona.sh"
+    ;;
+  otel_export)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_otel_export.sh"
+    ;;
+  mariadb)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_maria.sh"
+    ;;
+  psql)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_psql.sh"
+    ;;
+  redis)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_redis.sh"
+    ;;
+  azure_ekm)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_azure_ekm.sh"
+    ;;
+  gcp_cmek)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_gcp_cmek.sh"
+    ;;
+  google_cse)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_google_cse.sh"
+    # Validate required Google OAuth credentials before entering nix-shell
+    for var in TEST_GOOGLE_OAUTH_CLIENT_ID TEST_GOOGLE_OAUTH_CLIENT_SECRET \
+      TEST_GOOGLE_OAUTH_REFRESH_TOKEN GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY; do
+      if [ -z "${!var:-}" ]; then
+        echo "Error: Required environment variable $var is not set" >&2
+        echo "Google CSE tests require valid OAuth credentials." >&2
+        echo "Please set the following environment variables:" >&2
+        echo "  - TEST_GOOGLE_OAUTH_CLIENT_ID" >&2
+        echo "  - TEST_GOOGLE_OAUTH_CLIENT_SECRET" >&2
+        echo "  - TEST_GOOGLE_OAUTH_REFRESH_TOKEN" >&2
+        echo "  - GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY" >&2
+        exit 1
+      fi
+    done
+    ;;
+  pykmip)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_pykmip.sh"
+    ;;
+  openssh)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_openssh.sh"
+    ;;
+  luks)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_luks.sh"
+    ;;
+  secret_vault)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_vault.sh"
+    ;;
+  secret_aws)
+    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION; do
+      if [ -z "${!var:-}" ]; then
+        echo "Error: Required environment variable $var is not set" >&2
+        echo "AWS SSM secret backend tests require AWS credentials." >&2
+        exit 1
+      fi
+    done
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_aws.sh"
+    ;;
+  secret_azure)
+    for var in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_KV_NAME; do
+      if [ -z "${!var:-}" ]; then
+        echo "Error: Required environment variable $var is not set" >&2
+        echo "Azure KV secret backend tests require Azure credentials." >&2
+        exit 1
+      fi
+    done
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_azure.sh"
+    ;;
+  ui)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_ui.sh"
+    ;;
+  jose)
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_jose.sh"
+    ;;
+  hsm)
+    # Optional backend argument: softhsm2 | utimaco | proteccio | all (default)
+    HSM_BACKEND="${1:-all}"
+    case "$HSM_BACKEND" in
     all)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_all.sh"
-      ;;
-    aws_xks)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_xks.sh"
-      ;;
-    wasm)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_wasm.sh"
+      SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm.sh"
       ;;
-    sqlite)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_sqlite.sh"
+    softhsm2)
+      SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_softhsm2.sh"
+      shift
       ;;
-    mysql)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_mysql.sh"
+    utimaco)
+      SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_utimaco.sh"
+      shift
       ;;
-    percona)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_percona.sh"
+    proteccio)
+      SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_proteccio.sh"
+      shift
       ;;
-    otel_export)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_otel_export.sh"
-      ;;
-    mariadb)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_maria.sh"
-      ;;
-    psql)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_psql.sh"
-      ;;
-    redis)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_redis.sh"
-      ;;
-    azure_ekm)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_azure_ekm.sh"
-      ;;
-    jose)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_jose.sh"
-      ;;
-    gcp_cmek)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_gcp_cmek.sh"
-      ;;
-    google_cse)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_google_cse.sh"
-      # Validate required Google OAuth credentials before entering nix-shell
-      for var in TEST_GOOGLE_OAUTH_CLIENT_ID TEST_GOOGLE_OAUTH_CLIENT_SECRET \
-        TEST_GOOGLE_OAUTH_REFRESH_TOKEN GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY; do
-        if [ -z "${!var:-}" ]; then
-          echo "Error: Required environment variable $var is not set" >&2
-          echo "Google CSE tests require valid OAuth credentials." >&2
-          echo "Please set the following environment variables:" >&2
-          echo "  - TEST_GOOGLE_OAUTH_CLIENT_ID" >&2
-          echo "  - TEST_GOOGLE_OAUTH_CLIENT_SECRET" >&2
-          echo "  - TEST_GOOGLE_OAUTH_REFRESH_TOKEN" >&2
-          echo "  - GOOGLE_SERVICE_ACCOUNT_PRIVATE_KEY" >&2
-          exit 1
-        fi
-      done
-      ;;
-    pykmip)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_pykmip.sh"
-      ;;
-    openssh)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_openssh.sh"
-      ;;
-    luks)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_luks.sh"
-      ;;
-    ui)
-      SCRIPT="$REPO_ROOT/.github/scripts/test/test_ui.sh"
-      ;;
-    hsm)
-      # Optional backend argument: softhsm2 | utimaco | proteccio | all (default)
-      HSM_BACKEND="${1:-all}"
-      case "$HSM_BACKEND" in
-        all)
-          SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm.sh"
-          ;;
-        softhsm2)
-          SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_softhsm2.sh"
-          shift
-          ;;
-        utimaco)
-          SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_utimaco.sh"
-          shift
-          ;;
-        proteccio)
-          SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_proteccio.sh"
-          shift
-          ;;
-        crypt2pay)
-          SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_crypt2pay.sh"
-          shift
-          ;;
-        *)
-          echo "Error: Unknown HSM backend '$HSM_BACKEND'" >&2
-          echo "Valid backends for 'hsm': softhsm2, utimaco, proteccio, all" >&2
-          usage
-          ;;
-      esac
+    crypt2pay)
+      SCRIPT="$REPO_ROOT/.github/scripts/test/test_hsm_crypt2pay.sh"
+      shift
       ;;
     *)
-      echo "Error: Unknown test type '$TEST_TYPE'" >&2
-      echo "Valid types: aws_xks, sqlite, mysql, percona, mariadb, psql, redis, google_cse, gcp_cmek, pykmip, openssh, luks, otel_export, jose, hsm [softhsm2|utimaco|proteccio|all], ui" >&2
+      echo "Error: Unknown HSM backend '$HSM_BACKEND'" >&2
+      echo "Valid backends for 'hsm': softhsm2, utimaco, proteccio, crypt2pay, all" >&2
       usage
       ;;
+    esac
+    ;;
+  *)
+    echo "Error: Unknown test type '$TEST_TYPE'" >&2
+    echo "Valid types: aws_xks, sqlite, mysql, percona, mariadb, psql, redis, google_cse, gcp_cmek, pykmip, openssh, luks, otel_export, jose, secret_vault, secret_aws, secret_azure, hsm [softhsm2|utimaco|proteccio|crypt2pay|all], ui" >&2
+    usage
+    ;;
   esac
 
   # Signal to shell.nix to include extra tools for tests (wget, softhsm2, psmisc)
@@ -572,6 +595,20 @@ test_command() {
   if [ "$TEST_TYPE" = "luks" ]; then
     export WITH_LUKS=1
   fi
+  # AWS secret backend test: awscli2 is needed to create/delete SSM parameters
+  if [ "$TEST_TYPE" = "secret_aws" ]; then
+    export WITH_AWS=1
+  fi
+  # Vault secret backend test: Docker is needed to start the Vault dev container; curl for readiness checks
+  if [ "$TEST_TYPE" = "secret_vault" ]; then
+    export WITH_DOCKER=1
+    export WITH_CURL=1
+  fi
+  # Azure KV secret backend test: curl + python3 are needed for REST API calls and JSON parsing
+  if [ "$TEST_TYPE" = "secret_azure" ]; then
+    export WITH_CURL=1
+    export WITH_PYTHON=1
+  fi
   # Ensure curl is present for test types that use HTTP readiness probes
   # or curl-based integration helpers inside the nix-shell.
   if [ "$TEST_TYPE" = "azure_ekm" ] || [ "$TEST_TYPE" = "ui" ] || [ "$TEST_TYPE" = "all" ] || [ "$TEST_TYPE" = "gcp_cmek" ] || [ "$TEST_TYPE" = "openssh" ] || [ "$TEST_TYPE" = "luks" ] || [ "$TEST_TYPE" = "jose" ]; then
@@ -607,6 +644,14 @@ test_command() {
         --keep WITH_PYTHON \
         --keep WITH_OPENSSH \
         --keep WITH_LUKS \
+        --keep WITH_AWS \
+        --keep AWS_ACCESS_KEY_ID \
+        --keep AWS_SECRET_ACCESS_KEY \
+        --keep AWS_REGION \
+        --keep AZURE_TENANT_ID \
+        --keep AZURE_CLIENT_ID \
+        --keep AZURE_CLIENT_SECRET \
+        --keep AZURE_KV_NAME \
         --keep VARIANT \
         --keep LINK \
         --keep RELEASE_FLAG \

diff --git a/.github/scripts/test/test_secret_aws.sh b/.github/scripts/test/test_secret_aws.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+# Secret backend integration test — AWS Systems Manager Parameter Store
+#
+# Creates a SecureString parameter in SSM, runs the Rust #[ignore] integration
+# test, then deletes the parameter.
+#
+# Required env vars (from GitHub secrets):
+#   AWS_ACCESS_KEY_ID      — IAM credentials with ssm:GetParameter / ssm:PutParameter
+#   AWS_SECRET_ACCESS_KEY  — (or AWS_PROFILE / instance role)
+#   AWS_REGION             — region where the parameter is created (e.g. eu-west-1)
+#   KMS_TEST_AWS_KMS_KEY_ID — (optional) KMS key ID for SecureString encryption;
+#                             defaults to "alias/aws/ssm"
+#
+# Feature flag: secret-aws
+
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+source "${SCRIPT_DIR}/../common.sh"
+
+init_build_env "$@"
+setup_test_logging
+
+require_cmd cargo "Cargo is required."
+require_cmd aws "AWS CLI v2 is required."
+
+echo "========================================="
+echo "Running secret backend test: AWS SSM Parameter Store"
+echo "Variant: ${VARIANT_NAME}"
+echo "========================================="
+
+AWS_REGION="${AWS_REGION:-eu-west-1}"
+PARAM_NAME="/kms/ci/secret-backend-test"
+SECRET_VALUE="ci-secret-value"
+KMS_KEY="${KMS_TEST_AWS_KMS_KEY_ID:-alias/aws/ssm}"
+
+cleanup() {
+  echo "Deleting SSM parameter ${PARAM_NAME}..."
+  aws ssm delete-parameter \
+    --name "${PARAM_NAME}" \
+    --region "${AWS_REGION}" 2>/dev/null || true
+}
+trap cleanup EXIT
+
+echo "Creating SSM SecureString parameter ${PARAM_NAME} in ${AWS_REGION}..."
+aws ssm put-parameter \
+  --name "${PARAM_NAME}" \
+  --value "${SECRET_VALUE}" \
+  --type SecureString \
+  --key-id "${KMS_KEY}" \
+  --region "${AWS_REGION}" \
+  --overwrite
+
+echo "Building cosmian_kms_server with secret-aws feature..."
+cargo build -p cosmian_kms_server --features secret-aws
+
+echo "Running AWS SSM integration test..."
+AWS_REGION="${AWS_REGION}" \
+KMS_TEST_AWS_SSM_URI="aws-ssm://${AWS_REGION}${PARAM_NAME}" \
+KMS_TEST_AWS_SSM_EXPECTED="${SECRET_VALUE}" \
+cargo test -p cosmian_kms_server --features secret-aws --lib -- \
+  --ignored --nocapture test_secret_aws_ssm
+
+echo "AWS SSM secret backend test completed successfully."