Skip to content

Commit 7569ae4

Browse files
committed
Get region from key id when encrypting new keys
Without this change we basically required you to be on an AWS instance in order to encrypt a key. That didn't make a whole ton of sense. Now simply rip the region from the key id and use that. Foolproof? Fixes GH issue #26
1 parent 5c22404 commit 7569ae4

1 file changed

Lines changed: 12 additions & 5 deletions

File tree

encrypt.go

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -10,15 +10,20 @@ import (
1010
"encoding/pem"
1111
"fmt"
1212
"github.com/aws/aws-sdk-go/aws"
13-
"github.com/aws/aws-sdk-go/aws/ec2metadata"
1413
"github.com/aws/aws-sdk-go/aws/session"
1514
"github.com/aws/aws-sdk-go/service/kms"
1615
"github.com/codegangsta/cli"
1716
"golang.org/x/crypto/ssh"
1817
"io/ioutil"
1918
"os"
19+
"regexp"
2020
)
2121

22+
// If you update this regex know that despite my naming the match groups it's
23+
// the order that matters. See uses of keyIdRegex in this file and update
24+
// accordingly.
25+
var keyIdRegex = regexp.MustCompile("arn:aws:kms:(?P<region>[^:]+):(?P<accountid>[^:]+):(?P<keyname>[^:]+)")
26+
2227
func encryptFlags() []cli.Flag {
2328
return []cli.Flag{
2429
cli.StringFlag{
@@ -72,11 +77,13 @@ func generateEcdsa() ([]byte, error) {
7277
}
7378

7479
func cmdEncryptKey(c *cli.Context) error {
75-
region, err := ec2metadata.New(session.New(), aws.NewConfig()).Region()
76-
if err != nil {
77-
return cli.NewExitError(fmt.Sprintf("Unable to determine our region: %s", err), 1)
78-
}
80+
var err error
7981
keyId := c.String("key-id")
82+
regexResults := keyIdRegex.FindStringSubmatch(keyId)
83+
if regexResults == nil {
84+
return cli.NewExitError("--key-id doesn't look like an AWS KMS ARN.", 1)
85+
}
86+
region := regexResults[1]
8087

8188
var ciphertext []byte
8289
if c.Bool("generate-ecdsa") || c.Bool("generate-rsa") {

0 commit comments

Comments
 (0)