Wip

Author: connorwstein

keystore/kms/client.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	kmslib "github.com/aws/aws-sdk-go/service/kms"
 )
@@ -36,3 +37,19 @@ func NewClient(awsProfile string) (Client, error) {
 	}
 	return kmslib.New(sess), nil
 }
+
+// NewClientWithDefaultCredentials constructs a new kmslib.KMS instance using the default AWS
+// credential chain. This is suitable for use in Kubernetes with IRSA (IAM Roles for Service Accounts),
+// EC2 instance profiles, or environment variables.
+func NewClientWithDefaultCredentials(region string) (Client, error) {
+	if region == "" {
+		return nil, errors.New("region is required")
+	}
+	sess, err := session.NewSessionWithOptions(session.Options{
+		Config: aws.Config{Region: aws.String(region)},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AWS session: %w", err)
+	}
+	return kmslib.New(sess), nil
+}