Merge pull request #136 from ApplauseOSS/feat/migrate-2-aws-sdk2

feat: migrate to aws-sdk-go-v2

Author: verbotenj

.github/workflows/golangci-lint.yaml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v5
         with:
-          go-version: 1.21
+          go-version: 1.25
       - uses: actions/checkout@v5
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8

.github/workflows/publish.yml

@@ -54,7 +54,7 @@ jobs:
       - uses: actions/checkout@v5
       - uses: actions/setup-go@v5
         with:
-          go-version: 1.21
+          go-version: 1.25
       - name: Build binary
         run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build
       - name: Upload release asset

README.md

@@ -17,17 +17,17 @@ supplied shell script, `decrypt-and-start`.
 It can be run as:
 
 ```bash
-$ decrypt-and-start some other program
+decrypt-and-start some other program
 ```
 
 It can also take an optional flag to control the number of parallel workers:
 
 ```bash
-$ decrypt-and-start -p 20 -- some other program
+decrypt-and-start -p 20 -- some other program
 ```
 
 Tool can also assume other role for kms access
 
 ```bash
-$ decrypt-and-start --assume-role arn:aws:iam::XXXXXXXXX:role/YYYY some other program
+decrypt-and-start --assume-role arn:aws:iam::XXXXXXXXX:role/YYYY some other program
 ```

ci/test.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
 
 ENC_VAR=$(go run test/encrypt-string.go)
-./decrypt-and-start env | grep ENV_VAR
+echo $ENC_VAR
+export ENC_VAR="decrypt:$ENC_VAR"
+./decrypt-and-start env | grep ENC_VAR

go.mod

@@ -1,12 +1,24 @@
 module github.com/applauseoss/decrypt-and-start
 
-go 1.23.0
-
-toolchain go1.23.6
+go 1.25.0
 
 require (
-	github.com/aws/aws-sdk-go v1.55.7
+	github.com/aws/aws-sdk-go-v2 v1.38.0
+	github.com/aws/aws-sdk-go-v2/config v1.31.0
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3
+	github.com/aws/aws-sdk-go-v2/service/kms v1.44.0
+	github.com/aws/aws-sdk-go-v2/service/sts v1.37.0
 	golang.org/x/crypto v0.41.0
 )
 
-require github.com/jmespath/go-jmespath v0.4.0 // indirect
+require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
+	github.com/aws/smithy-go v1.22.5 // indirect
+)

go.sum

@@ -1,16 +1,30 @@
-github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
-github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU=
+github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
+github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4=
+github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0/go.mod h1:eb3gfbVIxIoGgJsi9pGne19dhCBpK6opTYpQqAmdy44=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 h1:ieRzyHXypu5ByllM7Sp4hC5f/1Fy5wqxqY0yB85hC7s=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3/go.mod h1:O5ROz8jHiOAKAwx179v+7sHMhfobFVi6nZt8DEyiYoM=
+github.com/aws/aws-sdk-go-v2/service/kms v1.44.0 h1:Z95XCqqSnwXr0AY7PgsiOUBhUG2GoDM5getw6RfD1Lg=
+github.com/aws/aws-sdk-go-v2/service/kms v1.44.0/go.mod h1:DqcSngL7jJeU1fOzh5Ll5rSvX/MlMV6OZlE4mVdFAQc=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 h1:Mc/MKBf2m4VynyJkABoVEN+QzkfLqGj0aiJuEe7cMeM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.28.0/go.mod h1:iS5OmxEcN4QIPXARGhavH7S8kETNL11kym6jhoS7IUQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7yBW653Wy/B9hnBofW+sw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8=
+github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
+github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
 golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

lib/aws_encryption_sdk/kms_helper.go

@@ -2,35 +2,71 @@ package aws_encryption_sdk
 
 import (
 	"bytes"
+	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/binary"
 	"errors"
 	"strings"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"golang.org/x/crypto/hkdf"
 )
 
 type KmsHelper struct {
-	client *kms.KMS
+	client *kms.Client
 }
 
 func NewKmsHelper(region string, assumedRole string) *KmsHelper {
-	k := &KmsHelper{}
-	// Set up AWS KMS session
-	conf := aws.NewConfig().WithRegion(region)
-	sess := session.Must(session.NewSession(conf))
+	ctx := context.Background()
+	var cfg aws.Config
+	var err error
 	if assumedRole != "" {
-		creds := stscreds.NewCredentials(sess, assumedRole)
-		k.client = kms.New(sess, &aws.Config{Credentials: creds})
+		// Load default config
+		cfg, err = config.LoadDefaultConfig(ctx, config.WithRegion(region))
+		if err != nil {
+			panic(err)
+		}
+		// Assume role
+		stsClient := sts.NewFromConfig(cfg)
+		resp, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{
+			RoleArn:         aws.String(assumedRole),
+			RoleSessionName: aws.String("decrypt-and-start-session"),
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		// Get a new config with the assumed role credentials
+		var optFns []func(*config.LoadOptions) error
+		optFns = append(optFns, config.WithRegion(region))
+		optFns = append(optFns, config.WithCredentialsProvider(
+			aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) {
+				return aws.Credentials{
+					AccessKeyID:     *resp.Credentials.AccessKeyId,
+					SecretAccessKey: *resp.Credentials.SecretAccessKey,
+					SessionToken:    *resp.Credentials.SessionToken,
+					CanExpire:       true,
+					Expires:         *resp.Credentials.Expiration,
+				}, nil
+			}),
+		))
+
+		newCfg, err := config.LoadDefaultConfig(ctx, optFns...)
+		if err != nil {
+			panic(err)
+		}
+		cfg = newCfg
 	} else {
-		k.client = kms.New(sess)
+		cfg, err = config.LoadDefaultConfig(ctx, config.WithRegion(region))
+		if err != nil {
+			panic(err)
+		}
 	}
-	return k
+	return &KmsHelper{client: kms.NewFromConfig(cfg)}
 }
 
 // Decrypt encrypted data keys
@@ -88,17 +124,15 @@ func (k *KmsHelper) buildContentAAD(m *Message, f *Frame) ([]byte, error) {
 
 // Decrypt using KMS
 func (k *KmsHelper) kmsDecrypt(data []byte, m *Message) ([]byte, error) {
-	input := &kms.DecryptInput{
+	ctx := context.Background()
+	in := &kms.DecryptInput{
 		CiphertextBlob: data,
 	}
-	if m != nil {
-		context := make(map[string]*string)
-		for key, value := range m.EncContext {
-			context[key] = &value
-		}
-		input.EncryptionContext = context
+	if m != nil && len(m.EncContext) > 0 {
+		in.EncryptionContext = m.EncContext
 	}
-	result, err := k.client.Decrypt(input)
+
+	result, err := k.client.Decrypt(ctx, in)
 	if err != nil {
 		return nil, err
 	}
@@ -114,7 +148,7 @@ func (k *KmsHelper) Decrypt(data []byte) ([]byte, error) {
 	// Try simple KMS decryption first
 	if plaintext, err = k.kmsDecrypt(data, nil); err == nil {
 		return plaintext, nil
-	} else if strings.HasPrefix(err.Error(), kms.ErrCodeInvalidCiphertextException) {
+	} else if strings.Contains(err.Error(), "InvalidCiphertextException") {
 		// Do nothing for an InvalidCiphertextException error
 	} else {
 		// Unknown error

lib/region.go

@@ -1,9 +1,11 @@
 package lib
 
 import (
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
-	"github.com/aws/aws-sdk-go/aws/session"
+	"context"
 	"os"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 )
 
 func GetRegion() string {
@@ -12,11 +14,14 @@ func GetRegion() string {
 		return region
 	}
 	// EC2 instance metadata
-	metaSession, _ := session.NewSession()
-	metaClient := ec2metadata.New(metaSession)
-	region, _ := metaClient.Region()
-	if region != "" {
-		return region
+	ctx := context.Background()
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err == nil {
+		metaClient := imds.NewFromConfig(cfg)
+		regionOut, err := metaClient.GetRegion(ctx, nil)
+		if err == nil && regionOut.Region != "" {
+			return regionOut.Region
+		}
 	}
 	// Sensible fallback
 	return "us-east-1"

test/encrypt-string.go

@@ -1,17 +1,19 @@
 package main
 
 import (
+	"context"
 	"encoding/base64"
 	"flag"
 	"fmt"
-	"github.com/applauseoss/decrypt-and-start/lib"
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/kms"
 	"log"
 	"os"
 	"os/exec"
 	"syscall"
+
+	"github.com/applauseoss/decrypt-and-start/lib"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
 )
 
 // This function should work like an entrypoint: exec "${@}"
@@ -30,26 +32,26 @@ func Exec() {
 }
 
 func main() {
-	// Initialize KMS session
-	// sess := session.Must(session.NewSessionWithOptions(session.Options{
-	//	SharedConfigState: session.SharedConfigEnable,
-	// }))
+	ctx := context.Background()
 	region := lib.GetRegion()
-	sess := session.Must(session.NewSession(&aws.Config{
-		Region: &region,
-	}))
-	cmk_arn := "arn:aws:kms:us-east-1:873559269338:key/1b03c937-31f8-4fa5-a5cf-42e9f437bda2"
+	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region))
+	if err != nil {
+		log.Fatalf("unable to load SDK config, %v", err)
+	}
+
 	// KMS service client
-	svc := kms.New(sess)
+	client := kms.NewFromConfig(cfg)
+	cmk_arn := "arn:aws:kms:us-east-1:873559269338:alias/dev-secret-encryption"
 
 	text := "some-encrypted-string"
+	// fmt.Println("Encrypting:", text)
 
-	result, err := svc.Encrypt(&kms.EncryptInput{
+	result, err := client.Encrypt(ctx, &kms.EncryptInput{
 		KeyId:     aws.String(cmk_arn),
 		Plaintext: []byte(text),
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	fmt.Println(base64.URLEncoding.EncodeToString(result.CiphertextBlob))
+	fmt.Println(base64.StdEncoding.EncodeToString(result.CiphertextBlob))
 }