Add methods EncryptedTable::init_headless_with_zk_config and `Encry…
#92
Conversation
src/encrypted_table/mod.rs
Outdated
| Self::init_headless_with_zk_config(zerokms_config).await | ||
| } | ||
|
|
||
| pub async fn init_headless_with_zk_config( |
There was a problem hiding this comment.
Minor suggestion: mind spelling out zerokms here instead of abbreviating? This is more consistent with other areas of the code.
| pub async fn init_headless_with_zk_config( | |
| pub async fn init_headless_with_zerokms_config( |
src/encrypted_table/mod.rs
Outdated
| }) | ||
| } | ||
|
|
||
| pub async fn init_with_zk_config( |
There was a problem hiding this comment.
Same suggestion here: mind spelling out zerokms instead of abbreviating?
| pub async fn init_with_zk_config( | |
| pub async fn init_with_zerokms_config( |
There was a problem hiding this comment.
Thanks @nicklaswj. I left a couple of minor comments around naming, but this looks good to me otherwise.
We need this since we load the cipherstash credentials/client_key externally and wont have them in the environment.
Just to clarify, the use case is to avoid keeping secrets in the environment and load them from somewhere like AWS Secrets Manager? This looks very reasonable to me. Considering that it's best practice to keep secrets out of the environment in AWS Lambda in particular, maybe it's worth noting this as the preferred approach in our documentation as well.
What do you think @coderdan?
Fixed.
It's a bit more complex than that. But basically we have a AWS authorizer lambda that retrieves different cipherstash credentials depending on who is logged in. |
nicklaswj
force-pushed
the
init-with-config
branch
3 times, most recently
from
4cb62b4 to
dc8f7b0
Compare
…ptedTable::init_with_zk_config`
nicklaswj
force-pushed
the
init-with-config
branch
from
dc8f7b0 to
1aab7fd
Compare
|
I have rebased and signed the commits |
|
Even though I can, I don't really feel comfortable just pressing the merge button. Can I get a confirmation that this PR can be merged ? |
|
|
||
| impl EncryptedTable<Headless> { | ||
| pub async fn init_headless() -> Result<Self, InitError> { | ||
| info!("Initializing..."); |
There was a problem hiding this comment.
Any reason this was removed?
This PR adds the methods
EncryptedTable::init_headless_with_zk_configandEncryptedTable::init_with_zk_config, to make it possible to initialize aEncryptedTablewith a customZeroKmsConfig.We need this since we load the cipherstash credentials/client_key externally and wont have them in the environment.