| Title: | 'AWS Key Management Service' Client Package |
|---|---|
| Description: | Client package for the 'AWS Key Management Service' <https://aws.amazon.com/kms/>, a cloud service for managing encryption keys. |
| Authors: | Thomas J. Leeper [aut] (ORCID: <https://orcid.org/0000-0003-4097-6326>), Simon Urbanek [cre, ctb] |
| Maintainer: | Simon Urbanek <[email protected]> |
| License: | GPL (>= 2) |
| Version: | 0.1.4 |
| Built: | 2026-06-05 07:32:16 UTC |
| Source: | https://github.com/cloudyr/aws.kms |
AWS Key Management Service (KMS) Client.
This is a client for the AWS Key Management Service (KMS), which can be used to create and manage encryption keys used by AWS services, or to set up a secure HTTP-based encryption service using encrypt and decrypt. KMS is also used natively by other AWS services.
Thomas J. Leeper <[email protected]>
https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
create_kms_key, list_kms_keys, generate_blob, encrypt
Manage KMS key aliases.
```r
create_kms_alias(key, alias, ...)
delete_kms_alias(alias, ...)
update_kms_alias(key, alias, ...)
list_kms_aliases(n, marker, ...)
```
| Argument | Description |
|---|---|
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `alias` | A character string specifying an alias name. |
| `...` | Additional arguments passed to |
| `n` | For |
| `marker` | For |
create_kms_alias creates an alias for a KMS key, which can be used in place of the KeyId or ARN. A given key can have multiple aliases. delete_kms_alias deletes a named alias. update_kms_alias reassigns an alias to a new key.
create_kms_key, delete_kms_key, encrypt
Create/update/retrieve/delete a KMS encryption key
```r
create_kms_key(
  description = NULL,
  origin = c("AWS_KMS", "EXTERNAL"),
  usage = "ENCRYPT_DECRYPT",
  ...
)
update_kms_key(key, description, ...)
get_kms_key(key, ...)
delete_kms_key(key, delay = 7, ...)
undelete_kms_key(key, ...)
```
| Argument | Description |
|---|---|
| `description` | Optionally, a character string describing the key. This can be updated later using |
| `origin` | A character string specifying the origin. Default is “AWS_KMS”. If “EXTERNAL”, use |
| `usage` | Ignored. |
| `...` | Additional arguments passed to |
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `delay` | An integer specifying the number of days to wait before deleting the key. Minimum 7 and maximum 30. |
create_kms_key and get_kms_key return a list of class “aws_kms_key”. delete_kms_key and undelete_kms_key return a logical.
list_kms_keys, create_kms_alias, disable_kms_key, encrypt
```r
## Not run:
# create key
k <- create_kms_key(description = "example")
# get key
get_kms_key(k)
# delete in 30 days
delete_kms_key(k, delay = 30)
## End(Not run)
```
Enable or disable a KMS encryption key
```r
enable_kms_key(key, ...)
disable_kms_key(key, ...)
```
| Argument | Description |
|---|---|
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `...` | Additional arguments passed to |
```r
## Not run:
# create key
k <- create_kms_key(description = "example")
# disable key
disable_kms_key(k)
# enable key
enable_kms_key(k)
# delete in 7 days
delete_kms_key(k)
## End(Not run)
```
Enable or disable automatic rotation of an encryption key
```r
enable_kms_rotation(key, ...)
disable_kms_rotation(key, ...)
get_kms_rotation(key, ...)
```
| Argument | Description |
|---|---|
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `...` | Additional arguments passed to |
```r
## Not run:
# create key
k <- create_kms_key(description = "example")
# enable rotation
enable_kms_rotation(k)
# disable rotation
disable_kms_rotation(k)
# confirm rotation is disabled
get_kms_rotation(k)
# delete in 7 days
delete_kms_key(k)
## End(Not run)
```
Encrypt plain text into ciphertext, or the reverse
```r
encrypt(text, key, encode = TRUE, ...)
decrypt(text, key, encode = TRUE, ...)
reencrypt(text, key, encode = TRUE, ...)
```
| Argument | Description |
|---|---|
| `text` | For |
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `encode` | A logical specifying whether to base 64 encode |
| `...` | Additional arguments passed to |
encrypt encrypts source text using a KMS key. decrypt reverses this process using the same key. reencrypt re-encrypts an (encrypted) ciphertext under a new key. According to AWS, the purpose of these functions is to encrypt and decrypt data keys (of the sort created with generate_data_key) rather than general-purpose encryption, given the relatively low upper limit on the size of text.
encrypt returns a base64-encoded binary object as a character string.
create_kms_key, generate_data_key, generate_blob
```r
## Not run:
# create a key
k <- create_kms_key()
# encrypt
tmp <- tempfile()
cat("example test", file = tmp)
(etext <- encrypt(tmp, k))
# decrypt
(dtext <- decrypt(etext, k, encode = FALSE))
if (require("base64enc")) {
  rawToChar(base64enc::base64decode(dtext))
}
# cleanup
delete_kms_key(k)
## End(Not run)
```
Generate a random byte string
```r
generate_blob(bytes = 1, ...)
```
| Argument | Description |
|---|---|
| `bytes` | An integer specifying a number of bytes between 1 and 1024. |
| `...` | Additional arguments passed to |
A base64-encoded character string.
```r
## Not run:
b <- generate_blob()
if (require("base64enc")) {
  base64enc::base64decode(b)
}
## End(Not run)
```
Generate data keys for local encryption
```r
generate_data_key(key, spec = c("AES_256", "AES_128"), plaintext = TRUE, ...)
```
| Argument | Description |
|---|---|
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `spec` | A character string specifying the length of the data encryption key, either “AES_256” or “AES_128”. |
| `plaintext` | A logical indicating whether to return the data key in plain text, as well as in encrypted form. |
| `...` | Additional arguments passed to |
This function generates and returns a “data key” for use in local encryption. The workflow suggested by AWS is, to encrypt:

1. Use this operation (generate_data_key) to get a data encryption key.
2. Use the plaintext data encryption key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
3. Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the locally encrypted data.

Then, to decrypt locally:

1. Use decrypt to decrypt the encrypted data key into a plaintext copy of the data key.
2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
encrypt returns a base64-encoded binary object as a character string.
https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
```r
## Not run:
# create a (CMK) key
k <- create_kms_key()
# generate a data key for local encryption
datakey <- generate_data_key(key = k)
## encrypt something locally using datakey$Plaintext
## then delete the plaintext key
datakey$Plaintext <- NULL
# decrypt the encrypted data key
datakey$Plaintext <- decrypt(datakey$CiphertextBlob, k, encode = FALSE)
## then use this to decrypt locally
# cleanup
delete_kms_key(k)
## End(Not run)
```
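The envelope workflow described above carried through end to end, as an added example that is not part of the aws.kms package or its documentation: a data key from generate_data_key encrypts a local payload with AES-256-GCM, only the KMS-wrapped key is stored beside the ciphertext, and the plaintext key is recovered through decrypt only when needed. It assumes the openssl package, AWS credentials and a region in the environment, and that Plaintext, CiphertextBlob and the result of decrypt(..., encode = FALSE) are base64 strings, as the examples on this page treat them.

```r
library(aws.kms)
library(openssl)

# Envelope-encrypt a raw vector under a KMS key. Returns only what is safe to
# store: the ciphertext, its IV and the KMS-wrapped data key (never the plaintext key).
envelope_encrypt <- function(plaintext, kms_key) {
  dk <- generate_data_key(key = kms_key, spec = "AES_256")
  aes_key <- base64_decode(dk$Plaintext)   # 32 raw bytes (assumed base64, as in the API response)
  stopifnot(length(aes_key) == 32)
  iv <- rand_bytes(12)                     # fresh 96-bit nonce per message; never reuse with one key
  ct <- aes_gcm_encrypt(plaintext, key = aes_key, iv = iv)
  # Drop the plaintext key as soon as it is no longer needed. R cannot guarantee the
  # bytes are wiped from memory, so keep this object short-lived and never serialise it.
  rm(aes_key)
  dk$Plaintext <- NULL
  list(ciphertext = ct, iv = iv, wrapped_key = dk$CiphertextBlob)
}

# Unwrap the data key through KMS (which enforces the key policy and records the
# call in CloudTrail), then decrypt locally. GCM rejects a tampered ciphertext or IV.
envelope_decrypt <- function(bundle, kms_key) {
  key_b64 <- decrypt(bundle$wrapped_key, kms_key, encode = FALSE)
  aes_key <- base64_decode(key_b64)
  pt <- aes_gcm_decrypt(bundle$ciphertext, key = aes_key, iv = bundle$iv)
  rm(aes_key)
  pt
}

## Not run:
k <- create_kms_key(description = "envelope example")   # or an existing "alias/..." name
secret <- charToRaw("example test")                     # constructed sample input
bundle <- envelope_encrypt(secret, k)
saveRDS(bundle, tmp <- tempfile(fileext = ".rds"))      # only wrapped key + ciphertext leave memory
restored <- envelope_decrypt(readRDS(tmp), k)
stopifnot(identical(rawToChar(restored), "example test"))
delete_kms_key(k)                                       # schedule deletion (7-day default)
## End(Not run)
```

Because the wrapped key can only be opened by a KMS Decrypt call, revoking the caller's permission on the KMS key, or disabling the key, makes every bundle unreadable without touching the stored data.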
This is the workhorse function to execute calls to the KMS API.
```r
kmsHTTP(
  action,
  query = list(),
  headers = list(),
  body = NULL,
  verbose = getOption("verbose", FALSE),
  region = Sys.getenv("AWS_DEFAULT_REGION", "us-east-1"),
  key = NULL,
  secret = NULL,
  session_token = NULL,
  ...
)
```
| Argument | Description |
|---|---|
| `action` | A character string specifying the API action to take. |
| `query` | An optional named list containing query string parameters and their character values. |
| `headers` | A list of headers to pass to the HTTP request. |
| `body` | A request body. |
| `verbose` | A logical indicating whether to be verbose. Default is given by |
| `region` | A character string specifying an AWS region. See |
| `key` | A character string specifying an AWS Access Key. See |
| `secret` | A character string specifying an AWS Secret Key. See |
| `session_token` | Optionally, a character string specifying an AWS temporary Session Token to use in signing a request. See |
| `...` | Additional arguments passed to |
This function constructs and signs a KMS API request and returns the results thereof, or relevant debugging information in the case of error.
If successful, a named list. Otherwise, a data structure of class “aws-error” containing any error message(s) from AWS and information about the request attempt.
Thomas J. Leeper
List encryption keys in KMS
```r
list_kms_keys(n = 100, marker = NULL, ...)
```
| Argument | Description |
|---|---|
| `n` | An integer specifying a number of keys to return (for pagination). |
| `marker` | A pagination marker. |
| `...` | Additional arguments passed to |
A data frame.
get_kms_key, create_kms_key, delete_kms_key
```r
## Not run:
list_kms_keys()
## End(Not run)
```
Manage key material for “external” keys.
```r
put_kms_material(key, material, token, expires = TRUE, valid_to = NULL, ...)
delete_kms_material(key, ...)
get_material_parameters(
  key,
  algorithm = c("RSAES_PKCS1_V1_5", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"),
  spec = "RSA_2048",
  ...
)
```
| Argument | Description |
|---|---|
| `key` | A character string specifying a key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with “alias/”. |
| `material` | A character string specifying the base64-encoded key material (encrypted according to parameters returned by |
| `token` | A character string returned in |
| `expires` | Optionally, a logical indicating whether the key material expires. If |
| `valid_to` | Optionally (if |
| `...` | Additional arguments passed to |
| `algorithm` | A character string specifying an encryption algorithm used to encrypt the key material. |
| `spec` | Ignored. |
put_kms_material adds key material to an “external” KMS key, which can be created using create_kms_key. The import requires delete_kms_material deletes the imported material (but not the key itself).
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html