diff --git a/key-import-export/key_exchange/README.md b/key-import-export/key_exchange/README.md
index ad42f72..b6861fa 100644
--- a/key-import-export/key_exchange/README.md
+++ b/key-import-export/key_exchange/README.md
@@ -6,6 +6,14 @@ KDH : Key Distribution Host
 KRD : Key Receiving Device
 Futurex : HSM is configured using PMK
+## Configure AWS credentials
+AWS credentials needed for the scripts can be configured in 2 ways :
+* Configure environment variables for credentials : https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html
+** To do this, leave 'assume_role' key in input_config.json file empty for 'apc' in either 'krd' or 'kdh' section.
+* Use an IAM role to assume.
+** To do this, add the IAM role arn to assume in 'assume_role' key in input_config.json file for 'apc' in either 'krd' or 'kdh' section.
+** Configure environment variables for credentials for the account which will be used to assume this role. Make sure to add the calling account in the trust relationship of the assuming account.
+
 ## Key Exchange using TR34
 The script will establish a KEK (Key Encryption Key) between the chosen KDH and KRD. A set of options are supported for KDH and KRD type.
@@ -50,3 +58,9 @@ Using this path, you can import/export upto AES-256 keys.
 ```
 python3 import_export_ecdh.py --kdh --krd
 ```
+
+To transport a key from 1 APC account to another APC account, add 'assume_role' of Account1 in 'apc' section of 'kdh' and 'assume_role' of Account2 in 'apc' section of 'krd'.
+Configure environment variables for credentials of the central account with trust relationships added both in Account1 and Account2.
+Central account credentials will be used to assume roles in Account1 and Account2.
+
+
diff --git a/key-import-export/key_exchange/input_config.json b/key-import-export/key_exchange/input_config.json
index a4ecddd..218e914 100644
--- a/key-import-export/key_exchange/input_config.json
+++ b/key-import-export/key_exchange/input_config.json
@@ -19,6 +19,7 @@
 },
 "apc": {
 "region": "us-west-2",
+ "assume_role": "arn:aws:iam::111111111111:role/Admin",
 "ecdh": {
 "transport_key": "",
 "transport_key_kcv": ""
@@ -27,7 +28,7 @@
 "payshield": {
 "host": "127.0.0.1",
 "port": 9150,
- "variant_lmk": true,
+ "variant_lmk": false,
 "variant_lmk_identifier": "02",
 "tr34": {
 "transport_key": "",
@@ -47,6 +48,7 @@
 "krd": {
 "apc": {
 "region": "us-east-2",
+ "assume_role": "arn:aws:iam::111111111111:role/Admin",
 "tr31": {
 "kek": ""
 }
diff --git a/key-import-export/key_exchange/utils/apc.py b/key-import-export/key_exchange/utils/apc.py
index 02eaf30..b57bc35 100644
--- a/key-import-export/key_exchange/utils/apc.py
+++ b/key-import-export/key_exchange/utils/apc.py
@@ -17,7 +17,24 @@ class Apc(object):
 def __init__(self, config):
- self.apc_client = boto3.client("payment-cryptography", region_name=config["region"])
+ if not config.get('assume_role'):
+ # Use environment credentials
+ self.apc_client = boto3.client("payment-cryptography", region_name=config["region"])
+ else:
+ sts_client = boto3.client('sts')
+ assumed_role = sts_client.assume_role(
+ RoleArn=config['assume_role'],
+ RoleSessionName='ApcSession'
+ )
+ credentials = assumed_role['Credentials']
+ self.apc_client = boto3.client(
+ 'payment-cryptography',
+ region_name=config['region'],
+ aws_access_key_id=credentials['AccessKeyId'],
+ aws_secret_access_key=credentials['SecretAccessKey'],
+ aws_session_token=credentials['SessionToken']
+ )
+
 def create_symmetric_key(
 self, key_algorithm: SymmetricKeyAlgorithm, key_usage: SymmetricKeyUsage
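Review bot: The `"variant_lmk": true` → `false` flip in the payshield block of the second input_config.json hunk is unrelated to the assume_role feature this commit adds and is not mentioned in the README changes, so it reads as an accidental edit to the sample config; either revert it or call it out in the README. Both new `assume_role` entries in the first and third hunks also point at the same `arn:aws:iam::111111111111:role/Admin`, while the README describes distinct Account1 and Account2 roles assumed from a central account. A sample with two different placeholder account IDs and a narrowly scoped role name (one granting only the payment-cryptography actions the scripts call) would match the documented cross-account flow and stop operators from copying an administrative role into a key-exchange configuration.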
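Review bot: The assume_role call in `__init__` passes only RoleArn and the constant `RoleSessionName='ApcSession'`, so the target role's trust policy cannot require an ExternalId and CloudTrail in the target account records every run under the same session name. Forwarding an optional value from the same config block, `ExternalId=config['external_id']` when it is set, lets operators tighten the trust relationship the README asks them to create, and deriving the session name from the operator (for example a suffix from `getpass.getuser()`) improves attribution. The returned temporary credentials are then handed to the payment-cryptography client as static keys with no refresh, so a run longer than the role's session duration fails with an expired-token error; either set `DurationSeconds` explicitly or state the limit in a docstring. `sts_client = boto3.client('sts')` is created without `region_name`; passing `region_name=config['region']` keeps STS on the regional endpoint alongside the data-plane client. A short docstring on `__init__` describing the two credential paths (environment credentials when `assume_role` is empty, otherwise an STS-assumed role) would also help; `create_symmetric_key` continues outside the hunk.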