| 185 | * @callback called with (err, { masterKeyId: string, masterKeyArn: string, isAccountEncryptionEnabled: boolean }); isAccountEncryptionEnabled is set (true) only on the account-level Vault path and is left undefined when the key is created per bucket in KMS |
| 186 | */ |
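static createBucketKey(bucket, log, cb) {
    // always use current client for create
    log.debug('creating a new bucket key');
    // Check if the client supports the use of a default master encryption key per account
    // and one is configured.
    // If so, retrieve or create the encryption key for the account from Vault.
    // Later its id will be stored at the bucket metadata level.
    if (client.supportsDefaultKeyPerAccount && config.defaultEncryptionKeyPerAccount) {
        return vault.getOrCreateEncryptionKeyId(bucket.getOwner(), log, (err, data) => {
            if (err) {
                log.debug('error retrieving or creating the default encryption key at the account level from vault',
                    { implName, error: err });
                return cb(err);
            }
            // Fail closed: a missing or empty key id must never be handed back as the
            // bucket's master key, otherwise the bucket metadata would claim encryption
            // while no usable key is bound to it. Also guards against a TypeError when
            // Vault answers with no payload at all.
            const encryptionKeyId = data == null ? undefined : data.encryptionKeyId;
            if (encryptionKeyId == null || encryptionKeyId === '') {
                log.debug('vault returned no encryption key id at the account level', { implName });
                // NOTE(review): if this module has a shared errors helper (e.g. an
                // InternalError), prefer it here so the API layer maps the status code.
                return cb(new Error('vault returned no encryption key id for the account'));
            }
            const action = data.action;
            log.trace('default encryption key retrieved or created at the account level from vault',
                { implName, encryptionKeyId, action });
            return cb(null, {
                // vault only return arn
                masterKeyId: encryptionKeyId,
                masterKeyArn: encryptionKeyId,
                isAccountEncryptionEnabled: true,
            });
        });
    }
    // Otherwise, create a per-bucket master encryption key in the KMS backend;
    // later its id will be stored at the bucket metadata level.
    // isAccountEncryptionEnabled is intentionally left unset on this path.
    return client.createBucketKey(bucket.getName(), log, (err, masterKeyId, masterKeyArn) => {
        if (err) {
            log.debug('error from kms', { implName, error: err });
            return cb(err);
        }
        // Same fail-closed rule as the Vault path: no key id, no success.
        if (masterKeyId == null || masterKeyId === '') {
            log.debug('kms returned no master key id', { implName });
            return cb(new Error('kms returned no master key id for the bucket'));
        }
        log.trace('bucket key created in kms');
        return cb(null, { masterKeyId, masterKeyArn });
    });
}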
| 223 | |
| 224 | /** |
| 225 | * |