AWS KMS KeyProvider for Swarmauri
Project description
Swarmauri AWS KMS Key Provider
Community plugin providing an AWS Key Management Service (KMS) backed KeyProvider for Swarmauri. It manages non-exportable customer managed keys (CMKs), exposes JWKS for downstream services, and handles key rotation workflows aligned with AWS best practices.
Features
- Create RSA, ECC, and AES-256 keys in AWS KMS with deterministic aliasing per
kidand version. - Rotate keys by minting new KMS key versions and updating aliases, while preserving previous versions for auditing or staged cutovers.
- Describe keys through
KeyRefobjects, including public PEM material when the key spec allows export, and RFC 7517-compliant JWKs viaget_public_jwk/jwks. - Generate cryptographically secure random bytes and perform HKDF expansion with SHA-256 to support envelope encryption and symmetric derivation flows.
- Destroy keys by scheduling deletion through the KMS API, maintaining Swarmauri tagging metadata for traceability.
Prerequisites
- Python 3.10 or newer.
boto3(installed automatically with this package) and network access to the target AWS region.- AWS credentials with permissions such as
kms:CreateKey,kms:CreateAlias,kms:UpdateAlias,kms:DescribeKey,kms:GetPublicKey,kms:ListAliases,kms:ListResourceTags, andkms:ScheduleKeyDeletion. - Optional: a custom key policy if you need to delegate key administration to non-root principals; pass it through the
key_policyconstructor argument.
Installation
# pip
pip install swarmauri_keyprovider_aws_kms
# poetry
poetry add swarmauri_keyprovider_aws_kms
# uv (pyproject-based projects)
uv add swarmauri_keyprovider_aws_kms
Quickstart: Create, Rotate, and Publish Keys
import asyncio
from swarmauri_keyprovider_aws_kms import AwsKmsKeyProvider
from swarmauri_core.key_providers.types import KeyAlg, KeyClass, KeySpec, ExportPolicy
async def main() -> None:
provider = AwsKmsKeyProvider(region="us-east-1", alias_prefix="swarmauri-demo")
rsa_spec = KeySpec(
klass=KeyClass.asymmetric,
alg=KeyAlg.RSA_PSS_SHA256,
size_bits=3072,
export_policy=ExportPolicy.never_export_secret,
label="api-signing",
)
# Create the initial version (aliases: alias/swarmauri-demo/<kid> and .../v1)
key_ref = await provider.create_key(rsa_spec)
print("KID", key_ref.kid, "version", key_ref.version)
# Surface the public JWK for JWT signing or JWKS endpoints
jwk = await provider.get_public_jwk(key_ref.kid)
print("Public JWK", jwk)
# Rotate the key – new CMK in KMS, version alias bump, old alias retained
rotated = await provider.rotate_key(key_ref.kid)
print("Rotated to version", rotated.version)
# Publish the aggregate JWKS (includes the latest version per kid)
jwks_payload = await provider.jwks()
print("JWKS keys", [k["kid"] for k in jwks_payload["keys"]])
if __name__ == "__main__":
asyncio.run(main())
Symmetric Utilities: Random Bytes and HKDF
import asyncio
from swarmauri_keyprovider_aws_kms import AwsKmsKeyProvider
async def derive_data_key() -> bytes:
provider = AwsKmsKeyProvider(region="us-east-1")
master_salt = await provider.random_bytes(32)
info = b"swarmauri/example"
pseudo_random_key = await provider.random_bytes(32)
derived = await provider.hkdf(
pseudo_random_key,
salt=master_salt,
info=info,
length=32,
)
return derived
# asyncio.run(derive_data_key())
Operational Tips
list_versions(kid)inspects versioned aliases (alias/<prefix>/<kid>/vN); use it before destructive actions to ensure you capture all active CMKs.- Destroying a key schedules deletion for 7 days. Plan rotations ahead of time so dependent systems can migrate to the new version before you call
destroy_key. - Tag metadata persisted by the provider (
saur:kid,saur:version,saur:alg, optionalsaur:label) enables inventory checks—query them from the AWS console or CLI when auditing. - For high-throughput signing, ensure your IAM policies, KMS quotas, and region placement match latency expectations; consider caching public JWKs from
jwks()in your verifier services.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_keyprovider_aws_kms-0.3.3.dev17.tar.gz.
File metadata
- Download URL: swarmauri_keyprovider_aws_kms-0.3.3.dev17.tar.gz
- Upload date:
- Size: 11.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0236affb544127270c8cbe721ec39e96755604d5c5c4902e04042d0979fdd333
|
|
| MD5 |
cff31b0f475074557a0e99750f10b6d5
|
|
| BLAKE2b-256 |
6dea6b1f0dfca59e1094eb46fa160f3aa6b530972065554d388b7daaf01efb65
|
File details
Details for the file swarmauri_keyprovider_aws_kms-0.3.3.dev17-py3-none-any.whl.
File metadata
- Download URL: swarmauri_keyprovider_aws_kms-0.3.3.dev17-py3-none-any.whl
- Upload date:
- Size: 12.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d1ddd7cce85e9d6f3be28d0478e3765486c13971b89760f0d62186c87110e433
|
|
| MD5 |
fb5c1f54db8ef250d9c974683642e7a0
|
|
| BLAKE2b-256 |
e4243dd92c1e582045d8b44a1d9100cb05301a8b7053d47e6696337a156b220a
|
