Is there a way to sign cloud access URLs using Amazon KMS keys?
You should be able to request certificates for your domain through the certificate manager and everything will be taken care of by the backend. All key operations associated with these certificates are done in the backend.
KMS is key management, and you won't be able to pull keys out of the system. You need to link to the AWS ARN wherever you want to encrypt or decrypt.
Using KMS, you can encrypt private keys, so you don't need to store them in your git repositories or on your filesystem. (This is considered more secure.)
Next, here are the conceptual steps for a signature:
- You would re-generate your private key using the KMS decryption feature
- Sign with private key
- Revoke your private key again because you don't want to keep it unsecured
Read more here:
The general idea in the first paragraph is here: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
Encryption: http://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
Decrypt: http://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html
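The three steps in the answer above, written out with the AWS CLI `kms decrypt` command it links to and `openssl` for the signature. This is an added example, not code from the answer: the function names, file arguments and the SHA-256 digest are assumptions, and it presumes the PEM private key was earlier encrypted with `aws kms encrypt` so that only the ciphertext is stored.

```shell
#!/bin/sh
# Added example (not from the answer). Function and file names are assumptions.
# Assumes the PEM private key was earlier encrypted with `aws kms encrypt`
# and only that ciphertext is stored.

# Step 1: have KMS decrypt the stored ciphertext. The CLI returns the
# plaintext base64-encoded, so decode it back to PEM.
unwrap_key() {
    aws kms decrypt --ciphertext-blob "fileb://$1" \
        --query Plaintext --output text | base64 --decode
}

# Usage: sign_with_wrapped_key ENCRYPTED_KEY_FILE MESSAGE_FILE SIGNATURE_FILE
sign_with_wrapped_key() {
    workdir=$(mktemp -d) || return 1      # mode 0700, private to this user
    status=1
    # A failed decrypt leaves an empty file (the pipeline reports only the
    # exit status of base64), so test for content before signing.
    if unwrap_key "$1" > "$workdir/key.pem" && [ -s "$workdir/key.pem" ]; then
        # Step 2: RSA signature over the SHA-256 digest (digest is an assumption)
        openssl dgst -sha256 -sign "$workdir/key.pem" -out "$3" "$2" && status=0
    fi
    # Step 3: drop the plaintext key on success and on failure alike
    rm -rf "$workdir"
    return "$status"
}
```

The caller needs `kms:Decrypt` permission on the KMS key that produced the ciphertext, so access to the signing key is governed by IAM rather than by file permissions.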