{"id":19242911,"url":"https://github.com/srinandan/cloudkms-encryption","last_synced_at":"2026-06-18T13:32:09.170Z","repository":{"id":57506793,"uuid":"228781152","full_name":"srinandan/cloudkms-encryption","owner":"srinandan","description":"A sidecar service for Apigee hybrid runtime to interact with Cloud KMS and Secret Manager","archived":false,"fork":false,"pushed_at":"2020-06-12T22:26:30.000Z","size":53,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-23T14:46:26.742Z","etag":null,"topics":["apigee","apigee-hybrid","cloudkms","encryption","google-cloud","secretsmanager","sidecar"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/srinandan.png","metadata":{"files":{"readme":"README.md","changelog":"change-project.sh","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-18T07:16:26.000Z","updated_at":"2022-01-10T14:39:24.000Z","dependencies_parsed_at":"2022-08-29T20:01:03.947Z","dependency_job_id":null,"html_url":"https://github.com/srinandan/cloudkms-encryption","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/srinandan/cloudkms-encryption","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srinandan%2Fcloudkms-encryption","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srinandan%2Fcloudkms-encryption/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srinandan%2Fcloudkms-encryption/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srinandan%2F
cloudkms-encryption/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/srinandan","download_url":"https://codeload.github.com/srinandan/cloudkms-encryption/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srinandan%2Fcloudkms-encryption/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34493360,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-18T02:00:06.871Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apigee","apigee-hybrid","cloudkms","encryption","google-cloud","secretsmanager","sidecar"],"created_at":"2024-11-09T17:16:00.270Z","updated_at":"2026-06-18T13:32:09.105Z","avatar_url":"https://github.com/srinandan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cloudkms-encryption\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/srinandan/cloudkms-encryption)](https://goreportcard.com/report/github.com/srinandan/cloudkms-encryption)\n\nThis service is meant to run as a sidecar to the Apigee hybrid API gateway (also known as Message Processor). The service takes a Google Cloud Service Account as a parameter and is used to encrypt or decrypt text using [Cloud KMS](https://cloud.google.com/kms/). 
The service can also store and retrieve data from GCP [Secret Manager](https://cloud.google.com/secret-manager/docs/).\n\n## Use Case\n\nThis service is meant to be used with the Apigee hybrid [API Runtime](https://docs.apigee.com/hybrid). When developing API Proxies on Apigee, a developer may want to encrypt or decrypt parts of the payload. Google Cloud provides [Cloud KMS](https://cloud.google.com/kms/). The service uses Cloud KMS libraries to encrypt or decrypt data.\n\nSensitive information often needs to be stored in a secure location. GCP Secret Manager provides a service (like a vault) to store sensitive information.\n\n## Prerequisites\n\n* Apigee hybrid runtime installed on GKE or GKE on-premises (v1.13.x)\n* A GCP Project with Cloud KMS and Secret Manager APIs enabled\n* A Service Account with the following roles:\n  a. Cloud KMS CryptoKey Encrypter/Decrypter\n  b. Secret Manager Admin\n  c. Secret Manager Secret Accessor\n  d. Cloud KMS CryptoKey Public Key Viewer\n\n## Prerequisites to build\n\n* kubectl 1.13 or higher\n* docker 19.x or higher (if not using skaffold)\n* skaffold 1.1.0 or higher (optional)\n\n## Installation\n\n### Installation via kubectl\n\n1. Build the [docker image](./Dockerfile) `docker build -t gcr.io/{project-id}/cloudkms-encryption .`\n2. Push to a container registry `docker push gcr.io/{project-id}/cloudkms-encryption`\n3. Modify the kubernetes [manifest](./cloudkms-encryption.yaml)\n\n```bash\n\nkubectl create secret -n {namespace} generic cloudkms-encryption-svc-account --from-file client_secret.json\nkubectl apply -n {namespace} -f cloudkms-encryption.yaml\n```\n\n### Installation via Skaffold\n\nThis application can also be installed via [skaffold](https://skaffold.dev/). 
Modify the [skaffold.yaml](./skaffold.yaml) to set the appropriate project name.\n\n```bash\n\nskaffold run\n```\n\n#### Errors in Skaffold\n\nWhen rerunning/installing the application, you may observe errors like this:\n\n```bash\n\n - Error from server (Invalid): error when applying patch:\n ...\n ...\n `selector` does not match template `labels`\n```\n\nThere is an open [issue](https://github.com/GoogleContainerTools/skaffold/issues/3133) for this in the skaffold project.\n\nWorkaround: first run `skaffold delete` and then `skaffold run`\n\n## Supported Operations\n\n### Environment Variables\n\nThe following environment variables are mandatory:\n\n* `GOOGLE_APPLICATION_CREDENTIALS` - Path to service account json\n* `PROJECT_ID` - GCP project id\n* `REGION` - Crypto key region\n* `KEY_RING` - Crypto key ring\n* `SYM_CRYPTO_KEY` - Symmetric key name\n* `ASYM_CRYPTO_KEY` - Asymmetric key name\n\n\n### Encrypt data (Symmetric Encryption)\n\nPath: `/encrypt`\nMethod: `POST`\nAccept: text/plain\nContent-Type: application/json\n\nThe response is base64 encoded\n\n```bash\n\ncurl 0.0.0.0:8080/encrypt -d 'sample clear text data'\n```\n\nOutput:\n\n```bash\n\n\u003c HTTP/1.1 200 OK\n\u003c Content-Type: application/json; charset=UTF-8\n\u003c\n{\"payload\":\"CiQATxZWh3Ky1nUed8+Uzfy1rrZ0hUrvt8J0OZUyauXbrvv2TwwSLwCPcW8BdQBpa9PXMWdOUk1c8SLNPG7J4NCyVXNfF8FLBnhgXYMGNCeY4B0673bf\"}\n```\n\n### Decrypt data (Symmetric Decryption)\n\nPath: `/decrypt`\nMethod: `POST`\nAccept: text/plain\nContent-Type: application/json\n\n```bash\n\ncurl 0.0.0.0:8080/decrypt -d 'CiQATxZWh3Ky1nUed8+Uzfy1rrZ0hUrvt8J0OZUyauXbrvv2TwwSLwCPcW8BdQBpa9PXMWdOUk1c8SLNPG7J4NCyVXNfF8FLBnhgXYMGNCeY4B0673bf'\n```\n\nOutput:\n\n```bash\n\n\u003c HTTP/1.1 200 OK\n\u003c Content-Type: application/json; charset=UTF-8\n\u003c\n{\"payload\":\"sample clear text data\"}\n```\n\n### Encrypt data (Asymmetric Encryption)\n\nPath: `/asmencrypt`\nMethod: `POST`\nAccept: text/plain\nContent-Type: application/json\n\nThe 
response is base64 encoded\n\n```bash\n\ncurl localhost:8080/asmencrypt -H \"Content-Type: text/plain\" -d 'this is a test'\n```\n\nOutput:\n\n```json\n\n{\"payload\":\"27dWLYAtq3tI7E3ukT5++9vEoevbb+r3uDB/CqeWxt7JrFtcoy4EMurcnhyVbsDjd7AwYB3icxs/ETEGmrxFESOR8xOI7vE2kCG+8xlFbMitIQDRsmuCwRNMyYfQMyUPtvN+eQ9YJmpxo7YqprOCk3OQ4PDew9R4VAVJxUurGbjNW5gvzLSfutqyR5y7/Ey54HRlNZCWD7GkHHi1YTIp/oc0VL9yr4K8D6P16aH4lF2H0qBF1dOGJCK19ArAZeRwPCauETdGgWepsB9BJIAvsH2CCgOGkACQHgYFIWoBCGW8CEONrlsWh455KctcZ7s4DfMI0YhTsPhu6OLpDbsTsQ==\"}\n```\n\n### Decrypt data (Asymmetric Decryption)\n\nPath: `/asmdecrypt`\nMethod: `POST`\nAccept: text/plain\nContent-Type: application/json \n\n```bash\n\ncurl localhost:8080/asmdecrypt -H \"Content-Type: text/plain\" -d '27dWLYAtq3tI7E3ukT5++9vEoevbb+r3uDB/CqeWxt7JrFtcoy4EMurcnhyVbsDjd7AwYB3icxs/ETEGmrxFESOR8xOI7vE2kCG+8xlFbMitIQDRsmuCwRNMyYfQMyUPtvN+eQ9YJmpxo7YqprOCk3OQ4PDew9R4VAVJxUurGbjNW5gvzLSfutqyR5y7/Ey54HRlNZCWD7GkHHi1YTIp/oc0VL9yr4K8D6P16aH4lF2H0qBF1dOGJCK19ArAZeRwPCauETdGgWepsB9BJIAvsH2CCgOGkACQHgYFIWoBCGW8CEONrlsWh455KctcZ7s4DfMI0YhTsPhu6OLpDbsTsQ=='\n```\n\nOutput:\n\n```json\n{\"payload\":\"this is a test\"}\n```\n\n### Create Secret\n\nCreates a new secret in Secret Manager.\n\nPath: `/secrets`\nMethod: `POST`\nAccept: application/json\nContent-Type: application/json \n\n```bash\n\ncurl localhost:8080/secrets -H \"Content-Type: application/json\" -d '{\"secretId\":\"test\"}'\n```\n\n### Store Secret\n\nStores a secret in Secret Manager, optionally encrypts and stores a section in Secret Manager\n\nPath: `/storesecrets`\nMethod: `POST`\nAccept: application/json\nContent-Type: application/json\n\n```bash\n\ncurl localhost:8080/storesecrets -H \"Content-Type: application/json\" -d '{\"secretId\":\"test\",\"payload\":\"test data\"}'\n```\n\nThe same method can be used to encrypt first with Cloud KMS and then store in Secret Manager.\n\n```json\n\n{\n  \"secretId\":\"test\",\n  \"payload\":\"test data\",\n  \"encrypted\": true\n}\n```\n\n### Access 
a secret\n\nAccesses a secret in Secret Manager; optionally decrypts the secret first and returns it in clear text\n\nPath: `/secrets/{secretName}/{version}`\nMethod: `GET`\nAccept: application/json\nContent-Type: application/json\n\n```bash\n\ncurl localhost:8080/secrets/test/1\n```\n\nThe same method can be used to access the data from Secret Manager and then decrypt it with Cloud KMS\n\n```bash\n\ncurl localhost:8080/secrets/test/1?ecrypted=true\n```\n\n## Access patterns from Apigee hybrid\n\nA typical pattern/example would be to use a [Service Callout policy](https://docs.apigee.com/api-platform/reference/policies/service-callout-policy) to access operations supported by the service.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrinandan%2Fcloudkms-encryption","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsrinandan%2Fcloudkms-encryption","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrinandan%2Fcloudkms-encryption/lists"}