emiliosetiadarma commented on a change in pull request #5202:
URL: https://github.com/apache/nifi/pull/5202#discussion_r669806075



##########
File path: nifi-docs/src/main/asciidoc/toolkit-guide.adoc
##########
@@ -504,6 +504,26 @@ This protection scheme uses HashiCorp Vault's Transit 
Secrets Engine (https://ww
 |`vault.ssl.trust-store-password`|Truststore password.  Required if the Vault 
server is TLS-enabled|_none_
 |===
 
+==== AWS_KMS
+This protection scheme uses AWS Key Management Service, or AWS KMS for short 
(https://aws.amazon.com/kms/) for encryption/decryption. All AWS KMS 
configuration/credentials details are to be stored in the `bootstrap-aws.conf` 
file, as referenced in the `bootstrap.conf` of a NiFi or NiFi Registry 
instance. If the configuration/credentials details are not fully specified in 
`bootstrap-aws.conf`, then the protection scheme will attempt to use the 
default AWS credentials/configuration chain. Therefore, when using the AWS_KMS 
protection scheme, the `nifi(.registry)?.bootstrap.protection.aws.kms.conf` 
property in the `bootstrap.conf` specified using the `-b` flag must be 
available to the Encrypt Configuration Tool and must be configured as follows:
+
+===== Required properties
+[options="header,footer"]
+|===
+|Property Name|Description|Default
+|`aws.kms.key.id`|The key id or ARN to be used by AWS KMS to identify the key 
used for encryption/decryption.|_none_
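Review bot: In the AWS_KMS paragraph, the fallback sentence ("If the configuration/credentials details are not fully specified in `bootstrap-aws.conf` ...") reads as if it also covers `aws.kms.key.id`, which the table lists as required with a default of _none_. Suggest stating that only the credentials/configuration details fall back to the default AWS chain and that the key id must always be set. The "Therefore" that follows does not follow from the fallback sentence, and `nifi(.registry)?.bootstrap.protection.aws.kms.conf` is regex shorthand that a reader cannot copy into `bootstrap.conf`; spelling out the property name for NiFi and for NiFi Registry would be clearer. Since this file is where credentials details are to be stored, a sentence on restricting its file permissions would also fit here.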

Review comment:
       Making the changes

##########
File path: nifi-docs/src/main/asciidoc/toolkit-guide.adoc
##########
@@ -504,6 +504,26 @@ This protection scheme uses HashiCorp Vault's Transit 
Secrets Engine (https://ww
 |`vault.ssl.trust-store-password`|Truststore password.  Required if the Vault 
server is TLS-enabled|_none_
 |===
 
+==== AWS_KMS
+This protection scheme uses AWS Key Management Service, or AWS KMS for short 
(https://aws.amazon.com/kms/) for encryption/decryption. All AWS KMS 
configuration/credentials details are to be stored in the `bootstrap-aws.conf` 
file, as referenced in the `bootstrap.conf` of a NiFi or NiFi Registry 
instance. If the configuration/credentials details are not fully specified in 
`bootstrap-aws.conf`, then the protection scheme will attempt to use the 
default AWS credentials/configuration chain. Therefore, when using the AWS_KMS 
protection scheme, the `nifi(.registry)?.bootstrap.protection.aws.kms.conf` 
property in the `bootstrap.conf` specified using the `-b` flag must be 
available to the Encrypt Configuration Tool and must be configured as follows:
+
+===== Required properties
+[options="header,footer"]
+|===
+|Property Name|Description|Default
+|`aws.kms.key.id`|The key id or ARN to be used by AWS KMS to identify the key 
used for encryption/decryption.|_none_
+|===
+
+===== Optional properties
+====== All of the following must be configured, or will be ignored entirely.
+[options="header,footer"]
+|===
+|Property Name|Description|Default
+|`aws.region`|The region to configure AWS KMS Client with for 
encryption/decryption.|_none_
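Review bot: The line `====== All of the following must be configured, or will be ignored entirely.` under "Optional properties" is marked up as a level-6 section title, but it is a sentence, and "will be ignored" has no subject. Suggest making it a normal paragraph or a NOTE, for example "Either configure all of the following properties or none of them; a partial set is ignored entirely." It would also help to repeat here what happens when they are ignored (the paragraph above says the default AWS credentials/configuration chain is used), so that an operator who set only some of them knows which credentials and region end up in effect.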

Review comment:
       Making the changes



