Master keys management

Amazon KMS keys are automatically generated by the command line tool when the first configuration entry for a new application is created.

1Config creates a KMS key and an alias with the same name as the application key used for the configuration. All keys created by 1Config are prefixed with 1Config/, for example if your application key is user-profile-service then the master key alias will be alias/1Config/user-profile-service. Keys are created in the same region as the DynamoDB table, keys can be set to automatically rotate. You can list the 1Config managed keys via the command line tools with: 1cfg list-keys. Master keys can also be listed via the AWS command line tool with: $ aws kms list-keys and $ aws kms list-aliases or via the AWS console.

To create a new key you can use the 1Config command line tool with 1cfg create-key -m key-name (eg: 1cfg create-key -m user-profile-service)

You can also use encrypt a config entry with a key with different name by specifying the key to use during set, for example:

1cfg SET -b dynamo -e test -k 'service1' -v '1.6.0' -t edn '{:port 8080}' -m user-profile-service