From 7ee554cb6b0e06e8efda56a555589058f7050936 Mon Sep 17 00:00:00 2001
From: Benjamin Ludewig
Date: Thu, 1 Sep 2022 23:14:53 +0200
Subject: [PATCH 1/3] config: respect `aws_profile` from group config

Signed-off-by: Benjamin Ludewig
---
 config/config.go | 2 +-
 config/config_test.go | 6 ++++--
 kms/keysource.go | 8 ++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/config/config.go b/config/config.go
index c2475a2b9..6f34e0066 100644
--- a/config/config.go
+++ b/config/config.go
@@ -164,7 +164,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 }
 for _, k := range group.KMS {
- keyGroup = append(keyGroup, kms.NewMasterKey(k.Arn, k.Role, k.Context))
+ keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
 }
 for _, k := range group.GCPKMS {
 keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
diff --git a/config/config_test.go b/config/config_test.go
index 4c43686c0..1c9814a41 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -93,6 +93,7 @@ creation_rules:
 key_groups:
 - kms:
 - arn: foo
+ aws_profile: bar
 pgp:
 - bar
 gcp_kms:
@@ -105,6 +106,7 @@ creation_rules:
 - 'https://foo.vault:8200/v1/foo/keys/foo-key'
 - kms:
 - arn: baz
+ aws_profile: foo
 pgp:
 - qux
 gcp_kms:
@@ -287,14 +289,14 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 PathRegex: "",
 KeyGroups: []keyGroup{
 {
- KMS: []kmsKey{{Arn: "foo"}},
+ KMS: []kmsKey{{Arn: "foo", AwsProfile: "bar"}},
 PGP: []string{"bar"},
 GCPKMS: []gcpKmsKey{{ResourceID: "foo"}},
 AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}},
 Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"},
 },
 {
- KMS: []kmsKey{{Arn: "baz"}},
+ KMS: []kmsKey{{Arn: "baz", AwsProfile: "foo"}},
 PGP: []string{"qux"},
 GCPKMS: []gcpKmsKey{
 {ResourceID: "bar"},
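Review bot: The changed line is the only place in this series where a group's `aws_profile` is carried into the KMS master key, and no test in the series exercises that wiring: the config_test.go hunks only assert that `AwsProfile` is parsed into `kmsKey`, and the keysource_test.go hunk only calls `NewMasterKeyWithProfile` directly. A test that builds the key groups from the loaded group config and asserts `AwsProfile` on the resulting `*kms.MasterKey` would pin the fix, since on the removed line a profile set in the config was dropped without any error and the key was presumably resolved with whatever ambient AWS credentials were present — a misconfiguration that does not fail loudly. `getKeyGroupsFromCreationRule` begins and ends outside the hunk, so whether any other constructor path in the same function still omits the profile cannot be judged from here.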
diff --git a/kms/keysource.go b/kms/keysource.go
index a28398090..1749b3455 100644
--- a/kms/keysource.go
+++ b/kms/keysource.go
@@ -88,6 +88,14 @@ func NewMasterKey(arn string, role string, context map[string]*string) *MasterKe
 }
 }
 
+// NewMasterKeyWithProfile creates a new MasterKey from an ARN, role, context
+// and awsProfile, setting the creation date to the current date.
+func NewMasterKeyWithProfile(arn string, role string, context map[string]*string, awsProfile string) *MasterKey {
+ k := NewMasterKey(arn, role, context)
+ k.AwsProfile = awsProfile
+ return k
+}
+
 // NewMasterKeyFromArn takes an ARN string and returns a new MasterKey for that
 // ARN.
 func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile string) *MasterKey {
From 75137322d50d988f248af7bf1615f5d29e4ef37f Mon Sep 17 00:00:00 2001
From: Benjamin Ludewig
Date: Fri, 13 Oct 2023 15:13:56 +0200
Subject: [PATCH 2/3] docs: add aws_profile to creation_rules examples

Signed-off-by: Benjamin Ludewig
---
 README.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.rst b/README.rst
index c6a40453b..5ed120d1a 100644
--- a/README.rst
+++ b/README.rst
@@ -776,6 +776,7 @@ like so:
 context:
 foo: bar
 - arn: arn2
+ aws_profile: myprofile
 # Second key group
 - pgp:
 - fingerprint3
@@ -818,6 +819,7 @@ with ``shamir_threshold``:
 context:
 foo: bar
 - arn: arn2
+ aws_profile: myprofile
 # Second key group
 - pgp:
 - fingerprint3
From 6887ebfb193fcb7bb2b2a2628bf95803cf5f5dc1 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Fri, 13 Oct 2023 16:14:07 +0200
Subject: [PATCH 3/3] kms: add minimal test for `NewMasterKeyWithProfile`

Signed-off-by: Hidde Beydals
---
 kms/keysource_test.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/kms/keysource_test.go b/kms/keysource_test.go
index 4bed28621..855a1f880 100644
--- a/kms/keysource_test.go
+++ b/kms/keysource_test.go
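Review bot: The doc comment on `NewMasterKeyWithProfile` does not say what an empty awsProfile means, and that is likely the common case since the config and README hunks in this series set `aws_profile` on only some keys. Because the function assigns `k.AwsProfile = awsProfile` after delegating to `NewMasterKey`, an empty string leaves the field at its zero value — assuming `NewMasterKey` does not populate it itself, which cannot be confirmed here because its body starts before the hunk. Suggested addition to the comment: `// An empty awsProfile leaves AwsProfile unset, so the key behaves as one built with NewMasterKey.` Keeping awsProfile as the last parameter matches `NewMasterKeyFromArn` directly below, which is a good consistency point worth preserving if the signature is revisited.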
@@ -122,6 +122,22 @@ func TestNewMasterKey(t *testing.T) {
 assert.NotNil(t, key.CreationDate)
 }
 
+func TestNewMasterKeyWithProfile(t *testing.T) {
+ var (
+ dummyRole = "a-role"
+ dummyEncryptionContext = map[string]*string{
+ "foo": aws.String("bar"),
+ }
+ dummyProfile = "a-profile"
+ )
+ key := NewMasterKeyWithProfile(dummyARN, dummyRole, dummyEncryptionContext, dummyProfile)
+ assert.Equal(t, dummyARN, key.Arn)
+ assert.Equal(t, dummyRole, key.Role)
+ assert.Equal(t, dummyEncryptionContext, key.EncryptionContext)
+ assert.Equal(t, dummyProfile, key.AwsProfile)
+ assert.NotNil(t, key.CreationDate)
+}
+
 func TestNewMasterKeyFromArn(t *testing.T) {
 t.Run("arn", func(t *testing.T) {
 var (
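Review bot: The new test only covers a non-empty profile; the empty-profile path, which every group key configured without `aws_profile` takes, is left unasserted. A one-line addition would pin it: `assert.Empty(t, NewMasterKeyWithProfile(dummyARN, dummyRole, dummyEncryptionContext, "").AwsProfile)`. As a point of style, the neighbouring `TestNewMasterKeyFromArn` uses `t.Run` subtests, so splitting the two cases into `t.Run("profile", ...)` and `t.Run("no profile", ...)` would match that layout.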