AWS SDK for Go V1 has reached end-of-support. We recommend that you migrate to [AWS SDK for Go V2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/). For additional details and information on how to migrate, please refer to this [announcement](https://aws.amazon.com/blogs//developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/).
# AWS Key Management Service Examples Using the AWS SDK for Go
You can use the following examples to access AWS Key Management Service (AWS KMS) using the AWS SDK for Go. For more information about AWS KMS, see the [AWS KMS documentation](https://aws.amazon.com/documentation/kms/). For reference information about the AWS KMS client, see the [New](https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New) function.
**Examples**
**Topics**
+ [
# Creating a CMK in AWS Key Management Service
](kms-example-create-key.md)
+ [
# Encrypting Data with AWS Key Management Service
](kms-example-encrypt-data.md)
+ [
# Decrypting a Data Blob in AWS Key Management Service
](kms-example-decrypt-blob.md)
+ [
# Re-encrypting a Data Blob in AWS Key Management Service
](kms-example-re-encrypt-data.md)
# Creating a CMK in AWS Key Management Service
The following example uses the AWS SDK for Go[CreateKey](https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.CreateKey) method, which implements the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation, to create a customer master key (CMK). Since the example only encrypts a small amount of data, a CMK is fine for our purposes. For larger amounts of data, use the CMK to encrypt a data encryption key (DEK).
```
import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
"fmt"
"os"
)
// Create an AWS KMS key (KMS key)
// Since we are only encrypting small amounts of data (4 KiB or less) directly,
// a KMS key is fine for our purposes.
// For larger amounts of data,
// use the KMS key to encrypt a data encryption key (DEK).
func main() {
// Initialize a session in us-west-2 that the SDK will use to load
// credentials from the shared credentials file ~/.aws/credentials.
sess, err := session.NewSession(&aws.Config{
Region: aws.String("us-west-2")},
)
// Create KMS service client
svc := kms.New(sess)
// Create the key
result, err := svc.CreateKey(&kms.CreateKeyInput{
Tags: []*kms.Tag{
{
TagKey: aws.String("CreatedBy"),
TagValue: aws.String("ExampleUser"),
},
},
})
if err != nil {
fmt.Println("Got error creating key: ", err)
os.Exit(1)
}
fmt.Println(*result.KeyMetadata.KeyId)
}
```
Choose `Copy` to save the code locally. See the [complete example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/go/example_code/kms/kms_create_key.go) on GitHub.
# Encrypting Data with AWS Key Management Service
The following example uses the AWS SDK for Go[Encrypt](https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.Encrypt) method, which implements the [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) operation, to encrypt the string “1234567890”. The example displays a readable version of the resulting encrypted blob.
```
import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
"fmt"
"os"
)
func main() {
// Initialize a session in us-west-2 that the SDK will use to load
// credentials from the shared credentials file ~/.aws/credentials.
sess, err := session.NewSession(&aws.Config{
Region: aws.String("us-west-2")},
)
// Create KMS service client
svc := kms.New(sess)
// Encrypt data key
//
// Replace the fictitious key ARN with a valid key ID
keyId := "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
text := "1234567890"
// Encrypt the data
result, err := svc.Encrypt(&kms.EncryptInput{
KeyId: aws.String(keyId),
Plaintext: []byte(text),
})
if err != nil {
fmt.Println("Got error encrypting data: ", err)
os.Exit(1)
}
fmt.Println("Blob (base-64 byte array):")
fmt.Println(result.CiphertextBlob)
}
```
Choose `Copy` to save the code locally. See the [complete example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/go/example_code/kms/kms_encrypt_data.go) on GitHub.
# Decrypting a Data Blob in AWS Key Management Service
The following example uses the AWS SDK for Go[Decrypt](https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.Decrypt) method, which implements the [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation, to decrypt the provided string and emits the result.
```
import (
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
"fmt"
"os"
)
func main() {
// Initialize a session that the SDK uses to load
// credentials from the shared credentials file ~/.aws/credentials
// and configuration from the shared configuration file ~/.aws/config.
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
// Create KMS service client
svc := kms.New(sess)
// Encrypted data
blob := []byte("1234567890")
// Decrypt the data
result, err := svc.Decrypt(&kms.DecryptInput{CiphertextBlob: blob})
if err != nil {
fmt.Println("Got error decrypting data: ", err)
os.Exit(1)
}
blob_string := string(result.Plaintext)
fmt.Println(blob_string)
```
Choose `Copy` to save the code locally. See the [complete example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/go/example_code/kms/kms_decrypt_data.go) on GitHub.
# Re-encrypting a Data Blob in AWS Key Management Service
The following example uses the AWS SDK for Go[ReEncrypt](https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#KMS.ReEncrypt) method, which implements the [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) operation, to decrypt encrypted data and then immediately re-encrypt data under a new customer master key (CMK). The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS. The example displays a readable version of the resulting re-encrypted blob.
```
import (
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/kms"
"fmt"
"os"
)
func main() {
// Initialize a session that the SDK uses to load
// credentials from the shared credentials file ~/.aws/credentials
// and configuration from the shared configuration file ~/.aws/config.
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
// Create KMS service client
svc := kms.New(sess)
// Encrypt data key
//
// Replace the fictitious key ARN with a valid key ID
keyId := "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
// Encrypted data
blob := []byte("1234567890")
// Re-encrypt the data key
result, err := svc.ReEncrypt(&kms.ReEncryptInput{CiphertextBlob: blob, DestinationKeyId: &keyId})
if err != nil {
fmt.Println("Got error re-encrypting data: ", err)
os.Exit(1)
}
fmt.Println("Blob (base-64 byte array):")
fmt.Println(result.CiphertextBlob)
```
Choose `Copy` to save the code locally. See the [complete example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/go/example_code/kms/kms_re_encrypt_data.go) on GitHub.