Manage KMS keys, key policies and grants.
Be aware that this interacts with Amazon's services, and so may incur charges.
This module uses
boto, which can be installed via package, or pip.
This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.
If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file:
elb.keyid: GKTADJGHEIQSXMKKRBJ08H elb.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
It's also possible to specify
region via a profile,
either passed in as a dict, or as a string to pull from pillars or minion
myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1
Ensure mykey key exists: boto_kms.key_present: - name: mykey - region: us-east-1 # Using a profile from pillars Ensure mykey key exists: boto_kms.key_present: - name: mykey - region: us-east-1 - profile: myprofile # Passing in a profile Ensure mykey key exists: boto_key.key_present: - name: mykey - region: us-east-1 - profile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
key_present(name, policy, description=None, key_usage=None, grants=None, manage_grants=False, key_rotation=False, enabled=True, region=None, key=None, keyid=None, profile=None)¶
Ensure the KMS key exists. KMS keys can not be deleted, so this function must be used to ensure the key is enabled or disabled.