salt.modules.boto_kms

Connection module for Amazon KMS

2015.8.0 新版功能.

configuration:

This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance trough Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

If IAM roles are not used you need to specify them either in a pillar or in the minion's config file:

kms.keyid: GKTADJGHEIQSXMKKRBJ08H
kms.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

A region may also be specified in the configuration:

kms.region: us-east-1

If a region is not specified, the default is us-east-1.

It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config:

myprofile:

keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1

depends:

boto

salt.modules.boto_kms.create_alias(alias_name, target_key_id, region=None, key=None, keyid=None, profile=None)

Create a display name for a key.

CLI example:

salt myminion boto_kms.create_alias 'alias/mykey' key_id
salt.modules.boto_kms.create_grant(key_id, grantee_principal, retiring_principal=None, operations=None, constraints=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Adds a grant to a key to specify who can access the key and under what conditions.

CLI example:

salt myminion boto_kms.create_grant 'alias/mykey' 'arn:aws:iam::1111111:/role/myrole' operations='["Encrypt","Decrypt"]'
salt.modules.boto_kms.create_key(policy=None, description=None, key_usage=None, region=None, key=None, keyid=None, profile=None)

Creates a master key.

CLI example:

salt myminion boto_kms.create_key '{"Statement":...}' "My master key"
salt.modules.boto_kms.decrypt(ciphertext_blob, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Decrypt ciphertext.

CLI example:

salt myminion boto_kms.decrypt encrypted_ciphertext
salt.modules.boto_kms.describe_key(key_id, region=None, key=None, keyid=None, profile=None)

Get detailed information about a key.

CLI example:

salt myminion boto_kms.describe_key 'alias/mykey'
salt.modules.boto_kms.disable_key(key_id, region=None, key=None, keyid=None, profile=None)

Mark key as disabled.

CLI example:

salt myminion boto_kms.disable_key 'alias/mykey'
salt.modules.boto_kms.disable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None)

Disable key rotation for specified key.

CLI example:

salt myminion boto_kms.disable_key_rotation 'alias/mykey'
salt.modules.boto_kms.enable_key(key_id, region=None, key=None, keyid=None, profile=None)

Mark key as enabled.

CLI example:

salt myminion boto_kms.enable_key 'alias/mykey'
salt.modules.boto_kms.enable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None)

Disable key rotation for specified key.

CLI example:

salt myminion boto_kms.enable_key_rotation 'alias/mykey'
salt.modules.boto_kms.encrypt(key_id, plaintext, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Encrypt plaintext into cipher text using specified key.

CLI example:

salt myminion boto_kms.encrypt 'alias/mykey' 'myplaindata' '{"aws:username":"myuser"}'
salt.modules.boto_kms.generate_data_key(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Generate a secure data key.

CLI example:

salt myminion boto_kms.generate_data_key 'alias/mykey' number_of_bytes=1024 key_spec=AES_128
salt.modules.boto_kms.generate_data_key_without_plaintext(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Generate a secure data key without a plaintext copy of the key.

CLI example:

salt myminion boto_kms.generate_data_key_without_plaintext 'alias/mykey' number_of_bytes=1024 key_spec=AES_128
salt.modules.boto_kms.generate_random(number_of_bytes=None, region=None, key=None, keyid=None, profile=None)

Generate a random string.

CLI example:

salt myminion boto_kms.generate_random number_of_bytes=1024
salt.modules.boto_kms.get_key_policy(key_id, policy_name, region=None, key=None, keyid=None, profile=None)

Get the policy for the specified key.

CLI example:

salt myminion boto_kms.get_key_policy 'alias/mykey' mypolicy
salt.modules.boto_kms.get_key_rotation_status(key_id, region=None, key=None, keyid=None, profile=None)

Get status of whether or not key rotation is enabled for a key.

CLI example:

salt myminion boto_kms.get_key_rotation_status 'alias/mykey'
salt.modules.boto_kms.key_exists(key_id, region=None, key=None, keyid=None, profile=None)

Check for the existence of a key.

CLI example:

salt myminion boto_kms.key_exists 'alias/mykey'
salt.modules.boto_kms.list_grants(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None)

List grants for the specified key.

CLI example:

salt myminion boto_kms.list_grants 'alias/mykey'
salt.modules.boto_kms.list_key_policies(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None)

List key_policies for the specified key.

CLI example:

salt myminion boto_kms.list_key_policies 'alias/mykey'
salt.modules.boto_kms.put_key_policy(key_id, policy_name, policy, region=None, key=None, keyid=None, profile=None)

Attach a key policy to the specified key.

CLI example:

salt myminion boto_kms.put_key_policy 'alias/mykey' default '{"Statement":...}'
salt.modules.boto_kms.re_encrypt(ciphertext_blob, destination_key_id, source_encryption_context=None, destination_encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)

Reencrypt encrypted data with a new master key.

CLI example:

salt myminion boto_kms.re_encrypt 'encrypted_data' 'alias/mynewkey' default '{"Statement":...}'
salt.modules.boto_kms.revoke_grant(key_id, grant_id, region=None, key=None, keyid=None, profile=None)

Revoke a grant from a key.

CLI example:

salt myminion boto_kms.revoke_grant 'alias/mykey' 8u89hf-j09j...
salt.modules.boto_kms.update_key_description(key_id, description, region=None, key=None, keyid=None, profile=None)

Update a key's description.

CLI example:

salt myminion boto_kms.update_key_description 'alias/mykey' 'My key'