Connection module for Amazon KMS
New in version 2015.8.0.
This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More Information available at:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
If IAM roles are not used you need to specify them either in a pillar or in the minion's config file:
kms.keyid: GKTADJGHEIQSXMKKRBJ08H
kms.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
A region may also be specified in the configuration:
kms.region: us-east-1
If a region is not specified, the default is us-east-1.
It's also possible to specify key, keyid and region via a profile, either as a passed in dict, or as a string to pull from pillars or minion config:
- myprofile:
keyid: GKTADJGHEIQSXMKKRBJ08H key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1
boto
Create a display name for a key.
CLI Example:
salt myminion boto_kms.create_alias 'alias/mykey' key_id
Adds a grant to a key to specify who can access the key and under what conditions.
CLI Example:
salt myminion boto_kms.create_grant 'alias/mykey' 'arn:aws:iam::1111111:/role/myrole' operations='["Encrypt","Decrypt"]'
Creates a master key.
CLI Example:
salt myminion boto_kms.create_key '{"Statement":...}' "My master key"
Decrypt ciphertext.
CLI Example:
salt myminion boto_kms.decrypt encrypted_ciphertext
Get detailed information about a key.
CLI Example:
salt myminion boto_kms.describe_key 'alias/mykey'
Mark key as disabled.
CLI Example:
salt myminion boto_kms.disable_key 'alias/mykey'
Disable key rotation for specified key.
CLI Example:
salt myminion boto_kms.disable_key_rotation 'alias/mykey'
Mark key as enabled.
CLI Example:
salt myminion boto_kms.enable_key 'alias/mykey'
Disable key rotation for specified key.
CLI Example:
salt myminion boto_kms.enable_key_rotation 'alias/mykey'
Encrypt plaintext into cipher text using specified key.
CLI Example:
salt myminion boto_kms.encrypt 'alias/mykey' 'myplaindata' '{"aws:username":"myuser"}'
Generate a secure data key.
CLI Example:
salt myminion boto_kms.generate_data_key 'alias/mykey' number_of_bytes=1024 key_spec=AES_128
Generate a secure data key without a plaintext copy of the key.
CLI Example:
salt myminion boto_kms.generate_data_key_without_plaintext 'alias/mykey' number_of_bytes=1024 key_spec=AES_128
Generate a random string.
CLI Example:
salt myminion boto_kms.generate_random number_of_bytes=1024
Get the policy for the specified key.
CLI Example:
salt myminion boto_kms.get_key_policy 'alias/mykey' mypolicy
Get status of whether or not key rotation is enabled for a key.
CLI Example:
salt myminion boto_kms.get_key_rotation_status 'alias/mykey'
Check for the existence of a key.
CLI Example:
salt myminion boto_kms.key_exists 'alias/mykey'
List grants for the specified key.
CLI Example:
salt myminion boto_kms.list_grants 'alias/mykey'
List key_policies for the specified key.
CLI Example:
salt myminion boto_kms.list_key_policies 'alias/mykey'
Attach a key policy to the specified key.
CLI Example:
salt myminion boto_kms.put_key_policy 'alias/mykey' default '{"Statement":...}'
Reencrypt encrypted data with a new master key.
CLI Example:
salt myminion boto_kms.re_encrypt 'encrypted_data' 'alias/mynewkey' default '{"Statement":...}'
Revoke a grant from a key.
CLI Example:
salt myminion boto_kms.revoke_grant 'alias/mykey' 8u89hf-j09j...
Update a key's description.
CLI Example:
salt myminion boto_kms.update_key_description 'alias/mykey' 'My key'