Manage KMS keys, key policies and grants.
New in version beryllium.
Be aware that this interacts with Amazon's services, and so may incur charges.
This module uses boto
, which can be installed via package, or pip.
This module accepts explicit kms credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.
If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file:
elb.keyid: GKTADJGHEIQSXMKKRBJ08H
elb.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
It's also possible to specify key
, keyid
and region
via a profile,
either passed in as a dict, or as a string to pull from pillars or minion
config:
myprofile:
keyid: GKTADJGHEIQSXMKKRBJ08H
key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
region: us-east-1
Ensure mykey key exists:
boto_kms.key_present:
- name: mykey
- region: us-east-1
# Using a profile from pillars
Ensure mykey key exists:
boto_kms.key_present:
- name: mykey
- region: us-east-1
- profile: myprofile
# Passing in a profile
Ensure mykey key exists:
boto_key.key_present:
- name: mykey
- region: us-east-1
- profile:
keyid: GKTADJGHEIQSXMKKRBJ08H
key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
salt.states.boto_kms.
key_present
(name, policy, description=None, key_usage=None, grants=None, manage_grants=False, key_rotation=False, enabled=True, region=None, key=None, keyid=None, profile=None)¶Ensure the KMS key exists. KMS keys can not be deleted, so this function must be used to ensure the key is enabled or disabled.