boto3_kms
Connection module for Amazon KMS using boto3.
Renamed from boto_kms to boto3_kms and rewritten to use the boto3 kms client APIs directly via saltext.boto3.utils.boto3mod. The legacy boto2 code path (object-style access, retry loops) has been removed.
- depends:
boto3 >= 1.28.0
botocore >= 1.31.0
- configuration:
This module accepts explicit KMS credentials but can also use IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then obtained automatically from the AWS API and no further configuration is necessary. More information is available at:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
If IAM roles are not used, you need to specify the credentials either in the minion’s config file or as a profile. For example, to specify them in the minion’s config file:
kms.keyid: GKTADJGHEIQSXMKKRBJ08H
kms.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
A region may also be specified in the configuration:
kms.region: us-east-1
It’s also possible to specify key, keyid and region via a profile, either as a passed-in dict or as a string to pull from pillars or minion config:
myprofile:
    keyid: GKTADJGHEIQSXMKKRBJ08H
    key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
    region: us-east-1
Added in version 1.0.0.
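An audit sketch for the two configuration layouts above, added here as an example and not part of saltext.boto3: it flags static access keys left in a minion config so they can be replaced by an instance profile. The function name, the sample config and the rule that a profile is any top-level mapping holding both keyid and key are assumptions made for illustration.

```python
import re

# Settings the page documents for static credentials.
TOP_LEVEL = {"kms.keyid", "kms.key"}
PROFILE_KEYS = {"keyid", "key"}
LINE = re.compile(r"^(?P<indent>\s*)(?P<name>[^\s:#][^:]*):\s*(?P<value>.*)$")

# Constructed sample; all values are placeholders, not real credentials.
SAMPLE = """\
# Constructed sample minion config; values are placeholders.
kms.region: us-east-1
kms.keyid: EXAMPLEKEYID
kms.key: example-secret-value
myprofile:
  keyid: EXAMPLEKEYID
  key: example-secret-value
  region: us-east-1
unrelated:
  key: some-value
"""


def find_static_kms_credentials(config_text):
    """Return sorted (line_number, setting) pairs for static AWS credentials.

    Handles only the flat and one-level-nested layouts shown above; it is
    not a general YAML parser.
    """
    findings = []
    blocks = {}  # top-level mapping name -> {nested key: line number}
    parent = None
    for number, raw in enumerate(config_text.splitlines(), start=1):
        match = LINE.match(raw.split(" #", 1)[0].rstrip())
        if not match:
            continue  # blank line, comment, or not a "name: value" line
        name, value = match["name"].strip(), match["value"].strip()
        if not match["indent"]:
            # A top-level key with no value opens a nested mapping.
            parent = name if not value else None
            if name in TOP_LEVEL and value:
                findings.append((number, name))
        elif parent and value:
            blocks.setdefault(parent, {})[name] = number
    for parent, keys in blocks.items():
        # Assumption: a mapping carrying both keyid and key is a profile.
        if PROFILE_KEYS.issubset(keys):
            findings += [(keys[k], f"{parent}.{k}") for k in ("keyid", "key")]
    return sorted(findings)
```

An empty result for a config that sets only kms.region means the minion relies on the instance profile for credentials.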
- saltext.boto3.modules.boto3_kms.create_alias(alias_name, target_key_id, region=None, key=None, keyid=None, profile=None)
Create a display name for a key.
CLI Example:
salt myminion boto3_kms.create_alias 'alias/mykey' key_id
- saltext.boto3.modules.boto3_kms.create_grant(key_id, grantee_principal, retiring_principal=None, operations=None, constraints=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Add a grant to a key.
CLI Example:
salt myminion boto3_kms.create_grant 'alias/mykey' 'arn:aws:iam::1:role/r' operations='["Encrypt","Decrypt"]'
- saltext.boto3.modules.boto3_kms.create_key(policy=None, description=None, key_usage=None, region=None, key=None, keyid=None, profile=None)
Create a customer master key.
CLI Example:
salt myminion boto3_kms.create_key '{"Statement":...}' "My master key"
- saltext.boto3.modules.boto3_kms.decrypt(ciphertext_blob, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Decrypt ciphertext.
CLI Example:
salt myminion boto3_kms.decrypt encrypted_ciphertext
- saltext.boto3.modules.boto3_kms.key_exists(key_id, region=None, key=None, keyid=None, profile=None)
Check whether a KMS key exists.
CLI Example:
salt myminion boto3_kms.key_exists 'alias/mykey'
- saltext.boto3.modules.boto3_kms.describe_key(key_id, region=None, key=None, keyid=None, profile=None)
Get detailed information about a key.
CLI Example:
salt myminion boto3_kms.describe_key 'alias/mykey'
- saltext.boto3.modules.boto3_kms.disable_key(key_id, region=None, key=None, keyid=None, profile=None)
Mark a key as disabled.
CLI Example:
salt myminion boto3_kms.disable_key 'alias/mykey'
- saltext.boto3.modules.boto3_kms.disable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None)
Disable key rotation for a key.
CLI Example:
salt myminion boto3_kms.disable_key_rotation 'alias/mykey'
- saltext.boto3.modules.boto3_kms.enable_key(key_id, region=None, key=None, keyid=None, profile=None)
Mark a key as enabled.
CLI Example:
salt myminion boto3_kms.enable_key 'alias/mykey'
- saltext.boto3.modules.boto3_kms.enable_key_rotation(key_id, region=None, key=None, keyid=None, profile=None)
Enable key rotation for a key.
CLI Example:
salt myminion boto3_kms.enable_key_rotation 'alias/mykey'
- saltext.boto3.modules.boto3_kms.encrypt(key_id, plaintext, encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Encrypt plaintext using a KMS key.
CLI Example:
salt myminion boto3_kms.encrypt 'alias/mykey' 'myplaindata'
- saltext.boto3.modules.boto3_kms.generate_data_key(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Generate a secure data key. KMS accepts either key_spec or number_of_bytes in a single request, not both.
CLI Example:
salt myminion boto3_kms.generate_data_key 'alias/mykey' key_spec=AES_128
- saltext.boto3.modules.boto3_kms.generate_data_key_without_plaintext(key_id, encryption_context=None, number_of_bytes=None, key_spec=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Generate a secure data key without a plaintext copy.
CLI Example:
salt myminion boto3_kms.generate_data_key_without_plaintext 'alias/mykey' number_of_bytes=1024
- saltext.boto3.modules.boto3_kms.generate_random(number_of_bytes=None, region=None, key=None, keyid=None, profile=None)
Generate cryptographically secure random bytes.
CLI Example:
salt myminion boto3_kms.generate_random number_of_bytes=1024
- saltext.boto3.modules.boto3_kms.get_key_policy(key_id, policy_name, region=None, key=None, keyid=None, profile=None)
Get the policy for the specified key.
CLI Example:
salt myminion boto3_kms.get_key_policy 'alias/mykey' default
- saltext.boto3.modules.boto3_kms.get_key_rotation_status(key_id, region=None, key=None, keyid=None, profile=None)
Return whether key rotation is enabled for the specified key.
CLI Example:
salt myminion boto3_kms.get_key_rotation_status 'alias/mykey'
- saltext.boto3.modules.boto3_kms.list_grants(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None)
List grants for the specified key.
CLI Example:
salt myminion boto3_kms.list_grants 'alias/mykey'
- saltext.boto3.modules.boto3_kms.list_key_policies(key_id, limit=None, marker=None, region=None, key=None, keyid=None, profile=None)
List key policies for the specified key.
CLI Example:
salt myminion boto3_kms.list_key_policies 'alias/mykey'
- saltext.boto3.modules.boto3_kms.put_key_policy(key_id, policy_name, policy, region=None, key=None, keyid=None, profile=None)
Attach a key policy to the specified key.
CLI Example:
salt myminion boto3_kms.put_key_policy 'alias/mykey' default '{"Statement":...}'
- saltext.boto3.modules.boto3_kms.re_encrypt(ciphertext_blob, destination_key_id, source_encryption_context=None, destination_encryption_context=None, grant_tokens=None, region=None, key=None, keyid=None, profile=None)
Re-encrypt ciphertext with a new master key.
CLI Example:
salt myminion boto3_kms.re_encrypt 'encrypted_data' 'alias/mynewkey'