In the development branch of SaltStack (to be the Beryllium release) I’ve added the boto_kms state and execution modules. This allows you to manage KMS master keys, their policies, key rotation, and other attributes via states. It also allows you to make KMS calls from other state and execution modules.
Here’s an example of managing a key and its attributes via a state:
```yaml
Ensure my-master-key is managed:
  boto_kms.key_present:
    - name: my-master-key
    - policy:
        Id: key-consolepolicy
        Statement:
          - Action: 'kms:*'
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Enable IAM User Permissions
          - Action:
              - kms:Describe*
              - kms:Put*
              - kms:Create*
              - kms:Update*
              - kms:Enable*
              - kms:Revoke*
              - kms:List*
              - kms:Get*
              - kms:Disable*
              - kms:Delete*
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:root'
            Resource: '*'
            Sid: Allow access for Key Administrators
          - Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:role/my-service'
            Resource: '*'
            Sid: Allow use of the key
          - Action:
              - kms:ListGrants
              - kms:CreateGrant
              - kms:RevokeGrant
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Allow attachment of persistent resources
        Version: '2012-10-17'
    - description: 'Testing key. Feel free to disable.'
    - key_rotation: False
    - enabled: True
```
Be very careful when defining the policy for a key. The key policy is the primary access control on a KMS key: the account root gets no implicit access, and IAM policies in the account only take effect on the key if the key policy itself grants the account root. It is therefore possible to create a key that even your root user can't access. If you can't access the key, then you also can't modify the policy, so you have a permanently broken key (I created 4 broken keys while creating these modules). Before applying a policy, make sure at least one principal you control keeps kms:PutKeyPolicy on the key (a bare kms:* or kms:Put* counts), and keep the statement that grants the account root so that IAM policies remain a recovery path.
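The lockout above is easy to check before a state ever reaches KMS. The following is an added example, not code from the boto_kms modules or from this post: it takes the policy dict a boto_kms.key_present state would send and reports which principals are guaranteed to keep kms:PutKeyPolicy afterwards, and whether the account root is among them (if it is not, no IAM policy can rescue the key either). The policy dicts and the account id 12345 are constructed from the state above; the check is deliberately conservative in that Allow statements carrying a Condition are not counted, Deny statements always are, and NotAction/NotPrincipal are not handled.

```python
"""Lockout check for a KMS key policy.

Added example, not code from the boto_kms modules: it inspects the policy
dict that boto_kms.key_present would send to KMS and reports which
principals are guaranteed to keep kms:PutKeyPolicy, i.e. who could still
repair the policy after it is applied.  Deliberately conservative: Allow
statements carrying a Condition are not counted, Deny statements always
are, and NotAction/NotPrincipal are not handled.
"""
import copy
import fnmatch

ACCOUNT_ID = "12345"  # placeholder account id, as in the state above

# Constructed sample: three statements from the policy above.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::12345:user/rlane"]},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::12345:root"]},
         "Action": ["kms:Describe*", "kms:Put*", "kms:Create*", "kms:Update*",
                    "kms:Enable*", "kms:Revoke*", "kms:List*", "kms:Get*",
                    "kms:Disable*", "kms:Delete*"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::12345:role/my-service"]},
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                    "kms:ReEncrypt*", "kms:Decrypt"],
         "Resource": "*"},
    ],
}

# Constructed variant: only the service role's statement survives, so no
# principal holds kms:PutKeyPolicy and the key can never be repaired.
LOCKED_POLICY = copy.deepcopy(GOOD_POLICY)
LOCKED_POLICY["Statement"] = [GOOD_POLICY["Statement"][2]]


def _as_list(value):
    """IAM policy JSON accepts a scalar wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*" or {"AWS": [...], "Service": [...]}) to a list."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _covers(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def principals_allowed(policy, action):
    """Principals that this key policy alone guarantees `action` to."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not any(_covers(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            denied.update(_principals(stmt))  # counted even if conditional
        elif stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            allowed.update(_principals(stmt))
    if "*" in denied:
        return set()
    return allowed - denied


def lockout_report(policy, account_id=ACCOUNT_ID):
    """Who can still change this policy, and whether IAM policies could help.

    IAM identity policies only apply to a KMS key when the key policy grants
    the account root, so a key whose policy leaves root without
    kms:PutKeyPolicy cannot be rescued from the IAM side either.
    """
    admins = principals_allowed(policy, "kms:PutKeyPolicy")
    root = "arn:aws:iam::%s:root" % account_id
    return {"policy_admins": sorted(admins),
            "iam_can_repair": root in admins,
            "locked_out": not admins}


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("locked", LOCKED_POLICY)):
        print(name, lockout_report(pol))
```

For the policy in the state above the report lists both rlane (via kms:*) and the account root (via kms:Put*) as policy admins; drop both statements and it flags the key as locked out. A check like this belongs in whatever renders your pillar data, since once KMS has accepted the policy there is no API call left that can undo it.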
Though these modules are written for the development branch, the state module's API is stable and both modules are stable enough for use. The execution module's API may change slightly before release. It's possible to use them in the 2015.5 (Lithium) release of Salt by including them as custom modules: put the execution module under `_modules/` and the state module under `_states/` in your file roots, then run `saltutil.sync_all` so the minions pick them up.