In the development branch of SaltStack (to be the Beryllium release) I’ve added the boto_kms state and execution modules. This allows you to manage KMS master keys, their policies, key rotation, and other attributes via states. It also allows you to make KMS calls from other state and execution modules.
Here’s an example of managing a key and its attributes via a state:
Ensure my-master-key is managed:
  boto_kms.key_present:
    - name: my-master-key
    - policy:
        Id: key-consolepolicy
        Statement:
          - Action: 'kms:*'
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Enable IAM User Permissions
          - Action:
              - kms:Describe*
              - kms:Put*
              - kms:Create*
              - kms:Update*
              - kms:Enable*
              - kms:Revoke*
              - kms:List*
              - kms:Get*
              - kms:Disable*
              - kms:Delete*
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:root'
            Resource: '*'
            Sid: Allow access for Key Administrators
          - Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:role/my-service'
            Resource: '*'
            Sid: Allow use of the key
          - Action:
              - kms:ListGrants
              - kms:CreateGrant
              - kms:RevokeGrant
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Allow attachment of persistent resources
        Version: '2012-10-17'
    - description: 'Testing key. Feel free to disable.'
    - key_rotation: False
    - enabled: True
Note that you should be very careful when defining the policy for a key. It’s apparently possible to create a key that even your root user can’t access. If you can’t access the key, then you also can’t modify the policy, so you have a permanently broken key (I created 4 broken keys while creating these modules).
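The lockout described above is easy to catch before the state ever runs: a key policy is only repairable if some principal is allowed to call kms:PutKeyPolicy on it. The following is an added example (not part of the boto_kms modules or of SaltStack) that walks a key policy document, the same structure the state's `policy` argument takes, and reports which principals could rewrite it. The two policies at the bottom are constructed for the example; the first mirrors the state above, the second grants only key usage and so would be permanently broken. The account id 12345 is the placeholder used in the state above.

```python
"""Static pre-check for the KMS key-policy lockout: does anyone keep
kms:PutKeyPolicy? Added example, not part of boto_kms or SaltStack."""
from fnmatch import fnmatchcase

REPAIR_ACTION = "kms:PutKeyPolicy"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively and allow '*' / '?' wildcards,
    so 'kms:Put*' and 'kms:*' both cover kms:PutKeyPolicy."""
    return fnmatchcase(action.lower(), pattern.lower())


def _principals(statement):
    """Return the principal identifiers of a statement ('*' means anyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for key in ("AWS", "Federated", "Service"):
            found.extend(_as_list(principal.get(key)))
        return found
    return []


def policy_repairers(policy):
    """Return (unconditional, conditional): principals whose Allow statements
    cover kms:PutKeyPolicy, split by whether the statement has a Condition.
    Assumption: plain Effect/Action/Principal statements as in the state
    above; Deny and NotAction statements are not modelled here."""
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, REPAIR_ACTION) for p in actions):
            continue
        target = conditional if stmt.get("Condition") else unconditional
        target.extend(_principals(stmt))
    return unconditional, conditional


def is_recoverable(policy):
    """True if at least one principal can rewrite the policy without having
    to satisfy a condition; False means a key nobody can fix afterwards."""
    return bool(policy_repairers(policy)[0])


# Constructed sample policies (account id 12345 is a placeholder).
ROOT = "arn:aws:iam::12345:root"
USER = "arn:aws:iam::12345:user/rlane"
ROLE = "arn:aws:iam::12345:role/my-service"

EXAMPLE_POLICY = {  # same shape as the state above: admins keep kms:Put*
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": [USER]}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": [ROOT]},
         "Action": ["kms:Describe*", "kms:Put*", "kms:Create*", "kms:Delete*"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}

LOCKED_OUT_POLICY = {  # only usage granted, plus a conditional admin grant
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Conditional admin", "Effect": "Allow",
         "Principal": {"AWS": USER}, "Action": "kms:*", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("example", EXAMPLE_POLICY),
                         ("locked-out", LOCKED_OUT_POLICY)):
        unconditional, conditional = policy_repairers(policy)
        print(name, "recoverable:", is_recoverable(policy),
              "| unconditional:", unconditional, "| conditional:", conditional)
```

Run this over the `policy` dict before applying the state (a Salt custom module or a pre-commit hook are both natural homes). A policy that reports no unconditional repairer, or only a Condition-gated one, is the case the note above warns about; the check errs on the side of alarm, since it ignores Deny statements and anything outside the key policy (SCPs, for instance) that could narrow access further.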
Though these modules are written for the development branch, the state module's API is stable and both modules are stable enough for use. The execution module's API may change slightly before release. It's also possible to use these modules in the 2015.5 (Lithium) release of Salt by including them as custom modules.