KMS support added to SaltStack Beryllium (development) branch

In the development branch of SaltStack (to be the Beryllium release) I’ve added the boto_kms state and execution modules. This allows you to manage KMS master keys, their policies, key rotation, and other attributes via states. It also allows you to make KMS calls from other state and execution modules.

Here’s an example of managing a key and its attributes via a state:

Ensure my-master-key is managed:
  boto_kms.key_present:
    - name: my-master-key
    - policy:
        Id: key-consolepolicy
        Statement:
          - Action: 'kms:*'
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Enable IAM User Permissions
          - Action:
              - kms:Describe*
              - kms:Put*
              - kms:Create*
              - kms:Update*
              - kms:Enable*
              - kms:Revoke*
              - kms:List*
              - kms:Get*
              - kms:Disable*
              - kms:Delete*
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:root'
            Resource: '*'
            Sid: Allow access for Key Administrators
          - Action:
              - kms:DescribeKey
              - kms:GenerateDataKey*
              - kms:Encrypt
              - kms:ReEncrypt*
              - kms:Decrypt
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:role/my-service'
            Resource: '*'
            Sid: Allow use of the key
          - Action:
              - kms:ListGrants
              - kms:CreateGrant
              - kms:RevokeGrant
            Condition:
              Bool:
                'kms:GrantIsForAWSResource': true
            Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::12345:user/rlane'
            Resource: '*'
            Sid: Allow attachment of persistent resources
        Version: '2012-10-17'
    - description: 'Testing key. Feel free to disable.'
    - key_rotation: False
    - enabled: True

Note that you should be very careful when defining the policy for a key. It’s apparently possible to create a key that even your root user can’t access. If you can’t access the key, you also can’t modify its policy, so you end up with a permanently broken key (I created 4 broken keys while writing these modules).
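As an added example (not code from the SaltStack modules or the post), here is a small check a practitioner could run over the policy dict before handing it to boto_kms.key_present: it refuses any policy under which the account root cannot call kms:PutKeyPolicy, since that is what leaves a key permanently unmanageable. The account id and the two sample policies are constructed, and treating root's PutKeyPolicy access as the must-keep permission is the assumption the check encodes.

```python
import re

ROOT_ARN = "arn:aws:iam::{account}:root"
REQUIRED = "kms:PutKeyPolicy"  # if root loses this, nobody can ever repair the policy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action patterns: '*' matches any run of characters, '?' one character, case-insensitive
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))

def root_can_manage_policy(policy, account):
    """True if an unconditional Allow lets the account root call kms:PutKeyPolicy
    and no statement denies it to root. NotAction/NotPrincipal are not handled
    (assumption: the policy only uses Action/Principal, as in the state above)."""
    root = ROOT_ARN.format(account=account)
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        covers = any(_action_matches(a, REQUIRED) for a in _as_list(stmt.get("Action", [])))
        for_root = any(p in ("*", root) for p in _principals(stmt))
        if not (covers and for_root):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True  # conservative: any Deny reaching root counts, conditions ignored
        elif stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            allowed = True
    return allowed and not denied

# Constructed policies: the first mirrors the Key Administrators statement above
# (root gets kms:Put*), the second only lets root describe the key.
ADMIN_STMT = {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::12345:root"]},
              "Action": ["kms:Describe*", "kms:Put*", "kms:Create*"], "Resource": "*"}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [ADMIN_STMT]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [dict(ADMIN_STMT, Action=["kms:Describe*"])]}

if __name__ == "__main__":
    print(root_can_manage_policy(GOOD_POLICY, "12345"), root_can_manage_policy(BAD_POLICY, "12345"))
```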

Though these modules are written for the development branch, the state module is API-stable and both modules are stable enough for use. The execution module’s API may change slightly before release. It’s also possible to use these modules in the 2015.5 (Lithium) release of Salt by including them as custom modules.