ansible.builtin.aws_kms (v2.5.12) — module

Perform various KMS management tasks.

| "added in version" 2.3 of ansible.builtin"

Authors: tedder

preview | supported by certified

Install Ansible via pip

Install with pip install ansible==2.5.12

Description

Manage role/user access to a KMS key. Not designed for encrypting/decrypting.


Requirements

Usage examples

  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
- name: grant user-style access to production secrets
  kms:
  args:
    mode: grant
    key_alias: "alias/my_production_secrets"
    role_name: "prod-appServerRole-1R5AQG2BSEL6L"
    grant_types: "role,role grant"
  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
- name: remove access to production secrets from role
  kms:
  args:
    mode: deny
    key_alias: "alias/my_production_secrets"
    role_name: "prod-appServerRole-1R5AQG2BSEL6L"

Inputs

    
mode:
    choices:
    - grant
    - deny
    default: grant
    description:
    - Grant or deny access.
    required: true

region:
    aliases:
    - aws_region
    - ec2_region
    description:
    - The AWS region to use.
    - For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
    - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
    - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
    - The C(ec2_region) alias has been deprecated and will be removed in a release after
      2024-12-01
    - Support for the C(EC2_REGION) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

key_arn:
    description:
    - Full ARN to the key. One of C(key_alias) or C(key_arn) are required.
    required: false

profile:
    aliases:
    - aws_profile
    description:
    - A named AWS profile to use for authentication.
    - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
    - The C(AWS_PROFILE) environment variable may also be used.
    - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
      and I(security_token) options.
    type: str

role_arn:
    description:
    - ARN of role to allow/deny access. One of C(role_name) or C(role_arn) are required.
    required: false

key_alias:
    description:
    - Alias label to the key. One of C(key_alias) or C(key_arn) are required.
    required: false

role_name:
    description:
    - Role to allow/deny access. One of C(role_name) or C(role_arn) are required.
    required: false

access_key:
    aliases:
    - aws_access_key_id
    - aws_access_key
    - ec2_access_key
    description:
    - AWS access key ID.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
      may also be used in decreasing order of preference.
    - The I(aws_access_key) and I(profile) options are mutually exclusive.
    - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
      AWS botocore SDK.
    - The I(ec2_access_key) alias has been deprecated and will be removed in a release
      after 2024-12-01.
    - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

aws_config:
    description:
    - A dictionary to modify the botocore configuration.
    - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
    type: dict

secret_key:
    aliases:
    - aws_secret_access_key
    - aws_secret_key
    - ec2_secret_key
    description:
    - AWS secret access key.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
      variables may also be used in decreasing order of preference.
    - The I(secret_key) and I(profile) options are mutually exclusive.
    - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
      the AWS botocore SDK.
    - The I(ec2_secret_key) alias has been deprecated and will be removed in a release
      after 2024-12-01.
    - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
      be removed in a release after 2024-12-01.
    type: str

grant_types:
    description:
    - List of grants to give to user/role. Likely "role,role grant" or "role,role grant,admin".
      Required when C(mode=grant).
    required: false

endpoint_url:
    aliases:
    - ec2_url
    - aws_endpoint_url
    - s3_url
    description:
    - URL to connect to instead of the default AWS endpoints.  While this can be used
      to connection to other AWS-compatible services the amazon.aws and community.aws
      collections are only tested against AWS.
    - The  C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
      order of preference.
    - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
      a release after 2024-12-01.
    - Support for the C(EC2_URL) environment variable has been deprecated and will be
      removed in a release after 2024-12-01.
    type: str

aws_ca_bundle:
    description:
    - The location of a CA Bundle to use when validating SSL certificates.
    - The C(AWS_CA_BUNDLE) environment variable may also be used.
    type: path

session_token:
    aliases:
    - aws_session_token
    - security_token
    - aws_security_token
    - access_token
    description:
    - AWS STS session token for use with temporary credentials.
    - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
    - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
      variables may also be used in decreasing order of preference.
    - The I(security_token) and I(profile) options are mutually exclusive.
    - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
      the parameter being renamed from I(security_token) to I(session_token) in release
      6.0.0.
    - The I(security_token), I(aws_security_token), and I(access_token) aliases have been
      deprecated and will be removed in a release after 2024-12-01.
    - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
      has been deprecated and will be removed in a release after 2024-12-01.
    type: str

validate_certs:
    default: true
    description:
    - When set to C(false), SSL certificates will not be validated for communication with
      the AWS APIs.
    - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
      setting I(aws_ca_bundle) instead.
    type: bool

clean_invalid_entries:
    default: true
    description:
    - If adding/removing a role and invalid grantees are found, remove them. These entries
      will cause an update to fail in all known cases.
    - Only cleans if changes are being made.
    type: bool

debug_botocore_endpoint_logs:
    default: false
    description:
    - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
      API calls made during a task, outputing the set to the resource_actions key in the
      task results. Use the C(aws_resource_action) callback to output to total list made
      during a playbook.
    - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
    type: bool

Outputs

changes_needed:
  description: grant types that would be changed/were changed.
  returned: always
  sample:
    role: add
    role grant: add
  type: dict
had_invalid_entries:
  description: there are invalid (non-ARN) entries in the KMS entry. These don't count
    as a change, but will be removed if any changes are being made.
  returned: always
  type: boolean