ansible.builtin.aws_kms_facts (v2.6.20) module: Gather facts about AWS KMS keys
Added in version 2.5 of ansible.builtin. Authors: Will Thames (@willthames). Status: preview, supported by community.
Install with pip: pip install ansible==2.6.20
Gather facts about AWS KMS keys including tags and grants
Examples

# Note: These examples do not set authentication details, see the AWS Guide for details.

# Gather facts about all KMS keys
- aws_kms_facts:

# Gather facts about all keys with a Name tag
- aws_kms_facts:
    filters:
      tag-key: Name

# Gather facts about all keys with a specific name
- aws_kms_facts:
    filters:
      "tag:Name": Example
Parameters

region:
  aliases:
    - aws_region
    - ec2_region
  description:
    - The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
  type: str
filters:
  description:
    - A dict of filters to apply. Each dict item consists of a filter key and a filter value. The filters aren't natively supported by boto3, but are supported to provide similar functionality to other modules. Standard tag filters (C(tag-key), C(tag-value) and C(tag:tagName)) are available, as are C(key-id) and C(alias).
profile:
  aliases:
    - aws_profile
  description:
    - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options.
  type: str
aws_config:
  description:
    - A dictionary to modify the botocore configuration.
    - Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
  type: dict
endpoint_url:
  aliases:
    - ec2_url
    - aws_endpoint_url
    - s3_url
  description:
    - URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.
  type: str
aws_ca_bundle:
  description:
    - The location of a CA Bundle to use when validating SSL certificates.
    - 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied from the controller if not run locally.'
  type: path
aws_access_key:
  aliases:
    - ec2_access_key
    - access_key
  description:
    - C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variable is used.
    - The I(aws_access_key) and I(profile) options are mutually exclusive.
  type: str
aws_secret_key:
  aliases:
    - ec2_secret_key
    - secret_key
  description:
    - C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variable is used.
    - The I(aws_secret_key) and I(profile) options are mutually exclusive.
  type: str
security_token:
  aliases:
    - aws_session_token
    - session_token
    - aws_security_token
    - access_token
  description:
    - C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variable is used.
    - The I(security_token) and I(profile) options are mutually exclusive.
    - Aliases I(aws_session_token) and I(session_token) have been added in version 3.2.0.
  type: str
validate_certs:
  default: true
  description:
    - When set to "no", SSL certificates will not be validated for communication with the AWS APIs.
  type: bool
pending_deletion:
  default: false
  description: Whether to get full details (tags, grants etc.) of keys pending deletion
debug_botocore_endpoint_logs:
  default: 'no'
  description:
    - Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputting the set to the resource_actions key in the task results. Use the aws_resource_action callback to output the total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
  type: bool
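The client-side filtering that the filters option describes, as an added example and not the module's own code: it mirrors the documented filter keys (tag-key, tag-value, tag:tagName, key-id, alias) against records shaped like the module's keys return value. The two sample records are constructed, and AND semantics across filters plus matching key-id against the key ARN as well as the bare ID are assumptions.

```python
# Added example, not the module's own code: client-side matching that mirrors
# the filter keys the module documents (tag-key, tag-value, tag:<Name>,
# key-id, alias) against records shaped like the module's `keys` return
# value. AND semantics across filters and key-id matching the ARN as well as
# the bare ID are assumptions here, as are the two constructed sample records.

# Constructed sample records in the shape of the module's `keys` return value.
SAMPLE_KEYS = [
    {
        "key_id": "abcd1234-abcd-1234-5678-ef1234567890",
        "key_arn": "arn:aws:kms:ap-southeast-2:123456789012:key/"
                   "abcd1234-abcd-1234-5678-ef1234567890",
        "aliases": ["aws/ebs"],
        "key_state": "Enabled",
        "tags": {"Name": "Example", "Purpose": "protecting_stuff"},
    },
    {
        "key_id": "11111111-2222-3333-4444-555555555555",  # constructed
        "key_arn": "arn:aws:kms:ap-southeast-2:123456789012:key/"
                   "11111111-2222-3333-4444-555555555555",
        "aliases": ["app-data"],
        "key_state": "PendingDeletion",
        "tags": {},  # tags come back empty when access is denied
    },
]


def matches_filter(key, name, value):
    """Return True when one filter item (name -> value) matches one key record."""
    tags = key.get("tags") or {}
    if name == "tag-key":
        return value in tags
    if name == "tag-value":
        return value in tags.values()
    if name.startswith("tag:"):
        return tags.get(name[len("tag:"):]) == value
    if name == "key-id":
        # Accept either the bare key ID or the full key ARN (assumption).
        return value in (key.get("key_id"), key.get("key_arn"))
    if name == "alias":
        return value in (key.get("aliases") or [])
    raise ValueError("unsupported filter key: %r" % name)


def filter_keys(keys, filters):
    """Keep only the records that satisfy every filter in the dict (AND)."""
    return [k for k in keys
            if all(matches_filter(k, n, v) for n, v in filters.items())]
```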
Return Values

keys:
  description: list of keys
  returned: always
  type: complex
  contains:
    aliases:
      description: list of aliases associated with the key
      returned: always
      sample:
        - aws/acm
        - aws/ebs
      type: list
    aws_account_id:
      description: The AWS Account ID that the key belongs to
      returned: always
      sample: 1234567890123
      type: str
    creation_date:
      description: Date of creation of the key
      returned: always
      sample: '2017-04-18T15:12:08.551000+10:00'
      type: str
    description:
      description: Description of the key
      returned: always
      sample: My Key for Protecting important stuff
      type: str
    enabled:
      description: Whether the key is enabled. True if C(KeyState) is true.
      returned: always
      sample: false
      type: str
    grants:
      description: list of grants associated with a key
      returned: always
      type: complex
      contains:
        constraints:
          description: Constraints on the encryption context that the grant allows. See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) for further details
          returned: always
          sample:
            encryption_context_equals:
              aws:lambda:_function_arn: arn:aws:lambda:ap-southeast-2:012345678912:function:xyz
          type: dict
        creation_date:
          description: Date of creation of the grant
          returned: always
          sample: '2017-04-18T15:12:08+10:00'
          type: str
        grant_id:
          description: The unique ID for the grant
          returned: always
          sample: abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
          type: str
        grantee_principal:
          description: The principal that receives the grant's permissions
          returned: always
          sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
          type: str
        issuing_account:
          description: The AWS account under which the grant was issued
          returned: always
          sample: arn:aws:iam::01234567890:root
          type: str
        key_id:
          description: The key ARN to which the grant applies.
          returned: always
          sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890
          type: str
        name:
          description: The friendly name that identifies the grant
          returned: always
          sample: xyz
          type: str
        operations:
          description: The list of operations permitted by the grant
          returned: always
          sample:
            - Decrypt
            - RetireGrant
          type: list
        retiring_principal:
          description: The principal that can retire the grant
          returned: always
          sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
          type: str
    key_arn:
      description: ARN of key
      returned: always
      sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890
      type: str
    key_id:
      description: ID of key
      returned: always
      sample: abcd1234-abcd-1234-5678-ef1234567890
      type: str
    key_state:
      description: The state of the key
      returned: always
      sample: PendingDeletion
      type: str
    key_usage:
      description: The cryptographic operations for which you can use the key.
      returned: always
      sample: ENCRYPT_DECRYPT
      type: str
    origin:
      description: The source of the key's key material. When this value is C(AWS_KMS), AWS KMS created the key material. When this value is C(EXTERNAL), the key material was imported or the CMK lacks key material.
      returned: always
      sample: AWS_KMS
      type: str
    policies:
      description: list of policy documents for the keys. Empty when access is denied even if there are policies.
      returned: always
      sample:
        Id: auto-ebs-2
        Statement:
          - Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:CreateGrant
              - kms:DescribeKey
            Condition:
              StringEquals:
                kms:CallerAccount: '111111111111'
                kms:ViaService: ec2.ap-southeast-2.amazonaws.com
            Effect: Allow
            Principal:
              AWS: '*'
            Resource: '*'
            Sid: Allow access through EBS for all principals in the account that are authorized to use EBS
          - Action:
              - kms:Describe*
              - kms:Get*
              - kms:List*
              - kms:RevokeGrant
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::111111111111:root
            Resource: '*'
            Sid: Allow direct access to key metadata to the account
        Version: '2012-10-17'
      type: list
    tags:
      description: dictionary of tags applied to the key. Empty when access is denied even if there are tags.
      returned: always
      sample:
        Name: myKey
        Purpose: protecting_stuff
      type: dict