community / community.aws / 1.1.0 / module / aws_kms_info Gather information about AWS KMS keys | "added in version" 1.0.0 of community.aws" Authors: Will Thames (@willthames)community.aws.aws_kms_info (1.1.0) — module
Install with ansible-galaxy collection install community.aws:==1.1.0
collections: - name: community.aws version: 1.1.0
Gather information about AWS KMS keys including tags and grants
This module was called C(aws_kms_facts) before Ansible 2.9. The usage did not change.
# Note: These examples do not set authentication details, see the AWS Guide for details. # Gather information about all KMS keys - community.aws.aws_kms_info:
# Gather information about all keys with a Name tag - community.aws.aws_kms_info: filters: tag-key: Name
# Gather information about all keys with a specific name - community.aws.aws_kms_info: filters: "tag:Name": Example
region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str filters: description: - A dict of filters to apply. Each dict item consists of a filter key and a filter value. The filters aren't natively supported by boto3, but are supported to provide similar functionality to other modules. Standard tag filters (C(tag-key), C(tag-value) and C(tag:tagName)) are available, as are C(key-id) and C(alias) type: dict profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool pending_deletion: default: false description: Whether to get full details (tags, grants etc.) of keys pending deletion type: bool debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
keys: contains: aliases: description: list of aliases associated with the key returned: always sample: - aws/acm - aws/ebs type: list aws_account_id: description: The AWS Account ID that the key belongs to returned: always sample: 1234567890123 type: str creation_date: description: Date of creation of the key returned: always sample: '2017-04-18T15:12:08.551000+10:00' type: str description: description: Description of the key returned: always sample: My Key for Protecting important stuff type: str enable_key_rotation: description: Whether the automatically key rotation every year is enabled. returned: always sample: false type: bool enabled: description: Whether the key is enabled. True if C(KeyState) is true. returned: always sample: false type: str grants: contains: constraints: description: Constraints on the encryption context that the grant allows. See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) for further details returned: always sample: encryption_context_equals: aws:lambda:_function_arn: arn:aws:lambda:ap-southeast-2:012345678912:function:xyz type: dict creation_date: description: Date of creation of the grant returned: always sample: '2017-04-18T15:12:08+10:00' type: str grant_id: description: The unique ID for the grant returned: always sample: abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234 type: str grantee_principal: description: The principal that receives the grant's permissions returned: always sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz type: str issuing_account: description: The AWS account under which the grant was issued returned: always sample: arn:aws:iam::01234567890:root type: str key_id: description: The key ARN to which the grant applies. returned: always sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890 type: str name: description: The friendly name that identifies the grant returned: always sample: xyz type: str operations: description: The list of operations permitted by the grant returned: always sample: - Decrypt - RetireGrant type: list retiring_principal: description: The principal that can retire the grant returned: always sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz type: str description: list of grants associated with a key returned: always type: complex key_arn: description: ARN of key returned: always sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890 type: str key_id: description: ID of key returned: always sample: abcd1234-abcd-1234-5678-ef1234567890 type: str key_state: description: The state of the key returned: always sample: PendingDeletion type: str key_usage: description: The cryptographic operations for which you can use the key. returned: always sample: ENCRYPT_DECRYPT type: str origin: description: The source of the key's key material. When this value is C(AWS_KMS), AWS KMS created the key material. When this value is C(EXTERNAL), the key material was imported or the CMK lacks key material. returned: always sample: AWS_KMS type: str policies: description: list of policy documents for the keys. Empty when access is denied even if there are policies. returned: always sample: Id: auto-ebs-2 Statement: - Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:CreateGrant - kms:DescribeKey Condition: StringEquals: kms:CallerAccount: '111111111111' kms:ViaService: ec2.ap-southeast-2.amazonaws.com Effect: Allow Principal: AWS: '*' Resource: '*' Sid: Allow access through EBS for all principals in the account that are authorized to use EBS - Action: - kms:Describe* - kms:Get* - kms:List* - kms:RevokeGrant Effect: Allow Principal: AWS: arn:aws:iam::111111111111:root Resource: '*' Sid: Allow direct access to key metadata to the account Version: '2012-10-17' type: list tags: description: dictionary of tags applied to the key. Empty when access is denied even if there are tags. returned: always sample: Name: myKey Purpose: protecting_stuff type: dict description: list of keys returned: always type: complex