Try SpotterGather information about AWS KMS keys
| "added in version" 1.0.0 of community.aws"
Authors: Will Thames (@willthames)
Install with ansible-galaxy collection install community.aws:==1.1.0
collections:
- name: community.aws
version: 1.1.0Gather information about AWS KMS keys including tags and grants
This module was called C(aws_kms_facts) before Ansible 2.9. The usage did not change.
# Note: These examples do not set authentication details, see the AWS Guide for details. # Gather information about all KMS keys - community.aws.aws_kms_info:
# Gather information about all keys with a Name tag
- community.aws.aws_kms_info:
filters:
tag-key: Name
# Gather information about all keys with a specific name
- community.aws.aws_kms_info:
filters:
"tag:Name": Example
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
filters:
description:
- A dict of filters to apply. Each dict item consists of a filter key and a filter
value. The filters aren't natively supported by boto3, but are supported to provide
similar functionality to other modules. Standard tag filters (C(tag-key), C(tag-value)
and C(tag:tagName)) are available, as are C(key-id) and C(alias)
type: dict
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
pending_deletion:
default: false
description: Whether to get full details (tags, grants etc.) of keys pending deletion
type: bool
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
keys:
contains:
aliases:
description: list of aliases associated with the key
returned: always
sample:
- aws/acm
- aws/ebs
type: list
aws_account_id:
description: The AWS Account ID that the key belongs to
returned: always
sample: 1234567890123
type: str
creation_date:
description: Date of creation of the key
returned: always
sample: '2017-04-18T15:12:08.551000+10:00'
type: str
description:
description: Description of the key
returned: always
sample: My Key for Protecting important stuff
type: str
enable_key_rotation:
description: Whether the automatically key rotation every year is enabled.
returned: always
sample: false
type: bool
enabled:
description: Whether the key is enabled. True if C(KeyState) is true.
returned: always
sample: false
type: str
grants:
contains:
constraints:
description: Constraints on the encryption context that the grant allows.
See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html)
for further details
returned: always
sample:
encryption_context_equals:
aws:lambda:_function_arn: arn:aws:lambda:ap-southeast-2:012345678912:function:xyz
type: dict
creation_date:
description: Date of creation of the grant
returned: always
sample: '2017-04-18T15:12:08+10:00'
type: str
grant_id:
description: The unique ID for the grant
returned: always
sample: abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
type: str
grantee_principal:
description: The principal that receives the grant's permissions
returned: always
sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
type: str
issuing_account:
description: The AWS account under which the grant was issued
returned: always
sample: arn:aws:iam::01234567890:root
type: str
key_id:
description: The key ARN to which the grant applies.
returned: always
sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890
type: str
name:
description: The friendly name that identifies the grant
returned: always
sample: xyz
type: str
operations:
description: The list of operations permitted by the grant
returned: always
sample:
- Decrypt
- RetireGrant
type: list
retiring_principal:
description: The principal that can retire the grant
returned: always
sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
type: str
description: list of grants associated with a key
returned: always
type: complex
key_arn:
description: ARN of key
returned: always
sample: arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890
type: str
key_id:
description: ID of key
returned: always
sample: abcd1234-abcd-1234-5678-ef1234567890
type: str
key_state:
description: The state of the key
returned: always
sample: PendingDeletion
type: str
key_usage:
description: The cryptographic operations for which you can use the key.
returned: always
sample: ENCRYPT_DECRYPT
type: str
origin:
description: The source of the key's key material. When this value is C(AWS_KMS),
AWS KMS created the key material. When this value is C(EXTERNAL), the key
material was imported or the CMK lacks key material.
returned: always
sample: AWS_KMS
type: str
policies:
description: list of policy documents for the keys. Empty when access is denied
even if there are policies.
returned: always
sample:
Id: auto-ebs-2
Statement:
- Action:
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey*
- kms:CreateGrant
- kms:DescribeKey
Condition:
StringEquals:
kms:CallerAccount: '111111111111'
kms:ViaService: ec2.ap-southeast-2.amazonaws.com
Effect: Allow
Principal:
AWS: '*'
Resource: '*'
Sid: Allow access through EBS for all principals in the account that are
authorized to use EBS
- Action:
- kms:Describe*
- kms:Get*
- kms:List*
- kms:RevokeGrant
Effect: Allow
Principal:
AWS: arn:aws:iam::111111111111:root
Resource: '*'
Sid: Allow direct access to key metadata to the account
Version: '2012-10-17'
type: list
tags:
description: dictionary of tags applied to the key. Empty when access is denied
even if there are tags.
returned: always
sample:
Name: myKey
Purpose: protecting_stuff
type: dict
description: list of keys
returned: always
type: complex