AWS KMS encryptor for use with hiera-eyaml
 Project Readme

hiera-eyaml-kms

This is a plugin encryptor for the hiera-eyaml project (hosted at https://github.com/TomPoulton/hiera-eyaml/).

hiera-eyaml-kms encrypts and decrypts Hiera data using AWS KMS.

AWS KMS is a service that encrypts and decrypts data through API calls. Permissions are controlled by IAM. Read more about AWS KMS.

Using KMS avoids having to expose private keys to decrypt information when running Puppet.

Requirements

Since this is a plugin for hiera-eyaml, you need to install it first:

$ gem install hiera-eyaml

You might need to install the aws-sdk for ruby, with the command:

$ gem install aws-sdk

This plugin uses aws-sdk version 2.

Installation

$ gem install hiera-eyaml-kms

Then see the hiera-eyaml documentation for how to encrypt values with the eyaml tool, and use the 'KMS' encryption_type for values that should be encrypted with this plugin.

Configuration

This plugin adds 2 options to hiera-eyaml:

--kms-key-id=<s>            KMS Key ID  (default: )

To avoid passing CLI parameters every call to eyaml, you can create a config file to set the defaults.

Config files are read first from /etc/eyaml/config.yaml, then from ~/.eyaml/config.yaml, and finally from any file referenced in the EYAML_CONFIG environment variable.

Example:

---
kms_key_id: '00000000-0000-0000-0000-000000000000'
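The precedence order above matters in practice: a kms_key_id set in a user's ~/.eyaml/config.yaml silently overrides the system-wide one, and a key id with a typo is only discovered when eyaml calls KMS. The following Ruby is an added illustration (not hiera-eyaml's or this plugin's own loader) of resolving those files in the stated order and sanity-checking the key id before use. It assumes a shallow key-by-key merge, which is what "first ... then ... finally" implies, and the key-id forms it accepts (bare key id, key ARN, alias name, alias ARN) are the forms the KMS Encrypt API accepts; the sample config contents and alias name are constructed for the demo.

```ruby
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Paths hiera-eyaml consults, in the order the README gives them.
# `env` and `home` are injectable so the lookup can be tested without touching the real machine.
def eyaml_config_paths(env: {}, home: '/root')
  paths = ['/etc/eyaml/config.yaml', File.join(home, '.eyaml', 'config.yaml')]
  extra = env['EYAML_CONFIG']
  paths << extra if extra && !extra.empty?
  paths
end

# Read each existing file in turn; a key set in a later file overrides the earlier one.
# Assumption: a shallow key-by-key merge. safe_load keeps a hostile config file from
# instantiating arbitrary Ruby objects.
def load_eyaml_config(paths)
  paths.each_with_object({}) do |path, merged|
    next unless File.file?(path)
    data = YAML.safe_load(File.read(path)) || {}
    raise "#{path}: expected a YAML mapping at top level" unless data.is_a?(Hash)
    merged.merge!(data)
  end
end

# Accept only the identifier forms the KMS Encrypt API takes: a bare key id (UUID),
# a key ARN, an alias ARN, or an alias name. Patterns are written for this example.
KMS_KEY_ID_PATTERNS = [
  /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i,
  %r{\Aarn:aws[\w-]*:kms:[a-z0-9-]+:\d{12}:(key/[0-9a-f-]+|alias/[\w/-]+)\z}i,
  %r{\Aalias/[\w/-]+\z}
].freeze

def kms_key_id_valid?(value)
  value.is_a?(String) && KMS_KEY_ID_PATTERNS.any? { |re| re.match?(value) }
end

# Resolve the config and fail early if kms_key_id is missing or malformed.
def resolve_kms_key_id(paths)
  key_id = load_eyaml_config(paths)['kms_key_id']
  raise 'kms_key_id is not set in any eyaml config file' if key_id.nil?
  raise "kms_key_id #{key_id.inspect} is not a KMS key id, key ARN or alias" unless kms_key_id_valid?(key_id)
  key_id
end

# Demonstration: a system-wide file and a user file in a temp dir, plus one path that
# does not exist; the user file's value wins because it is read later.
def demo_precedence
  Dir.mktmpdir do |dir|
    system_cfg = File.join(dir, 'etc', 'config.yaml')
    user_cfg = File.join(dir, 'home', '.eyaml', 'config.yaml')
    FileUtils.mkdir_p(File.dirname(system_cfg))
    FileUtils.mkdir_p(File.dirname(user_cfg))
    # constructed sample contents; the alias name is made up for this example
    File.write(system_cfg, "---\nkms_key_id: '00000000-0000-0000-0000-000000000000'\n")
    File.write(user_cfg, "---\nkms_key_id: 'alias/puppet-eyaml'\n")
    resolve_kms_key_id([system_cfg, user_cfg, File.join(dir, 'missing.yaml')])
  end
end

puts "effective kms_key_id: #{demo_precedence}" if __FILE__ == $PROGRAM_NAME
```

Running the file prints the alias from the user-level file, showing that the later file overrides the earlier one; point `eyaml_config_paths` at real `ENV` and `Dir.home` to reproduce the lookup eyaml performs on a host.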

EC2 Instance Profile:

The aws-sdk will use an EC2 Instance Profile if one is present and an AWS profile is not specified.

Authors