runway.cfngin.lookups.handlers.kms module

AWS KMS lookup.

class runway.cfngin.lookups.handlers.kms.KmsLookup

Bases: runway.lookups.handlers.base.LookupHandler

AWS KMS lookup.

classmethod handle(value, context=None, provider=None, **kwargs)

Decrypt the specified value with a master key in KMS.


value should be in the following format:

[<region>@]<base64 encrypted value>

The region is the one the KMS key lives in (a single-region key can only decrypt ciphertext in its own region), and the identity running CFNgin needs kms:Decrypt on that key.


# Use the AWS CLI to encrypt the string "PASSWORD" under the master key
# aliased "myKey" in us-east-1. The base64 CiphertextBlob it prints is
# what the lookup takes. (AWS CLI v2 reads --plaintext as base64 by
# default; pass --cli-binary-format raw-in-base64-out to hand it the raw
# string as v1 did.)
$ aws --region us-east-1 kms encrypt --key-id alias/myKey \
        --plaintext "PASSWORD" --output text --query CiphertextBlob

CiD6bC8t2Y<...encrypted blob...>

# With CFNgin we would reference the encrypted value like:
conf_key: ${kms us-east-1@CiD6bC8t2Y<...encrypted blob...>}

You can optionally store the encrypted value in a file, i.e.:

us-east-1@CiD6bC8t2Y<...encrypted blob...>

and reference it within CFNgin (NOTE: the path should be relative to the CFNgin config file):

conf_key: ${kms file://kms_value.txt}

# Both of the above would resolve to
conf_key: PASSWORD
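The following is an added example, not runway's own implementation of KmsLookup, showing how a resolver for the two value forms above (inline `[<region>@]<base64>` and `file://` relative to the config directory) can be written and exercised offline. The function names, the StubKms class and the sample ciphertext bytes are constructed for this example; the only real API it relies on is boto3's `KMS.Client.decrypt(CiphertextBlob=...)`, which `boto3_factory` wires in for actual use.

```python
"""Added example (not runway's own code): resolve a ${kms ...} lookup value.

Parses the ``[<region>@]<base64 encrypted value>`` and ``file://`` forms
the docs describe, then decrypts through an object with boto3's
``KMS.Client.decrypt(CiphertextBlob=...)`` signature. A constructed stub
stands in for KMS so the example runs offline; swap in ``boto3_factory``
for real use.
"""
import base64
import os
import tempfile
from typing import Dict, Optional, Tuple

# Constructed sample: bytes standing in for a real CiphertextBlob, and the
# plaintext the stub returns for it. A real blob is opaque KMS output.
SAMPLE_CIPHERTEXT = b"\x01\x02\x03\x00constructed-ciphertext-bytes"
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(SAMPLE_CIPHERTEXT).decode("ascii")
SAMPLE_PLAINTEXT = b"PASSWORD"


def parse_kms_value(value: str, config_dir: str = ".") -> Tuple[Optional[str], bytes]:
    """Return (region, ciphertext bytes) for a lookup value.

    ``file://<path>`` is read relative to ``config_dir`` (the directory of the
    CFNgin config file) and must itself contain ``[<region>@]<base64>``.
    Region is None when no ``<region>@`` prefix is present. Splitting on the
    first ``@`` is safe because ``@`` is not in the base64 alphabet.
    """
    if value.startswith("file://"):
        path = os.path.join(config_dir, value[len("file://"):])
        with open(path, encoding="utf-8") as fh:
            value = fh.read().strip()
    region: Optional[str] = None
    if "@" in value:
        region, value = value.split("@", 1)
    # validate=True makes stray characters an error instead of silently
    # producing garbage that KMS would then reject with a less useful message.
    ciphertext = base64.b64decode(value, validate=True)
    return region, ciphertext


def resolve_kms_lookup(value, client_factory, config_dir="."):
    """Decrypt a lookup value via a KMS client built for its region."""
    region, ciphertext = parse_kms_value(value, config_dir)
    client = client_factory(region)
    response = client.decrypt(CiphertextBlob=ciphertext)
    return response["Plaintext"].decode("utf-8")


class StubKms:
    """Constructed stand-in for boto3's KMS client (decrypt only)."""

    def __init__(self, region: Optional[str], table: Dict[bytes, bytes]):
        self.region = region
        self._table = table

    def decrypt(self, *, CiphertextBlob: bytes, **_kwargs) -> dict:
        try:
            return {"Plaintext": self._table[CiphertextBlob], "KeyId": "stub"}
        except KeyError:
            # Mirrors KMS rejecting ciphertext it did not produce.
            raise ValueError("InvalidCiphertextException (stub)")


def stub_factory(region: Optional[str]) -> StubKms:
    return StubKms(region, {SAMPLE_CIPHERTEXT: SAMPLE_PLAINTEXT})


def boto3_factory(region: Optional[str]):
    """Real client factory: region None falls back to the SDK's default region."""
    import boto3  # imported lazily so the offline example needs no SDK
    return boto3.client("kms", region_name=region)


def demo() -> Tuple[str, str]:
    """Resolve the inline form and the file:// form against the stub."""
    inline = resolve_kms_lookup(f"us-east-1@{SAMPLE_CIPHERTEXT_B64}", stub_factory)
    with tempfile.TemporaryDirectory() as config_dir:
        with open(os.path.join(config_dir, "kms_value.txt"), "w", encoding="utf-8") as fh:
            fh.write(f"us-east-1@{SAMPLE_CIPHERTEXT_B64}\n")
        from_file = resolve_kms_lookup("file://kms_value.txt", stub_factory, config_dir)
    return inline, from_file


if __name__ == "__main__":
    print(demo())  # ('PASSWORD', 'PASSWORD')
```

Resolving the ciphertext to bytes before the decrypt call, with strict base64 validation, means a mangled value fails locally with a clear error rather than as a rejected KMS request; passing the region through to the client factory is what lets a ciphertext from one region be decrypted against the key that actually produced it.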