runway.cfngin.lookups.handlers.kms module
AWS KMS lookup.
class runway.cfngin.lookups.handlers.kms.KmsLookup
Bases: runway.lookups.handlers.base.LookupHandler
AWS KMS lookup.
classmethod handle(value, context=None, provider=None, **kwargs)
Decrypt the specified value with a master key in KMS.
- Parameters
  - value (str) – Parameter(s) given to this lookup.
  - context (runway.cfngin.context.Context) – Context instance.
  - provider (runway.cfngin.providers.base.BaseProvider) – Provider instance.

value should be in the following format: [<region>@]<base64 encrypted value>
Example

    # We use the aws cli to get the encrypted value for the string
    # "PASSWORD" using the master key called "myKey" in
    # us-east-1
    $ aws --region us-east-1 kms encrypt --key-id alias/myKey \
        --plaintext "PASSWORD" --output text --query CiphertextBlob

    CiD6bC8t2Y<...encrypted blob...>

    # With CFNgin we would reference the encrypted value like:
    conf_key: ${kms us-east-1@CiD6bC8t2Y<...encrypted blob...>}
You can optionally store the encrypted value in a file, i.e.:

    kms_value.txt
    us-east-1@CiD6bC8t2Y<...encrypted blob...>

and reference it within CFNgin (NOTE: the path should be relative to the CFNgin config file):

    conf_key: ${kms file://kms_value.txt}

    # Both of the above would resolve to
    conf_key: PASSWORD
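
An added example, not Runway's own code: a pre-flight parser for the [<region>@]<base64 encrypted value> format described above that also follows file:// references, so a malformed value is caught before any KMS call is made. The function names, the config_dir parameter and the rule that a file:// path must stay inside the config directory are assumptions of this example; decrypt() uses boto3's KMS decrypt call and needs AWS credentials.

```python
import base64
import binascii
from pathlib import Path
from typing import Optional, Tuple


def parse_kms_value(value: str, config_dir: str = ".") -> Tuple[Optional[str], bytes]:
    """Split '[<region>@]<base64 encrypted value>' into (region, ciphertext)."""
    value = value.strip()
    if value.startswith("file://"):
        # The path is taken relative to the directory of the config file.
        base = Path(config_dir).resolve()
        target = (base / value[len("file://"):]).resolve()
        # Assumption of this example: refuse paths that leave that directory.
        if base not in target.parents:
            raise ValueError("file:// path escapes the config directory")
        value = target.read_text().strip()

    # '@' is not in the base64 alphabet, so the first '@' can only be the
    # separator between the optional region and the encrypted blob.
    region, sep, blob = value.partition("@")
    if not sep:
        region, blob = None, value
    elif not region:
        raise ValueError("empty region before '@'")

    try:
        ciphertext = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("encrypted value is not valid base64") from exc
    if not ciphertext:
        raise ValueError("encrypted value is empty")
    return region, ciphertext


def decrypt(region: Optional[str], ciphertext: bytes) -> str:
    """Decrypt with KMS; imported lazily so parsing works without boto3."""
    import boto3

    client = boto3.client("kms", region_name=region)
    return client.decrypt(CiphertextBlob=ciphertext)["Plaintext"].decode()


# Constructed sample: arbitrary bytes standing in for a real CiphertextBlob.
SAMPLE_BLOB = base64.b64encode(b"\x01\x02constructed-ciphertext").decode()
```

A string such as PASSWORD is itself valid base64, so this check catches malformed values but cannot tell a plaintext secret from a ciphertext; only the KMS decrypt call can.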
-
classmethod