runway.cfngin.lookups.handlers.kms module¶

AWS KMS lookup.

class runway.cfngin.lookups.handlers.kms.KmsLookup[source]¶

Bases: runway.lookups.handlers.base.LookupHandler

AWS KMS lookup.

classmethod handle(value, context=None, provider=None, **kwargs)[source]¶

Decrypt the specified value with a master key in KMS.

Parameters

value (str) – Parameter(s) given to this lookup.
context (runway.cfngin.context.Context) – Context instance.
provider (runway.cfngin.providers.base.BaseProvider) – Provider instance.

value should be in the following format:

[<region>@]<base64 encrypted value>

Example

# We use the aws cli to get the encrypted value for the string
# "PASSWORD" using the master key called "myKey" in
# us-east-1
$ aws --region us-east-1 kms encrypt --key-id alias/myKey \
        --plaintext "PASSWORD" --output text --query CiphertextBlob

CiD6bC8t2Y<...encrypted blob...>

# With CFNgin we would reference the encrypted value like:
conf_key: ${kms us-east-1@CiD6bC8t2Y<...encrypted blob...>}

You can optionally store the encrypted value in a file, ie:

kms_value.txt
us-east-1@CiD6bC8t2Y<...encrypted blob...>

and reference it within CFNgin (NOTE: the path should be relative to the CFNgin config file):

conf_key: ${kms file://kms_value.txt}

# Both of the above would resolve to
conf_key: PASSWORD