author | Will Thames <will@thames.id.au> | 2019-02-13 13:06:58 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-13 13:06:58 +1000 |
commit | 46fbcf08bc1998db821714ad65a2b271e4e74f89 (patch) | |
tree | 774951d7ba00b037ce9de0eaf44bab1fd277161e /hacking | |
parent | 1f3a74c0c82556a3ed435c55b901a6f43d599f8a (diff) | |
download | ansible-46fbcf08bc1998db821714ad65a2b271e4e74f89.tar.gz |
aws_kms enhancements (#31960)
* Allow creation and deletion of keys (deletion just schedules for
deletion, recreating an old key is just cancelling its deletion)
* Allow grants to be set, thus enabling encryption contexts to be
used with keys
* Allow tags to be added and modified
* Add testing for KMS module
* Tidy up aws_kms module to latest standards
Diffstat (limited to 'hacking')
-rw-r--r-- | hacking/aws_config/testing_policies/kms-policy.json | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/hacking/aws_config/testing_policies/kms-policy.json b/hacking/aws_config/testing_policies/kms-policy.json
new file mode 100644
index 0000000000..0ddc760633
--- /dev/null
+++ b/hacking/aws_config/testing_policies/kms-policy.json
@@ -0,0 +1,54 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAccessToUnspecifiedKMSResources",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListRoles",
+ "kms:CancelKeyDeletion",
+ "kms:CreateAlias",
+ "kms:CreateGrant",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:Describe*",
+ "kms:DisableKey",
+ "kms:EnableKey",
+ "kms:GenerateRandom",
+ "kms:Get*",
+ "kms:List*",
+ "kms:RetireGrant",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:UpdateGrant",
+ "kms:UpdateKeyDescription"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
+ },
+ {
+ "Sid": "AllowInstanceProfileCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+ }
+ ]
+}
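Review bot: The first statement (Sid AllowAccessToUnspecifiedKMSResources) grants the destructive actions `kms:ScheduleKeyDeletion`, `kms:DisableKey`, `kms:CreateGrant`, `kms:UpdateGrant` and `kms:DeleteAlias` on `"Resource": "*"`, so a misbehaving test run can disable or schedule deletion of every key in the account, not just the ones the test suite created. Key IDs are generated at creation time so an ARN pattern cannot scope them the way the two IAM statements use `ansible-test-*`, but the destructive actions could be moved into their own statement bounded by a tag condition, e.g. `"Condition": {"StringEquals": {"aws:ResourceTag/<tag-key>": "<tag-value>"}}`, with `kms:TagResource` applied at creation so test keys carry that tag; `<tag-key>`/`<tag-value>` are placeholders to be chosen by the test harness. The presence of `kms:CancelKeyDeletion` and the mandatory pending-deletion window mean a scheduled deletion is recoverable, which reduces but does not remove the risk. A short header comment is not possible in strict JSON, so the policy's intent (the `{{aws_account}}` placeholder must be rendered before the document is a valid policy, and the reason `Resource` is `*` for KMS) would be better recorded in the README that accompanies the testing_policies directory, if one exists.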