Type Name Latest commit message Commit time
lib/hiera/backend/eyaml/encryptors Fix gemspec (#6) Oct 3, 2017
tools Initial commit, plugin based on gtmtechltd/hiera-eyaml-plaintext Aug 26, 2015
Gemfile Fix gemspec (#6) Oct 3, 2017
LICENSE.txt add EC2 Instance Profile note to readme (#12) Nov 11, 2018
Rakefile Initial commit, plugin based on gtmtechltd/hiera-eyaml-plaintext Aug 26, 2015
hiera-eyaml-kms.gemspec Fix gemspec (#6) Oct 3, 2017


This is a plugin encryptor for the hiera-eyaml project (hosted

hiera-eyaml-kms encrypts and decrypts Hiera data using AWS KMS.

AWS KMS is a service that encrypts and decrypts data through API calls. Permissions are controlled by IAM. Read more about AWS KMS.

Using KMS avoids having to expose private keys to decrypt information when running Puppet.


Since this is a plugin for hiera-eyaml, you need to install hiera-eyaml first:

$ gem install hiera-eyaml

You might need to install the aws-sdk for Ruby, with the command:

$ gem install aws-sdk

This plugin uses aws-sdk version 2.


$ gem install hiera-eyaml-kms

Then see the hiera-eyaml documentation for how to use the eyaml tool to encrypt values, and use the 'KMS' encryption_type for values that should be encrypted with this plugin.


This plugin adds 2 options to hiera-eyaml:

--kms-key-id=<s>            KMS Key ID  (default: )
--kms-aws-region=<s>        AWS Region  (default: ap-southeast-2)
--kms-aws-profile=<s>       AWS Profile (default: default)

To avoid passing CLI parameters on every call to eyaml, you can create a config file to set the defaults.

Config files will be read first from /etc/eyaml/config.yaml, then from ~/.eyaml/config.yaml and finally from anything referenced in the EYAML_CONFIG environment variable.


kms_key_id: '00000000-0000-0000-0000-000000000000'
kms_aws_region: 'us-west-1'
kms_aws_profile: 'your-profile'

EC2 Instance Profile:

The aws-sdk will use an EC2 Instance Profile if one is present and an AWS profile is not specified.
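
Because permissions are controlled by IAM, encrypt and decrypt rights on the key can be split between roles. The statements below are an added example, not part of this project: a KMS key policy fragment in which the Puppet server's instance profile role may only decrypt and a role for people who only encrypt new values may only encrypt. It assumes the plugin uses the KMS Encrypt and Decrypt API actions; the account ID 111122223333 and the role names puppet-server and eyaml-authors are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PuppetServerDecryptOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/puppet-server" },
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "EyamlAuthorsEncryptOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/eyaml-authors" },
      "Action": "kms:Encrypt",
      "Resource": "*"
    }
  ]
}
```

In a key policy, "Resource": "*" refers to the key the policy is attached to. Add these statements alongside the key's existing administrative statements rather than replacing them.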

