A CloudFormation custom resource provider for creating KMS grants
Latest commit 8ef1c55 Jan 17, 2020

cfn-kms-provider

A CloudFormation custom resource provider for creating KMS grants.

How do I create a KMS grant?

It is quite easy: you specify a CloudFormation resource of type Custom::KMSGrant, as follows:

KMSGrant:
  Type: Custom::KMSGrant
  Properties:
    KeyId: !GetAtt EncryptionKey.Arn
    GranteePrincipal: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
    Operations:
      - 'Encrypt'
      - 'Decrypt'
      - 'ReEncryptFrom'
      - 'ReEncryptTo'
      - 'GenerateDataKey'
      - 'GenerateDataKeyWithoutPlaintext'
      - 'DescribeKey'
      - 'CreateGrant'
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-kms-provider'

It returns the GrantId and the GrantToken as attributes (available through !GetAtt). Referencing the resource with !Ref returns the grant id.
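To show what a provider has to do with those properties, here is an added example of a minimal Custom::KMSGrant handler; it is not the project's own code. It assumes a boto3-compatible KMS client exposing create_grant and revoke_grant (injectable, so it runs offline), and it omits the PUT of the returned dict to event["ResponseURL"] that a real Lambda must perform.

```python
"""Added example, not the provider's own code: a minimal Custom::KMSGrant handler.
The KMS client is injectable so the logic can run offline; a real Lambda must also
PUT the returned dict to event["ResponseURL"], which is omitted here."""

# Grant operations KMS accepts for CreateGrant (the subset this example checks).
VALID_OPERATIONS = frozenset({
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey",
    "CreateGrant", "RetireGrant", "DescribeKey"})


def validate(props):
    """Reject a malformed grant request before it reaches KMS."""
    for required in ("KeyId", "GranteePrincipal", "Operations"):
        if not props.get(required):
            raise ValueError(f"missing required property {required}")
    bad = set(props["Operations"]) - VALID_OPERATIONS
    if bad:
        raise ValueError(f"unsupported grant operations: {sorted(bad)}")


def handler(event, context=None, kms=None):
    """Create a grant on Create/Update, revoke it on Delete; return the CFN response."""
    if kms is None:
        import boto3  # only needed when running inside Lambda
        kms = boto3.client("kms")
    props, physical_id = event["ResourceProperties"], event.get("PhysicalResourceId")
    try:
        if event["RequestType"] == "Delete":
            # A failed Create carries a placeholder id; there is nothing to revoke then.
            if physical_id != "grant-not-created":
                kms.revoke_grant(KeyId=props["KeyId"], GrantId=physical_id)
            return {"Status": "SUCCESS", "PhysicalResourceId": physical_id}
        validate(props)  # Create and Update both issue a fresh grant
        result = kms.create_grant(KeyId=props["KeyId"],
                                  GranteePrincipal=props["GranteePrincipal"],
                                  Operations=list(props["Operations"]))
        # Physical id = grant id, so !Ref on the resource yields the grant id
        # and an Update that changes it makes CloudFormation Delete the old grant.
        return {"Status": "SUCCESS", "PhysicalResourceId": result["GrantId"],
                "Data": {"GrantId": result["GrantId"], "GrantToken": result["GrantToken"]}}
    except Exception as exc:  # CloudFormation needs FAILED, not an unhandled exception
        return {"Status": "FAILED", "Reason": str(exc),
                "PhysicalResourceId": physical_id or "grant-not-created"}
```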

Installation

To install this custom resource, type:

aws cloudformation deploy \
	--capabilities CAPABILITY_IAM \
	--stack-name cfn-kms-provider \
	--template-file ./cloudformation/cfn-kms-provider.yaml

This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-kms-provider-0.1.1.zip.

Demo

To install the simple sample of the Custom Resource, type:

aws cloudformation deploy --stack-name cfn-kms-provider-demo \
	--template-file ./cloudformation/demo-stack.json