Add a KMS Envelope-Encryption Renderer #46155
Conversation
Please rename to aws_kms as kms is too generic.
OK, I did that.
It occurs to me that the main difference between GPG and AWS_KMS is the configuration of a particular
The trick is to make the salt interface generic so you can swap one in and swap another out. Bit like pkg almost does
Updates: I've rewritten some of the code to facilitate testing, tweaked the docblock a bit, renamed the renderer to aws_kms and the config key to aws_kms_data_key and written unit tests.
@kojiromike Can you write some tests for these new files?
@rallytime I did write tests for these new files. Did I miss something?
@kojiromike Oh, you're right. I'm not sure how I missed that. My apologies. It does look like one of them is failing however: https://jenkins.saltstack.com/job/PR/job/salt-pr-rs-cent7-n/16770/. There is also a small lint error: https://jenkins.saltstack.com/job/PR/job/salt-pr-lint-n/19717/violations/file/salt/renderers/aws_kms.py/
@rallytime Oh, thanks, I fixed the whitespace error. When I run the tests locally (
I was able to see the Jenkins error now. I will attempt to reproduce locally and fix.
Whew, that was a bigger task than I thought. Not only was it a legitimate error, but I was clearly letting some library calls slide through the mocks. I realized that I was testing locally with my AWS fully configured. Jenkins was showing a NoRegionError, but it could have been any number of aws configuration errors. Rather than re-invent aws configuration in salt configuration, I only implemented one additional and optional AWS configuration key:
@kojiromike Looks like there's a small lint error here: https://jenkins.saltstack.com/job/PR/job/salt-pr-lint-n/19824/violations/file/salt/renderers/aws_kms.py/
@kojiromike It looks like your new tests are failing on the PY3 builds. Mind taking another look?
Yep, fixed up. Sorry, not used to working in both major versions of Python at the same time. |
re-run py3 |
What does this PR do?
This provides a renderer to decrypt values stored using a KMS data key as per KMS envelope encryption. It is pretty similar to the gpg renderer -- it just uses a different approach to do the actual decryption. This is something that is useful to me. I hope it's useful to others, too.
New Behavior
aws_kms_data_key
.cryptography.fernet
and put them in a sls file to be rendered via the kms renderer provided in this PR.
Notes and sales pitch
This is most useful for salt users already in an AWS environment who need shared secrets stored in pillars and prefer to put them e.g. in Git rather than in S3. With GPG you would need each salt user to have their own key, but encrypted PGP messages get linearly larger with each recipient key. Of course, you could use a single shared GPG key, but then you'd have to figure out how to securely share that key. KMS just handles the securely-sharing keys bit for us.
Tests written?
Yes
Commits signed with GPG?
Yes
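The envelope scheme the description above sketches (a data key wrapped by KMS, pillar values encrypted under that key with cryptography.fernet, only the wrapped key in config), as an added example that is not the PR's code: the KMS side is a constructed in-process stand-in, and the base64 layout of `aws_kms_data_key` and the `gAAAAA` token-prefix check are assumptions, not the renderer's actual behaviour.

```python
import base64
from cryptography.fernet import Fernet, InvalidToken

# Constructed stand-in for AWS KMS: the master key lives only here, as a CMK
# never leaves KMS. Real code calls boto3 kms.decrypt(CiphertextBlob=...)['Plaintext'].
_KMS_MASTER = Fernet(Fernet.generate_key())

def kms_generate_data_key():
    """Return (plaintext data key, KMS-wrapped data key as raw bytes)."""
    plaintext = Fernet.generate_key()
    return plaintext, base64.urlsafe_b64decode(_KMS_MASTER.encrypt(plaintext))

def kms_decrypt(ciphertext_blob):
    """Unwrap a data key; only the master key holder (KMS) can do this."""
    return _KMS_MASTER.decrypt(base64.urlsafe_b64encode(ciphertext_blob))

def render(data, config, unwrap=kms_decrypt):
    """Decrypt Fernet tokens in parsed SLS data using the data key recovered
    from config['aws_kms_data_key'] (assumed base64, since the blob is binary)."""
    wrapped = base64.b64decode(config['aws_kms_data_key'])
    return _walk(data, Fernet(unwrap(wrapped)))

def _walk(node, fernet):
    if isinstance(node, dict):
        return {k: _walk(v, fernet) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, fernet) for v in node]
    # Fernet tokens start 'gAAAAA' (version 0x80 + timestamp); other strings pass through.
    if isinstance(node, str) and node.startswith('gAAAAA'):
        try:
            return fernet.decrypt(node.encode()).decode()
        except InvalidToken:
            # Fail closed: wrong data key or a tampered value, never pass it on.
            raise ValueError('ciphertext does not authenticate under the data key')
    return node

def roundtrip_demo():
    """Constructed sample: encrypt pillar values, keep only the wrapped key, render."""
    data_key, wrapped = kms_generate_data_key()
    f = Fernet(data_key)
    config = {'aws_kms_data_key': base64.b64encode(wrapped).decode()}
    sls = {'db': {'password': f.encrypt(b'hunter2').decode(), 'port': 5432},
           'hosts': ['web1', f.encrypt(b'secret-host').decode()]}
    rendered = render(sls, config)
    try:  # a token under a different data key must be rejected
        render({'x': Fernet(Fernet.generate_key()).encrypt(b'z').decode()}, config)
        rejected = False
    except ValueError:
        rejected = True
    return rendered, rejected
```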