This Gist shows how you can encrypt/decrypt variables with KMS during your Ansible playbook execution. While searching Google I couldn't find anything useful on the subject.
Let's say your project has a folder of playbooks called `plays`. In that folder, create a folder called `filter_plugins` and insert `kms_filters.py` (included in this gist):

```
plays/
├── filter_plugins
│   └── kms_filters.py
├── play1.yml
├── play2.yml
```
Ansible automatically imports any plugins found and makes them available to your playbooks. The example below shows how you can use the filters.
```yaml
# play.yml
---
- hosts: localhost
  connection: local
  vars:
    kms_key: arn:aws:kms:us-east-1:xxxxxxxxxxxx:key/c21ca336-c9ed-5765-ad5f-fc941a5192ca
  tasks:
    - name: kms encrypt
      debug:
        msg: "{{ 'hello' | kms_encrypt(kms_key) }}"
    - name: kms decrypt
      debug:
        msg: "{{ 'Some base64 encoded Ciphertext Blob' | kms_decrypt }}"
```
For this to work you must have one of the following:

- the awscli is configured on your machine (so boto can automatically pick up your AWS credentials), OR
- you're running this on an EC2 instance that has the appropriate permissions to access KMS.
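Since the gist's `kms_filters.py` is not shown above, here is an added example of how such a filter plugin can be written with boto3 (example code, not the gist's own file). It assumes boto3 is installed where Ansible runs; the `client` parameter and the `FakeKMS` class are additions so the filters can be exercised offline, and `expected_key_id` is an added check that a blob was really produced under the key you expect.

```python
# kms_filters.py -- added example of the plugin the gist describes (not the
# gist's own file); FakeKMS is a constructed stand-in for offline testing.
import base64

try:
    import boto3
except ImportError:  # Ansible plugins should fail at use time, not import time
    boto3 = None


def _kms_client():
    if boto3 is None:
        raise ImportError("boto3 is required for the kms_encrypt/kms_decrypt filters")
    return boto3.client("kms")


def kms_encrypt(plaintext, key_id, client=None):
    """Encrypt a string under the given KMS key; return the blob as base64 text."""
    if isinstance(plaintext, str):
        plaintext = plaintext.encode("utf-8")
    resp = (client or _kms_client()).encrypt(KeyId=key_id, Plaintext=plaintext)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def kms_decrypt(ciphertext_b64, expected_key_id=None, client=None):
    """Decrypt a base64 blob from kms_encrypt and return the plaintext string."""
    blob = base64.b64decode(ciphertext_b64)
    resp = (client or _kms_client()).decrypt(CiphertextBlob=blob)
    # KMS reports which key produced the blob; rejecting a mismatch stops a
    # substituted blob (encrypted under some other key) from being accepted.
    if expected_key_id is not None and resp["KeyId"] != expected_key_id:
        raise ValueError("blob encrypted under %s, expected %s"
                         % (resp["KeyId"], expected_key_id))
    return resp["Plaintext"].decode("utf-8")


class FilterModule(object):
    """Ansible discovers this class and registers the filters it returns."""
    def filters(self):
        return {"kms_encrypt": kms_encrypt, "kms_decrypt": kms_decrypt}


class FakeKMS(object):
    """Constructed offline stand-in for boto3's KMS client. NOT encryption: it only tags the bytes with the key ARN."""
    def encrypt(self, KeyId, Plaintext):
        return {"KeyId": KeyId, "CiphertextBlob": KeyId.encode() + b"\x00" + Plaintext}

    def decrypt(self, CiphertextBlob):
        key_id, plaintext = CiphertextBlob.split(b"\x00", 1)
        return {"KeyId": key_id.decode(), "Plaintext": plaintext}
```

Because `debug` prints its message, the encrypt task in the play above echoes both the plaintext and the blob into the play output; put `no_log: true` on tasks that handle secrets.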
Anyone get this error (or similar) when trying to use this?
```
FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <type 'exceptions.UnicodeDecodeError'>, original message: 'utf8' codec can't decode byte 0x8d in position 5: invalid start byte"}
```