{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{{ aws_caller_info.account }}:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "{{ aws_caller_info.arn }}"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "{{ aws_caller_info.arn }}"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "{{ aws_caller_info.arn }}"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}