Managing AI/ML Service Credentials with AWS KMS

Question

Pulumi · Accepted Answer

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. KMS is integrated with other AWS services making it simple to encrypt data you store in these services and control access to the keys that decrypt it.

When managing AI/ML services and the credentials associated with them, it's important to ensure that your credentials are stored securely. AWS KMS allows you to encrypt your sensitive information, such as API keys or tokens. You can also set precise access controls to these keys to define who can use them under which conditions.

The following Pulumi program demonstrates how to create a new KMS key, set a key policy that defines who can manage and use the key, and finally, how to use an alias for more convenient access to the key in your applications.

Here's a step-by-step guide explaining each part of the Pulumi program in Python:

1. **Importing required modules**: We'll start by importing the `pulumi` and `pulumi_aws` modules.
2. **Creating a KMS Key**: The key is created using `aws.kms.Key`. This object represents a unique key in KMS, which can then be used for encrypting and decrypting your data.
3. **Key Policy**: The policy is an IAM policy document that determines who gets access to the key. It is written in JSON format.
4. **Creating a KMS Alias**: An alias is a friendly name for a KMS key which can make managing keys easier. 
5. **Exporting the Key ARN and Alias**: At the end of the program, we'll export the ARN of the key and the alias name. ARN stands for Amazon Resource Name and is a unique identifier for the key in AWS.

```python
import pulumi
import pulumi_aws as aws

# Create a KMS Key for encrypting data
kms_key = aws.kms.Key("my-kms-key",
                      description="KMS key for AI/ML service credentials",
                      policy="""{
                          "Version": "2012-10-17",
                          "Statement": [
                              {
                                  "Effect": "Allow",
                                  "Principal": {
                                      "AWS": "arn:aws:iam::123456789012:user/MyUser"
                                  },
                                  "Action": "kms:*",
                                  "Resource": "*"
                              }
                          ]
                      }""")

# Creating an Alias for the KMS key
# Aliases allow you to have a friendly name to refer to keys. 
# They are format as `alias/<aliasName>`
kms_key_alias = aws.kms.Alias("my-kms-key-alias",
                              target_key_id=kms_key.id,
                              name=f"alias/myKmsKey")

# Output the Key ARN and Alias name
pulumi.export("kms_key_arn", kms_key.arn)
pulumi.export("kms_key_alias", kms_key_alias.name)
```

In the above program:

- Replace the `"arn:aws:iam::123456789012:user/MyUser"` with the actual ARN of the IAM user you want to grant access to. This line grants the user denoted by the ARN all actions (`"kms:*"`) on all resources (`"Resource": "*"`) for this key.
- If you are managing other principals such as roles or other AWS accounts, modify the principal in the policy accordingly.
- The `name` for the `Alias` (`alias/myKmsKey`) should be unique within your AWS account.

Remember to replace `123456789012` with your AWS account ID and `MyUser` with your actual IAM user.

After you run this program with Pulumi CLI, Pulumi will provision these resources in AWS according to the configuration. The output will be the ARN of the KMS key and the alias assigned to it, which you can then use to reference this key from your application or other AWS services.