
How do I configure an AWS KMS key with Pulumi?

To configure an AWS KMS key using Pulumi, you create an instance of the aws.kms.Key resource. This resource manages a KMS key in AWS Key Management Service (KMS): the key itself, its key policy, and settings such as automatic rotation. You can use this key to encrypt and decrypt data, generate data keys, and control who can use the key.

Below is a Pulumi program written in TypeScript that demonstrates how to create an AWS KMS key with a specific policy and description. The key will also have key rotation enabled.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Define the policy for the KMS key
const keyPolicy = JSON.stringify({
    Version: "2012-10-17",
    Statement: [
        {
            // Delegates access decisions to IAM policies in this account.
            // The principal must be the account root, not "*": a wildcard
            // principal here would make the key usable from any AWS account.
            Sid: "Enable IAM User Permissions",
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:root"
            },
            Action: "kms:*",
            Resource: "*"
        },
        {
            Sid: "Allow access for Key Administrators",
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:role/KeyAdminRole"
            },
            Action: [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            Resource: "*"
        },
        {
            Sid: "Allow use of the key",
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:user/KeyUser"
            },
            Action: [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            Resource: "*"
        },
        {
            Sid: "Allow attachment of persistent resources",
            Effect: "Allow",
            Principal: {
                AWS: "arn:aws:iam::123456789012:user/KeyUser"
            },
            Action: [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            Resource: "*",
            Condition: {
                Bool: {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
});

// Create the KMS key with the policy above; automatic rotation replaces the
// key material periodically without changing the key's ARN
const kmsKey = new aws.kms.Key("myKmsKey", {
    description: "My KMS Key for encrypting data",
    policy: keyPolicy,
    enableKeyRotation: true
});

// Export the ARN of the KMS key
export const kmsKeyArn = kmsKey.arn;

In this program, we define a KMS key policy that grants different permission sets to different IAM principals: the account root (so IAM policies in the account apply), a key administrator role that manages the key but cannot use it, and a user that can use the key but not administer it. We then create a KMS key with a description and enable key rotation. Finally, we export the ARN of the KMS key.

By following this guide, you have configured an AWS KMS key using Pulumi that can be used to encrypt and decrypt data, with access scoped by its key policy.
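The policy above is hand-written JSON, so a wildcard principal is easy to introduce by accident. The helpers below are an added example, not code from the page or from Pulumi: they build the same key policy from an account id and principal names, and lint it for unconditioned `"*"` principals before it is handed to `aws.kms.Key` as the `policy` argument. The account id, role name and user name are caller-supplied placeholders, and nothing Pulumi-specific is imported, so the helpers run stand-alone.

```typescript
// Added example: typed key-policy builder and a lint check for wildcard
// principals; not part of the original page or of the Pulumi provider.
type Statement = {
    Sid?: string;
    Effect: "Allow" | "Deny";
    Principal: "*" | { AWS: string | string[] };
    Action: string | string[];
    Resource: string | string[];
    Condition?: Record<string, Record<string, string>>;
};
export type KeyPolicy = { Version: "2012-10-17"; Statement: Statement[] };

// Canonical shape: the account root statement delegates to IAM policies in
// that account, admins manage the key, users only encrypt and decrypt.
export function buildKeyPolicy(accountId: string, adminRole: string, user: string): KeyPolicy {
    const acct = `arn:aws:iam::${accountId}`;
    return { Version: "2012-10-17", Statement: [
        { Sid: "Enable IAM User Permissions", Effect: "Allow",
          Principal: { AWS: `${acct}:root` }, Action: "kms:*", Resource: "*" },
        { Sid: "Allow access for Key Administrators", Effect: "Allow",
          Principal: { AWS: `${acct}:role/${adminRole}` }, Resource: "*",
          Action: ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                   "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                   "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource"] },
        { Sid: "Allow use of the key", Effect: "Allow",
          Principal: { AWS: `${acct}:user/${user}` }, Resource: "*",
          Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"] },
    ] };
}

// Sids of Allow statements with a bare "*" principal and no Condition: such
// a statement makes the key usable from any AWS account.
export function findWildcardPrincipals(policy: KeyPolicy): string[] {
    return policy.Statement
        .filter(s => s.Effect === "Allow" && s.Condition === undefined)
        .filter(s => {
            if (s.Principal === "*") return true;
            const aws = s.Principal.AWS;
            return (Array.isArray(aws) ? aws : [aws]).includes("*");
        })
        .map(s => s.Sid ?? "<no Sid>");
}

// JSON for aws.kms.Key's `policy` argument; refuses a policy with findings.
export function policyJson(policy: KeyPolicy): string {
    const bad = findWildcardPrincipals(policy);
    if (bad.length > 0) throw new Error(`wildcard principal in: ${bad.join(", ")}`);
    return JSON.stringify(policy);
}
```

In the Pulumi program, `policy: policyJson(buildKeyPolicy("123456789012", "KeyAdminRole", "KeyUser"))` replaces the hand-written `keyPolicy` string, so a preview fails before an over-permissive key is ever created.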
