aws.kms.Key
Manages a single-Region or multi-Region primary KMS key.
NOTE on KMS Key Policy: the KMS key policy can be configured either in the standalone resource `aws.kms.KeyPolicy` or with the `policy` parameter of this resource. Configuring both will cause inconsistencies and may overwrite configuration.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Declare a KMS key named "a" with a 10-day deletion waiting period.
// Arguments not given here (enableKeyRotation, policy, ...) fall back to the
// provider defaults listed under "Inputs" on this page.
const keyArgs: aws.kms.KeyArgs = {
    deletionWindowInDays: 10,
    description: "KMS key 1",
};
const a = new aws.kms.Key("a", keyArgs);
import pulumi
import pulumi_aws as aws
# Declare a KMS key named "a" with a 10-day deletion waiting period.
# Arguments not given here (enable_key_rotation, policy, ...) fall back to the
# provider defaults listed under "Inputs" on this page.
key_args = {
    "deletion_window_in_days": 10,
    "description": "KMS key 1",
}
a = aws.kms.Key("a", **key_args)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Declare a KMS key named "a" with a 10-day deletion waiting period.
		// Only Description and DeletionWindowInDays are set; every other
		// argument keeps its provider default (notably EnableKeyRotation,
		// which defaults to false, and Policy, which when unset receives the
		// AWS default key policy that delegates access control to IAM).
		_, err := kms.NewKey(ctx, "a", &kms.KeyArgs{
			Description:          pulumi.String("KMS key 1"),
			DeletionWindowInDays: pulumi.Int(10),
		})
		// A non-nil error aborts the deployment; nil means the key was declared.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Declare a KMS key named "a" with a 10-day deletion waiting period.
    // Arguments not given here (EnableKeyRotation, Policy, ...) fall back to
    // the provider defaults listed under "Inputs" on this page.
    var keyArgs = new Aws.Kms.KeyArgs
    {
        DeletionWindowInDays = 10,
        Description = "KMS key 1",
    };
    var a = new Aws.Kms.Key("a", keyArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a KMS key named "a" with a 10-day deletion waiting period.
     * Arguments not given here (enableKeyRotation, policy, ...) fall back to
     * the provider defaults listed under "Inputs" on this page.
     */
    public static void stack(Context ctx) {
        KeyArgs keyArgs = KeyArgs.builder()
            .deletionWindowInDays(10)
            .description("KMS key 1")
            .build();
        var a = new Key("a", keyArgs);
    }
}
resources:
  a:
    type: aws:kms:Key
    properties:
      description: KMS key 1
      # Waiting period before AWS KMS deletes the key: 7-30 days, default 30.
      # Unset properties (enableKeyRotation, policy, ...) keep provider defaults.
      deletionWindowInDays: 10
Create Key Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Key(name: string, args?: KeyArgs, opts?: CustomResourceOptions);
@overload
def Key(resource_name: str,
args: Optional[KeyArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def Key(resource_name: str,
opts: Optional[ResourceOptions] = None,
bypass_policy_lockout_safety_check: Optional[bool] = None,
custom_key_store_id: Optional[str] = None,
customer_master_key_spec: Optional[str] = None,
deletion_window_in_days: Optional[int] = None,
description: Optional[str] = None,
enable_key_rotation: Optional[bool] = None,
is_enabled: Optional[bool] = None,
key_usage: Optional[str] = None,
multi_region: Optional[bool] = None,
policy: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
xks_key_id: Optional[str] = None)
func NewKey(ctx *Context, name string, args *KeyArgs, opts ...ResourceOption) (*Key, error)
public Key(string name, KeyArgs? args = null, CustomResourceOptions? opts = null)
type: aws:kms:Key
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
// Reference example: every input is set to a placeholder value; it is not a
// recommended configuration.
var keyResource = new Aws.Kms.Key("keyResource", new()
{
    // Leave false unless the key-policy lockout scenario is understood;
    // true increases the risk that the key becomes unmanageable.
    BypassPolicyLockoutSafetyCheck = false,
    CustomKeyStoreId = "string",
    // One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
    CustomerMasterKeySpec = "string",
    // Placeholder only: a real value must be 7-30 (default 30).
    DeletionWindowInDays = 0,
    Description = "string",
    // Defaults to false when omitted.
    EnableKeyRotation = false,
    IsEnabled = false,
    // ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
    KeyUsage = "string",
    MultiRegion = false,
    // Key policy JSON; when omitted AWS applies the default key policy,
    // which delegates access control to IAM policies and KMS grants.
    Policy = "string",
    Tags =
    {
        { "string", "string" },
    },
    XksKeyId = "string",
});
// Reference example: every input is set to a placeholder value; it is not a
// recommended configuration.
example, err := kms.NewKey(ctx, "keyResource", &kms.KeyArgs{
	// Leave false unless the key-policy lockout scenario is understood;
	// true increases the risk that the key becomes unmanageable.
	BypassPolicyLockoutSafetyCheck: pulumi.Bool(false),
	CustomKeyStoreId:               pulumi.String("string"),
	// One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
	CustomerMasterKeySpec: pulumi.String("string"),
	// Placeholder only: a real value must be 7-30 (default 30).
	DeletionWindowInDays: pulumi.Int(0),
	Description:          pulumi.String("string"),
	// Defaults to false when omitted.
	EnableKeyRotation: pulumi.Bool(false),
	IsEnabled:         pulumi.Bool(false),
	// ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
	KeyUsage:    pulumi.String("string"),
	MultiRegion: pulumi.Bool(false),
	// Key policy JSON; when omitted AWS applies the default key policy,
	// which delegates access control to IAM policies and KMS grants.
	Policy: pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	XksKeyId: pulumi.String("string"),
})
// Reference example: every input is set to a placeholder value; it is not a
// recommended configuration.
var keyResource = new Key("keyResource", KeyArgs.builder()
    // Leave false unless the key-policy lockout scenario is understood;
    // true increases the risk that the key becomes unmanageable.
    .bypassPolicyLockoutSafetyCheck(false)
    .customKeyStoreId("string")
    // One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
    .customerMasterKeySpec("string")
    // Placeholder only: a real value must be 7-30 (default 30).
    .deletionWindowInDays(0)
    .description("string")
    // Defaults to false when omitted.
    .enableKeyRotation(false)
    .isEnabled(false)
    // ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
    .keyUsage("string")
    .multiRegion(false)
    // Key policy JSON; when omitted AWS applies the default key policy,
    // which delegates access control to IAM policies and KMS grants.
    .policy("string")
    .tags(Map.of("string", "string"))
    .xksKeyId("string")
    .build());
# Reference example: every input is set to a placeholder value; it is not a
# recommended configuration.
key_resource = aws.kms.Key("keyResource",
    # Leave False unless the key-policy lockout scenario is understood;
    # True increases the risk that the key becomes unmanageable.
    bypass_policy_lockout_safety_check=False,
    custom_key_store_id="string",
    # One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
    customer_master_key_spec="string",
    # Placeholder only: a real value must be 7-30 (default 30).
    deletion_window_in_days=0,
    description="string",
    # Defaults to False when omitted.
    enable_key_rotation=False,
    is_enabled=False,
    # ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
    key_usage="string",
    multi_region=False,
    # Key policy JSON; when omitted AWS applies the default key policy,
    # which delegates access control to IAM policies and KMS grants.
    policy="string",
    tags={
        "string": "string",
    },
    xks_key_id="string")
// Reference example: every input is set to a placeholder value; it is not a
// recommended configuration.
const keyResource = new aws.kms.Key("keyResource", {
    // Leave false unless the key-policy lockout scenario is understood;
    // true increases the risk that the key becomes unmanageable.
    bypassPolicyLockoutSafetyCheck: false,
    customKeyStoreId: "string",
    // One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
    customerMasterKeySpec: "string",
    // Placeholder only: a real value must be 7-30 (default 30).
    deletionWindowInDays: 0,
    description: "string",
    // Defaults to false when omitted.
    enableKeyRotation: false,
    isEnabled: false,
    // ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
    keyUsage: "string",
    multiRegion: false,
    // Key policy JSON; when omitted AWS applies the default key policy,
    // which delegates access control to IAM policies and KMS grants.
    policy: "string",
    tags: {
        string: "string",
    },
    xksKeyId: "string",
});
# Reference example: every input is set to a placeholder value; it is not a
# recommended configuration.
type: aws:kms:Key
properties:
  # Leave false unless the key-policy lockout scenario is understood;
  # true increases the risk that the key becomes unmanageable.
  bypassPolicyLockoutSafetyCheck: false
  customKeyStoreId: string
  # One of SYMMETRIC_DEFAULT, RSA_*, HMAC_256, ECC_*; see Inputs.
  customerMasterKeySpec: string
  # Placeholder only: a real value must be 7-30 (default 30).
  deletionWindowInDays: 0
  description: string
  # Defaults to false when omitted.
  enableKeyRotation: false
  isEnabled: false
  # ENCRYPT_DECRYPT, SIGN_VERIFY or GENERATE_VERIFY_MAC.
  keyUsage: string
  multiRegion: false
  # Key policy JSON; when omitted AWS applies the default key policy,
  # which delegates access control to IAM policies and KMS grants.
  policy: string
  tags:
    string: string
  xksKeyId: string
Key Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Key resource accepts the following input properties:
- BypassPolicyLockoutSafetyCheck bool - A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is `false`.
- CustomKeyStoreId string - ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- CustomerMasterKeySpec string - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the AWS KMS Developer Guide.
- DeletionWindowInDays int - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- Description string - The description of the key as viewed in the AWS console.
- EnableKeyRotation bool - Specifies whether key rotation is enabled. Defaults to `false`.
- IsEnabled bool - Specifies whether the key is enabled. Defaults to `true`.
- KeyUsage string - Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.
- MultiRegion bool - Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
- Policy string - A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws.iam.getPolicyDocument`, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Tags Dictionary<string, string> - A map of tags to assign to the object. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- XksKeyId string - Identifies the external key that serves as key material for the KMS key in an external key store.
- BypassPolicyLockoutSafetyCheck bool - A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is `false`.
- CustomKeyStoreId string - ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- CustomerMasterKeySpec string - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `HMAC_256`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. Defaults to `SYMMETRIC_DEFAULT`. For help with choosing a key spec, see the AWS KMS Developer Guide.
- DeletionWindowInDays int - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between `7` and `30`, inclusive. If you do not specify a value, it defaults to `30`. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- Description string - The description of the key as viewed in the AWS console.
- EnableKeyRotation bool - Specifies whether key rotation is enabled. Defaults to `false`.
- IsEnabled bool - Specifies whether the key is enabled. Defaults to `true`.
- KeyUsage string - Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `GENERATE_VERIFY_MAC`. Defaults to `ENCRYPT_DECRYPT`.
- MultiRegion bool - Indicates whether the KMS key is a multi-Region (`true`) or regional (`false`) key. Defaults to `false`.
- Policy string - A valid policy JSON document. Although this is a key policy, not an IAM policy, an `aws.iam.getPolicyDocument`, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Tags map[string]string - A map of tags to assign to the object. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- XksKeyId string - Identifies the external key that serves as key material for the KMS key in an external key store.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - custom
Key StringStore Id - ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
- customer
Master StringKey Spec - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
Valid values:
SYMMETRIC_DEFAULT
,RSA_2048
,RSA_3072
,RSA_4096
,HMAC_256
,ECC_NIST_P256
,ECC_NIST_P384
,ECC_NIST_P521
, orECC_SECG_P256K1
. Defaults toSYMMETRIC_DEFAULT
. For help with choosing a key spec, see the AWS KMS Developer Guide. - deletion
Window IntegerIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately. - description String
- The description of the key as viewed in AWS console.
- enable
Key BooleanRotation - Specifies whether key rotation is enabled. Defaults to
false
. - is
Enabled Boolean - Specifies whether the key is enabled. Defaults to
true
. - key
Usage String - Specifies the intended use of the key. Valid values:
ENCRYPT_DECRYPT
,SIGN_VERIFY
, orGENERATE_VERIFY_MAC
. Defaults toENCRYPT_DECRYPT
. - multi
Region Boolean - Indicates whether the KMS key is a multi-Region (
true
) or regional (false
) key. Defaults tofalse
. - policy String
A valid policy JSON document. Although this is a key policy, not an IAM policy, an
aws.iam.getPolicyDocument
, in the form that designates a principal, can be used.NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Map<String,String>
- A map of tags to assign to the object. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - xks
Key StringId - Identifies the external key that serves as key material for the KMS key in an external key store.
- bypass
Policy booleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - custom
Key stringStore Id - ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
- customer
Master stringKey Spec - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
Valid values:
SYMMETRIC_DEFAULT
,RSA_2048
,RSA_3072
,RSA_4096
,HMAC_256
,ECC_NIST_P256
,ECC_NIST_P384
,ECC_NIST_P521
, orECC_SECG_P256K1
. Defaults toSYMMETRIC_DEFAULT
. For help with choosing a key spec, see the AWS KMS Developer Guide. - deletion
Window numberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately. - description string
- The description of the key as viewed in AWS console.
- enable
Key booleanRotation - Specifies whether key rotation is enabled. Defaults to
false
. - is
Enabled boolean - Specifies whether the key is enabled. Defaults to
true
. - key
Usage string - Specifies the intended use of the key. Valid values:
ENCRYPT_DECRYPT
,SIGN_VERIFY
, orGENERATE_VERIFY_MAC
. Defaults toENCRYPT_DECRYPT
. - multi
Region boolean - Indicates whether the KMS key is a multi-Region (
true
) or regional (false
) key. Defaults tofalse
. - policy string
A valid policy JSON document. Although this is a key policy, not an IAM policy, an
aws.iam.getPolicyDocument
, in the form that designates a principal, can be used.NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- {[key: string]: string}
- A map of tags to assign to the object. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - xks
Key stringId - Identifies the external key that serves as key material for the KMS key in an external key store.
- bypass_
policy_ boollockout_ safety_ check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - custom_
key_ strstore_ id - ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
- customer_
master_ strkey_ spec - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
Valid values:
SYMMETRIC_DEFAULT
,RSA_2048
,RSA_3072
,RSA_4096
,HMAC_256
,ECC_NIST_P256
,ECC_NIST_P384
,ECC_NIST_P521
, orECC_SECG_P256K1
. Defaults toSYMMETRIC_DEFAULT
. For help with choosing a key spec, see the AWS KMS Developer Guide. - deletion_
window_ intin_ days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately. - description str
- The description of the key as viewed in AWS console.
- enable_
key_ boolrotation - Specifies whether key rotation is enabled. Defaults to
false
. - is_
enabled bool - Specifies whether the key is enabled. Defaults to
true
. - key_
usage str - Specifies the intended use of the key. Valid values:
ENCRYPT_DECRYPT
,SIGN_VERIFY
, orGENERATE_VERIFY_MAC
. Defaults toENCRYPT_DECRYPT
. - multi_
region bool - Indicates whether the KMS key is a multi-Region (
true
) or regional (false
) key. Defaults tofalse
. - policy str
A valid policy JSON document. Although this is a key policy, not an IAM policy, an
aws.iam.getPolicyDocument
, in the form that designates a principal, can be used.NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Mapping[str, str]
- A map of tags to assign to the object. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - xks_
key_ strid - Identifies the external key that serves as key material for the KMS key in an external key store.
- bypass
Policy BooleanLockout Safety Check - A flag to indicate whether to bypass the key policy lockout safety check.
Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
The default value is
false
. - custom
Key StringStore Id - ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
- customer
Master StringKey Spec - Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
Valid values:
SYMMETRIC_DEFAULT
,RSA_2048
,RSA_3072
,RSA_4096
,HMAC_256
,ECC_NIST_P256
,ECC_NIST_P384
,ECC_NIST_P521
, orECC_SECG_P256K1
. Defaults toSYMMETRIC_DEFAULT
. For help with choosing a key spec, see the AWS KMS Developer Guide. - deletion
Window NumberIn Days - The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
If you specify a value, it must be between
7
and30
, inclusive. If you do not specify a value, it defaults to30
. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately. - description String
- The description of the key as viewed in AWS console.
- enable
Key BooleanRotation - Specifies whether key rotation is enabled. Defaults to
false
. - is
Enabled Boolean - Specifies whether the key is enabled. Defaults to
true
. - key
Usage String - Specifies the intended use of the key. Valid values:
ENCRYPT_DECRYPT
,SIGN_VERIFY
, orGENERATE_VERIFY_MAC
. Defaults toENCRYPT_DECRYPT
. - multi
Region Boolean - Indicates whether the KMS key is a multi-Region (
true
) or regional (false
) key. Defaults tofalse
. - policy String
A valid policy JSON document. Although this is a key policy, not an IAM policy, an
aws.iam.getPolicyDocument
, in the form that designates a principal, can be used.NOTE: Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Map<String>
- A map of tags to assign to the object. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - xks
Key StringId - Identifies the external key that serves as key material for the KMS key in an external key store.
Outputs
All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) of the key.
- Id string
- The provider-assigned unique ID for this managed resource.
- KeyId string - The globally unique identifier for the key.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- Arn string
- The Amazon Resource Name (ARN) of the key.
- Id string
- The provider-assigned unique ID for this managed resource.
- KeyId string - The globally unique identifier for the key.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- The Amazon Resource Name (ARN) of the key.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Id String - The globally unique identifier for the key.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn string
- The Amazon Resource Name (ARN) of the key.
- id string
- The provider-assigned unique ID for this managed resource.
- key
Id string - The globally unique identifier for the key.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn str
- The Amazon Resource Name (ARN) of the key.
- id str
- The provider-assigned unique ID for this managed resource.
- key_
id str - The globally unique identifier for the key.
- Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- The Amazon Resource Name (ARN) of the key.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Id String - The globally unique identifier for the key.
- Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
Look up Existing Key Resource
Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
bypass_policy_lockout_safety_check: Optional[bool] = None,
custom_key_store_id: Optional[str] = None,
customer_master_key_spec: Optional[str] = None,
deletion_window_in_days: Optional[int] = None,
description: Optional[str] = None,
enable_key_rotation: Optional[bool] = None,
is_enabled: Optional[bool] = None,
key_id: Optional[str] = None,
key_usage: Optional[str] = None,
multi_region: Optional[bool] = None,
policy: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
xks_key_id: Optional[str] = None) -> Key
func GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)
public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)
public static Key get(String name, Output<String> id, KeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The Amazon Resource Name (ARN) of the key.
- Bypass Policy Lockout Safety Check bool
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- Custom Key Store Id string
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- Customer Master Key Spec string
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- Deletion Window In Days int
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- Description string
- The description of the key as viewed in AWS console.
- Enable Key Rotation bool
- Specifies whether key rotation is enabled. Defaults to false.
- Is Enabled bool
- Specifies whether the key is enabled. Defaults to true.
- Key Id string
- The globally unique identifier for the key.
- Key Usage string
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- Multi Region bool
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- Policy string
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Tags Dictionary<string, string>
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Tags All Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- Xks Key Id string
- Identifies the external key that serves as key material for the KMS key in an external key store.
- Arn string
- The Amazon Resource Name (ARN) of the key.
- Bypass Policy Lockout Safety Check bool
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- Custom Key Store Id string
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- Customer Master Key Spec string
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- Deletion Window In Days int
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- Description string
- The description of the key as viewed in AWS console.
- Enable Key Rotation bool
- Specifies whether key rotation is enabled. Defaults to false.
- Is Enabled bool
- Specifies whether the key is enabled. Defaults to true.
- Key Id string
- The globally unique identifier for the key.
- Key Usage string
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- Multi Region bool
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- Policy string
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- Tags map[string]string
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Tags All map[string]string
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- Xks Key Id string
- Identifies the external key that serves as key material for the KMS key in an external key store.
- arn String
- The Amazon Resource Name (ARN) of the key.
- bypass Policy Lockout Safety Check Boolean
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- custom Key Store Id String
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- customer Master Key Spec String
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- deletion Window In Days Integer
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- description String
- The description of the key as viewed in AWS console.
- enable Key Rotation Boolean
- Specifies whether key rotation is enabled. Defaults to false.
- is Enabled Boolean
- Specifies whether the key is enabled. Defaults to true.
- key Id String
- The globally unique identifier for the key.
- key Usage String
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- multi Region Boolean
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- policy String
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- tags Map<String,String>
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tags All Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- xks Key Id String
- Identifies the external key that serves as key material for the KMS key in an external key store.
- arn string
- The Amazon Resource Name (ARN) of the key.
- bypass Policy Lockout Safety Check boolean
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- custom Key Store Id string
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- customer Master Key Spec string
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- deletion Window In Days number
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- description string
- The description of the key as viewed in AWS console.
- enable Key Rotation boolean
- Specifies whether key rotation is enabled. Defaults to false.
- is Enabled boolean
- Specifies whether the key is enabled. Defaults to true.
- key Id string
- The globally unique identifier for the key.
- key Usage string
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- multi Region boolean
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- policy string
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- tags {[key: string]: string}
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tags All {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- xks Key Id string
- Identifies the external key that serves as key material for the KMS key in an external key store.
- arn str
- The Amazon Resource Name (ARN) of the key.
- bypass_policy_lockout_safety_check bool
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- custom_key_store_id str
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- customer_master_key_spec str
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- deletion_window_in_days int
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- description str
- The description of the key as viewed in AWS console.
- enable_key_rotation bool
- Specifies whether key rotation is enabled. Defaults to false.
- is_enabled bool
- Specifies whether the key is enabled. Defaults to true.
- key_id str
- The globally unique identifier for the key.
- key_usage str
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- multi_region bool
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- policy str
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- tags Mapping[str, str]
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tags_all Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- xks_key_id str
- Identifies the external key that serves as key material for the KMS key in an external key store.
- arn String
- The Amazon Resource Name (ARN) of the key.
- bypass Policy Lockout Safety Check Boolean
- A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
- custom Key Store Id String
- ID of the KMS Custom Key Store where the key will be stored instead of KMS (e.g. CloudHSM).
- customer Master Key Spec String
- Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
- deletion Window In Days Number
- The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
- description String
- The description of the key as viewed in AWS console.
- enable Key Rotation Boolean
- Specifies whether key rotation is enabled. Defaults to false.
- is Enabled Boolean
- Specifies whether the key is enabled. Defaults to true.
- key Id String
- The globally unique identifier for the key.
- key Usage String
- Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
- multi Region Boolean
- Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
- policy String
- A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used. NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.
- tags Map<String>
- A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- tags All Map<String>
- A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- xks Key Id String
- Identifies the external key that serves as key material for the KMS key in an external key store.
Import
Using `pulumi import`, import KMS Keys using the id. For example:
$ pulumi import aws:kms/key:Key a 1234abcd-12ab-34cd-56ef-1234567890ab
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.