This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

kms

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.kms.Alias(resource_name, opts=None, name=None, name_prefix=None, target_key_id=None, __props__=None, __name__=None, __opts__=None)

Provides an alias for a KMS customer master key. The AWS Console enforces a 1-to-1 mapping between aliases and keys, but the API (and hence this provider) allows you to create as many aliases as the account limits permit.

import pulumi
import pulumi_aws as aws

key = aws.kms.Key("key")
alias = aws.kms.Alias("alias", target_key_id=key.key_id)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

  • name_prefix (pulumi.Input[str]) – Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

  • target_key_id (pulumi.Input[str]) – Identifier of the key the alias points to; can be either an ARN or a key_id.

arn: pulumi.Output[str] = None

The Amazon Resource Name (ARN) of the key alias.

name: pulumi.Output[str] = None

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

name_prefix: pulumi.Output[str] = None

Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

target_key_arn: pulumi.Output[str] = None

The Amazon Resource Name (ARN) of the target key identifier.

target_key_id: pulumi.Output[str] = None

Identifier of the key the alias points to; can be either an ARN or a key_id.

static get(resource_name, id, opts=None, arn=None, name=None, name_prefix=None, target_key_arn=None, target_key_id=None)

Get an existing Alias resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key alias.

  • name (pulumi.Input[str]) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

  • name_prefix (pulumi.Input[str]) – Creates a unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

  • target_key_arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the target key identifier.

  • target_key_id (pulumi.Input[str]) – Identifier of the key the alias points to; can be either an ARN or a key_id.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.AwaitableGetAliasResult(arn=None, id=None, name=None, target_key_arn=None, target_key_id=None)
class pulumi_aws.kms.AwaitableGetCipherTextResult(ciphertext_blob=None, context=None, id=None, key_id=None, plaintext=None)
class pulumi_aws.kms.AwaitableGetKeyResult(arn=None, aws_account_id=None, creation_date=None, customer_master_key_spec=None, deletion_date=None, description=None, enabled=None, expiration_model=None, grant_tokens=None, id=None, key_id=None, key_manager=None, key_state=None, key_usage=None, origin=None, valid_to=None)
class pulumi_aws.kms.AwaitableGetSecretResult(id=None, secrets=None)
class pulumi_aws.kms.AwaitableGetSecretsResult(id=None, plaintext=None, secrets=None)
class pulumi_aws.kms.Ciphertext(resource_name, opts=None, context=None, key_id=None, plaintext=None, __props__=None, __name__=None, __opts__=None)

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the kms.Ciphertext data source.

Note: All arguments, including the plaintext, will be stored in the raw state as plain-text.

import pulumi
import pulumi_aws as aws

oauth_config = aws.kms.Key("oauthConfig",
    description="oauth config",
    is_enabled=True)
oauth = aws.kms.Ciphertext("oauth",
    key_id=oauth_config.key_id,
    plaintext="""{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}

""")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • context (pulumi.Input[dict]) – An optional mapping that makes up the encryption context.

  • key_id (pulumi.Input[str]) – Globally unique key ID for the customer master key.

  • plaintext (pulumi.Input[str]) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

ciphertext_blob: pulumi.Output[str] = None

Base64 encoded ciphertext.

context: pulumi.Output[dict] = None

An optional mapping that makes up the encryption context.

key_id: pulumi.Output[str] = None

Globally unique key ID for the customer master key.

plaintext: pulumi.Output[str] = None

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

static get(resource_name, id, opts=None, ciphertext_blob=None, context=None, key_id=None, plaintext=None)

Get an existing Ciphertext resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ciphertext_blob (pulumi.Input[str]) – Base64 encoded ciphertext.

  • context (pulumi.Input[dict]) – An optional mapping that makes up the encryption context.

  • key_id (pulumi.Input[str]) – Globally unique key ID for the customer master key.

  • plaintext (pulumi.Input[str]) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.ExternalKey(resource_name, opts=None, deletion_window_in_days=None, description=None, enabled=None, key_material_base64=None, policy=None, tags=None, valid_to=None, __props__=None, __name__=None, __opts__=None)

Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the kms.Key resource.

Note: All arguments including the key material will be stored in the raw state as plain-text.

import pulumi
import pulumi_aws as aws

example = aws.kms.ExternalKey("example", description="KMS EXTERNAL for AMI encryption")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

  • description (pulumi.Input[str]) – Description of the key.

  • enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

  • key_material_base64 (pulumi.Input[str]) – Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

  • policy (pulumi.Input[str]) – A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

  • tags (pulumi.Input[dict]) – A key-value map of tags to assign to the key.

  • valid_to (pulumi.Input[str]) – Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ).
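The parameter list above states several constraints that AWS only rejects at apply time: a deletion window of 7 to 30 days, key material that must be exactly 256 bits, and a valid_to value in RFC3339 YYYY-MM-DDTHH:MM:SSZ form that, once reached, leaves the CMK unusable. The following pre-flight checker is an added example, not part of pulumi_aws, that enforces those rules locally before a Pulumi program hands the values to the provider, and reports the expiration_model value the key will end up with (empty while key material is still pending import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE, as the attribute documentation describes). The function names and the sample key material are this example's own.

```python
"""Pre-flight checks for pulumi_aws.kms.ExternalKey arguments (added example)."""
import base64
import binascii
import re
import secrets
from datetime import datetime, timezone
from typing import Optional

# Only the exact "YYYY-MM-DDTHH:MM:SSZ" shape the docs list is accepted.
_RFC3339_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def check_deletion_window(days: Optional[int]) -> int:
    """deletion_window_in_days: 7..30, default 30 when omitted."""
    days = 30 if days is None else days
    if not 7 <= days <= 30:
        raise ValueError(f"deletion_window_in_days must be between 7 and 30, got {days}")
    return days


def check_key_material(key_material_base64: str) -> int:
    """Return the key length in bits; only 256-bit symmetric material is importable."""
    try:
        raw = base64.b64decode(key_material_base64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key_material_base64 is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"key material must be 256 bits (32 bytes), got {len(raw) * 8} bits")
    return len(raw) * 8


def expiration_model(valid_to: Optional[str], now: Optional[datetime] = None) -> str:
    """Map valid_to onto the expiration_model value for imported key material."""
    if valid_to is None:
        return "KEY_MATERIAL_DOES_NOT_EXPIRE"
    if not _RFC3339_Z.match(valid_to):
        raise ValueError(f"valid_to must look like YYYY-MM-DDTHH:MM:SSZ, got {valid_to!r}")
    expires = datetime.strptime(valid_to, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        # KMS deletes expired material and the CMK becomes unusable.
        raise ValueError(f"valid_to {valid_to} is already in the past")
    return "KEY_MATERIAL_EXPIRES"


def check_external_key_args(deletion_window_in_days: Optional[int] = None,
                            key_material_base64: Optional[str] = None,
                            valid_to: Optional[str] = None,
                            now: Optional[datetime] = None) -> dict:
    """Validate the argument set and report the resulting expiration_model."""
    result = {"deletion_window_in_days": check_deletion_window(deletion_window_in_days)}
    if key_material_base64 is None:
        # No material yet: the key sits in "pending import" and expiration_model is empty.
        result["expiration_model"] = ""
        return result
    result["key_material_bits"] = check_key_material(key_material_base64)
    result["expiration_model"] = expiration_model(valid_to, now)
    return result


def demo_key_material() -> str:
    """Constructed sample material for the demo only; real material comes from your import flow."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


if __name__ == "__main__":
    # Sample run with constructed values; the material is never printed.
    print(check_external_key_args(10, demo_key_material(), "2099-01-01T00:00:00Z"))
    print(check_external_key_args())
```

Because the material ends up in plain text in the Pulumi state (see the note above), the checker deliberately never logs or returns the decoded bytes, only their length.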

arn: pulumi.Output[str] = None

The Amazon Resource Name (ARN) of the key.

deletion_window_in_days: pulumi.Output[float] = None

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description: pulumi.Output[str] = None

Description of the key.

enabled: pulumi.Output[bool] = None

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expiration_model: pulumi.Output[str] = None

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

key_material_base64: pulumi.Output[str] = None

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

key_state: pulumi.Output[str] = None

The state of the CMK.

key_usage: pulumi.Output[str] = None

The cryptographic operations for which you can use the CMK.

policy: pulumi.Output[str] = None

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags: pulumi.Output[dict] = None

A key-value map of tags to assign to the key.

valid_to: pulumi.Output[str] = None

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ).

static get(resource_name, id, opts=None, arn=None, deletion_window_in_days=None, description=None, enabled=None, expiration_model=None, key_material_base64=None, key_state=None, key_usage=None, policy=None, tags=None, valid_to=None)

Get an existing ExternalKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

  • description (pulumi.Input[str]) – Description of the key.

  • enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

  • expiration_model (pulumi.Input[str]) – Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

  • key_material_base64 (pulumi.Input[str]) – Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

  • key_state (pulumi.Input[str]) – The state of the CMK.

  • key_usage (pulumi.Input[str]) – The cryptographic operations for which you can use the CMK.

  • policy (pulumi.Input[str]) – A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

  • tags (pulumi.Input[dict]) – A key-value map of tags to assign to the key.

  • valid_to (pulumi.Input[str]) – Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ).

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.GetAliasResult(arn=None, id=None, name=None, target_key_arn=None, target_key_id=None)

A collection of values returned by getAlias.

arn = None

The Amazon Resource Name (ARN) of the key alias.

id = None

The provider-assigned unique ID for this managed resource.

target_key_arn = None

ARN pointed to by the alias.

target_key_id = None

Key identifier pointed to by the alias.

class pulumi_aws.kms.GetCipherTextResult(ciphertext_blob=None, context=None, id=None, key_id=None, plaintext=None)

A collection of values returned by getCipherText.

ciphertext_blob = None

Base64 encoded ciphertext.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetKeyResult(arn=None, aws_account_id=None, creation_date=None, customer_master_key_spec=None, deletion_date=None, description=None, enabled=None, expiration_model=None, grant_tokens=None, id=None, key_id=None, key_manager=None, key_state=None, key_usage=None, origin=None, valid_to=None)

A collection of values returned by getKey.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetSecretResult(id=None, secrets=None)

A collection of values returned by getSecret.

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetSecretsResult(id=None, plaintext=None, secrets=None)

A collection of values returned by getSecrets.

id = None

The provider-assigned unique ID for this managed resource.

plaintext = None

Map containing each secret name as the key with its decrypted plaintext value.

class pulumi_aws.kms.Grant(resource_name, opts=None, constraints=None, grant_creation_tokens=None, grantee_principal=None, key_id=None, name=None, operations=None, retire_on_delete=None, retiring_principal=None, __props__=None, __name__=None, __opts__=None)

Provides a resource-based access control mechanism for a KMS customer master key.

import pulumi
import pulumi_aws as aws

key = aws.kms.Key("key")
role = aws.iam.Role("role", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
grant = aws.kms.Grant("grant",
    constraints=[{
        "encryptionContextEquals": {
            "Department": "Finance",
        },
    }],
    grantee_principal=role.arn,
    key_id=key.key_id,
    operations=[
        "Encrypt",
        "Decrypt",
        "GenerateDataKey",
    ])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • constraints (pulumi.Input[list]) – A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • grant_creation_tokens (pulumi.Input[list]) – A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

  • grantee_principal (pulumi.Input[str]) – The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

  • key_id (pulumi.Input[str]) – The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

  • name (pulumi.Input[str]) – A friendly name for identifying the grant.

  • operations (pulumi.Input[list]) – A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

  • retire_on_delete (pulumi.Input[bool]) – (Defaults to false; forces a new resource.) If set to false (the default), the grant is revoked upon deletion; if set to true, the provider attempts to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why revoking is the default. See RetireGrant for more information.

  • retiring_principal (pulumi.Input[str]) – The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

The constraints object supports the following:

  • encryptionContextEquals (pulumi.Input[dict]) - A map of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with encryptionContextSubset.

  • encryptionContextSubset (pulumi.Input[dict]) - A map of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with encryptionContextEquals.
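The two constraint kinds differ in exactly one way: encryptionContextEquals requires the request's encryption context to be identical to the constraint, while encryptionContextSubset only requires the constraint's pairs to be present and tolerates extra pairs. The model below is an added example, not code from pulumi_aws or AWS KMS; it evaluates a constraints entry (in the same camelCase shape as the Grant example above) against a request's encryption context following the description above, so a planned constraint can be sanity-checked locally before the grant is created. The function names and the sample contexts are this example's own.

```python
"""Local model of KMS grant encryption-context constraints (added example)."""
from typing import Dict, Optional

EncryptionContext = Dict[str, str]


def validate_constraint(constraint: dict) -> None:
    """Reject the combination the docs say conflicts: both constraint kinds set at once."""
    if "encryptionContextEquals" in constraint and "encryptionContextSubset" in constraint:
        raise ValueError("encryptionContextEquals conflicts with encryptionContextSubset")


def grant_allows(constraint: dict, request_context: Optional[EncryptionContext]) -> bool:
    """Return True if a request carrying `request_context` satisfies `constraint`.

    - encryptionContextEquals: the request context must equal the constraint exactly.
    - encryptionContextSubset: every constraint pair must appear in the request context;
      the request may carry additional pairs.
    - an empty constraint places no condition on the encryption context.
    """
    validate_constraint(constraint)
    ctx = request_context or {}
    if "encryptionContextEquals" in constraint:
        return ctx == dict(constraint["encryptionContextEquals"])
    if "encryptionContextSubset" in constraint:
        required = constraint["encryptionContextSubset"]
        return all(ctx.get(key) == value for key, value in required.items())
    return True


# Constructed samples: the constraint from the Grant example above, in both flavours.
FINANCE_EQUALS = {"encryptionContextEquals": {"Department": "Finance"}}
FINANCE_SUBSET = {"encryptionContextSubset": {"Department": "Finance"}}

if __name__ == "__main__":
    samples = ({"Department": "Finance"}, {"Department": "Finance", "App": "payroll"}, {})
    for ctx in samples:
        print(ctx, "equals:", grant_allows(FINANCE_EQUALS, ctx),
              "subset:", grant_allows(FINANCE_SUBSET, ctx))
```

A request with no encryption context at all satisfies neither flavour of the Finance constraint, which is the property that makes context-bound grants useful: a caller cannot reach the key through the grant without naming the context the grant was issued for.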

constraints: pulumi.Output[list] = None

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • encryptionContextEquals (dict) - A map of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with encryptionContextSubset.

  • encryptionContextSubset (dict) - A map of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with encryptionContextEquals.

grant_creation_tokens: pulumi.Output[list] = None

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

grant_id: pulumi.Output[str] = None

The unique identifier for the grant.

grant_token: pulumi.Output[str] = None

The grant token for the created grant. For more information, see Grant Tokens.

grantee_principal: pulumi.Output[str] = None

The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

key_id: pulumi.Output[str] = None

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

name: pulumi.Output[str] = None

A friendly name for identifying the grant.

operations: pulumi.Output[list] = None

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

retire_on_delete: pulumi.Output[bool] = None

(Defaults to false; forces a new resource.) If set to false (the default), the grant is revoked upon deletion; if set to true, the provider attempts to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why revoking is the default. See RetireGrant for more information.

retiring_principal: pulumi.Output[str] = None

The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

static get(resource_name, id, opts=None, constraints=None, grant_creation_tokens=None, grant_id=None, grant_token=None, grantee_principal=None, key_id=None, name=None, operations=None, retire_on_delete=None, retiring_principal=None)

Get an existing Grant resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • constraints (pulumi.Input[list]) – A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • grant_creation_tokens (pulumi.Input[list]) – A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

  • grant_id (pulumi.Input[str]) – The unique identifier for the grant.

  • grant_token (pulumi.Input[str]) – The grant token for the created grant. For more information, see Grant Tokens.

  • grantee_principal (pulumi.Input[str]) – The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

  • key_id (pulumi.Input[str]) – The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

  • name (pulumi.Input[str]) – A friendly name for identifying the grant.

  • operations (pulumi.Input[list]) – A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

  • retire_on_delete (pulumi.Input[bool]) – (Defaults to false; forces a new resource.) If set to false (the default), the grant is revoked upon deletion; if set to true, the provider attempts to retire the grant upon deletion. Note that retiring grants requires special permissions, which is why revoking is the default. See RetireGrant for more information.

  • retiring_principal (pulumi.Input[str]) – The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

The constraints object supports the following:

  • encryptionContextEquals (pulumi.Input[dict]) - A map of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with encryptionContextSubset.

  • encryptionContextSubset (pulumi.Input[dict]) - A map of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with encryptionContextEquals.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.Key(resource_name, opts=None, customer_master_key_spec=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_usage=None, policy=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a KMS customer master key.

import pulumi
import pulumi_aws as aws

key = aws.kms.Key("key",
    deletion_window_in_days=10,
    description="KMS key 1")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • customer_master_key_spec (pulumi.Input[str]) – Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. Defaults to 30 days.

  • description (pulumi.Input[str]) – The description of the key as viewed in AWS console.

  • enable_key_rotation (pulumi.Input[bool]) – Specifies whether key rotation is enabled. Defaults to false.

  • is_enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Defaults to true.

  • key_usage (pulumi.Input[str]) – Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

  • policy (pulumi.Input[str]) – A valid policy JSON document.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the object.

arn: pulumi.Output[str] = None

The Amazon Resource Name (ARN) of the key.

customer_master_key_spec: pulumi.Output[str] = None

Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.

deletion_window_in_days: pulumi.Output[float] = None

Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. Defaults to 30 days.

description: pulumi.Output[str] = None

The description of the key as viewed in AWS console.

enable_key_rotation: pulumi.Output[bool] = None

Specifies whether key rotation is enabled. Defaults to false.

is_enabled: pulumi.Output[bool] = None

Specifies whether the key is enabled. Defaults to true.

key_id: pulumi.Output[str] = None

The globally unique identifier for the key.

key_usage: pulumi.Output[str] = None

Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

policy: pulumi.Output[str] = None

A valid policy JSON document.

tags: pulumi.Output[dict] = None

A map of tags to assign to the object.

static get(resource_name, id, opts=None, arn=None, customer_master_key_spec=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_id=None, key_usage=None, policy=None, tags=None)

Get an existing Key resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key.

  • customer_master_key_spec (pulumi.Input[str]) – Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource; must be between 7 and 30 days. Defaults to 30 days.

  • description (pulumi.Input[str]) – The description of the key as viewed in AWS console.

  • enable_key_rotation (pulumi.Input[bool]) – Specifies whether key rotation is enabled. Defaults to false.

  • is_enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Defaults to true.

  • key_id (pulumi.Input[str]) – The globally unique identifier for the key.

  • key_usage (pulumi.Input[str]) – Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

  • policy (pulumi.Input[str]) – A valid policy JSON document.

  • tags (pulumi.Input[dict]) – A map of tags to assign to the object.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.kms.get_alias(name=None, opts=None)

Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference a key alias without having to hard-code the ARN as input.

import pulumi
import pulumi_aws as aws

s3 = aws.kms.get_alias(name="alias/aws/s3")

Parameters

name (str) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/).

pulumi_aws.kms.get_cipher_text(context=None, key_id=None, plaintext=None, opts=None)

The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this data source changes every apply. For a stable ciphertext value, see the kms.Ciphertext resource.

import pulumi
import pulumi_aws as aws

oauth_config = aws.kms.Key("oauthConfig",
    description="oauth config",
    is_enabled=True)
oauth = oauth_config.key_id.apply(lambda key_id: aws.kms.get_cipher_text(key_id=key_id,
    plaintext="""{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}

"""))

Parameters
  • context (dict) – An optional mapping that makes up the encryption context.

  • key_id (str) – Globally unique key ID for the customer master key.

  • plaintext (str) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

pulumi_aws.kms.get_key(grant_tokens=None, key_id=None, opts=None)

Use this data source to get detailed information about the specified KMS key with flexible key id input. This can be useful to reference a key alias without having to hard-code the ARN as input.

import pulumi
import pulumi_aws as aws

foo = aws.kms.get_key(key_id="arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")

Parameters
  • grant_tokens (list) – List of grant tokens

  • key_id (str) – Key identifier, which can be in one of the following formats:

    * Key ID. E.g.: `1234abcd-12ab-34cd-56ef-1234567890ab`
    * Key ARN. E.g.: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
    * Alias name. E.g.: `alias/my-key`
    * Alias ARN. E.g.: `arn:aws:kms:us-east-1:111122223333:alias/my-key`

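The four key_id formats listed above, together with the rule stated for the Alias resource and get_alias that an alias name must start with `alias/`, are easy to get wrong in a Pulumi program and are only rejected once the provider calls AWS. The helper below is an added example, not part of pulumi_aws: it classifies a key identifier into one of the four forms, pulls out the region and account from ARN forms, and enforces the `alias/` rule. The regular expressions, the `KeyIdentifier` type and the `aws_managed` flag (AWS-managed keys use the reserved `alias/aws/` prefix, as in the `alias/aws/s3` example above; that prefix rule is AWS KMS behaviour, not something this page states) are this example's own.

```python
"""Classify KMS key identifiers and validate alias names (added example)."""
import re
from typing import NamedTuple, Optional

# 8-4-4-4-12 lowercase hex, the shape of the key IDs in the examples above.
_KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# arn:<partition>:kms:<region>:<12-digit account>:<key|alias>/<rest>
_ARN_RE = re.compile(
    r"^arn:(aws[a-zA-Z-]*):kms:([a-z0-9-]+):(\d{12}):(key|alias)/(.+)$")


class KeyIdentifier(NamedTuple):
    kind: str                 # "key_id", "key_arn", "alias_name" or "alias_arn"
    value: str                # the bare key ID, or the alias name including "alias/"
    region: Optional[str]     # only known for ARN forms
    account: Optional[str]    # only known for ARN forms
    aws_managed: bool         # alias under the reserved "alias/aws/" prefix


def validate_alias_name(name: str) -> str:
    """Alias names must start with "alias/" and carry a name after the slash."""
    if not name.startswith("alias/") or len(name) == len("alias/"):
        raise ValueError(f"alias name must start with 'alias/': {name!r}")
    return name


def parse_key_identifier(key_id: str) -> KeyIdentifier:
    """Return which of the four accepted forms `key_id` is, or raise ValueError."""
    if _KEY_ID_RE.match(key_id):
        return KeyIdentifier("key_id", key_id, None, None, False)
    arn = _ARN_RE.match(key_id)
    if arn:
        _partition, region, account, resource_type, rest = arn.groups()
        if resource_type == "key":
            if not _KEY_ID_RE.match(rest):
                raise ValueError(f"key ARN does not end in a key ID: {key_id!r}")
            return KeyIdentifier("key_arn", rest, region, account, False)
        alias = validate_alias_name("alias/" + rest)
        return KeyIdentifier("alias_arn", alias, region, account, alias.startswith("alias/aws/"))
    if key_id.startswith("alias/"):
        alias = validate_alias_name(key_id)
        return KeyIdentifier("alias_name", alias, None, None, alias.startswith("alias/aws/"))
    raise ValueError(f"unrecognised KMS key identifier: {key_id!r}")


if __name__ == "__main__":
    # The sample identifiers from the get_key documentation above.
    for sample in ("1234abcd-12ab-34cd-56ef-1234567890ab",
                   "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                   "alias/my-key",
                   "arn:aws:kms:us-east-1:111122223333:alias/my-key",
                   "alias/aws/s3"):
        print(parse_key_identifier(sample))
```

Knowing the form up front matters for cross-account use: the Grant documentation above notes that a CMK in a different AWS account can only be referenced by its key ARN, so a program can reject a bare key ID or alias name before the grant is attempted.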
pulumi_aws.kms.get_secret(secrets=None, opts=None)

Use this data source to access information about an existing resource.

The secrets object supports the following:

  • context (dict)

  • grantTokens (list)

  • name (str)

  • payload (str)

pulumi_aws.kms.get_secrets(secrets=None, opts=None)

Decrypt multiple secrets from data encrypted with the AWS KMS service.

Parameters

secrets (list) – One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

The secrets object supports the following:

  • context (dict) - An optional mapping that makes up the Encryption Context for the secret.

  • grantTokens (list) - An optional list of Grant Tokens for the secret.

  • name (str) - The name to export this secret under in the attributes.

  • payload (str) - Base64 encoded payload, as returned from a KMS encrypt operation.