kms

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.kms.Alias(resource_name, opts=None, name=None, name_prefix=None, target_key_id=None, __props__=None, __name__=None, __opts__=None)

Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence this provider too) allows you to create as many aliases as the account limits allow you.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

  • name_prefix (pulumi.Input[str]) – Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

  • target_key_id (pulumi.Input[str]) – Identifier for the key for which the alias is for, can be either an ARN or key_id.

arn = None

The Amazon Resource Name (ARN) of the key alias.

name = None

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

name_prefix = None

Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

target_key_arn = None

The Amazon Resource Name (ARN) of the target key identifier.

target_key_id = None

Identifier for the key for which the alias is for, can be either an ARN or key_id.

static get(resource_name, id, opts=None, arn=None, name=None, name_prefix=None, target_key_arn=None, target_key_id=None)

Get an existing Alias resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key alias.

  • name (pulumi.Input[str]) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

  • name_prefix (pulumi.Input[str]) – Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

  • target_key_arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the target key identifier.

  • target_key_id (pulumi.Input[str]) – Identifier for the key for which the alias is for, can be either an ARN or key_id.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.AwaitableGetAliasResult(arn=None, name=None, target_key_arn=None, target_key_id=None, id=None)
class pulumi_aws.kms.AwaitableGetCipherTextResult(ciphertext_blob=None, context=None, key_id=None, plaintext=None, id=None)
class pulumi_aws.kms.AwaitableGetKeyResult(arn=None, aws_account_id=None, creation_date=None, deletion_date=None, description=None, enabled=None, expiration_model=None, grant_tokens=None, key_id=None, key_manager=None, key_state=None, key_usage=None, origin=None, valid_to=None, id=None)
class pulumi_aws.kms.AwaitableGetSecretResult(secrets=None, id=None)
class pulumi_aws.kms.AwaitableGetSecretsResult(plaintext=None, secrets=None, id=None)
class pulumi_aws.kms.Ciphertext(resource_name, opts=None, context=None, key_id=None, plaintext=None, __props__=None, __name__=None, __opts__=None)

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the ``kms.Ciphertext` data source <https://www.terraform.io/docs/providers/aws/d/kms_ciphertext.html>`_.

Note: All arguments including the plaintext be stored in the raw state as plain-text. Read more about sensitive data in state.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • context (pulumi.Input[dict]) – An optional mapping that makes up the encryption context.

  • key_id (pulumi.Input[str]) – Globally unique key ID for the customer master key.

  • plaintext (pulumi.Input[str]) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

ciphertext_blob = None

Base64 encoded ciphertext

context = None

An optional mapping that makes up the encryption context.

key_id = None

Globally unique key ID for the customer master key.

plaintext = None

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

static get(resource_name, id, opts=None, ciphertext_blob=None, context=None, key_id=None, plaintext=None)

Get an existing Ciphertext resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • ciphertext_blob (pulumi.Input[str]) – Base64 encoded ciphertext

  • context (pulumi.Input[dict]) – An optional mapping that makes up the encryption context.

  • key_id (pulumi.Input[str]) – Globally unique key ID for the customer master key.

  • plaintext (pulumi.Input[str]) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.ExternalKey(resource_name, opts=None, deletion_window_in_days=None, description=None, enabled=None, key_material_base64=None, policy=None, tags=None, valid_to=None, __props__=None, __name__=None, __opts__=None)

Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the ``kms.Key` resource <https://www.terraform.io/docs/providers/aws/r/kms_key.html>`_.

Note: All arguments including the key material will be stored in the raw state as plain-text. Read more about sensitive data in state.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

  • description (pulumi.Input[str]) – Description of the key.

  • enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

  • key_material_base64 (pulumi.Input[str]) – Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

  • policy (pulumi.Input[str]) – A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

  • tags (pulumi.Input[dict]) – A key-value map of tags to assign to the key.

  • valid_to (pulumi.Input[str]) – Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

arn = None

The Amazon Resource Name (ARN) of the key.

deletion_window_in_days = None

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description = None

Description of the key.

enabled = None

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expiration_model = None

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

key_material_base64 = None

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

key_state = None

The state of the CMK.

key_usage = None

The cryptographic operations for which you can use the CMK.

policy = None

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags = None

A key-value map of tags to assign to the key.

valid_to = None

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

static get(resource_name, id, opts=None, arn=None, deletion_window_in_days=None, description=None, enabled=None, expiration_model=None, key_material_base64=None, key_state=None, key_usage=None, policy=None, tags=None, valid_to=None)

Get an existing ExternalKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

  • description (pulumi.Input[str]) – Description of the key.

  • enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

  • expiration_model (pulumi.Input[str]) – Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

  • key_material_base64 (pulumi.Input[str]) – Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

  • key_state (pulumi.Input[str]) – The state of the CMK.

  • key_usage (pulumi.Input[str]) – The cryptographic operations for which you can use the CMK.

  • policy (pulumi.Input[str]) – A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

  • tags (pulumi.Input[dict]) – A key-value map of tags to assign to the key.

  • valid_to (pulumi.Input[str]) –

    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.GetAliasResult(arn=None, name=None, target_key_arn=None, target_key_id=None, id=None)

A collection of values returned by getAlias.

arn = None

The Amazon Resource Name(ARN) of the key alias.

target_key_arn = None

ARN pointed to by the alias.

target_key_id = None

Key identifier pointed to by the alias.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetCipherTextResult(ciphertext_blob=None, context=None, key_id=None, plaintext=None, id=None)

A collection of values returned by getCipherText.

ciphertext_blob = None

Base64 encoded ciphertext

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetKeyResult(arn=None, aws_account_id=None, creation_date=None, deletion_date=None, description=None, enabled=None, expiration_model=None, grant_tokens=None, key_id=None, key_manager=None, key_state=None, key_usage=None, origin=None, valid_to=None, id=None)

A collection of values returned by getKey.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetSecretResult(secrets=None, id=None)

A collection of values returned by getSecret.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.GetSecretsResult(plaintext=None, secrets=None, id=None)

A collection of values returned by getSecrets.

plaintext = None

Map containing each secret name as the key with its decrypted plaintext value

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.kms.Grant(resource_name, opts=None, constraints=None, grant_creation_tokens=None, grantee_principal=None, key_id=None, name=None, operations=None, retire_on_delete=None, retiring_principal=None, __props__=None, __name__=None, __opts__=None)

Provides a resource-based access control mechanism for a KMS customer master key.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • constraints (pulumi.Input[list]) – A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • grant_creation_tokens (pulumi.Input[list]) – A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

* `retire_on_delete` -(Defaults to false, Forces new resources) If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.
Parameters
  • grantee_principal (pulumi.Input[str]) – The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

  • key_id (pulumi.Input[str]) – The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

  • name (pulumi.Input[str]) – A friendly name for identifying the grant.

  • operations (pulumi.Input[list]) – A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

  • retiring_principal (pulumi.Input[str]) – The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

The constraints object supports the following:

  • encryptionContextEquals (pulumi.Input[dict])

  • encryptionContextSubset (pulumi.Input[dict])

constraints = None

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • encryptionContextEquals (dict)

  • encryptionContextSubset (dict)

grant_creation_tokens = None

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

  • retire_on_delete -(Defaults to false, Forces new resources) If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants. See RetireGrant for more information.

grant_id = None

The unique identifier for the grant.

grant_token = None

The grant token for the created grant. For more information, see Grant Tokens.

grantee_principal = None

The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

key_id = None

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

name = None

A friendly name for identifying the grant.

operations = None

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

retiring_principal = None

The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

static get(resource_name, id, opts=None, constraints=None, grant_creation_tokens=None, grant_id=None, grant_token=None, grantee_principal=None, key_id=None, name=None, operations=None, retire_on_delete=None, retiring_principal=None)

Get an existing Grant resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • constraints (pulumi.Input[list]) –

    A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

  • grant_creation_tokens (pulumi.Input[list]) –

    A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

* `retire_on_delete` -(Defaults to false, Forces new resources) If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
See [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) for more information.
Parameters
  • grant_id (pulumi.Input[str]) – The unique identifier for the grant.

  • grant_token (pulumi.Input[str]) –

    The grant token for the created grant. For more information, see Grant Tokens.

  • grantee_principal (pulumi.Input[str]) – The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

  • key_id (pulumi.Input[str]) – The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

  • name (pulumi.Input[str]) – A friendly name for identifying the grant.

  • operations (pulumi.Input[list]) – A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

  • retiring_principal (pulumi.Input[str]) – The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

The constraints object supports the following:

  • encryptionContextEquals (pulumi.Input[dict])

  • encryptionContextSubset (pulumi.Input[dict])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.kms.Key(resource_name, opts=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_usage=None, policy=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a KMS customer master key.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

  • description (pulumi.Input[str]) – The description of the key as viewed in AWS console.

  • enable_key_rotation (pulumi.Input[bool]) – Specifies whether key rotation is enabled. Defaults to false.

  • is_enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Defaults to true.

  • key_usage (pulumi.Input[str]) – Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the object.

arn = None

The Amazon Resource Name (ARN) of the key.

deletion_window_in_days = None

Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

description = None

The description of the key as viewed in AWS console.

enable_key_rotation = None

Specifies whether key rotation is enabled. Defaults to false.

is_enabled = None

Specifies whether the key is enabled. Defaults to true.

key_id = None

The globally unique identifier for the key.

key_usage = None

Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

tags = None

A mapping of tags to assign to the object.

static get(resource_name, id, opts=None, arn=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_id=None, key_usage=None, policy=None, tags=None)

Get an existing Key resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name (ARN) of the key.

  • deletion_window_in_days (pulumi.Input[float]) – Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

  • description (pulumi.Input[str]) – The description of the key as viewed in AWS console.

  • enable_key_rotation (pulumi.Input[bool]) –

    Specifies whether key rotation is enabled. Defaults to false.

  • is_enabled (pulumi.Input[bool]) – Specifies whether the key is enabled. Defaults to true.

  • key_id (pulumi.Input[str]) – The globally unique identifier for the key.

  • key_usage (pulumi.Input[str]) – Specifies the intended use of the key. Defaults to ENCRYPT_DECRYPT, and only symmetric encryption and decryption are supported.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the object.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.kms.get_alias(name=None, opts=None)

Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference key alias without having to hard code the ARN as input.

Parameters

name (str) – The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

pulumi_aws.kms.get_cipher_text(context=None, key_id=None, plaintext=None, opts=None)

The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this data source changes every apply. For a stable ciphertext value, see the ``kms.Ciphertext` resource <https://www.terraform.io/docs/providers/aws/r/kms_ciphertext.html>`_.

Note: All arguments including the plaintext be stored in the raw state as plain-text. Read more about sensitive data in state.

Parameters
  • context (dict) – An optional mapping that makes up the encryption context.

  • key_id (str) – Globally unique key ID for the customer master key.

  • plaintext (str) – Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

pulumi_aws.kms.get_key(grant_tokens=None, key_id=None, opts=None)

Use this data source to get detailed information about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.

Parameters
  • grant_tokens (list) – List of grant tokens

  • key_id (str) – Key identifier which can be one of the following format:

* Key ID. E.g: `1234abcd-12ab-34cd-56ef-1234567890ab`
* Key ARN. E.g.: `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
* Alias name. E.g.: `alias/my-key`
* Alias ARN: E.g.: `arn:aws:kms:us-east-1:111122223333:alias/my-key`
pulumi_aws.kms.get_secret(secrets=None, opts=None)

!> WARNING: This data source was removed in version 2.0.0 of the AWS Provider. You can migrate existing configurations to the ``kms.getSecrets` data source <https://www.terraform.io/docs/providers/aws/d/kms_secrets.html>`_ following instructions available in the Version 2 Upgrade Guide.

The secrets object supports the following:

  • context (dict)

  • grantTokens (list)

  • name (str)

  • payload (str)

pulumi_aws.kms.get_secrets(secrets=None, opts=None)

Decrypt multiple secrets from data encrypted with the AWS KMS service.

Parameters

secrets (list) – One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

The secrets object supports the following:

  • context (dict) - An optional mapping that makes up the Encryption Context for the secret.

  • grantTokens (list) - An optional list of Grant Tokens for the secret.

  • name (str) - The name to export this secret under in the attributes.

  • payload (str) - Base64 encoded payload, as returned from a KMS encrypt operation.