AWS Classic

Pulumi Official
Package maintained by Pulumi
v5.10.0 published on Monday, Jul 11, 2022 by Pulumi

ExternalKey

Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the aws.kms.Key resource.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Kms.ExternalKey("example", new Aws.Kms.ExternalKeyArgs
        {
            Description = "KMS EXTERNAL for AMI encryption",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewExternalKey(ctx, "example", &kms.ExternalKeyArgs{
			Description: pulumi.String("KMS EXTERNAL for AMI encryption"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ExternalKey("example", ExternalKeyArgs.builder()        
            .description("KMS EXTERNAL for AMI encryption")
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.kms.ExternalKey("example", description="KMS EXTERNAL for AMI encryption")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.kms.ExternalKey("example", {
    description: "KMS EXTERNAL for AMI encryption",
});
resources:
  example:
    type: aws:kms:ExternalKey
    properties:
      description: KMS EXTERNAL for AMI encryption

Create a ExternalKey Resource

new ExternalKey(name: string, args?: ExternalKeyArgs, opts?: CustomResourceOptions);
@overload
def ExternalKey(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                bypass_policy_lockout_safety_check: Optional[bool] = None,
                deletion_window_in_days: Optional[int] = None,
                description: Optional[str] = None,
                enabled: Optional[bool] = None,
                key_material_base64: Optional[str] = None,
                multi_region: Optional[bool] = None,
                policy: Optional[str] = None,
                tags: Optional[Mapping[str, str]] = None,
                valid_to: Optional[str] = None)
@overload
def ExternalKey(resource_name: str,
                args: Optional[ExternalKeyArgs] = None,
                opts: Optional[ResourceOptions] = None)
func NewExternalKey(ctx *Context, name string, args *ExternalKeyArgs, opts ...ResourceOption) (*ExternalKey, error)
public ExternalKey(string name, ExternalKeyArgs? args = null, CustomResourceOptions? opts = null)
public ExternalKey(String name, ExternalKeyArgs args)
public ExternalKey(String name, ExternalKeyArgs args, CustomResourceOptions options)
type: aws:kms:ExternalKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ExternalKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ExternalKeyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ExternalKeyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ExternalKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ExternalKeyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ExternalKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ExternalKey resource accepts the following input properties:

BypassPolicyLockoutSafetyCheck bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

DeletionWindowInDays int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

Description string

Description of the key.

Enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

KeyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

MultiRegion bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

Policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

Tags Dictionary<string, string>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

ValidTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

BypassPolicyLockoutSafetyCheck bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

DeletionWindowInDays int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

Description string

Description of the key.

Enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

KeyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

MultiRegion bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

Policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

Tags map[string]string

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

ValidTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

bypassPolicyLockoutSafetyCheck Boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays Integer

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description String

Description of the key.

enabled Boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

keyMaterialBase64 String

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

multiRegion Boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy String

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Map<String,String>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

validTo String

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

bypassPolicyLockoutSafetyCheck boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays number

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description string

Description of the key.

enabled boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

keyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

multiRegion boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags {[key: string]: string}

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

validTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

bypass_policy_lockout_safety_check bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletion_window_in_days int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description str

Description of the key.

enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

key_material_base64 str

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

multi_region bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy str

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Mapping[str, str]

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

valid_to str

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

bypassPolicyLockoutSafetyCheck Boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays Number

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description String

Description of the key.

enabled Boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

keyMaterialBase64 String

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

multiRegion Boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy String

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Map<String>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

validTo String

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

Outputs

All input properties are implicitly available as output properties. Additionally, the ExternalKey resource produces the following output properties:

Arn string

The Amazon Resource Name (ARN) of the key.

ExpirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

Id string

The provider-assigned unique ID for this managed resource.

KeyState string

The state of the CMK.

KeyUsage string

The cryptographic operations for which you can use the CMK.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Arn string

The Amazon Resource Name (ARN) of the key.

ExpirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

Id string

The provider-assigned unique ID for this managed resource.

KeyState string

The state of the CMK.

KeyUsage string

The cryptographic operations for which you can use the CMK.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn String

The Amazon Resource Name (ARN) of the key.

expirationModel String

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

id String

The provider-assigned unique ID for this managed resource.

keyState String

The state of the CMK.

keyUsage String

The cryptographic operations for which you can use the CMK.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn string

The Amazon Resource Name (ARN) of the key.

expirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

id string

The provider-assigned unique ID for this managed resource.

keyState string

The state of the CMK.

keyUsage string

The cryptographic operations for which you can use the CMK.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn str

The Amazon Resource Name (ARN) of the key.

expiration_model str

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

id str

The provider-assigned unique ID for this managed resource.

key_state str

The state of the CMK.

key_usage str

The cryptographic operations for which you can use the CMK.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn String

The Amazon Resource Name (ARN) of the key.

expirationModel String

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

id String

The provider-assigned unique ID for this managed resource.

keyState String

The state of the CMK.

keyUsage String

The cryptographic operations for which you can use the CMK.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Look up an Existing ExternalKey Resource

Get an existing ExternalKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ExternalKeyState, opts?: CustomResourceOptions): ExternalKey
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        bypass_policy_lockout_safety_check: Optional[bool] = None,
        deletion_window_in_days: Optional[int] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        expiration_model: Optional[str] = None,
        key_material_base64: Optional[str] = None,
        key_state: Optional[str] = None,
        key_usage: Optional[str] = None,
        multi_region: Optional[bool] = None,
        policy: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        valid_to: Optional[str] = None) -> ExternalKey
func GetExternalKey(ctx *Context, name string, id IDInput, state *ExternalKeyState, opts ...ResourceOption) (*ExternalKey, error)
public static ExternalKey Get(string name, Input<string> id, ExternalKeyState? state, CustomResourceOptions? opts = null)
public static ExternalKey get(String name, Output<String> id, ExternalKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Arn string

The Amazon Resource Name (ARN) of the key.

BypassPolicyLockoutSafetyCheck bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

DeletionWindowInDays int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

Description string

Description of the key.

Enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

ExpirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

KeyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

KeyState string

The state of the CMK.

KeyUsage string

The cryptographic operations for which you can use the CMK.

MultiRegion bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

Policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

Tags Dictionary<string, string>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

ValidTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

Arn string

The Amazon Resource Name (ARN) of the key.

BypassPolicyLockoutSafetyCheck bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

DeletionWindowInDays int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

Description string

Description of the key.

Enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

ExpirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

KeyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

KeyState string

The state of the CMK.

KeyUsage string

The cryptographic operations for which you can use the CMK.

MultiRegion bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

Policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

Tags map[string]string

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

ValidTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

arn String

The Amazon Resource Name (ARN) of the key.

bypassPolicyLockoutSafetyCheck Boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays Integer

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description String

Description of the key.

enabled Boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expirationModel String

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

keyMaterialBase64 String

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

keyState String

The state of the CMK.

keyUsage String

The cryptographic operations for which you can use the CMK.

multiRegion Boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy String

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Map<String,String>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

validTo String

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

arn string

The Amazon Resource Name (ARN) of the key.

bypassPolicyLockoutSafetyCheck boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays number

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description string

Description of the key.

enabled boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expirationModel string

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

keyMaterialBase64 string

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

keyState string

The state of the CMK.

keyUsage string

The cryptographic operations for which you can use the CMK.

multiRegion boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy string

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags {[key: string]: string}

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

validTo string

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

arn str

The Amazon Resource Name (ARN) of the key.

bypass_policy_lockout_safety_check bool

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletion_window_in_days int

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description str

Description of the key.

enabled bool

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expiration_model str

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

key_material_base64 str

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

key_state str

The state of the CMK.

key_usage str

The cryptographic operations for which you can use the CMK.

multi_region bool

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy str

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Mapping[str, str]

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

valid_to str

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

arn String

The Amazon Resource Name (ARN) of the key.

bypassPolicyLockoutSafetyCheck Boolean

Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.

deletionWindowInDays Number

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

description String

Description of the key.

enabled Boolean

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

expirationModel String

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

keyMaterialBase64 String

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

keyState String

The state of the CMK.

keyUsage String

The cryptographic operations for which you can use the CMK.

multiRegion Boolean

Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.

policy String

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

tags Map<String>

A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

validTo String

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

Import

KMS External Keys can be imported using the id, e.g.,

 $ pulumi import aws:kms/externalKey:ExternalKey a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes

This Pulumi package is based on the aws Terraform Provider.