1. Packages
  2. AWS
  3. API Docs
  4. kms
  5. ExternalKey
AWS v6.54.2 published on Wednesday, Oct 2, 2024 by Pulumi

aws.kms.ExternalKey

Explore with Pulumi AI

aws logo
AWS v6.54.2 published on Wednesday, Oct 2, 2024 by Pulumi

    Manages a single-Region or multi-Region primary KMS key that uses external key material. To instead manage a single-Region or multi-Region primary KMS key where AWS automatically generates and potentially rotates key material, see the aws.kms.Key resource.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.kms.ExternalKey("example", {description: "KMS EXTERNAL for AMI encryption"});
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.kms.ExternalKey("example", description="KMS EXTERNAL for AMI encryption")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := kms.NewExternalKey(ctx, "example", &kms.ExternalKeyArgs{
    			Description: pulumi.String("KMS EXTERNAL for AMI encryption"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Kms.ExternalKey("example", new()
        {
            Description = "KMS EXTERNAL for AMI encryption",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.kms.ExternalKey;
    import com.pulumi.aws.kms.ExternalKeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ExternalKey("example", ExternalKeyArgs.builder()
                .description("KMS EXTERNAL for AMI encryption")
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:kms:ExternalKey
        properties:
          description: KMS EXTERNAL for AMI encryption
    

    Create ExternalKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ExternalKey(name: string, args?: ExternalKeyArgs, opts?: CustomResourceOptions);
    @overload
    def ExternalKey(resource_name: str,
                    args: Optional[ExternalKeyArgs] = None,
                    opts: Optional[ResourceOptions] = None)
    
    @overload
    def ExternalKey(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    bypass_policy_lockout_safety_check: Optional[bool] = None,
                    deletion_window_in_days: Optional[int] = None,
                    description: Optional[str] = None,
                    enabled: Optional[bool] = None,
                    key_material_base64: Optional[str] = None,
                    multi_region: Optional[bool] = None,
                    policy: Optional[str] = None,
                    tags: Optional[Mapping[str, str]] = None,
                    valid_to: Optional[str] = None)
    func NewExternalKey(ctx *Context, name string, args *ExternalKeyArgs, opts ...ResourceOption) (*ExternalKey, error)
    public ExternalKey(string name, ExternalKeyArgs? args = null, CustomResourceOptions? opts = null)
    public ExternalKey(String name, ExternalKeyArgs args)
    public ExternalKey(String name, ExternalKeyArgs args, CustomResourceOptions options)
    
    type: aws:kms:ExternalKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args ExternalKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ExternalKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ExternalKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ExternalKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ExternalKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var externalKeyResource = new Aws.Kms.ExternalKey("externalKeyResource", new()
    {
        BypassPolicyLockoutSafetyCheck = false,
        DeletionWindowInDays = 0,
        Description = "string",
        Enabled = false,
        KeyMaterialBase64 = "string",
        MultiRegion = false,
        Policy = "string",
        Tags = 
        {
            { "string", "string" },
        },
        ValidTo = "string",
    });
    
    example, err := kms.NewExternalKey(ctx, "externalKeyResource", &kms.ExternalKeyArgs{
    	BypassPolicyLockoutSafetyCheck: pulumi.Bool(false),
    	DeletionWindowInDays:           pulumi.Int(0),
    	Description:                    pulumi.String("string"),
    	Enabled:                        pulumi.Bool(false),
    	KeyMaterialBase64:              pulumi.String("string"),
    	MultiRegion:                    pulumi.Bool(false),
    	Policy:                         pulumi.String("string"),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	ValidTo: pulumi.String("string"),
    })
    
    var externalKeyResource = new ExternalKey("externalKeyResource", ExternalKeyArgs.builder()
        .bypassPolicyLockoutSafetyCheck(false)
        .deletionWindowInDays(0)
        .description("string")
        .enabled(false)
        .keyMaterialBase64("string")
        .multiRegion(false)
        .policy("string")
        .tags(Map.of("string", "string"))
        .validTo("string")
        .build());
    
    external_key_resource = aws.kms.ExternalKey("externalKeyResource",
        bypass_policy_lockout_safety_check=False,
        deletion_window_in_days=0,
        description="string",
        enabled=False,
        key_material_base64="string",
        multi_region=False,
        policy="string",
        tags={
            "string": "string",
        },
        valid_to="string")
    
    const externalKeyResource = new aws.kms.ExternalKey("externalKeyResource", {
        bypassPolicyLockoutSafetyCheck: false,
        deletionWindowInDays: 0,
        description: "string",
        enabled: false,
        keyMaterialBase64: "string",
        multiRegion: false,
        policy: "string",
        tags: {
            string: "string",
        },
        validTo: "string",
    });
    
    type: aws:kms:ExternalKey
    properties:
        bypassPolicyLockoutSafetyCheck: false
        deletionWindowInDays: 0
        description: string
        enabled: false
        keyMaterialBase64: string
        multiRegion: false
        policy: string
        tags:
            string: string
        validTo: string
    

    ExternalKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ExternalKey resource accepts the following input properties:

    BypassPolicyLockoutSafetyCheck bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    DeletionWindowInDays int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    Description string
    Description of the key.
    Enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    KeyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    Tags Dictionary<string, string>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    ValidTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    BypassPolicyLockoutSafetyCheck bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    DeletionWindowInDays int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    Description string
    Description of the key.
    Enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    KeyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    Tags map[string]string
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    ValidTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    bypassPolicyLockoutSafetyCheck Boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays Integer
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description String
    Description of the key.
    enabled Boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    keyMaterialBase64 String
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Map<String,String>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    validTo String
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    bypassPolicyLockoutSafetyCheck boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays number
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description string
    Description of the key.
    enabled boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    keyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags {[key: string]: string}
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    validTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    bypass_policy_lockout_safety_check bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletion_window_in_days int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description str
    Description of the key.
    enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    key_material_base64 str
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Mapping[str, str]
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    valid_to str
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    bypassPolicyLockoutSafetyCheck Boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays Number
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description String
    Description of the key.
    enabled Boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    keyMaterialBase64 String
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Map<String>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    validTo String
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ExternalKey resource produces the following output properties:

    Arn string
    The Amazon Resource Name (ARN) of the key.
    ExpirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyState string
    The state of the CMK.
    KeyUsage string
    The cryptographic operations for which you can use the CMK.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Arn string
    The Amazon Resource Name (ARN) of the key.
    ExpirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyState string
    The state of the CMK.
    KeyUsage string
    The cryptographic operations for which you can use the CMK.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    expirationModel String
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    id String
    The provider-assigned unique ID for this managed resource.
    keyState String
    The state of the CMK.
    keyUsage String
    The cryptographic operations for which you can use the CMK.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn string
    The Amazon Resource Name (ARN) of the key.
    expirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    id string
    The provider-assigned unique ID for this managed resource.
    keyState string
    The state of the CMK.
    keyUsage string
    The cryptographic operations for which you can use the CMK.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn str
    The Amazon Resource Name (ARN) of the key.
    expiration_model str
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    id str
    The provider-assigned unique ID for this managed resource.
    key_state str
    The state of the CMK.
    key_usage str
    The cryptographic operations for which you can use the CMK.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    expirationModel String
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    id String
    The provider-assigned unique ID for this managed resource.
    keyState String
    The state of the CMK.
    keyUsage String
    The cryptographic operations for which you can use the CMK.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Look up Existing ExternalKey Resource

    Get an existing ExternalKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ExternalKeyState, opts?: CustomResourceOptions): ExternalKey
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            bypass_policy_lockout_safety_check: Optional[bool] = None,
            deletion_window_in_days: Optional[int] = None,
            description: Optional[str] = None,
            enabled: Optional[bool] = None,
            expiration_model: Optional[str] = None,
            key_material_base64: Optional[str] = None,
            key_state: Optional[str] = None,
            key_usage: Optional[str] = None,
            multi_region: Optional[bool] = None,
            policy: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            valid_to: Optional[str] = None) -> ExternalKey
    func GetExternalKey(ctx *Context, name string, id IDInput, state *ExternalKeyState, opts ...ResourceOption) (*ExternalKey, error)
    public static ExternalKey Get(string name, Input<string> id, ExternalKeyState? state, CustomResourceOptions? opts = null)
    public static ExternalKey get(String name, Output<String> id, ExternalKeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    DeletionWindowInDays int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    Description string
    Description of the key.
    Enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    ExpirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    KeyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    KeyState string
    The state of the CMK.
    KeyUsage string
    The cryptographic operations for which you can use the CMK.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    Tags Dictionary<string, string>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    ValidTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    DeletionWindowInDays int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    Description string
    Description of the key.
    Enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    ExpirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    KeyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    KeyState string
    The state of the CMK.
    KeyUsage string
    The cryptographic operations for which you can use the CMK.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    Tags map[string]string
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    ValidTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays Integer
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description String
    Description of the key.
    enabled Boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    expirationModel String
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    keyMaterialBase64 String
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    keyState String
    The state of the CMK.
    keyUsage String
    The cryptographic operations for which you can use the CMK.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Map<String,String>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    validTo String
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    arn string
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays number
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description string
    Description of the key.
    enabled boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    expirationModel string
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    keyMaterialBase64 string
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    keyState string
    The state of the CMK.
    keyUsage string
    The cryptographic operations for which you can use the CMK.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags {[key: string]: string}
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    validTo string
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    arn str
    The Amazon Resource Name (ARN) of the key.
    bypass_policy_lockout_safety_check bool
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletion_window_in_days int
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description str
    Description of the key.
    enabled bool
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    expiration_model str
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    key_material_base64 str
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    key_state str
    The state of the CMK.
    key_usage str
    The cryptographic operations for which you can use the CMK.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Mapping[str, str]
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    valid_to str
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
    deletionWindowInDays Number
    Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
    description String
    Description of the key.
    enabled Boolean
    Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
    expirationModel String
    Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
    keyMaterialBase64 String
    Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.
    keyState String
    The state of the CMK.
    keyUsage String
    The cryptographic operations for which you can use the CMK.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String
    A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
    tags Map<String>
    A key-value map of tags to assign to the key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    validTo String
    Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

    Import

    Using pulumi import, import KMS External Keys using the id. For example:

    $ pulumi import aws:kms/externalKey:ExternalKey a arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.54.2 published on Wednesday, Oct 2, 2024 by Pulumi