Docs
PackagesTry AWS Native preview for resources not in the classic version.
aws.kms.getKey
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Use this data source to get detailed information about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var byAlias = Aws.Kms.GetKey.Invoke(new()
{
KeyId = "alias/my-key",
});
var byId = Aws.Kms.GetKey.Invoke(new()
{
KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab",
});
var byAliasArn = Aws.Kms.GetKey.Invoke(new()
{
KeyId = "arn:aws:kms:us-east-1:111122223333:alias/my-key",
});
var byKeyArn = Aws.Kms.GetKey.Invoke(new()
{
KeyId = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.LookupKey(ctx, &kms.LookupKeyArgs{
KeyId: "alias/my-key",
}, nil)
if err != nil {
return err
}
_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
KeyId: "1234abcd-12ab-34cd-56ef-1234567890ab",
}, nil)
if err != nil {
return err
}
_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
KeyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key",
}, nil)
if err != nil {
return err
}
_, err = kms.LookupKey(ctx, &kms.LookupKeyArgs{
KeyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}, nil)
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.KmsFunctions;
import com.pulumi.aws.kms.inputs.GetKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var byAlias = KmsFunctions.getKey(GetKeyArgs.builder()
.keyId("alias/my-key")
.build());
final var byId = KmsFunctions.getKey(GetKeyArgs.builder()
.keyId("1234abcd-12ab-34cd-56ef-1234567890ab")
.build());
final var byAliasArn = KmsFunctions.getKey(GetKeyArgs.builder()
.keyId("arn:aws:kms:us-east-1:111122223333:alias/my-key")
.build());
final var byKeyArn = KmsFunctions.getKey(GetKeyArgs.builder()
.keyId("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
.build());
}
}
import pulumi
import pulumi_aws as aws
by_alias = aws.kms.get_key(key_id="alias/my-key")
by_id = aws.kms.get_key(key_id="1234abcd-12ab-34cd-56ef-1234567890ab")
by_alias_arn = aws.kms.get_key(key_id="arn:aws:kms:us-east-1:111122223333:alias/my-key")
by_key_arn = aws.kms.get_key(key_id="arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const byAlias = aws.kms.getKey({
keyId: "alias/my-key",
});
const byId = aws.kms.getKey({
keyId: "1234abcd-12ab-34cd-56ef-1234567890ab",
});
const byAliasArn = aws.kms.getKey({
keyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key",
});
const byKeyArn = aws.kms.getKey({
keyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
});
variables:
byAlias:
fn::invoke:
Function: aws:kms:getKey
Arguments:
keyId: alias/my-key
byId:
fn::invoke:
Function: aws:kms:getKey
Arguments:
keyId: 1234abcd-12ab-34cd-56ef-1234567890ab
byAliasArn:
fn::invoke:
Function: aws:kms:getKey
Arguments:
keyId: arn:aws:kms:us-east-1:111122223333:alias/my-key
byKeyArn:
fn::invoke:
Function: aws:kms:getKey
Arguments:
keyId: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Using getKey
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getKey(args: GetKeyArgs, opts?: InvokeOptions): Promise<GetKeyResult>
function getKeyOutput(args: GetKeyOutputArgs, opts?: InvokeOptions): Output<GetKeyResult>def get_key(grant_tokens: Optional[Sequence[str]] = None,
key_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetKeyResult
def get_key_output(grant_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
key_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetKeyResult]func LookupKey(ctx *Context, args *LookupKeyArgs, opts ...InvokeOption) (*LookupKeyResult, error)
func LookupKeyOutput(ctx *Context, args *LookupKeyOutputArgs, opts ...InvokeOption) LookupKeyResultOutput> Note: This function is named LookupKey in the Go SDK.
public static class GetKey
{
public static Task<GetKeyResult> InvokeAsync(GetKeyArgs args, InvokeOptions? opts = null)
public static Output<GetKeyResult> Invoke(GetKeyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetKeyResult> getKey(GetKeyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: aws:kms/getKey:getKey
arguments:
# arguments dictionaryThe following arguments are supported:
- Key
Id string Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- Grant
Tokens List<string> List of grant tokens
- Key
Id string Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- Grant
Tokens []string List of grant tokens
- key
Id String Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- grant
Tokens List<String> List of grant tokens
- key
Id string Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- grant
Tokens string[] List of grant tokens
- key_
id str Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- grant_
tokens Sequence[str] List of grant tokens
- key
Id String Key identifier which can be one of the following format:
- Key ID. E.g:
1234abcd-12ab-34cd-56ef-1234567890ab - Key ARN. E.g.:
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab - Alias name. E.g.:
alias/my-key - Alias ARN: E.g.:
arn:aws:kms:us-east-1:111122223333:alias/my-key
- Key ID. E.g:
- grant
Tokens List<String> List of grant tokens
getKey Result
The following output properties are available:
- Arn string
The key ARN of a primary or replica key of a multi-Region key.
- Aws
Account stringId The twelve-digit account ID of the AWS account that owns the key
- Cloud
Hsm stringCluster Id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- Creation
Date string The date and time when the key was created
- Custom
Key stringStore Id A unique identifier for the custom key store that contains the KMS key.
- Customer
Master stringKey Spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- Deletion
Date string The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- Description string
The description of the key.
- Enabled bool
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- Expiration
Model string Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- Id string
The provider-assigned unique ID for this managed resource.
- Key
Id string - Key
Manager string The key's manager
- Key
Spec string Describes the type of key material in the KMS key.
- Key
State string The state of the key
- Key
Usage string Specifies the intended use of the key
- Multi
Region bool Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- Multi
Region List<GetConfigurations Key Multi Region Configuration> Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- Origin string
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- Pending
Deletion intWindow In Days The waiting period before the primary key in a multi-Region key is deleted.
- Valid
To string The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- Xks
Key List<GetConfigurations Key Xks Key Configuration> Information about the external key that is associated with a KMS key in an external key store.
- Grant
Tokens List<string>
- Arn string
The key ARN of a primary or replica key of a multi-Region key.
- Aws
Account stringId The twelve-digit account ID of the AWS account that owns the key
- Cloud
Hsm stringCluster Id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- Creation
Date string The date and time when the key was created
- Custom
Key stringStore Id A unique identifier for the custom key store that contains the KMS key.
- Customer
Master stringKey Spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- Deletion
Date string The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- Description string
The description of the key.
- Enabled bool
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- Expiration
Model string Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- Id string
The provider-assigned unique ID for this managed resource.
- Key
Id string - Key
Manager string The key's manager
- Key
Spec string Describes the type of key material in the KMS key.
- Key
State string The state of the key
- Key
Usage string Specifies the intended use of the key
- Multi
Region bool Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- Multi
Region []GetConfigurations Key Multi Region Configuration Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- Origin string
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- Pending
Deletion intWindow In Days The waiting period before the primary key in a multi-Region key is deleted.
- Valid
To string The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- Xks
Key []GetConfigurations Key Xks Key Configuration Information about the external key that is associated with a KMS key in an external key store.
- Grant
Tokens []string
- arn String
The key ARN of a primary or replica key of a multi-Region key.
- aws
Account StringId The twelve-digit account ID of the AWS account that owns the key
- cloud
Hsm StringCluster Id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- creation
Date String The date and time when the key was created
- custom
Key StringStore Id A unique identifier for the custom key store that contains the KMS key.
- customer
Master StringKey Spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- deletion
Date String The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- description String
The description of the key.
- enabled Boolean
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- expiration
Model String Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- id String
The provider-assigned unique ID for this managed resource.
- key
Id String - key
Manager String The key's manager
- key
Spec String Describes the type of key material in the KMS key.
- key
State String The state of the key
- key
Usage String Specifies the intended use of the key
- multi
Region Boolean Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- multi
Region List<GetConfigurations Key Multi Region Configuration> Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- origin String
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- pending
Deletion IntegerWindow In Days The waiting period before the primary key in a multi-Region key is deleted.
- valid
To String The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- xks
Key List<GetConfigurations Key Xks Key Configuration> Information about the external key that is associated with a KMS key in an external key store.
- grant
Tokens List<String>
- arn string
The key ARN of a primary or replica key of a multi-Region key.
- aws
Account stringId The twelve-digit account ID of the AWS account that owns the key
- cloud
Hsm stringCluster Id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- creation
Date string The date and time when the key was created
- custom
Key stringStore Id A unique identifier for the custom key store that contains the KMS key.
- customer
Master stringKey Spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- deletion
Date string The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- description string
The description of the key.
- enabled boolean
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- expiration
Model string Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- id string
The provider-assigned unique ID for this managed resource.
- key
Id string - key
Manager string The key's manager
- key
Spec string Describes the type of key material in the KMS key.
- key
State string The state of the key
- key
Usage string Specifies the intended use of the key
- multi
Region boolean Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- multi
Region GetConfigurations Key Multi Region Configuration[] Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- origin string
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- pending
Deletion numberWindow In Days The waiting period before the primary key in a multi-Region key is deleted.
- valid
To string The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- xks
Key GetConfigurations Key Xks Key Configuration[] Information about the external key that is associated with a KMS key in an external key store.
- grant
Tokens string[]
- arn str
The key ARN of a primary or replica key of a multi-Region key.
- aws_
account_ strid The twelve-digit account ID of the AWS account that owns the key
- cloud_
hsm_ strcluster_ id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- creation_
date str The date and time when the key was created
- custom_
key_ strstore_ id A unique identifier for the custom key store that contains the KMS key.
- customer_
master_ strkey_ spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- deletion_
date str The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- description str
The description of the key.
- enabled bool
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- expiration_
model str Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- id str
The provider-assigned unique ID for this managed resource.
- key_
id str - key_
manager str The key's manager
- key_
spec str Describes the type of key material in the KMS key.
- key_
state str The state of the key
- key_
usage str Specifies the intended use of the key
- multi_
region bool Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- multi_
region_ Sequence[Getconfigurations Key Multi Region Configuration] Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- origin str
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- pending_
deletion_ intwindow_ in_ days The waiting period before the primary key in a multi-Region key is deleted.
- valid_
to str The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- xks_
key_ Sequence[Getconfigurations Key Xks Key Configuration] Information about the external key that is associated with a KMS key in an external key store.
- grant_
tokens Sequence[str]
- arn String
The key ARN of a primary or replica key of a multi-Region key.
- aws
Account StringId The twelve-digit account ID of the AWS account that owns the key
- cloud
Hsm StringCluster Id The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
- creation
Date String The date and time when the key was created
- custom
Key StringStore Id A unique identifier for the custom key store that contains the KMS key.
- customer
Master StringKey Spec Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports
- deletion
Date String The date and time after which AWS KMS deletes the key. This value is present only when
key_stateisPendingDeletion, otherwise this value is 0- description String
The description of the key.
- enabled Boolean
Specifies whether the key is enabled. When
key_stateisEnabledthis value is true, otherwise it is false- expiration
Model String Specifies whether the Key's key material expires. This value is present only when
originisEXTERNAL, otherwise this value is empty- id String
The provider-assigned unique ID for this managed resource.
- key
Id String - key
Manager String The key's manager
- key
Spec String Describes the type of key material in the KMS key.
- key
State String The state of the key
- key
Usage String Specifies the intended use of the key
- multi
Region Boolean Indicates whether the KMS key is a multi-Region (
true) or regional (false) key.- multi
Region List<Property Map>Configurations Lists the primary and replica keys in same multi-Region key. Present only when the value of
multi_regionistrue.- origin String
When this value is
AWS_KMS, AWS KMS created the key material. When this value isEXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material- pending
Deletion NumberWindow In Days The waiting period before the primary key in a multi-Region key is deleted.
- valid
To String The time at which the imported key material expires. This value is present only when
originisEXTERNALand whoseexpiration_modelisKEY_MATERIAL_EXPIRES, otherwise this value is 0- xks
Key List<Property Map>Configurations Information about the external key that is associated with a KMS key in an external key store.
- grant
Tokens List<String>
Supporting Types
GetKeyMultiRegionConfiguration
- Multi
Region stringKey Type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- Primary
Keys List<GetKey Multi Region Configuration Primary Key> The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- Replica
Keys List<GetKey Multi Region Configuration Replica Key> The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
- Multi
Region stringKey Type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- Primary
Keys []GetKey Multi Region Configuration Primary Key The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- Replica
Keys []GetKey Multi Region Configuration Replica Key The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
- multi
Region StringKey Type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- primary
Keys List<GetKey Multi Region Configuration Primary Key> The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- replica
Keys List<GetKey Multi Region Configuration Replica Key> The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
- multi
Region stringKey Type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- primary
Keys GetKey Multi Region Configuration Primary Key[] The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- replica
Keys GetKey Multi Region Configuration Replica Key[] The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
- multi_
region_ strkey_ type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- primary_
keys Sequence[GetKey Multi Region Configuration Primary Key] The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- replica_
keys Sequence[GetKey Multi Region Configuration Replica Key] The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
- multi
Region StringKey Type Indicates whether the KMS key is a
PRIMARYorREPLICAkey.- primary
Keys List<Property Map> The key ARN and Region of the primary key. This is the current KMS key if it is the primary key.
- replica
Keys List<Property Map> The key ARNs and Regions of all replica keys. Includes the current KMS key if it is a replica key.
GetKeyMultiRegionConfigurationPrimaryKey
GetKeyMultiRegionConfigurationReplicaKey
GetKeyXksKeyConfiguration
- Id string
The globally unique identifier for the key
- Id string
The globally unique identifier for the key
- id String
The globally unique identifier for the key
- id string
The globally unique identifier for the key
- id str
The globally unique identifier for the key
- id String
The globally unique identifier for the key
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
awsTerraform Provider.
Try AWS Native preview for resources not in the classic version.