ibm.KmsKey
Example Usage
To Provision Key Protect Service And Key Management
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Key Protect service instance that will own the key.
const keyProtect = new ibm.ResourceInstance("kmsInstance", {
    location: "us-south",
    plan: "tiered-pricing",
    service: "kms",
});

// standardKey: false requests a root key rather than a standard key.
// forceDelete: true force-deletes the key on destroy; data still wrapped by a
// deleted root key can no longer be unwrapped, so review this flag before
// reusing the example outside a throwaway stack.
const rootKey = new ibm.KmsKey("test", {
    instanceId: keyProtect.guid,
    keyName: "key-name",
    standardKey: false,
    forceDelete: true,
});
import pulumi
import pulumi_ibm as ibm
# Key Protect service instance that will own the key.
key_protect = ibm.ResourceInstance(
    "kmsInstance",
    location="us-south",
    plan="tiered-pricing",
    service="kms",
)

# standard_key=False requests a root key rather than a standard key.
# force_delete=True force-deletes the key on destroy; data still wrapped by a
# deleted root key can no longer be unwrapped, so review this flag before
# reusing the example outside a throwaway stack.
root_key = ibm.KmsKey(
    "test",
    instance_id=key_protect.guid,
    key_name="key-name",
    standard_key=False,
    force_delete=True,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a Key Protect instance and a root key inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instanceArgs := &ibm.ResourceInstanceArgs{
			Service:  pulumi.String("kms"),
			Plan:     pulumi.String("tiered-pricing"),
			Location: pulumi.String("us-south"),
		}
		instance, err := ibm.NewResourceInstance(ctx, "kmsInstance", instanceArgs)
		if err != nil {
			return err
		}

		// StandardKey false requests a root key. ForceDelete true force-deletes
		// the key on destroy; data still wrapped by a deleted root key can no
		// longer be unwrapped, so review this flag before reuse.
		keyArgs := &ibm.KmsKeyArgs{
			InstanceId:  instance.Guid,
			KeyName:     pulumi.String("key-name"),
			StandardKey: pulumi.Bool(false),
			ForceDelete: pulumi.Bool(true),
		}
		if _, err := ibm.NewKmsKey(ctx, "test", keyArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Key Protect service instance that will own the key.
    var keyProtect = new Ibm.ResourceInstance("kmsInstance", new()
    {
        Location = "us-south",
        Plan = "tiered-pricing",
        Service = "kms",
    });

    // StandardKey = false requests a root key rather than a standard key.
    // ForceDelete = true force-deletes the key on destroy; data still wrapped
    // by a deleted root key can no longer be unwrapped, so review this flag
    // before reusing the example outside a throwaway stack.
    var rootKey = new Ibm.KmsKey("test", new()
    {
        InstanceId = keyProtect.Guid,
        KeyName = "key-name",
        StandardKey = false,
        ForceDelete = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.KmsKey;
import com.pulumi.ibm.KmsKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Provisions a Key Protect instance and a root key inside it. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Key Protect service instance that will own the key.
        var keyProtect = new ResourceInstance("kmsInstance", ResourceInstanceArgs.builder()
            .location("us-south")
            .plan("tiered-pricing")
            .service("kms")
            .build());

        // standardKey(false) requests a root key rather than a standard key.
        // forceDelete(true) force-deletes the key on destroy; data still wrapped
        // by a deleted root key can no longer be unwrapped, so review this flag
        // before reusing the example outside a throwaway stack.
        var rootKey = new KmsKey("test", KmsKeyArgs.builder()
            .instanceId(keyProtect.guid())
            .keyName("key-name")
            .standardKey(false)
            .forceDelete(true)
            .build());
    }
}
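# Provisions a Key Protect instance and a root key inside it.
# Nesting restored: the flattened listing does not parse as a resource map.
resources:
  kmsInstance:
    type: ibm:ResourceInstance
    properties:
      service: kms
      plan: tiered-pricing
      location: us-south
  test:
    type: ibm:KmsKey
    properties:
      instanceId: ${kmsInstance.guid}
      keyName: key-name
      # false = root key, true = standard key.
      standardKey: false
      # Force-deletes the key on destroy; data still wrapped by a deleted
      # root key can no longer be unwrapped, so review before reuse.
      forceDelete: true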
~>Note: The key_protect attribute, used to associate a kms_key with a COS bucket, has been renamed to kms_key_crn, so new users should use kms_key_crn. The older attribute name key_protect remains supported for existing customers.
To Provision HPCS Service And Key Management
The steps below explain how to provision an HPCS service, initialize the service, and manage keys.
Step 1: Provision the service using ibm.ResourceInstance
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Hyper Protect Crypto Services (hs-crypto) instance. It must be initialized
// (Step 2) before keys can be managed in it.
const hpcsInstance = new ibm.ResourceInstance("hpcs", {
    service: "hs-crypto",
    plan: "standard",
    location: "us-south",
    parameters: {
        units: "2",
    },
});
import pulumi
import pulumi_ibm as ibm
# Hyper Protect Crypto Services (hs-crypto) instance. It must be initialized
# (Step 2) before keys can be managed in it.
hpcs_instance = ibm.ResourceInstance(
    "hpcs",
    service="hs-crypto",
    plan="standard",
    location="us-south",
    parameters={
        "units": "2",
    },
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a Hyper Protect Crypto Services (hs-crypto) instance. The
// instance must be initialized (Step 2) before keys can be managed in it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		hpcsArgs := &ibm.ResourceInstanceArgs{
			Service:  pulumi.String("hs-crypto"),
			Plan:     pulumi.String("standard"),
			Location: pulumi.String("us-south"),
			Parameters: pulumi.StringMap{
				"units": pulumi.String("2"),
			},
		}
		if _, err := ibm.NewResourceInstance(ctx, "hpcs", hpcsArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Hyper Protect Crypto Services (hs-crypto) instance. It must be
    // initialized (Step 2) before keys can be managed in it.
    var hpcsInstance = new Ibm.ResourceInstance("hpcs", new()
    {
        Service = "hs-crypto",
        Plan = "standard",
        Location = "us-south",
        Parameters =
        {
            { "units", "2" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
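/** Provisions a Hyper Protect Crypto Services (hs-crypto) instance. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The instance must be initialized (Step 2) before keys can be managed in it.
        // "units" is passed as the string "2": the parameters map is string-valued
        // (the Go listing uses pulumi.StringMap), so an integer value would not
        // type-check here.
        var hpcs = new ResourceInstance("hpcs", ResourceInstanceArgs.builder()
            .location("us-south")
            .parameters(Map.of("units", "2"))
            .plan("standard")
            .service("hs-crypto")
            .build());
    }
}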
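# Provisions a Hyper Protect Crypto Services (hs-crypto) instance.
# Nesting restored: the flattened listing does not parse as a resource map.
resources:
  hpcs:
    type: ibm:ResourceInstance
    properties:
      location: us-south
      parameters:
        # Quoted to match the string-valued parameters map used in the other
        # language listings.
        units: "2"
      plan: standard
      service: hs-crypto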
Step 2: Initialize your service instance manually
To manage your keys, you need to initialize your service instance first. Two options are provided for initializing a service instance. You can use the IBM Hyper Protect Crypto Services Management Utilities to initialize a service instance by using master key parts stored on smart cards. This provides the highest level of security. You can also use the IBM Cloud Trusted Key Entry (TKE) command-line interface (CLI) plug-in to initialize your service instance. For more details refer here
Step 3: Manage your keys using ibm.KmsKey
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Creates a root key (standardKey: false) in the HPCS instance.
// NOTE(review): `ibm_resource_instance` and `_var` are not declared in this
// snippet; they look like untranslated Terraform references. Presumably the
// `hpcs` instance from Step 1 and a configured key name are intended - confirm
// before use.
// forceDelete: true force-deletes the key on destroy; data still wrapped by a
// deleted root key can no longer be unwrapped.
const key = new ibm.KmsKey("key", {
    instanceId: ibm_resource_instance.hpcs.guid,
    keyName: _var.key_name,
    standardKey: false,
    forceDelete: true,
});
import pulumi
import pulumi_ibm as ibm
# Creates a root key (standard_key=False) in the HPCS instance.
# NOTE(review): `ibm_resource_instance` and `var` are not declared in this
# snippet; they look like untranslated Terraform references. Presumably the
# `hpcs` instance from Step 1 and a configured key name are intended - confirm
# before use.
# force_delete=True force-deletes the key on destroy; data still wrapped by a
# deleted root key can no longer be unwrapped.
key = ibm.KmsKey("key",
    instance_id=ibm_resource_instance["hpcs"]["guid"],
    key_name=var["key_name"],
    standard_key=False,
    force_delete=True)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a root key (StandardKey false) in the HPCS instance.
// NOTE(review): ibm_resource_instance and _var are not declared in this
// snippet; they look like untranslated Terraform references. Presumably the
// hpcs instance from Step 1 and a configured key name are intended - confirm
// before use.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ibm.NewKmsKey(ctx, "key", &ibm.KmsKeyArgs{
			InstanceId: pulumi.Any(ibm_resource_instance.Hpcs.Guid),
			KeyName: pulumi.Any(_var.Key_name),
			StandardKey: pulumi.Bool(false),
			// Force-deletes the key on destroy; data still wrapped by a
			// deleted root key can no longer be unwrapped.
			ForceDelete: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
// Creates a root key (StandardKey = false) in the HPCS instance.
// NOTE(review): ibm_resource_instance and @var are not declared in this
// snippet; they look like untranslated Terraform references. Presumably the
// hpcs instance from Step 1 and a configured key name are intended - confirm
// before use.
return await Deployment.RunAsync(() =>
{
    var key = new Ibm.KmsKey("key", new()
    {
        InstanceId = ibm_resource_instance.Hpcs.Guid,
        KeyName = @var.Key_name,
        StandardKey = false,
        // Force-deletes the key on destroy; data still wrapped by a deleted
        // root key can no longer be unwrapped.
        ForceDelete = true,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.KmsKey;
import com.pulumi.ibm.KmsKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Creates a root key (standardKey false) in the HPCS instance.
 * NOTE(review): ibm_resource_instance and var_ are not declared in this
 * snippet; they look like untranslated Terraform references. Presumably the
 * hpcs instance from Step 1 and a configured key name are intended - confirm
 * before use.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // forceDelete(true) force-deletes the key on destroy; data still wrapped
        // by a deleted root key can no longer be unwrapped.
        var key = new KmsKey("key", KmsKeyArgs.builder()
            .instanceId(ibm_resource_instance.hpcs().guid())
            .keyName(var_.key_name())
            .standardKey(false)
            .forceDelete(true)
            .build());
    }
}
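# Creates a root key in the HPCS instance.
# Nesting restored: the flattened listing does not parse as a resource map.
# NOTE(review): ibm_resource_instance.hpcs and var.key_name are not declared in
# this snippet; they look like untranslated Terraform references. Presumably the
# hpcs instance from Step 1 and a configured key name are intended - confirm
# before use.
resources:
  key:
    type: ibm:KmsKey
    properties:
      instanceId: ${ibm_resource_instance.hpcs.guid}
      keyName: ${var.key_name}
      # false = root key, true = standard key.
      standardKey: false
      # Force-deletes the key on destroy; data still wrapped by a deleted
      # root key can no longer be unwrapped.
      forceDelete: true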
To Provision KMS And Import A Key
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
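// Key Protect instance that receives the imported key.
const kpInstance = new ibm.ResourceInstance("kpInstance", {
    service: "kms",
    plan: "tiered-pricing",
    location: "us-south",
});

// The key material is read as a Pulumi secret instead of being written into the
// program, so it is not committed with the source and is encrypted in the
// stack's state. "keyPayload" is a constructed config key for this example; set
// it with `pulumi config set --secret keyPayload <base64-encoded 256-bit key>`.
const keyPayload = new pulumi.Config().requireSecret("keyPayload");

// Imports existing key material as a root key (standardKey: false).
const key = new ibm.KmsKey("key", {
    instanceId: kpInstance.guid,
    keyName: "key",
    standardKey: false,
    payload: keyPayload,
});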
import pulumi
import pulumi_ibm as ibm
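# Key Protect instance that receives the imported key.
kp_instance = ibm.ResourceInstance("kpInstance",
    service="kms",
    plan="tiered-pricing",
    location="us-south")

# The key material is read as a Pulumi secret instead of being written into the
# program, so it is not committed with the source and is encrypted in the
# stack's state. "keyPayload" is a constructed config key for this example; set
# it with `pulumi config set --secret keyPayload <base64-encoded 256-bit key>`.
key_payload = pulumi.Config().require_secret("keyPayload")

# Imports existing key material as a root key (standard_key=False).
key = ibm.KmsKey("key",
    instance_id=kp_instance.guid,
    key_name="key",
    standard_key=False,
    payload=key_payload)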
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a Key Protect instance and imports key material into it as a
// root key (StandardKey false).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		kpInstance, err := ibm.NewResourceInstance(ctx, "kpInstance", &ibm.ResourceInstanceArgs{
			Service: pulumi.String("kms"),
			Plan: pulumi.String("tiered-pricing"),
			Location: pulumi.String("us-south"),
		})
		if err != nil {
			return err
		}
		_, err = ibm.NewKmsKey(ctx, "key", &ibm.KmsKeyArgs{
			InstanceId: kpInstance.Guid,
			KeyName: pulumi.String("key"),
			StandardKey: pulumi.Bool(false),
			// NOTE(review): this literal is sample data (it base64-decodes to
			// the 16-byte text "imported.payload", not a 256-bit key). Real key
			// material should not be embedded in source, where it is committed
			// with the program; supply it as a Pulumi secret config value
			// instead.
			Payload: pulumi.String("aW1wb3J0ZWQucGF5bG9hZA=="),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
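return await Deployment.RunAsync(() =>
{
    // Key Protect instance that receives the imported key.
    var kpInstance = new Ibm.ResourceInstance("kpInstance", new()
    {
        Service = "kms",
        Plan = "tiered-pricing",
        Location = "us-south",
    });

    // The key material is read as a Pulumi secret instead of being written into
    // the program, so it is not committed with the source and is encrypted in
    // the stack's state. "keyPayload" is a constructed config key for this
    // example; set it with
    // `pulumi config set --secret keyPayload <base64-encoded 256-bit key>`.
    var keyPayload = new Config().RequireSecret("keyPayload");

    // Imports existing key material as a root key (StandardKey = false).
    var key = new Ibm.KmsKey("key", new()
    {
        InstanceId = kpInstance.Guid,
        KeyName = "key",
        StandardKey = false,
        Payload = keyPayload,
    });
});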
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.KmsKey;
import com.pulumi.ibm.KmsKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
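/** Provisions a Key Protect instance and imports key material into it as a root key. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Key Protect instance that receives the imported key.
        var kpInstance = new ResourceInstance("kpInstance", ResourceInstanceArgs.builder()
            .service("kms")
            .plan("tiered-pricing")
            .location("us-south")
            .build());

        // The key material is read as a Pulumi secret instead of being written
        // into the program, so it is not committed with the source and is
        // encrypted in the stack's state. "keyPayload" is a constructed config
        // key for this example; set it with
        // `pulumi config set --secret keyPayload <base64-encoded 256-bit key>`.
        var keyPayload = ctx.config().requireSecret("keyPayload");

        // standardKey(false) imports the material as a root key.
        var key = new KmsKey("key", KmsKeyArgs.builder()
            .instanceId(kpInstance.guid())
            .keyName("key")
            .standardKey(false)
            .payload(keyPayload)
            .build());
    }
}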
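# Provisions a Key Protect instance and imports key material into it as a root key.
# Nesting restored: the flattened listing does not parse as a resource map.
config:
  # The key material is supplied as a Pulumi secret instead of being written
  # into the program, so it is not committed with the source and is encrypted
  # in the stack's state. "keyPayload" is a constructed config key for this
  # example; set it with
  # `pulumi config set --secret keyPayload <base64-encoded 256-bit key>`.
  keyPayload:
    type: string
    secret: true
resources:
  kpInstance:
    type: ibm:ResourceInstance
    properties:
      service: kms
      plan: tiered-pricing
      location: us-south
  key:
    type: ibm:KmsKey
    properties:
      instanceId: ${kpInstance.guid}
      keyName: key
      # false = root key, true = standard key.
      standardKey: false
      payload: ${keyPayload}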
Between A Cloud Object Storage Bucket And A Key
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Key Protect instance that holds the bucket's root key.
const kms = new ibm.ResourceInstance("kmsInstance", {
    location: "us-south",
    plan: "tiered-pricing",
    service: "kms",
});

// Cloud Object Storage instance that owns the encrypted bucket.
const cos = new ibm.ResourceInstance("cosInstance", {
    location: "global",
    plan: "standard",
    service: "cloud-object-storage",
});

// Service-to-service authorization: this COS instance gets the Reader role on
// this KMS instance only. Both sides are pinned to instance GUIDs, which keeps
// the grant narrower than authorizing every instance of either service.
const cosToKmsPolicy = new ibm.IamAuthorizationPolicy("policyS2KmsCos", {
    sourceServiceName: "cloud-object-storage",
    sourceResourceInstanceId: cos.guid,
    targetServiceName: "kms",
    targetResourceInstanceId: kms.guid,
    roles: ["Reader"],
});

// Root key for the bucket, created after the authorization policy.
// forceDelete: true force-deletes the key on destroy; objects still encrypted
// under a deleted root key can no longer be read.
const bucketRootKey = new ibm.KmsKey("kmsRootKey1", {
    instanceId: kms.guid,
    keyName: "root_k1",
    standardKey: false,
    forceDelete: true,
}, {
    dependsOn: [cosToKmsPolicy],
});

// Bucket encrypted with the root key, referenced through kmsKeyCrn.
const bucket = new ibm.CosBucket("cosBk1", {
    bucketName: "cos-bk-1",
    resourceInstanceId: cos.resourceInstanceId,
    regionLocation: "us-south",
    storageClass: "smart",
    kmsKeyCrn: bucketRootKey.kmsKeyId,
});
import pulumi
import pulumi_ibm as ibm
# Key Protect instance that holds the bucket's root key.
kms = ibm.ResourceInstance(
    "kmsInstance",
    location="us-south",
    plan="tiered-pricing",
    service="kms",
)

# Cloud Object Storage instance that owns the encrypted bucket.
cos = ibm.ResourceInstance(
    "cosInstance",
    location="global",
    plan="standard",
    service="cloud-object-storage",
)

# Service-to-service authorization: this COS instance gets the Reader role on
# this KMS instance only. Both sides are pinned to instance GUIDs, which keeps
# the grant narrower than authorizing every instance of either service.
cos_to_kms_policy = ibm.IamAuthorizationPolicy(
    "policyS2KmsCos",
    source_service_name="cloud-object-storage",
    source_resource_instance_id=cos.guid,
    target_service_name="kms",
    target_resource_instance_id=kms.guid,
    roles=["Reader"],
)

# Root key for the bucket, created after the authorization policy.
# force_delete=True force-deletes the key on destroy; objects still encrypted
# under a deleted root key can no longer be read.
bucket_root_key = ibm.KmsKey(
    "kmsRootKey1",
    instance_id=kms.guid,
    key_name="root_k1",
    standard_key=False,
    force_delete=True,
    opts=pulumi.ResourceOptions(depends_on=[cos_to_kms_policy]),
)

# Bucket encrypted with the root key, referenced through kms_key_crn.
bucket = ibm.CosBucket(
    "cosBk1",
    bucket_name="cos-bk-1",
    resource_instance_id=cos.resource_instance_id,
    region_location="us-south",
    storage_class="smart",
    kms_key_crn=bucket_root_key.kms_key_id,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a Key Protect instance, a COS instance, the authorization
// policy between them, a root key and a bucket encrypted with that key.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		kms, err := ibm.NewResourceInstance(ctx, "kmsInstance", &ibm.ResourceInstanceArgs{
			Location: pulumi.String("us-south"),
			Plan:     pulumi.String("tiered-pricing"),
			Service:  pulumi.String("kms"),
		})
		if err != nil {
			return err
		}

		cos, err := ibm.NewResourceInstance(ctx, "cosInstance", &ibm.ResourceInstanceArgs{
			Location: pulumi.String("global"),
			Plan:     pulumi.String("standard"),
			Service:  pulumi.String("cloud-object-storage"),
		})
		if err != nil {
			return err
		}

		// Service-to-service authorization: this COS instance gets the Reader
		// role on this KMS instance only. Both sides are pinned to instance
		// GUIDs, which keeps the grant narrower than authorizing every
		// instance of either service.
		policy, err := ibm.NewIamAuthorizationPolicy(ctx, "policyS2KmsCos", &ibm.IamAuthorizationPolicyArgs{
			SourceServiceName:        pulumi.String("cloud-object-storage"),
			SourceResourceInstanceId: cos.Guid,
			TargetServiceName:        pulumi.String("kms"),
			TargetResourceInstanceId: kms.Guid,
			Roles: pulumi.StringArray{
				pulumi.String("Reader"),
			},
		})
		if err != nil {
			return err
		}

		// Root key for the bucket, created after the authorization policy.
		// ForceDelete true force-deletes the key on destroy; objects still
		// encrypted under a deleted root key can no longer be read.
		rootKey, err := ibm.NewKmsKey(ctx, "kmsRootKey1", &ibm.KmsKeyArgs{
			InstanceId:  kms.Guid,
			KeyName:     pulumi.String("root_k1"),
			StandardKey: pulumi.Bool(false),
			ForceDelete: pulumi.Bool(true),
		}, pulumi.DependsOn([]pulumi.Resource{
			policy,
		}))
		if err != nil {
			return err
		}

		// Bucket encrypted with the root key, referenced through KmsKeyCrn.
		bucketArgs := &ibm.CosBucketArgs{
			BucketName:         pulumi.String("cos-bk-1"),
			ResourceInstanceId: cos.ResourceInstanceId,
			RegionLocation:     pulumi.String("us-south"),
			StorageClass:       pulumi.String("smart"),
			KmsKeyCrn:          rootKey.KmsKeyId,
		}
		if _, err := ibm.NewCosBucket(ctx, "cosBk1", bucketArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Key Protect instance that holds the bucket's root key.
    var kms = new Ibm.ResourceInstance("kmsInstance", new()
    {
        Location = "us-south",
        Plan = "tiered-pricing",
        Service = "kms",
    });

    // Cloud Object Storage instance that owns the encrypted bucket.
    var cos = new Ibm.ResourceInstance("cosInstance", new()
    {
        Location = "global",
        Plan = "standard",
        Service = "cloud-object-storage",
    });

    // Service-to-service authorization: this COS instance gets the Reader role
    // on this KMS instance only. Both sides are pinned to instance GUIDs, which
    // keeps the grant narrower than authorizing every instance of either service.
    var cosToKmsPolicy = new Ibm.IamAuthorizationPolicy("policyS2KmsCos", new()
    {
        SourceServiceName = "cloud-object-storage",
        SourceResourceInstanceId = cos.Guid,
        TargetServiceName = "kms",
        TargetResourceInstanceId = kms.Guid,
        Roles = new[]
        {
            "Reader",
        },
    });

    // Root key for the bucket, created after the authorization policy.
    // ForceDelete = true force-deletes the key on destroy; objects still
    // encrypted under a deleted root key can no longer be read.
    var bucketRootKey = new Ibm.KmsKey("kmsRootKey1", new()
    {
        InstanceId = kms.Guid,
        KeyName = "root_k1",
        StandardKey = false,
        ForceDelete = true,
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            cosToKmsPolicy,
        },
    });

    // Bucket encrypted with the root key, referenced through KmsKeyCrn.
    var bucket = new Ibm.CosBucket("cosBk1", new()
    {
        BucketName = "cos-bk-1",
        ResourceInstanceId = cos.ResourceInstanceId,
        RegionLocation = "us-south",
        StorageClass = "smart",
        KmsKeyCrn = bucketRootKey.KmsKeyId,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.IamAuthorizationPolicy;
import com.pulumi.ibm.IamAuthorizationPolicyArgs;
import com.pulumi.ibm.KmsKey;
import com.pulumi.ibm.KmsKeyArgs;
import com.pulumi.ibm.CosBucket;
import com.pulumi.ibm.CosBucketArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Provisions a Key Protect instance, a COS instance, the authorization policy
 * between them, a root key and a bucket encrypted with that key.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Key Protect instance that holds the bucket's root key.
        var kms = new ResourceInstance("kmsInstance", ResourceInstanceArgs.builder()
            .location("us-south")
            .plan("tiered-pricing")
            .service("kms")
            .build());

        // Cloud Object Storage instance that owns the encrypted bucket.
        var cos = new ResourceInstance("cosInstance", ResourceInstanceArgs.builder()
            .location("global")
            .plan("standard")
            .service("cloud-object-storage")
            .build());

        // Service-to-service authorization: this COS instance gets the Reader
        // role on this KMS instance only. Both sides are pinned to instance
        // GUIDs, which keeps the grant narrower than authorizing every instance
        // of either service.
        var cosToKmsPolicy = new IamAuthorizationPolicy("policyS2KmsCos", IamAuthorizationPolicyArgs.builder()
            .sourceServiceName("cloud-object-storage")
            .sourceResourceInstanceId(cos.guid())
            .targetServiceName("kms")
            .targetResourceInstanceId(kms.guid())
            .roles("Reader")
            .build());

        // Root key for the bucket, created after the authorization policy.
        // forceDelete(true) force-deletes the key on destroy; objects still
        // encrypted under a deleted root key can no longer be read.
        var bucketRootKey = new KmsKey("kmsRootKey1", KmsKeyArgs.builder()
            .instanceId(kms.guid())
            .keyName("root_k1")
            .standardKey(false)
            .forceDelete(true)
            .build(), CustomResourceOptions.builder()
                .dependsOn(cosToKmsPolicy)
                .build());

        // Bucket encrypted with the root key, referenced through kmsKeyCrn.
        var bucket = new CosBucket("cosBk1", CosBucketArgs.builder()
            .bucketName("cos-bk-1")
            .resourceInstanceId(cos.resourceInstanceId())
            .regionLocation("us-south")
            .storageClass("smart")
            .kmsKeyCrn(bucketRootKey.kmsKeyId())
            .build());
    }
}
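# Provisions a Key Protect instance, a COS instance, the authorization policy
# between them, a root key and a bucket encrypted with that key.
# Nesting restored: the flattened listing does not parse as a resource map.
resources:
  kmsInstance:
    type: ibm:ResourceInstance
    properties:
      service: kms
      plan: tiered-pricing
      location: us-south
  kmsRootKey1:
    type: ibm:KmsKey
    properties:
      instanceId: ${kmsInstance.guid}
      keyName: root_k1
      # false = root key, true = standard key.
      standardKey: false
      # Force-deletes the key on destroy; objects still encrypted under a
      # deleted root key can no longer be read.
      forceDelete: true
    options:
      # The key is created after the authorization policy.
      dependsOn:
        - ${policyS2KmsCos}
  cosInstance:
    type: ibm:ResourceInstance
    properties:
      service: cloud-object-storage
      plan: standard
      location: global
  # Service-to-service authorization: this COS instance gets the Reader role on
  # this KMS instance only. Both sides are pinned to instance GUIDs, which keeps
  # the grant narrower than authorizing every instance of either service.
  policyS2KmsCos:
    type: ibm:IamAuthorizationPolicy
    properties:
      roles:
        - Reader
      sourceServiceName: cloud-object-storage
      sourceResourceInstanceId: ${cosInstance.guid}
      targetServiceName: kms
      targetResourceInstanceId: ${kmsInstance.guid}
  cosBk1:
    type: ibm:CosBucket
    properties:
      bucketName: cos-bk-1
      resourceInstanceId: ${cosInstance.resourceInstanceId}
      regionLocation: us-south
      storageClass: smart
      kmsKeyCrn: ${kmsRootKey1.kmsKeyId}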
Create KmsKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KmsKey(name: string, args: KmsKeyArgs, opts?: CustomResourceOptions);
@overload
def KmsKey(resource_name: str,
args: KmsKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KmsKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
instance_id: Optional[str] = None,
key_name: Optional[str] = None,
iv_value: Optional[str] = None,
expiration_date: Optional[str] = None,
force_delete: Optional[bool] = None,
endpoint_type: Optional[str] = None,
description: Optional[str] = None,
encrypted_nonce: Optional[str] = None,
key_ring_id: Optional[str] = None,
kms_key_id: Optional[str] = None,
payload: Optional[str] = None,
standard_key: Optional[bool] = None,
timeouts: Optional[KmsKeyTimeoutsArgs] = None)
func NewKmsKey(ctx *Context, name string, args KmsKeyArgs, opts ...ResourceOption) (*KmsKey, error)
public KmsKey(string name, KmsKeyArgs args, CustomResourceOptions? opts = null)
public KmsKey(String name, KmsKeyArgs args)
public KmsKey(String name, KmsKeyArgs args, CustomResourceOptions options)
type: ibm:KmsKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KmsKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KmsKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KmsKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KmsKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KmsKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template: every value is a type placeholder, not a usable setting.
// EncryptedNonce, IvValue and Payload are only used when importing key material;
// omit Payload to have the service generate the key.
var kmsKeyResource = new Ibm.KmsKey("kmsKeyResource", new()
{
    InstanceId = "string",
    KeyName = "string",
    IvValue = "string",
    ExpirationDate = "string",
    ForceDelete = false,
    EndpointType = "string",
    Description = "string",
    EncryptedNonce = "string",
    KeyRingId = "string",
    KmsKeyId = "string",
    Payload = "string",
    StandardKey = false,
    Timeouts = new Ibm.Inputs.KmsKeyTimeoutsArgs
    {
        Create = "string",
        Update = "string",
    },
});
// Reference template: every value is a type placeholder, not a usable setting.
// EncryptedNonce, IvValue and Payload are only used when importing key material;
// omit Payload to have the service generate the key.
example, err := ibm.NewKmsKey(ctx, "kmsKeyResource", &ibm.KmsKeyArgs{
	InstanceId: pulumi.String("string"),
	KeyName: pulumi.String("string"),
	IvValue: pulumi.String("string"),
	ExpirationDate: pulumi.String("string"),
	ForceDelete: pulumi.Bool(false),
	EndpointType: pulumi.String("string"),
	Description: pulumi.String("string"),
	EncryptedNonce: pulumi.String("string"),
	KeyRingId: pulumi.String("string"),
	KmsKeyId: pulumi.String("string"),
	Payload: pulumi.String("string"),
	StandardKey: pulumi.Bool(false),
	Timeouts: &ibm.KmsKeyTimeoutsArgs{
		Create: pulumi.String("string"),
		Update: pulumi.String("string"),
	},
})
// Reference template: every value is a type placeholder, not a usable setting.
// encryptedNonce, ivValue and payload are only used when importing key material;
// omit payload to have the service generate the key.
var kmsKeyResource = new KmsKey("kmsKeyResource", KmsKeyArgs.builder()
    .instanceId("string")
    .keyName("string")
    .ivValue("string")
    .expirationDate("string")
    .forceDelete(false)
    .endpointType("string")
    .description("string")
    .encryptedNonce("string")
    .keyRingId("string")
    .kmsKeyId("string")
    .payload("string")
    .standardKey(false)
    .timeouts(KmsKeyTimeoutsArgs.builder()
        .create("string")
        .update("string")
        .build())
    .build());
# Reference template: every value is a type placeholder, not a usable setting.
# encrypted_nonce, iv_value and payload are only used when importing key
# material; omit payload to have the service generate the key.
kms_key_resource = ibm.KmsKey("kmsKeyResource",
    instance_id="string",
    key_name="string",
    iv_value="string",
    expiration_date="string",
    force_delete=False,
    endpoint_type="string",
    description="string",
    encrypted_nonce="string",
    key_ring_id="string",
    kms_key_id="string",
    payload="string",
    standard_key=False,
    timeouts={
        "create": "string",
        "update": "string",
    })
// Reference template: every value is a type placeholder, not a usable setting.
// encryptedNonce, ivValue and payload are only used when importing key material;
// omit payload to have the service generate the key.
const kmsKeyResource = new ibm.KmsKey("kmsKeyResource", {
    instanceId: "string",
    keyName: "string",
    ivValue: "string",
    expirationDate: "string",
    forceDelete: false,
    endpointType: "string",
    description: "string",
    encryptedNonce: "string",
    keyRingId: "string",
    kmsKeyId: "string",
    payload: "string",
    standardKey: false,
    timeouts: {
        create: "string",
        update: "string",
    },
});
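# Reference template: every value is a type placeholder, not a usable setting.
# Nesting restored: the flattened listing put every key at the top level.
# encryptedNonce, ivValue and payload are only used when importing key material;
# omit payload to have the service generate the key.
type: ibm:KmsKey
properties:
  description: string
  encryptedNonce: string
  endpointType: string
  expirationDate: string
  forceDelete: false
  instanceId: string
  ivValue: string
  keyName: string
  keyRingId: string
  kmsKeyId: string
  payload: string
  standardKey: false
  timeouts:
    create: string
    update: string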
KmsKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KmsKey resource accepts the following input properties:
- Instance
Id string - The HPCS or key-protect instance ID.
- Key
Name string - The name of the key.
- Description string
- An optional description that can be added to the key during creation.
- Encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- Expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- Force
Delete bool - set to true to force delete the key
- Iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - Kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- Payload string
- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter.
- Standard
Key bool - Set flag true for standard key, and false for root key. Default value is false.
- Timeouts
Kms
Key Timeouts
- Instance
Id string - The HPCS or key-protect instance ID.
- Key
Name string - The name of the key.
- Description string
- An optional description that can be added to the key during creation.
- Encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- Expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- Force
Delete bool - set to true to force delete the key
- Iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - Kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- Payload string
- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter.
- Standard
Key bool - Set flag true for standard key, and false for root key. Default value is false.
- Timeouts
Kms
Key Timeouts Args
- instance
Id String - The HPCS or key-protect instance ID.
- key
Name String - The name of the key.
- description String
- An optional description that can be added to the key during creation.
- encrypted
Nonce String - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type String - The type of the public or private endpoint to be used for creating keys.
- expiration
Date String - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- force
Delete Boolean - set to true to force delete the key
- iv
Value String - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Ring StringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key StringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload String
- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter.
- standard
Key Boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts
- instance
Id string - The HPCS or key-protect instance ID.
- key
Name string - The name of the key.
- description string
- An optional description that can be added to the key during creation.
- encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- force
Delete boolean - set to true to force delete the key
- iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload string
- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter.
- standard
Key boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts
- instance_
id str - The HPCS or key-protect instance ID.
- key_
name str - The name of the key.
- description str
- An optional description that can be added to the key during creation.
- encrypted_
nonce str - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint_
type str - The type of the public or private endpoint to be used for creating keys.
- expiration_
date str - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
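- force_delete bool
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.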
- iv_
value str - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key_
ring_ strid - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms_
key_ strid - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload str
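- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.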
- standard_
key bool - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts Args
- instance
Id String - The HPCS or key-protect instance ID.
- key
Name String - The name of the key.
- description String
- An optional description that can be added to the key during creation.
- encrypted
Nonce String - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type String - The type of the public or private endpoint to be used for creating keys.
- expiration
Date String - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
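- forceDelete Boolean
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.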
- iv
Value String - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Ring StringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key StringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload String
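- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.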
- standard
Key Boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts Property Map
Outputs
All input properties are implicitly available as output properties. Additionally, the KmsKey resource produces the following output properties:
- Crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- Id string
- The provider-assigned unique ID for this managed resource.
- Instance
Crn string - Key protect or hpcs instance CRN
- Key
Id string - (String) The id of the key associated with the association.
- Registrations
List<Kms
Key Registration> - (List) The registrations associated with the key.
- Resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- Resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- Resource
Group stringName - The resource group name in which resource is provisioned
- Resource
Name string - The name of the resource
- Resource
Status string - The status of the resource
- Type string
- (String) The type of the key KMS or HPCS.
- Crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- Id string
- The provider-assigned unique ID for this managed resource.
- Instance
Crn string - Key protect or hpcs instance CRN
- Key
Id string - (String) The id of the key associated with the association.
- Registrations
[]Kms
Key Registration - (List) The registrations associated with the key.
- Resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- Resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- Resource
Group stringName - The resource group name in which resource is provisioned
- Resource
Name string - The name of the resource
- Resource
Status string - The status of the resource
- Type string
- (String) The type of the key KMS or HPCS.
- crn String
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- id String
- The provider-assigned unique ID for this managed resource.
- instance
Crn String - Key protect or hpcs instance CRN
- key
Id String - (String) The id of the key associated with the association.
- registrations
List<Kms
Key Registration> - (List) The registrations associated with the key.
- resource
Controller StringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn String - (String) The CRN of the resource that has a registration to the key.
- resource
Group StringName - The resource group name in which resource is provisioned
- resource
Name String - The name of the resource
- resource
Status String - The status of the resource
- type String
- (String) The type of the key KMS or HPCS.
- crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- id string
- The provider-assigned unique ID for this managed resource.
- instance
Crn string - Key protect or hpcs instance CRN
- key
Id string - (String) The id of the key associated with the association.
- registrations
Kms
Key Registration[] - (List) The registrations associated with the key.
- resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- resource
Group stringName - The resource group name in which resource is provisioned
- resource
Name string - The name of the resource
- resource
Status string - The status of the resource
- type string
- (String) The type of the key KMS or HPCS.
- crn str
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- id str
- The provider-assigned unique ID for this managed resource.
- instance_
crn str - Key protect or hpcs instance CRN
- key_
id str - (String) The id of the key associated with the association.
- registrations
Sequence[Kms
Key Registration] - (List) The registrations associated with the key.
- resource_
controller_ strurl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource_
crn str - (String) The CRN of the resource that has a registration to the key.
- resource_
group_ strname - The resource group name in which resource is provisioned
- resource_
name str - The name of the resource
- resource_
status str - The status of the resource
- type str
- (String) The type of the key KMS or HPCS.
- crn String
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- id String
- The provider-assigned unique ID for this managed resource.
- instance
Crn String - Key protect or hpcs instance CRN
- key
Id String - (String) The id of the key associated with the association.
- registrations List<Property Map>
- (List) The registrations associated with the key.
- resource
Controller StringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn String - (String) The CRN of the resource that has a registration to the key.
- resource
Group StringName - The resource group name in which resource is provisioned
- resource
Name String - The name of the resource
- resource
Status String - The status of the resource
- type String
- (String) The type of the key KMS or HPCS.
Look up Existing KmsKey Resource
Get an existing KmsKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KmsKeyState, opts?: CustomResourceOptions): KmsKey
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
crn: Optional[str] = None,
description: Optional[str] = None,
encrypted_nonce: Optional[str] = None,
endpoint_type: Optional[str] = None,
expiration_date: Optional[str] = None,
force_delete: Optional[bool] = None,
instance_crn: Optional[str] = None,
instance_id: Optional[str] = None,
iv_value: Optional[str] = None,
key_id: Optional[str] = None,
key_name: Optional[str] = None,
key_ring_id: Optional[str] = None,
kms_key_id: Optional[str] = None,
payload: Optional[str] = None,
registrations: Optional[Sequence[KmsKeyRegistrationArgs]] = None,
resource_controller_url: Optional[str] = None,
resource_crn: Optional[str] = None,
resource_group_name: Optional[str] = None,
resource_name: Optional[str] = None,
resource_status: Optional[str] = None,
standard_key: Optional[bool] = None,
timeouts: Optional[KmsKeyTimeoutsArgs] = None,
type: Optional[str] = None) -> KmsKey
func GetKmsKey(ctx *Context, name string, id IDInput, state *KmsKeyState, opts ...ResourceOption) (*KmsKey, error)
public static KmsKey Get(string name, Input<string> id, KmsKeyState? state, CustomResourceOptions? opts = null)
public static KmsKey get(String name, Output<String> id, KmsKeyState state, CustomResourceOptions options)
resources: _: type: ibm:KmsKey get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- Description string
- An optional description that can be added to the key during creation.
- Encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- Expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
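- ForceDelete bool
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.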
- Instance
Crn string - Key protect or hpcs instance CRN
- Instance
Id string - The HPCS or key-protect instance ID.
- Iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Key
Id string - (String) The id of the key associated with the association.
- Key
Name string - The name of the key.
- Key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - Kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- Payload string
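- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.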
- Registrations
List<Kms
Key Registration> - (List) The registrations associated with the key.
- Resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- Resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- Resource
Group stringName - The resource group name in which resource is provisioned
- Resource
Name string - The name of the resource
- Resource
Status string - The status of the resource
- Standard
Key bool - Set flag true for standard key, and false for root key. Default value is false.
- Timeouts
Kms
Key Timeouts - Type string
- (String) The type of the key KMS or HPCS.
- Crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- Description string
- An optional description that can be added to the key during creation.
- Encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- Expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
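- ForceDelete bool
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.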
- Instance
Crn string - Key protect or hpcs instance CRN
- Instance
Id string - The HPCS or key-protect instance ID.
- Iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - Key
Id string - (String) The id of the key associated with the association.
- Key
Name string - The name of the key.
- Key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - Kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- Payload string
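- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.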
- Registrations
[]Kms
Key Registration Args - (List) The registrations associated with the key.
- Resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- Resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- Resource
Group stringName - The resource group name in which resource is provisioned
- Resource
Name string - The name of the resource
- Resource
Status string - The status of the resource
- Standard
Key bool - Set flag true for standard key, and false for root key. Default value is false.
- Timeouts
Kms
Key Timeouts Args - Type string
- (String) The type of the key KMS or HPCS.
- crn String
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- description String
- An optional description that can be added to the key during creation.
- encrypted
Nonce String - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type String - The type of the public or private endpoint to be used for creating keys.
- expiration
Date String - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
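- forceDelete Boolean
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.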
- instance
Crn String - Key protect or hpcs instance CRN
- instance
Id String - The HPCS or key-protect instance ID.
- iv
Value String - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Id String - (String) The id of the key associated with the association.
- key
Name String - The name of the key.
- key
Ring StringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key StringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload String
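- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.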
- registrations
List<Kms
Key Registration> - (List) The registrations associated with the key.
- resource
Controller StringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn String - (String) The CRN of the resource that has a registration to the key.
- resource
Group StringName - The resource group name in which resource is provisioned
- resource
Name String - The name of the resource
- resource
Status String - The status of the resource
- standard
Key Boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts - type String
- (String) The type of the key KMS or HPCS.
- crn string
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- description string
- An optional description that can be added to the key during creation.
- encrypted
Nonce string - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type string - The type of the public or private endpoint to be used for creating keys.
- expiration
Date string - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
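- forceDelete boolean
- Set to true to force deletion of the key, including a key that is still registered to a cloud resource it protects. Review the key's registrations before enabling this, because resources encrypted with the key depend on it.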
- instance
Crn string - Key protect or hpcs instance CRN
- instance
Id string - The HPCS or key-protect instance ID.
- iv
Value string - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Id string - (String) The id of the key associated with the association.
- key
Name string - The name of the key.
- key
Ring stringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key stringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload string
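- The base64-encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. Because this value carries key material, supply it as a secret value (for example from Pulumi secret configuration) rather than as a plain-text literal in the program.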
- registrations
Kms
Key Registration[] - (List) The registrations associated with the key.
- resource
Controller stringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn string - (String) The CRN of the resource that has a registration to the key.
- resource
Group stringName - The resource group name in which resource is provisioned
- resource
Name string - The name of the resource
- resource
Status string - The status of the resource
- standard
Key boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts - type string
- (String) The type of the key KMS or HPCS.
- crn str
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- description str
- An optional description that can be added to the key during creation.
- encrypted_
nonce str - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint_
type str - The type of the public or private endpoint to be used for creating keys.
- expiration_
date str - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- force_
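delete bool - Set to true to force deletion of the key, even if it is still protecting other cloud resources. Data encrypted under a deleted key can no longer be decrypted, so leave this unset for keys that protect data you need to keep.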
- instance_
crn str - Key protect or hpcs instance CRN
- instance_
id str - The HPCS or key-protect instance ID.
- iv_
value str - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key_
id str - (String) The id of the key associated with the association.
- key_
name str - The name of the key.
- key_
ring_ strid - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms_
key_ strid - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload str
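- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. This value is raw key material: supply it as a Pulumi secret rather than as a literal in program source, so that it is encrypted in the stack state.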
- registrations
Sequence[Kms
Key Registration Args] - (List) The registrations associated with the key.
- resource_
controller_ strurl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource_
crn str - (String) The CRN of the resource that has a registration to the key.
- resource_
group_ strname - The resource group name in which resource is provisioned
- resource_
name str - The name of the resource
- resource_
status str - The status of the resource
- standard_
key bool - Set flag true for standard key, and false for root key. Default value is false.
- timeouts
Kms
Key Timeouts Args - type str
- (String) The type of the key KMS or HPCS.
- crn String
- (String) The Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
- description String
- An optional description that can be added to the key during creation.
- encrypted
Nonce String - The encrypted nonce value that verifies your request to import a key to Key Protect. This value must be encrypted by using the key that you want to import to the service. To retrieve a nonce, use the
ibmcloud kp import-token get
command. Then, encrypt the value by running ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - endpoint
Type String - The type of the public or private endpoint to be used for creating keys.
- expiration
Date String - The date and time that the key expires in the system, in RFC 3339 format (YYYY-MM-DD HH:MM:SS.SS, for example 2019-10-12T07:20:50.52Z). Use caution when setting an expiration date, as keys created with an expiration date automatically transition to the Deactivated state within one hour after expiration. In this state, the only allowed actions on the key are unwrap, rewrap, rotate, and delete. Deactivated keys cannot be used to encrypt (wrap) new data, even if rotated while deactivated. Rotation does not reset or extend the expiration date, nor does it allow the date to be changed. It is recommended that any data encrypted with an expiring or expired key be re-encrypted using a new customer root key (CRK) before the original CRK expires, to prevent service disruptions. Deleting and restoring a deactivated key does not move it back to the Active state. If the expiration_date attribute is omitted, the key does not expire.
- force
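Delete Boolean - Set to true to force deletion of the key, even if it is still protecting other cloud resources. Data encrypted under a deleted key can no longer be decrypted, so leave this unset for keys that protect data you need to keep.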
- instance
Crn String - Key protect or hpcs instance CRN
- instance
Id String - The HPCS or key-protect instance ID.
- iv
Value String - Used with import tokens. The initialization vector (IV) that is generated when you encrypt a nonce. The IV value is required to decrypt the encrypted nonce value that you provide when you make a key import request to the service. To generate an IV, encrypt the nonce by running
ibmcloud kp import-token encrypt-nonce
. Only for imported root key. - key
Id String - (String) The id of the key associated with the association.
- key
Name String - The name of the key.
- key
Ring StringId - The ID of the key ring where you want to add your Key Protect key. The default value is
default
. - kms
Key StringId - (String) The v4 UUID used to uniquely identify the policy resource, as specified by RFC 4122.
- payload String
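- The base64 encoded key that you want to store and manage in the service. To import an existing key, provide a 256-bit key. To generate a new key, omit this parameter. This value is raw key material: supply it as a Pulumi secret rather than as a literal in program source, so that it is encrypted in the stack state.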
- registrations List<Property Map>
- (List) The registrations associated with the key.
- resource
Controller StringUrl - The URL of the IBM Cloud dashboard that can be used to explore and view details about the resource
- resource
Crn String - (String) The CRN of the resource that has a registration to the key.
- resource
Group StringName - The resource group name in which resource is provisioned
- resource
Name String - The name of the resource
- resource
Status String - The status of the resource
- standard
Key Boolean - Set flag true for standard key, and false for root key. Default value is false.
- timeouts Property Map
- type String
- (String) The type of the key KMS or HPCS.
Supporting Types
KmsKeyRegistration, KmsKeyRegistrationArgs
- KeyId string - (String) The id of the key associated with the association.
- PreventKeyDeletion bool - (Boolean) Determines if the resource prevents the key deletion.
- ResourceCrn string - (String) The CRN of the resource that has a registration to the key.
- KeyId string - (String) The id of the key associated with the association.
- PreventKeyDeletion bool - (Boolean) Determines if the resource prevents the key deletion.
- ResourceCrn string - (String) The CRN of the resource that has a registration to the key.
- keyId String - (String) The id of the key associated with the association.
- preventKeyDeletion Boolean - (Boolean) Determines if the resource prevents the key deletion.
- resourceCrn String - (String) The CRN of the resource that has a registration to the key.
- keyId string - (String) The id of the key associated with the association.
- preventKeyDeletion boolean - (Boolean) Determines if the resource prevents the key deletion.
- resourceCrn string - (String) The CRN of the resource that has a registration to the key.
- key_id str - (String) The id of the key associated with the association.
- prevent_key_deletion bool - (Boolean) Determines if the resource prevents the key deletion.
- resource_crn str - (String) The CRN of the resource that has a registration to the key.
- keyId String - (String) The id of the key associated with the association.
- preventKeyDeletion Boolean - (Boolean) Determines if the resource prevents the key deletion.
- resourceCrn String - (String) The CRN of the resource that has a registration to the key.
KmsKeyTimeouts, KmsKeyTimeoutsArgs
Import
The ibm_kms_key resource can be imported by using the id and crn.
Example
$ pulumi import ibm:index/kmsKey:KmsKey crn crn:v1:bluemix:public:kms:us-south:a/faf6addbf6bf4768hhhhe342a5bdd702:05f5bf91-ec66-462f-80eb-8yyui138a315:key:52448f62-9272-4d29-a515-15019e3e5asd
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- ibm ibm-cloud/terraform-provider-ibm
- License
- Notes
- This Pulumi package is based on the
ibm
Terraform Provider.