KmsKey

stackit v0.0.4, Feb 20 26

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

Example Usage

resource "stackit_kms_key" "key" {
  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  keyring_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  display_name = "key-01"
  protection   = "software"
  algorithm    = "aes_256_gcm"
  purpose      = "symmetric_encrypt_decrypt"
}

Create KmsKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new KmsKey(name: string, args: KmsKeyArgs, opts?: CustomResourceOptions);

@overload
def KmsKey(resource_name: str,
           args: KmsKeyArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def KmsKey(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           algorithm: Optional[str] = None,
           display_name: Optional[str] = None,
           keyring_id: Optional[str] = None,
           project_id: Optional[str] = None,
           protection: Optional[str] = None,
           purpose: Optional[str] = None,
           access_scope: Optional[str] = None,
           description: Optional[str] = None,
           import_only: Optional[bool] = None,
           region: Optional[str] = None)

func NewKmsKey(ctx *Context, name string, args KmsKeyArgs, opts ...ResourceOption) (*KmsKey, error)

public KmsKey(string name, KmsKeyArgs args, CustomResourceOptions? opts = null)

public KmsKey(String name, KmsKeyArgs args)
public KmsKey(String name, KmsKeyArgs args, CustomResourceOptions options)

type: stackit:KmsKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args KmsKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var kmsKeyResource = new Stackit.KmsKey("kmsKeyResource", new()
{
    Algorithm = "string",
    DisplayName = "string",
    KeyringId = "string",
    ProjectId = "string",
    Protection = "string",
    Purpose = "string",
    AccessScope = "string",
    Description = "string",
    ImportOnly = false,
    Region = "string",
});

example, err := stackit.NewKmsKey(ctx, "kmsKeyResource", &stackit.KmsKeyArgs{
	Algorithm:   pulumi.String("string"),
	DisplayName: pulumi.String("string"),
	KeyringId:   pulumi.String("string"),
	ProjectId:   pulumi.String("string"),
	Protection:  pulumi.String("string"),
	Purpose:     pulumi.String("string"),
	AccessScope: pulumi.String("string"),
	Description: pulumi.String("string"),
	ImportOnly:  pulumi.Bool(false),
	Region:      pulumi.String("string"),
})

var kmsKeyResource = new KmsKey("kmsKeyResource", KmsKeyArgs.builder()
    .algorithm("string")
    .displayName("string")
    .keyringId("string")
    .projectId("string")
    .protection("string")
    .purpose("string")
    .accessScope("string")
    .description("string")
    .importOnly(false)
    .region("string")
    .build());

kms_key_resource = stackit.KmsKey("kmsKeyResource",
    algorithm="string",
    display_name="string",
    keyring_id="string",
    project_id="string",
    protection="string",
    purpose="string",
    access_scope="string",
    description="string",
    import_only=False,
    region="string")

const kmsKeyResource = new stackit.KmsKey("kmsKeyResource", {
    algorithm: "string",
    displayName: "string",
    keyringId: "string",
    projectId: "string",
    protection: "string",
    purpose: "string",
    accessScope: "string",
    description: "string",
    importOnly: false,
    region: "string",
});

type: stackit:KmsKey
properties:
    accessScope: string
    algorithm: string
    description: string
    displayName: string
    importOnly: false
    keyringId: string
    projectId: string
    protection: string
    purpose: string
    region: string

KmsKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The KmsKey resource accepts the following input properties:

Algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
DisplayName string: The display name to distinguish multiple keys
KeyringId string: The ID of the associated keyring
ProjectId string: STACKIT project ID to which the key is associated.
Protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
Purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
AccessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
Description string: A user chosen description to distinguish multiple keys
ImportOnly bool: States whether versions can be created or only imported.
Region string: The resource region. If not defined, the provider region is used.

Algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
DisplayName string: The display name to distinguish multiple keys
KeyringId string: The ID of the associated keyring
ProjectId string: STACKIT project ID to which the key is associated.
Protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
Purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
AccessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
Description string: A user chosen description to distinguish multiple keys
ImportOnly bool: States whether versions can be created or only imported.
Region string: The resource region. If not defined, the provider region is used.

algorithm String: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
displayName String: The display name to distinguish multiple keys
keyringId String: The ID of the associated keyring
projectId String: STACKIT project ID to which the key is associated.
protection String: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose String: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
accessScope String: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
description String: A user chosen description to distinguish multiple keys
importOnly Boolean: States whether versions can be created or only imported.
region String: The resource region. If not defined, the provider region is used.

algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
displayName string: The display name to distinguish multiple keys
keyringId string: The ID of the associated keyring
projectId string: STACKIT project ID to which the key is associated.
protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
accessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
description string: A user chosen description to distinguish multiple keys
importOnly boolean: States whether versions can be created or only imported.
region string: The resource region. If not defined, the provider region is used.

algorithm str: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
display_name str: The display name to distinguish multiple keys
keyring_id str: The ID of the associated keyring
project_id str: STACKIT project ID to which the key is associated.
protection str: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose str: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
access_scope str: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
description str: A user chosen description to distinguish multiple keys
import_only bool: States whether versions can be created or only imported.
region str: The resource region. If not defined, the provider region is used.

algorithm String: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
displayName String: The display name to distinguish multiple keys
keyringId String: The ID of the associated keyring
projectId String: STACKIT project ID to which the key is associated.
protection String: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose String: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
accessScope String: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
description String: A user chosen description to distinguish multiple keys
importOnly Boolean: States whether versions can be created or only imported.
region String: The resource region. If not defined, the provider region is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the KmsKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
KeyId string: The ID of the key

Id string: The provider-assigned unique ID for this managed resource.
KeyId string: The ID of the key

id String: The provider-assigned unique ID for this managed resource.
keyId String: The ID of the key

id string: The provider-assigned unique ID for this managed resource.
keyId string: The ID of the key

id str: The provider-assigned unique ID for this managed resource.
key_id str: The ID of the key

id String: The provider-assigned unique ID for this managed resource.
keyId String: The ID of the key

Look up Existing KmsKey Resource

Get an existing KmsKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KmsKeyState, opts?: CustomResourceOptions): KmsKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_scope: Optional[str] = None,
        algorithm: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        import_only: Optional[bool] = None,
        key_id: Optional[str] = None,
        keyring_id: Optional[str] = None,
        project_id: Optional[str] = None,
        protection: Optional[str] = None,
        purpose: Optional[str] = None,
        region: Optional[str] = None) -> KmsKey

func GetKmsKey(ctx *Context, name string, id IDInput, state *KmsKeyState, opts ...ResourceOption) (*KmsKey, error)

public static KmsKey Get(string name, Input<string> id, KmsKeyState? state, CustomResourceOptions? opts = null)

public static KmsKey get(String name, Output<String> id, KmsKeyState state, CustomResourceOptions options)

resources:  _:    type: stackit:KmsKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
Algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
Description string: A user chosen description to distinguish multiple keys
DisplayName string: The display name to distinguish multiple keys
ImportOnly bool: States whether versions can be created or only imported.
KeyId string: The ID of the key
KeyringId string: The ID of the associated keyring
ProjectId string: STACKIT project ID to which the key is associated.
Protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
Purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
Region string: The resource region. If not defined, the provider region is used.

AccessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
Algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
Description string: A user chosen description to distinguish multiple keys
DisplayName string: The display name to distinguish multiple keys
ImportOnly bool: States whether versions can be created or only imported.
KeyId string: The ID of the key
KeyringId string: The ID of the associated keyring
ProjectId string: STACKIT project ID to which the key is associated.
Protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
Purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
Region string: The resource region. If not defined, the provider region is used.

accessScope String: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
algorithm String: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
description String: A user chosen description to distinguish multiple keys
displayName String: The display name to distinguish multiple keys
importOnly Boolean: States whether versions can be created or only imported.
keyId String: The ID of the key
keyringId String: The ID of the associated keyring
projectId String: STACKIT project ID to which the key is associated.
protection String: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose String: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
region String: The resource region. If not defined, the provider region is used.

accessScope string: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
algorithm string: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
description string: A user chosen description to distinguish multiple keys
displayName string: The display name to distinguish multiple keys
importOnly boolean: States whether versions can be created or only imported.
keyId string: The ID of the key
keyringId string: The ID of the associated keyring
projectId string: STACKIT project ID to which the key is associated.
protection string: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose string: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
region string: The resource region. If not defined, the provider region is used.

access_scope str: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
algorithm str: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
description str: A user chosen description to distinguish multiple keys
display_name str: The display name to distinguish multiple keys
import_only bool: States whether versions can be created or only imported.
key_id str: The ID of the key
keyring_id str: The ID of the associated keyring
project_id str: STACKIT project ID to which the key is associated.
protection str: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose str: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
region str: The resource region. If not defined, the provider region is used.

accessScope String: The access scope of the key. Default is PUBLIC. Possible values are: PUBLIC, SNA.
algorithm String: The encryption algorithm that the key will use to encrypt data. Possible values are: aes_256_gcm, rsa_2048_oaep_sha256, rsa_3072_oaep_sha256, rsa_4096_oaep_sha256, rsa_4096_oaep_sha512, hmac_sha256, hmac_sha384, hmac_sha512, ecdsa_p256_sha256, ecdsa_p384_sha384, ecdsa_p521_sha512.
description String: A user chosen description to distinguish multiple keys
displayName String: The display name to distinguish multiple keys
importOnly Boolean: States whether versions can be created or only imported.
keyId String: The ID of the key
keyringId String: The ID of the associated keyring
projectId String: STACKIT project ID to which the key is associated.
protection String: The underlying system that is responsible for protecting the key material. Possible values are: software.
purpose String: The purpose for which the key will be used. Possible values are: symmetric_encrypt_decrypt, asymmetric_encrypt_decrypt, message_authentication_code, asymmetric_sign_verify.
region String: The resource region. If not defined, the provider region is used.

Package Details

Repository: stackit stackitcloud/pulumi-stackit
License: Apache-2.0
Notes: This Pulumi package is based on the stackit Terraform Provider.

Viewing docs for stackit v0.0.4
published on Friday, Feb 20, 2026 by stackitcloud

Schema (JSON)

stackitcloud/pulumi-stackit

stackit.KmsKey

On this page

On this page

Example Usage

Create KmsKey Resource

Constructor syntax

Parameters

Constructor example

KmsKey Resource Properties

Inputs

Outputs

Look up Existing KmsKey Resource

Package Details

On this page

On this page