Key

Provides a KMS customer master key.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs
        {
            DeletionWindowInDays = 10,
            Description = "KMS key 1",
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/kms"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := kms.NewKey(ctx, "key", &kms.KeyArgs{
            DeletionWindowInDays: pulumi.Int(10),
            Description:          pulumi.String("KMS key 1"),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

key = aws.kms.Key("key",
    deletion_window_in_days=10,
    description="KMS key 1")

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {
    deletionWindowInDays: 10,
    description: "KMS key 1",
});

Create a Key Resource

new Key(name: string, args?: KeyArgs, opts?: CustomResourceOptions);

def Key(resource_name, opts=None, customer_master_key_spec=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_usage=None, policy=None, tags=None, __props__=None);

func NewKey(ctx *Context, name string, args *KeyArgs, opts ...ResourceOption) (*Key, error)

public Key(string name, KeyArgs? args = null, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args KeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Key Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Key resource accepts the following input properties:

CustomerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
DeletionWindowInDays int: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
Description string: The description of the key as viewed in AWS console.
EnableKeyRotation bool: Specifies whether key rotation is enabled. Defaults to false.
IsEnabled bool: Specifies whether the key is enabled. Defaults to true.
KeyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
Policy string: A valid policy JSON document.
Tags Dictionary<string, string>: A map of tags to assign to the object.

CustomerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
DeletionWindowInDays int: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
Description string: The description of the key as viewed in AWS console.
EnableKeyRotation bool: Specifies whether key rotation is enabled. Defaults to false.
IsEnabled bool: Specifies whether the key is enabled. Defaults to true.
KeyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
Policy string: A valid policy JSON document.
Tags map[string]string: A map of tags to assign to the object.

customerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
deletionWindowInDays number: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
description string: The description of the key as viewed in AWS console.
enableKeyRotation boolean: Specifies whether key rotation is enabled. Defaults to false.
isEnabled boolean: Specifies whether the key is enabled. Defaults to true.
keyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
policy string: A valid policy JSON document.
tags {[key: string]: string}: A map of tags to assign to the object.

customer_master_key_spec str: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
deletion_window_in_days float: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
description str: The description of the key as viewed in AWS console.
enable_key_rotation bool: Specifies whether key rotation is enabled. Defaults to false.
is_enabled bool: Specifies whether the key is enabled. Defaults to true.
key_usage str: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
policy str: A valid policy JSON document.
tags Dict[str, str]: A map of tags to assign to the object.

Outputs

All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:

Arn string: The Amazon Resource Name (ARN) of the key.
Id string: The provider-assigned unique ID for this managed resource.
KeyId string: The globally unique identifier for the key.

Arn string: The Amazon Resource Name (ARN) of the key.
Id string: The provider-assigned unique ID for this managed resource.
KeyId string: The globally unique identifier for the key.

arn string: The Amazon Resource Name (ARN) of the key.
id string: The provider-assigned unique ID for this managed resource.
keyId string: The globally unique identifier for the key.

arn str: The Amazon Resource Name (ARN) of the key.
id str: The provider-assigned unique ID for this managed resource.
key_id str: The globally unique identifier for the key.

Look up an Existing Key Resource

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key

static get(resource_name, id, opts=None, arn=None, customer_master_key_spec=None, deletion_window_in_days=None, description=None, enable_key_rotation=None, is_enabled=None, key_id=None, key_usage=None, policy=None, tags=None, __props__=None);

func GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)

public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: The Amazon Resource Name (ARN) of the key.
CustomerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
DeletionWindowInDays int: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
Description string: The description of the key as viewed in AWS console.
EnableKeyRotation bool: Specifies whether key rotation is enabled. Defaults to false.
IsEnabled bool: Specifies whether the key is enabled. Defaults to true.
KeyId string: The globally unique identifier for the key.
KeyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
Policy string: A valid policy JSON document.
Tags Dictionary<string, string>: A map of tags to assign to the object.

Arn string: The Amazon Resource Name (ARN) of the key.
CustomerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
DeletionWindowInDays int: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
Description string: The description of the key as viewed in AWS console.
EnableKeyRotation bool: Specifies whether key rotation is enabled. Defaults to false.
IsEnabled bool: Specifies whether the key is enabled. Defaults to true.
KeyId string: The globally unique identifier for the key.
KeyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
Policy string: A valid policy JSON document.
Tags map[string]string: A map of tags to assign to the object.

arn string: The Amazon Resource Name (ARN) of the key.
customerMasterKeySpec string: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
deletionWindowInDays number: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
description string: The description of the key as viewed in AWS console.
enableKeyRotation boolean: Specifies whether key rotation is enabled. Defaults to false.
isEnabled boolean: Specifies whether the key is enabled. Defaults to true.
keyId string: The globally unique identifier for the key.
keyUsage string: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
policy string: A valid policy JSON document.
tags {[key: string]: string}: A map of tags to assign to the object.

arn str: The Amazon Resource Name (ARN) of the key.
customer_master_key_spec str: Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
deletion_window_in_days float: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
description str: The description of the key as viewed in AWS console.
enable_key_rotation bool: Specifies whether key rotation is enabled. Defaults to false.
is_enabled bool: Specifies whether the key is enabled. Defaults to true.
key_id str: The globally unique identifier for the key.
key_usage str: Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.
policy str: A valid policy JSON document.
tags Dict[str, str]: A map of tags to assign to the object.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Key