Namespace Pulumi.Aws.Kms
Classes
Alias
Provides an alias for a KMS customer master key. The AWS Console enforces a 1-to-1 mapping between aliases and keys, but the API (and therefore this provider) lets you create as many aliases as the account limits allow.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs
        {
        });
        var @alias = new Aws.Kms.Alias("alias", new Aws.Kms.AliasArgs
        {
            TargetKeyId = key.KeyId,
        });
    }
}
AliasArgs
AliasState
Ciphertext
The KMS ciphertext resource allows you to encrypt plaintext into ciphertext
by using an AWS KMS customer master key. The value returned by this resource
is stable across every apply. For a ciphertext value that changes on each apply, see
the aws.kms.Ciphertext data source.
Note: All arguments, including the plaintext, will be stored in the raw state as plain-text. Read more about sensitive data in state.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var oauthConfig = new Aws.Kms.Key("oauthConfig", new Aws.Kms.KeyArgs
        {
            Description = "oauth config",
            IsEnabled = true,
        });
        var oauth = new Aws.Kms.Ciphertext("oauth", new Aws.Kms.CiphertextArgs
        {
            KeyId = oauthConfig.KeyId,
            Plaintext = @"{
  ""client_id"": ""e587dbae22222f55da22"",
  ""client_secret"": ""8289575d00000ace55e1815ec13673955721b8a5""
}
",
        });
    }
}
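A variant of the Ciphertext example that keeps the client secret out of source code by reading it from Pulumi secret configuration, so Pulumi encrypts the value in the stack state. This is an added example, not code from the original page or the Pulumi project; the config keys oauthClientId and oauthClientSecret and the exported CiphertextBlob stack output are assumptions.

```csharp
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Assumed config keys (not from the original page), set beforehand with:
        //   pulumi config set oauthClientId <id>
        //   pulumi config set --secret oauthClientSecret <secret>
        var config = new Config();
        var clientId = config.Require("oauthClientId");

        // RequireSecret returns an Output<string> marked as secret: Pulumi
        // encrypts it in the stack state and masks it in CLI output.
        var clientSecret = config.RequireSecret("oauthClientSecret");

        var oauthConfig = new Aws.Kms.Key("oauthConfig", new Aws.Kms.KeyArgs
        {
            Description = "oauth config",
            IsEnabled = true,
        });

        var oauth = new Aws.Kms.Ciphertext("oauth", new Aws.Kms.CiphertextArgs
        {
            KeyId = oauthConfig.KeyId,
            // Build the JSON inside Apply so the result stays marked as secret
            // and the literal never appears in the program source.
            Plaintext = clientSecret.Apply(secret => JsonSerializer.Serialize(new
            {
                client_id = clientId,
                client_secret = secret,
            })),
        });

        // Export only the KMS-encrypted blob, never the plaintext.
        this.CiphertextBlob = oauth.CiphertextBlob;
    }

    [Output]
    public Output<string> CiphertextBlob { get; set; }
}
```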
CiphertextArgs
CiphertextState
ExternalKey
Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the aws.kms.Key resource.
Note: All arguments including the key material will be stored in the raw state as plain-text. Read more about sensitive data in state.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Kms.ExternalKey("example", new Aws.Kms.ExternalKeyArgs
        {
            Description = "KMS EXTERNAL for AMI encryption",
        });
    }
}
ExternalKeyArgs
ExternalKeyState
GetAlias
GetAliasArgs
GetAliasResult
GetCipherText
GetCipherTextArgs
GetCipherTextResult
GetKey
GetKeyArgs
GetKeyResult
GetSecret
GetSecretArgs
GetSecretResult
GetSecrets
GetSecretsArgs
GetSecretsResult
Grant
Provides a resource-based access control mechanism for a KMS customer master key.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs
        {
        });
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""lambda.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}
",
        });
        var grant = new Aws.Kms.Grant("grant", new Aws.Kms.GrantArgs
        {
            Constraints =
            {
                new Aws.Kms.Inputs.GrantConstraintArgs
                {
                    EncryptionContextEquals =
                    {
                        { "Department", "Finance" },
                    },
                },
            },
            GranteePrincipal = role.Arn,
            KeyId = key.KeyId,
            Operations =
            {
                "Encrypt",
                "Decrypt",
                "GenerateDataKey",
            },
        });
    }
}
GrantArgs
GrantState
Key
Provides a KMS customer master key.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs
        {
            DeletionWindowInDays = 10,
            Description = "KMS key 1",
        });
    }
}