Module kms

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

Functions

getAlias
getCipherText
getKey
getSecret
getSecrets

Others

Resources

Resource Alias

class Alias extends CustomResource

Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence this provider too) allows you to create as many aliases as the account limits allow you.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {});
const alias = new aws.kms.Alias("a", {
    targetKeyId: key.keyId,
});

constructor

new Alias(name: string, args: AliasArgs, opts?: pulumi.CustomResourceOptions)

Create a Alias resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AliasState, opts?: pulumi.CustomResourceOptions): Alias

Get an existing Alias resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Alias

Returns true if the given object is an instance of Alias. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key alias.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

property namePrefix

public namePrefix: pulumi.Output<string | undefined>;

Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyArn

public targetKeyArn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the target key identifier.

property targetKeyId

public targetKeyId: pulumi.Output<string>;

Identifier for the key for which the alias is for, can be either an ARN or key_id.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Ciphertext

class Ciphertext extends CustomResource

The KMS ciphertext resource allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this resource is stable across every apply. For a changing ciphertext value each apply, see the aws.kms.Ciphertext data source.

Note: All arguments including the plaintext be stored in the raw state as plain-text.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const oauthConfig = new aws.kms.Key("oauth_config", {
    description: "oauth config",
    isEnabled: true,
});
const oauth = new aws.kms.Ciphertext("oauth", {
    keyId: oauthConfig.keyId,
    plaintext: `{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
`,
});

constructor

new Ciphertext(name: string, args: CiphertextArgs, opts?: pulumi.CustomResourceOptions)

Create a Ciphertext resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CiphertextState, opts?: pulumi.CustomResourceOptions): Ciphertext

Get an existing Ciphertext resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Ciphertext

Returns true if the given object is an instance of Ciphertext. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property ciphertextBlob

public ciphertextBlob: pulumi.Output<string>;

Base64 encoded ciphertext

property context

public context: pulumi.Output<{[key: string]: string} | undefined>;

An optional mapping that makes up the encryption context.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyId

public keyId: pulumi.Output<string>;

Globally unique key ID for the customer master key.

property plaintext

public plaintext: pulumi.Output<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource ExternalKey

class ExternalKey extends CustomResource

Manages a KMS Customer Master Key that uses external key material. To instead manage a KMS Customer Master Key where AWS automatically generates and potentially rotates key material, see the aws.kms.Key resource.

Note: All arguments including the key material will be stored in the raw state as plain-text.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.kms.ExternalKey("example", {
    description: "KMS EXTERNAL for AMI encryption",
});

constructor

new ExternalKey(name: string, args?: ExternalKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a ExternalKey resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ExternalKeyState, opts?: pulumi.CustomResourceOptions): ExternalKey

Get an existing ExternalKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is ExternalKey

Returns true if the given object is an instance of ExternalKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

public deletionWindowInDays: pulumi.Output<number | undefined>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

public description: pulumi.Output<string | undefined>;

Description of the key.

property enabled

public enabled: pulumi.Output<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property expirationModel

public expirationModel: pulumi.Output<string>;

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyMaterialBase64

public keyMaterialBase64: pulumi.Output<string | undefined>;

Base64 encoded 256-bit symmetric encryption key material to import. The CMK is permanently associated with this key material. The same key material can be reimported, but you cannot import different key material.

property keyState

public keyState: pulumi.Output<string>;

The state of the CMK.

property keyUsage

public keyUsage: pulumi.Output<string>;

The cryptographic operations for which you can use the CMK.

property policy

public policy: pulumi.Output<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A key-value map of tags to assign to the key.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validTo

public validTo: pulumi.Output<string | undefined>;

Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)

Resource Grant

class Grant extends CustomResource

Provides a resource-based access control mechanism for a KMS customer master key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {});
const role = new aws.iam.Role("a", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const grant = new aws.kms.Grant("a", {
    constraints: [{
        encryptionContextEquals: {
            Department: "Finance",
        },
    }],
    granteePrincipal: role.arn,
    keyId: key.keyId,
    operations: [
        "Encrypt",
        "Decrypt",
        "GenerateDataKey",
    ],
});

constructor

new Grant(name: string, args: GrantArgs, opts?: pulumi.CustomResourceOptions)

Create a Grant resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GrantState, opts?: pulumi.CustomResourceOptions): Grant

Get an existing Grant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Grant

Returns true if the given object is an instance of Grant. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property constraints

public constraints: pulumi.Output<GrantConstraint[] | undefined>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

public grantCreationTokens: pulumi.Output<string[] | undefined>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

property grantId

public grantId: pulumi.Output<string>;

The unique identifier for the grant.

property grantToken

public grantToken: pulumi.Output<string>;

The grant token for the created grant. For more information, see Grant Tokens.

property granteePrincipal

public granteePrincipal: pulumi.Output<string>;

The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyId

public keyId: pulumi.Output<string>;

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

property name

public name: pulumi.Output<string>;

A friendly name for identifying the grant.

property operations

public operations: pulumi.Output<string[]>;

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey

property retireOnDelete

public retireOnDelete: pulumi.Output<boolean | undefined>;

-(Defaults to false, Forces new resources) If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants. See RetireGrant for more information.

property retiringPrincipal

public retiringPrincipal: pulumi.Output<string | undefined>;

The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Key

class Key extends CustomResource

Provides a KMS customer master key.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const key = new aws.kms.Key("a", {
    deletionWindowInDays: 10,
    description: "KMS key 1",
});

constructor

new Key(name: string, args?: KeyArgs, opts?: pulumi.CustomResourceOptions)

Create a Key resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: KeyState, opts?: pulumi.CustomResourceOptions): Key

Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Key

Returns true if the given object is an instance of Key. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name (ARN) of the key.

property customerMasterKeySpec

public customerMasterKeySpec: pulumi.Output<string | undefined>;

Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.

property deletionWindowInDays

public deletionWindowInDays: pulumi.Output<number | undefined>;

Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

property description

public description: pulumi.Output<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

public enableKeyRotation: pulumi.Output<boolean | undefined>;

Specifies whether key rotation is enabled. Defaults to false.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property isEnabled

public isEnabled: pulumi.Output<boolean | undefined>;

Specifies whether the key is enabled. Defaults to true.

property keyId

public keyId: pulumi.Output<string>;

The globally unique identifier for the key.

property keyUsage

public keyUsage: pulumi.Output<string | undefined>;

Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

property policy

public policy: pulumi.Output<string>;

A valid policy JSON document.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A map of tags to assign to the object.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getAlias

getAlias(args: GetAliasArgs, opts?: pulumi.InvokeOptions): Promise<GetAliasResult>

Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference key alias without having to hard code the ARN as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const s3 = pulumi.output(aws.kms.getAlias({
    name: "alias/aws/s3",
}, { async: true }));

Function getCipherText

getCipherText(args: GetCipherTextArgs, opts?: pulumi.InvokeOptions): Promise<GetCipherTextResult>

The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key. The value returned by this data source changes every apply. For a stable ciphertext value, see the aws.kms.Ciphertext resource.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const oauthConfig = new aws.kms.Key("oauth_config", {
    description: "oauth config",
    isEnabled: true,
});
const oauth = oauthConfig.keyId.apply(keyId => aws.kms.getCipherText({
    keyId: keyId,
    plaintext: `{
  "client_id": "e587dbae22222f55da22",
  "client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
`,
}, { async: true }));

Function getKey

getKey(args: GetKeyArgs, opts?: pulumi.InvokeOptions): Promise<GetKeyResult>

Use this data source to get detailed information about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const foo = pulumi.output(aws.kms.getKey({
    keyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}, { async: true }));

Function getSecret

getSecret(args: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult>

Function getSecrets

getSecrets(args: GetSecretsArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretsResult>

Decrypt multiple secrets from data encrypted with the AWS KMS service.

Others

interface AliasArgs

interface AliasArgs

The set of arguments for constructing a Alias resource.

property name

name?: pulumi.Input<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyId

targetKeyId: pulumi.Input<string>;

Identifier for the key for which the alias is for, can be either an ARN or key_id.

interface AliasState

interface AliasState

Input properties used for looking up and filtering Alias resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key alias.

property name

name?: pulumi.Input<string>;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates an unique alias beginning with the specified prefix. The name must start with the word “alias” followed by a forward slash (alias/). Conflicts with name.

property targetKeyArn

targetKeyArn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the target key identifier.

property targetKeyId

targetKeyId?: pulumi.Input<string>;

Identifier for the key for which the alias is for, can be either an ARN or key_id.

interface CiphertextArgs

interface CiphertextArgs

The set of arguments for constructing a Ciphertext resource.

property context

context?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

An optional mapping that makes up the encryption context.

property keyId

keyId: pulumi.Input<string>;

Globally unique key ID for the customer master key.

property plaintext

plaintext: pulumi.Input<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface CiphertextState

interface CiphertextState

Input properties used for looking up and filtering Ciphertext resources.

property ciphertextBlob

ciphertextBlob?: pulumi.Input<string>;

Base64 encoded ciphertext

property context

context?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

An optional mapping that makes up the encryption context.

property keyId

keyId?: pulumi.Input<string>;

Globally unique key ID for the customer master key.

property plaintext

plaintext?: pulumi.Input<string>;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface ExternalKeyArgs

interface ExternalKeyArgs

The set of arguments for constructing a ExternalKey resource.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

description?: pulumi.Input<string>;

Description of the key.

property enabled

enabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property keyMaterialBase64

keyMaterialBase64?: pulumi.Input<string>;

property policy

policy?: pulumi.Input<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A key-value map of tags to assign to the key.

property validTo

validTo?: pulumi.Input<string>;

interface ExternalKeyState

interface ExternalKeyState

Input properties used for looking up and filtering ExternalKey resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key.

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.

property description

description?: pulumi.Input<string>;

Description of the key.

property enabled

enabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.

property expirationModel

expirationModel?: pulumi.Input<string>;

Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.

property keyMaterialBase64

keyMaterialBase64?: pulumi.Input<string>;

property keyState

keyState?: pulumi.Input<string>;

The state of the CMK.

property keyUsage

keyUsage?: pulumi.Input<string>;

The cryptographic operations for which you can use the CMK.

property policy

policy?: pulumi.Input<string>;

A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A key-value map of tags to assign to the key.

property validTo

validTo?: pulumi.Input<string>;

interface GetAliasArgs

interface GetAliasArgs

A collection of arguments for invoking getAlias.

property name

name: string;

The display name of the alias. The name must start with the word “alias” followed by a forward slash (alias/)

interface GetAliasResult

interface GetAliasResult

A collection of values returned by getAlias.

property arn

arn: string;

The Amazon Resource Name(ARN) of the key alias.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

property targetKeyArn

targetKeyArn: string;

ARN pointed to by the alias.

property targetKeyId

targetKeyId: string;

Key identifier pointed to by the alias.

interface GetCipherTextArgs

interface GetCipherTextArgs

A collection of arguments for invoking getCipherText.

property context

context?: undefined | {[key: string]: string};

An optional mapping that makes up the encryption context.

property keyId

keyId: string;

Globally unique key ID for the customer master key.

property plaintext

plaintext: string;

Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.

interface GetCipherTextResult

interface GetCipherTextResult

A collection of values returned by getCipherText.

property ciphertextBlob

ciphertextBlob: string;

Base64 encoded ciphertext

property context

context?: undefined | {[key: string]: string};

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyId

keyId: string;

property plaintext

plaintext: string;

interface GetKeyArgs

interface GetKeyArgs

A collection of arguments for invoking getKey.

property grantTokens

grantTokens?: string[];

List of grant tokens

property keyId

keyId: string;

Key identifier which can be one of the following format: * Key ID. E.g: 1234abcd-12ab-34cd-56ef-1234567890ab * Key ARN. E.g.: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab * Alias name. E.g.: alias/my-key * Alias ARN: E.g.: arn:aws:kms:us-east-1:111122223333:alias/my-key

interface GetKeyResult

interface GetKeyResult

A collection of values returned by getKey.

property arn

arn: string;

property awsAccountId

awsAccountId: string;

property creationDate

creationDate: string;

property customerMasterKeySpec

customerMasterKeySpec: string;

property deletionDate

deletionDate: string;

property description

description: string;

property enabled

enabled: boolean;

property expirationModel

expirationModel: string;

property grantTokens

grantTokens?: string[];

property id

id: string;

The provider-assigned unique ID for this managed resource.

property keyId

keyId: string;

property keyManager

keyManager: string;

property keyState

keyState: string;

property keyUsage

keyUsage: string;

property origin

origin: string;

property validTo

validTo: string;

interface GetSecretArgs

interface GetSecretArgs

A collection of arguments for invoking getSecret.

property secrets

secrets: GetSecretSecret[];

interface GetSecretResult

interface GetSecretResult

A collection of values returned by getSecret.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property secrets

secrets: GetSecretSecret[];

interface GetSecretsArgs

interface GetSecretsArgs

A collection of arguments for invoking getSecrets.

property secrets

secrets: GetSecretsSecret[];

One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

interface GetSecretsResult

interface GetSecretsResult

A collection of values returned by getSecrets.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property plaintext

plaintext: {[key: string]: string};

Map containing each secret name as the key with its decrypted plaintext value

property secrets

secrets: GetSecretsSecret[];

interface GrantArgs

interface GrantArgs

The set of arguments for constructing a Grant resource.

property constraints

constraints?: pulumi.Input<pulumi.Input<GrantConstraint>[]>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

grantCreationTokens?: pulumi.Input<pulumi.Input<string>[]>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

property granteePrincipal

granteePrincipal: pulumi.Input<string>;

property keyId

keyId: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

A friendly name for identifying the grant.

property operations

operations: pulumi.Input<pulumi.Input<string>[]>;

property retireOnDelete

retireOnDelete?: pulumi.Input<boolean>;

property retiringPrincipal

retiringPrincipal?: pulumi.Input<string>;

interface GrantState

interface GrantState

Input properties used for looking up and filtering Grant resources.

property constraints

constraints?: pulumi.Input<pulumi.Input<GrantConstraint>[]>;

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

property grantCreationTokens

grantCreationTokens?: pulumi.Input<pulumi.Input<string>[]>;

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

property grantId

grantId?: pulumi.Input<string>;

The unique identifier for the grant.

property grantToken

grantToken?: pulumi.Input<string>;

The grant token for the created grant. For more information, see Grant Tokens.

property granteePrincipal

granteePrincipal?: pulumi.Input<string>;

property keyId

keyId?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

A friendly name for identifying the grant.

property operations

operations?: pulumi.Input<pulumi.Input<string>[]>;

property retireOnDelete

retireOnDelete?: pulumi.Input<boolean>;

property retiringPrincipal

retiringPrincipal?: pulumi.Input<string>;

interface KeyArgs

interface KeyArgs

The set of arguments for constructing a Key resource.

property customerMasterKeySpec

customerMasterKeySpec?: pulumi.Input<string>;

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

property description

description?: pulumi.Input<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

enableKeyRotation?: pulumi.Input<boolean>;

Specifies whether key rotation is enabled. Defaults to false.

property isEnabled

isEnabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Defaults to true.

property keyUsage

keyUsage?: pulumi.Input<string>;

Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

property policy

policy?: pulumi.Input<string>;

A valid policy JSON document.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A map of tags to assign to the object.

interface KeyState

interface KeyState

Input properties used for looking up and filtering Key resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name (ARN) of the key.

property customerMasterKeySpec

customerMasterKeySpec?: pulumi.Input<string>;

property deletionWindowInDays

deletionWindowInDays?: pulumi.Input<number>;

Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.

property description

description?: pulumi.Input<string>;

The description of the key as viewed in AWS console.

property enableKeyRotation

enableKeyRotation?: pulumi.Input<boolean>;

Specifies whether key rotation is enabled. Defaults to false.

property isEnabled

isEnabled?: pulumi.Input<boolean>;

Specifies whether the key is enabled. Defaults to true.

property keyId

keyId?: pulumi.Input<string>;

The globally unique identifier for the key.

property keyUsage

keyUsage?: pulumi.Input<string>;

Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT.

property policy

policy?: pulumi.Input<string>;

A valid policy JSON document.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A map of tags to assign to the object.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Module kms

Resources

Functions

Others

Resources

Example Usage

Example Usage

Example Usage

Example Usage

Example Usage

Functions

Example Usage

Example Usage

Example Usage

Others