Key
data class KeyArgs(val bypassPolicyLockoutSafetyCheck: Output<Boolean>? = null, val customKeyStoreId: Output<String>? = null, val customerMasterKeySpec: Output<String>? = null, val deletionWindowInDays: Output<Int>? = null, val description: Output<String>? = null, val enableKeyRotation: Output<Boolean>? = null, val isEnabled: Output<Boolean>? = null, val keyUsage: Output<String>? = null, val multiRegion: Output<Boolean>? = null, val policy: Output<String>? = null, val rotationPeriodInDays: Output<Int>? = null, val tags: Output<Map<String, String>>? = null, val xksKeyId: Output<String>? = null) : ConvertibleToJava<KeyArgs>
Manages a single-Region or multi-Region primary KMS key.
NOTE on KMS Key Policy: KMS Key Policy can be configured in either the standalone resource
aws.kms.KeyPolicyor with the parameterpolicyin this resource. Configuring with both will cause inconsistencies and may overwrite configuration.
Example Usage
Symmetric Encryption KMS Key
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
description: "An example symmetric encryption KMS key",
enableKeyRotation: true,
deletionWindowInDays: 20,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-default-1",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow administration of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:user/Alice`),
},
Action: [
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:user/Bob`),
},
Action: [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
],
Resource: "*",
},
],
}),
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
description="An example symmetric encryption KMS key",
enable_key_rotation=True,
deletion_window_in_days=20,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:user/Alice",
},
"Action": [
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:user/Bob",
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
],
"Resource": "*",
},
],
}))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
Description = "An example symmetric encryption KMS key",
EnableKeyRotation = true,
DeletionWindowInDays = 20,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-default-1",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow administration of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Alice",
},
["Action"] = new[]
{
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Bob",
},
["Action"] = new[]
{
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
},
["Resource"] = "*",
},
},
}),
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Alice", current.AccountId),
},
"Action": []string{
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Bob", current.AccountId),
},
"Action": []string{
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
},
"Resource": "*",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("An example symmetric encryption KMS key"),
EnableKeyRotation: pulumi.Bool(true),
DeletionWindowInDays: pulumi.Int(20),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.description("An example symmetric encryption KMS key")
.enableKeyRotation(true)
.deletionWindowInDays(20)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-default-1"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow administration of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Alice", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
)),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Bob", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
)),
jsonProperty("Resource", "*")
)
))
)))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:kms:Key
properties:
description: An example symmetric encryption KMS key
enableKeyRotation: true
deletionWindowInDays: 20
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:user/Alice
Action:
- kms:ReplicateKey
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:user/Bob
Action:
- kms:DescribeKey
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey
- kms:GenerateDataKeyWithoutPlaintext
Resource: '*'
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}Content copied to clipboard
Symmetric Encryption KMS Key With Standalone Policy Resource
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
description: "An example symmetric encryption KMS key",
enableKeyRotation: true,
deletionWindowInDays: 20,
});
const exampleKeyPolicy = new aws.kms.KeyPolicy("example", {
keyId: example.id,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-default-1",
Statement: [{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
}],
}),
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
description="An example symmetric encryption KMS key",
enable_key_rotation=True,
deletion_window_in_days=20)
example_key_policy = aws.kms.KeyPolicy("example",
key_id=example.id,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
}],
}))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
Description = "An example symmetric encryption KMS key",
EnableKeyRotation = true,
DeletionWindowInDays = 20,
});
var exampleKeyPolicy = new Aws.Kms.KeyPolicy("example", new()
{
KeyId = example.Id,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-default-1",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Action"] = "kms:*",
["Resource"] = "*",
},
},
}),
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("An example symmetric encryption KMS key"),
EnableKeyRotation: pulumi.Bool(true),
DeletionWindowInDays: pulumi.Int(20),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKeyPolicy(ctx, "example", &kms.KeyPolicyArgs{
KeyId: example.ID(),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.kms.KeyPolicy;
import com.pulumi.aws.kms.KeyPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.description("An example symmetric encryption KMS key")
.enableKeyRotation(true)
.deletionWindowInDays(20)
.build());
var exampleKeyPolicy = new KeyPolicy("exampleKeyPolicy", KeyPolicyArgs.builder()
.keyId(example.id())
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-default-1"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
)))
)))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:kms:Key
properties:
description: An example symmetric encryption KMS key
enableKeyRotation: true
deletionWindowInDays: 20
exampleKeyPolicy:
type: aws:kms:KeyPolicy
name: example
properties:
keyId: ${example.id}
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}Content copied to clipboard
Asymmetric KMS Key
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
description: "RSA-3072 asymmetric KMS key for signing and verification",
customerMasterKeySpec: "RSA_3072",
keyUsage: "SIGN_VERIFY",
enableKeyRotation: false,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-default-1",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow administration of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:role/Admin`),
},
Action: [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:role/Developer`),
},
Action: [
"kms:Sign",
"kms:Verify",
"kms:DescribeKey",
],
Resource: "*",
},
],
}),
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
description="RSA-3072 asymmetric KMS key for signing and verification",
customer_master_key_spec="RSA_3072",
key_usage="SIGN_VERIFY",
enable_key_rotation=False,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:role/Admin",
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:role/Developer",
},
"Action": [
"kms:Sign",
"kms:Verify",
"kms:DescribeKey",
],
"Resource": "*",
},
],
}))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
Description = "RSA-3072 asymmetric KMS key for signing and verification",
CustomerMasterKeySpec = "RSA_3072",
KeyUsage = "SIGN_VERIFY",
EnableKeyRotation = false,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-default-1",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow administration of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:role/Admin",
},
["Action"] = new[]
{
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:role/Developer",
},
["Action"] = new[]
{
"kms:Sign",
"kms:Verify",
"kms:DescribeKey",
},
["Resource"] = "*",
},
},
}),
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Admin", current.AccountId),
},
"Action": []string{
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Developer", current.AccountId),
},
"Action": []string{
"kms:Sign",
"kms:Verify",
"kms:DescribeKey",
},
"Resource": "*",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("RSA-3072 asymmetric KMS key for signing and verification"),
CustomerMasterKeySpec: pulumi.String("RSA_3072"),
KeyUsage: pulumi.String("SIGN_VERIFY"),
EnableKeyRotation: pulumi.Bool(false),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.description("RSA-3072 asymmetric KMS key for signing and verification")
.customerMasterKeySpec("RSA_3072")
.keyUsage("SIGN_VERIFY")
.enableKeyRotation(false)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-default-1"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow administration of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Admin", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
)),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Developer", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:Sign",
"kms:Verify",
"kms:DescribeKey"
)),
jsonProperty("Resource", "*")
)
))
)))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:kms:Key
properties:
description: RSA-3072 asymmetric KMS key for signing and verification
customerMasterKeySpec: RSA_3072
keyUsage: SIGN_VERIFY
enableKeyRotation: false
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:role/Admin
Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:role/Developer
Action:
- kms:Sign
- kms:Verify
- kms:DescribeKey
Resource: '*'
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}Content copied to clipboard
HMAC KMS key
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
description: "HMAC_384 key for tokens",
customerMasterKeySpec: "HMAC_384",
keyUsage: "GENERATE_VERIFY_MAC",
enableKeyRotation: false,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-default-1",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow administration of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:role/Admin`),
},
Action: [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:role/Developer`),
},
Action: [
"kms:GenerateMac",
"kms:VerifyMac",
"kms:DescribeKey",
],
Resource: "*",
},
],
}),
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
description="HMAC_384 key for tokens",
customer_master_key_spec="HMAC_384",
key_usage="GENERATE_VERIFY_MAC",
enable_key_rotation=False,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:role/Admin",
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:role/Developer",
},
"Action": [
"kms:GenerateMac",
"kms:VerifyMac",
"kms:DescribeKey",
],
"Resource": "*",
},
],
}))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
Description = "HMAC_384 key for tokens",
CustomerMasterKeySpec = "HMAC_384",
KeyUsage = "GENERATE_VERIFY_MAC",
EnableKeyRotation = false,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-default-1",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow administration of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:role/Admin",
},
["Action"] = new[]
{
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:role/Developer",
},
["Action"] = new[]
{
"kms:GenerateMac",
"kms:VerifyMac",
"kms:DescribeKey",
},
["Resource"] = "*",
},
},
}),
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Admin", current.AccountId),
},
"Action": []string{
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:role/Developer", current.AccountId),
},
"Action": []string{
"kms:GenerateMac",
"kms:VerifyMac",
"kms:DescribeKey",
},
"Resource": "*",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("HMAC_384 key for tokens"),
CustomerMasterKeySpec: pulumi.String("HMAC_384"),
KeyUsage: pulumi.String("GENERATE_VERIFY_MAC"),
EnableKeyRotation: pulumi.Bool(false),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.description("HMAC_384 key for tokens")
.customerMasterKeySpec("HMAC_384")
.keyUsage("GENERATE_VERIFY_MAC")
.enableKeyRotation(false)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-default-1"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow administration of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Admin", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
)),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Developer", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:GenerateMac",
"kms:VerifyMac",
"kms:DescribeKey"
)),
jsonProperty("Resource", "*")
)
))
)))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:kms:Key
properties:
description: HMAC_384 key for tokens
customerMasterKeySpec: HMAC_384
keyUsage: GENERATE_VERIFY_MAC
enableKeyRotation: false
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:role/Admin
Action:
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:role/Developer
Action:
- kms:GenerateMac
- kms:VerifyMac
- kms:DescribeKey
Resource: '*'
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}Content copied to clipboard
Multi-Region Primary Key
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
description: "An example multi-Region primary key",
multiRegion: true,
enableKeyRotation: true,
deletionWindowInDays: 10,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-default-1",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow administration of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:user/Alice`),
},
Action: [
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:user/Bob`),
},
Action: [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
],
Resource: "*",
},
],
}),
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
description="An example multi-Region primary key",
multi_region=True,
enable_key_rotation=True,
deletion_window_in_days=10,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:user/Alice",
},
"Action": [
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
],
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:user/Bob",
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
],
"Resource": "*",
},
],
}))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
Description = "An example multi-Region primary key",
MultiRegion = true,
EnableKeyRotation = true,
DeletionWindowInDays = 10,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-default-1",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow administration of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Alice",
},
["Action"] = new[]
{
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Bob",
},
["Action"] = new[]
{
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
},
["Resource"] = "*",
},
},
}),
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Alice", current.AccountId),
},
"Action": []string{
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
},
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:user/Bob", current.AccountId),
},
"Action": []string{
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
},
"Resource": "*",
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
Description: pulumi.String("An example multi-Region primary key"),
MultiRegion: pulumi.Bool(true),
EnableKeyRotation: pulumi.Bool(true),
DeletionWindowInDays: pulumi.Int(10),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.description("An example multi-Region primary key")
.multiRegion(true)
.enableKeyRotation(true)
.deletionWindowInDays(10)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-default-1"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow administration of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Alice", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:ReplicateKey",
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
)),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Bob", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
)),
jsonProperty("Resource", "*")
)
))
)))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:kms:Key
properties:
description: An example multi-Region primary key
multiRegion: true
enableKeyRotation: true
deletionWindowInDays: 10
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:user/Alice
Action:
- kms:ReplicateKey
- kms:Create*
- kms:Describe*
- kms:Enable*
- kms:List*
- kms:Put*
- kms:Update*
- kms:Revoke*
- kms:Disable*
- kms:Get*
- kms:Delete*
- kms:ScheduleKeyDeletion
- kms:CancelKeyDeletion
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:user/Bob
Action:
- kms:DescribeKey
- kms:Encrypt
- kms:Decrypt
- kms:ReEncrypt*
- kms:GenerateDataKey
- kms:GenerateDataKeyWithoutPlaintext
Resource: '*'
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}Content copied to clipboard
Import
Using pulumi import, import KMS Keys using the id. For example:
$ pulumi import aws:kms/key:Key a 1234abcd-12ab-34cd-56ef-1234567890abContent copied to clipboard
Constructors
Link copied to clipboard
constructor(bypassPolicyLockoutSafetyCheck: Output<Boolean>? = null, customKeyStoreId: Output<String>? = null, customerMasterKeySpec: Output<String>? = null, deletionWindowInDays: Output<Int>? = null, description: Output<String>? = null, enableKeyRotation: Output<Boolean>? = null, isEnabled: Output<Boolean>? = null, keyUsage: Output<String>? = null, multiRegion: Output<Boolean>? = null, policy: Output<String>? = null, rotationPeriodInDays: Output<Int>? = null, tags: Output<Map<String, String>>? = null, xksKeyId: Output<String>? = null)
Properties
Link copied to clipboard
A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
Link copied to clipboard
Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
Link copied to clipboard
ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
Link copied to clipboard
The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
Link copied to clipboard
The description of the key as viewed in AWS console.
Link copied to clipboard
Specifies whether key rotation is enabled. Defaults to false.
Link copied to clipboard
Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
Link copied to clipboard
Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).