
AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi

aws.kms.Key


    Manages a single-Region or multi-Region primary KMS key.

    NOTE on KMS Key Policy: the key policy can be configured either in the standalone resource aws.kms.KeyPolicy or with the policy parameter of this resource. Configuring both causes inconsistencies, and one may overwrite the other.

    Example Usage

    Symmetric Encryption KMS Key

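    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Identity of the account the stack deploys into; its id is needed for the
    // principal ARNs in the key policy below.
    const current = aws.getCallerIdentity({});
    const example = new aws.kms.Key("example", {
        description: "An example symmetric encryption KMS key",
        enableKeyRotation: true,
        // Waiting period before a scheduled deletion becomes final; deletion can
        // still be cancelled while it runs.
        deletionWindowInDays: 20,
        // JSON.stringify does not resolve promises (a pending Promise serializes
        // as {}), so the document is built only after the caller identity has
        // resolved; the resulting Promise<string> is a valid Input<string>.
        policy: current.then(identity => JSON.stringify({
            Version: "2012-10-17",
            Id: "key-default-1",
            Statement: [
                {
                    // Keeps the account root in control of the key so that IAM
                    // policies in the account can grant access to it.
                    Sid: "Enable IAM User Permissions",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:root`,
                    },
                    Action: "kms:*",
                    Resource: "*",
                },
                {
                    // Administration only: this principal cannot encrypt or decrypt
                    // with the key. Alice is a placeholder IAM user; the principal
                    // must exist in the account or KMS rejects the policy.
                    Sid: "Allow administration of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:user/Alice`,
                    },
                    Action: [
                        "kms:ReplicateKey",
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion",
                    ],
                    Resource: "*",
                },
                {
                    // Cryptographic use only: this principal cannot change the key's
                    // configuration or policy. Bob is a placeholder IAM user.
                    Sid: "Allow use of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:user/Bob`,
                    },
                    Action: [
                        "kms:DescribeKey",
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey",
                        "kms:GenerateDataKeyWithoutPlaintext",
                    ],
                    Resource: "*",
                },
            ],
        })),
    });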
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    # Identity of the deploying account; supplies the account id for the
    # principal ARNs in the key policy.
    current = aws.get_caller_identity()
    account_id = current.account_id
    
    # Key policy: the account root keeps full control (so IAM policies in the
    # account can grant access to the key), Alice administers the key, and Bob
    # may only use it for cryptographic operations. Alice and Bob are
    # placeholder IAM users that must exist in the account.
    key_policy = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/Alice"},
                "Action": [
                    "kms:ReplicateKey",
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/Bob"},
                "Action": [
                    "kms:DescribeKey",
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext",
                ],
                "Resource": "*",
            },
        ],
    }
    
    example = aws.kms.Key(
        "example",
        description="An example symmetric encryption KMS key",
        enable_key_rotation=True,
        # Waiting period before a scheduled deletion becomes final.
        deletion_window_in_days=20,
        policy=json.dumps(key_policy),
    )
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // keyPolicy builds the key policy document for the given account id: the
    // account root keeps full control (so IAM policies in the account can grant
    // access), Alice administers the key and Bob may only use it for
    // cryptographic operations. Alice and Bob are placeholder IAM users.
    func keyPolicy(accountID string) map[string]interface{} {
    	principal := func(suffix string) map[string]interface{} {
    		return map[string]interface{}{
    			"AWS": fmt.Sprintf("arn:aws:iam::%v:%s", accountID, suffix),
    		}
    	}
    	return map[string]interface{}{
    		"Version": "2012-10-17",
    		"Id":      "key-default-1",
    		"Statement": []interface{}{
    			map[string]interface{}{
    				"Sid":       "Enable IAM User Permissions",
    				"Effect":    "Allow",
    				"Principal": principal("root"),
    				"Action":    "kms:*",
    				"Resource":  "*",
    			},
    			map[string]interface{}{
    				"Sid":       "Allow administration of the key",
    				"Effect":    "Allow",
    				"Principal": principal("user/Alice"),
    				"Action": []string{
    					"kms:ReplicateKey",
    					"kms:Create*",
    					"kms:Describe*",
    					"kms:Enable*",
    					"kms:List*",
    					"kms:Put*",
    					"kms:Update*",
    					"kms:Revoke*",
    					"kms:Disable*",
    					"kms:Get*",
    					"kms:Delete*",
    					"kms:ScheduleKeyDeletion",
    					"kms:CancelKeyDeletion",
    				},
    				"Resource": "*",
    			},
    			map[string]interface{}{
    				"Sid":       "Allow use of the key",
    				"Effect":    "Allow",
    				"Principal": principal("user/Bob"),
    				"Action": []string{
    					"kms:DescribeKey",
    					"kms:Encrypt",
    					"kms:Decrypt",
    					"kms:ReEncrypt*",
    					"kms:GenerateDataKey",
    					"kms:GenerateDataKeyWithoutPlaintext",
    				},
    				"Resource": "*",
    			},
    		},
    	}
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Identity of the deploying account; supplies the account id used in
    		// the policy's principal ARNs.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		policyJSON, err := json.Marshal(keyPolicy(current.AccountId))
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description:       pulumi.String("An example symmetric encryption KMS key"),
    			EnableKeyRotation: pulumi.Bool(true),
    			// Waiting period before a scheduled deletion becomes final.
    			DeletionWindowInDays: pulumi.Int(20),
    			Policy:               pulumi.String(string(policyJSON)),
    		})
    		return err
    	})
    }
    
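    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Identity of the deploying account; its id is needed for the principal
        // ARNs in the key policy.
        var current = Aws.GetCallerIdentity.Invoke();
    
        // Interpolating an Output<string> into a plain string embeds the Output
        // object's type name, not the account id, so the document is serialized
        // inside Apply where the resolved id is an ordinary string.
        var policy = current.Apply(identity => JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Id"] = "key-default-1",
            ["Statement"] = new[]
            {
                // Keeps the account root in control of the key so that IAM
                // policies in the account can grant access to it.
                new Dictionary<string, object?>
                {
                    ["Sid"] = "Enable IAM User Permissions",
                    ["Effect"] = "Allow",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["AWS"] = $"arn:aws:iam::{identity.AccountId}:root",
                    },
                    ["Action"] = "kms:*",
                    ["Resource"] = "*",
                },
                // Administration only; Alice is a placeholder IAM user that must
                // exist in the account or KMS rejects the policy.
                new Dictionary<string, object?>
                {
                    ["Sid"] = "Allow administration of the key",
                    ["Effect"] = "Allow",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["AWS"] = $"arn:aws:iam::{identity.AccountId}:user/Alice",
                    },
                    ["Action"] = new[]
                    {
                        "kms:ReplicateKey",
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion",
                    },
                    ["Resource"] = "*",
                },
                // Cryptographic use only; Bob is a placeholder IAM user.
                new Dictionary<string, object?>
                {
                    ["Sid"] = "Allow use of the key",
                    ["Effect"] = "Allow",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["AWS"] = $"arn:aws:iam::{identity.AccountId}:user/Bob",
                    },
                    ["Action"] = new[]
                    {
                        "kms:DescribeKey",
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey",
                        "kms:GenerateDataKeyWithoutPlaintext",
                    },
                    ["Resource"] = "*",
                },
            },
        }));
    
        var example = new Aws.Kms.Key("example", new()
        {
            Description = "An example symmetric encryption KMS key",
            EnableKeyRotation = true,
            // Waiting period before a scheduled deletion becomes final.
            DeletionWindowInDays = 20,
            Policy = policy,
        });
    
    });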
    
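    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Identity of the deploying account; its id is needed for the
            // principal ARNs in the key policy.
            final var current = AwsFunctions.getCallerIdentity();
    
            // String.format on an Output renders the Output object itself, not the
            // account id, so the document is serialized only once the identity has
            // resolved and is handed to the builder as an Output<String>.
            final var policy = current.applyValue(identity -> serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Id", "key-default-1"),
                    jsonProperty("Statement", jsonArray(
                        // Keeps the account root in control of the key so that IAM
                        // policies in the account can grant access to it.
                        jsonObject(
                            jsonProperty("Sid", "Enable IAM User Permissions"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:root", identity.accountId()))
                            )),
                            jsonProperty("Action", "kms:*"),
                            jsonProperty("Resource", "*")
                        ), 
                        // Administration only; Alice is a placeholder IAM user that
                        // must exist in the account or KMS rejects the policy.
                        jsonObject(
                            jsonProperty("Sid", "Allow administration of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Alice", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:ReplicateKey", 
                                "kms:Create*", 
                                "kms:Describe*", 
                                "kms:Enable*", 
                                "kms:List*", 
                                "kms:Put*", 
                                "kms:Update*", 
                                "kms:Revoke*", 
                                "kms:Disable*", 
                                "kms:Get*", 
                                "kms:Delete*", 
                                "kms:ScheduleKeyDeletion", 
                                "kms:CancelKeyDeletion"
                            )),
                            jsonProperty("Resource", "*")
                        ), 
                        // Cryptographic use only; Bob is a placeholder IAM user.
                        jsonObject(
                            jsonProperty("Sid", "Allow use of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Bob", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:DescribeKey", 
                                "kms:Encrypt", 
                                "kms:Decrypt", 
                                "kms:ReEncrypt*", 
                                "kms:GenerateDataKey", 
                                "kms:GenerateDataKeyWithoutPlaintext"
                            )),
                            jsonProperty("Resource", "*")
                        )
                    ))
                )));
    
            var example = new Key("example", KeyArgs.builder()
                .description("An example symmetric encryption KMS key")
                .enableKeyRotation(true)
                // Waiting period before a scheduled deletion becomes final.
                .deletionWindowInDays(20)
                .policy(policy)
                .build());
    
        }
    }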
    
    resources:
      example:
        type: aws:kms:Key
        properties:
          description: An example symmetric encryption KMS key
          enableKeyRotation: true
          # Waiting period before a scheduled deletion becomes final; deletion can
          # still be cancelled while it runs.
          deletionWindowInDays: 20
          # Inline key policy. Do not also attach an aws:kms:KeyPolicy resource to
          # this key: the two would overwrite each other.
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Id: key-default-1
              Statement:
                # Keeps the account root in control of the key so that IAM
                # policies in the account can grant access to it.
                - Sid: Enable IAM User Permissions
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Action: kms:*
                  Resource: '*'
                # Administration only; Alice is a placeholder IAM user that must
                # exist in the account or KMS rejects the policy.
                - Sid: Allow administration of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:user/Alice
                  Action:
                    - kms:ReplicateKey
                    - kms:Create*
                    - kms:Describe*
                    - kms:Enable*
                    - kms:List*
                    - kms:Put*
                    - kms:Update*
                    - kms:Revoke*
                    - kms:Disable*
                    - kms:Get*
                    - kms:Delete*
                    - kms:ScheduleKeyDeletion
                    - kms:CancelKeyDeletion
                  Resource: '*'
                # Cryptographic use only; Bob is a placeholder IAM user.
                - Sid: Allow use of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:user/Bob
                  Action:
                    - kms:DescribeKey
                    - kms:Encrypt
                    - kms:Decrypt
                    - kms:ReEncrypt*
                    - kms:GenerateDataKey
                    - kms:GenerateDataKeyWithoutPlaintext
                  Resource: '*'
    variables:
      # Identity of the deploying account; supplies the account id used in the
      # principal ARNs above.
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    Symmetric Encryption KMS Key With Standalone Policy Resource

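    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Identity of the account the stack deploys into; its id is needed for the
    // principal ARN in the key policy below.
    const current = aws.getCallerIdentity({});
    // The key is created without an inline `policy`; the standalone KeyPolicy
    // resource below owns the policy instead (setting both would conflict).
    const example = new aws.kms.Key("example", {
        description: "An example symmetric encryption KMS key",
        enableKeyRotation: true,
        // Waiting period before a scheduled deletion becomes final.
        deletionWindowInDays: 20,
    });
    const exampleKeyPolicy = new aws.kms.KeyPolicy("example", {
        keyId: example.id,
        // JSON.stringify does not resolve promises (a pending Promise serializes
        // as {}), so the document is built only after the caller identity has
        // resolved; the resulting Promise<string> is a valid Input<string>.
        policy: current.then(identity => JSON.stringify({
            Version: "2012-10-17",
            Id: "key-default-1",
            Statement: [{
                // Keeps the account root in control of the key so that IAM
                // policies in the account can grant access to it.
                Sid: "Enable IAM User Permissions",
                Effect: "Allow",
                Principal: {
                    AWS: `arn:aws:iam::${identity.accountId}:root`,
                },
                Action: "kms:*",
                Resource: "*",
            }],
        })),
    });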
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    # Identity of the deploying account; supplies the account id for the
    # principal ARN in the key policy.
    current = aws.get_caller_identity()
    
    # The key is created without an inline policy; the standalone KeyPolicy
    # resource below owns the policy instead (setting both would conflict).
    example = aws.kms.Key(
        "example",
        description="An example symmetric encryption KMS key",
        enable_key_rotation=True,
        # Waiting period before a scheduled deletion becomes final.
        deletion_window_in_days=20,
    )
    
    # The account root keeps full control so that IAM policies in the account
    # can grant access to the key.
    key_policy = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{current.account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            }
        ],
    }
    
    example_key_policy = aws.kms.KeyPolicy(
        "example",
        key_id=example.id,
        policy=json.dumps(key_policy),
    )
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // rootOnlyPolicy builds a key policy whose single statement keeps the account
    // root in control of the key, so that IAM policies in the account can grant
    // access to it.
    func rootOnlyPolicy(accountID string) map[string]interface{} {
    	return map[string]interface{}{
    		"Version": "2012-10-17",
    		"Id":      "key-default-1",
    		"Statement": []map[string]interface{}{
    			{
    				"Sid":    "Enable IAM User Permissions",
    				"Effect": "Allow",
    				"Principal": map[string]interface{}{
    					"AWS": fmt.Sprintf("arn:aws:iam::%v:root", accountID),
    				},
    				"Action":   "kms:*",
    				"Resource": "*",
    			},
    		},
    	}
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Identity of the deploying account; supplies the account id used in
    		// the policy's principal ARN.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		// The key carries no inline Policy; the standalone KeyPolicy resource
    		// below owns the policy instead (setting both would conflict).
    		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description:       pulumi.String("An example symmetric encryption KMS key"),
    			EnableKeyRotation: pulumi.Bool(true),
    			// Waiting period before a scheduled deletion becomes final.
    			DeletionWindowInDays: pulumi.Int(20),
    		})
    		if err != nil {
    			return err
    		}
    		policyJSON, err := json.Marshal(rootOnlyPolicy(current.AccountId))
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewKeyPolicy(ctx, "example", &kms.KeyPolicyArgs{
    			KeyId:  example.ID(),
    			Policy: pulumi.String(string(policyJSON)),
    		})
    		return err
    	})
    }
    
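    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Identity of the deploying account; its id is needed for the principal
        // ARN in the key policy.
        var current = Aws.GetCallerIdentity.Invoke();
    
        // The key is created without an inline Policy; the standalone KeyPolicy
        // resource below owns the policy instead (setting both would conflict).
        var example = new Aws.Kms.Key("example", new()
        {
            Description = "An example symmetric encryption KMS key",
            EnableKeyRotation = true,
            // Waiting period before a scheduled deletion becomes final.
            DeletionWindowInDays = 20,
        });
    
        // Interpolating an Output<string> into a plain string embeds the Output
        // object's type name, not the account id, so the document is serialized
        // inside Apply where the resolved id is an ordinary string.
        var policy = current.Apply(identity => JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["Version"] = "2012-10-17",
            ["Id"] = "key-default-1",
            ["Statement"] = new[]
            {
                // Keeps the account root in control of the key so that IAM
                // policies in the account can grant access to it.
                new Dictionary<string, object?>
                {
                    ["Sid"] = "Enable IAM User Permissions",
                    ["Effect"] = "Allow",
                    ["Principal"] = new Dictionary<string, object?>
                    {
                        ["AWS"] = $"arn:aws:iam::{identity.AccountId}:root",
                    },
                    ["Action"] = "kms:*",
                    ["Resource"] = "*",
                },
            },
        }));
    
        var exampleKeyPolicy = new Aws.Kms.KeyPolicy("example", new()
        {
            KeyId = example.Id,
            Policy = policy,
        });
    
    });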
    
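    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.kms.KeyPolicy;
    import com.pulumi.aws.kms.KeyPolicyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Identity of the deploying account; its id is needed for the
            // principal ARN in the key policy.
            final var current = AwsFunctions.getCallerIdentity();
    
            // The key is created without an inline policy; the standalone
            // KeyPolicy resource below owns the policy instead (setting both
            // would conflict).
            var example = new Key("example", KeyArgs.builder()
                .description("An example symmetric encryption KMS key")
                .enableKeyRotation(true)
                // Waiting period before a scheduled deletion becomes final.
                .deletionWindowInDays(20)
                .build());
    
            // String.format on an Output renders the Output object itself, not the
            // account id, so the document is serialized only once the identity has
            // resolved and is handed to the builder as an Output<String>.
            final var policy = current.applyValue(identity -> serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Id", "key-default-1"),
                    // Keeps the account root in control of the key so that IAM
                    // policies in the account can grant access to it.
                    jsonProperty("Statement", jsonArray(jsonObject(
                        jsonProperty("Sid", "Enable IAM User Permissions"),
                        jsonProperty("Effect", "Allow"),
                        jsonProperty("Principal", jsonObject(
                            jsonProperty("AWS", String.format("arn:aws:iam::%s:root", identity.accountId()))
                        )),
                        jsonProperty("Action", "kms:*"),
                        jsonProperty("Resource", "*")
                    )))
                )));
    
            var exampleKeyPolicy = new KeyPolicy("exampleKeyPolicy", KeyPolicyArgs.builder()
                .keyId(example.id())
                .policy(policy)
                .build());
    
        }
    }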
    
    resources:
      # The key carries no inline policy; the standalone KeyPolicy resource below
      # owns the policy instead (setting both would conflict).
      example:
        type: aws:kms:Key
        properties:
          description: An example symmetric encryption KMS key
          enableKeyRotation: true
          # Waiting period before a scheduled deletion becomes final; deletion can
          # still be cancelled while it runs.
          deletionWindowInDays: 20
      exampleKeyPolicy:
        type: aws:kms:KeyPolicy
        name: example
        properties:
          keyId: ${example.id}
          policy:
            fn::toJSON:
              Version: 2012-10-17
              Id: key-default-1
              Statement:
                # Keeps the account root in control of the key so that IAM
                # policies in the account can grant access to it.
                - Sid: Enable IAM User Permissions
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Action: kms:*
                  Resource: '*'
    variables:
      # Identity of the deploying account; supplies the account id used in the
      # principal ARN above.
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    Asymmetric KMS Key

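    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Identity of the account the stack deploys into; its id is needed for the
    // principal ARNs in the key policy below.
    const current = aws.getCallerIdentity({});
    const example = new aws.kms.Key("example", {
        description: "RSA-3072 asymmetric KMS key for signing and verification",
        customerMasterKeySpec: "RSA_3072",
        keyUsage: "SIGN_VERIFY",
        // Automatic rotation is only available for symmetric encryption keys, so
        // it stays off for this asymmetric key.
        enableKeyRotation: false,
        // JSON.stringify does not resolve promises (a pending Promise serializes
        // as {}), so the document is built only after the caller identity has
        // resolved; the resulting Promise<string> is a valid Input<string>.
        policy: current.then(identity => JSON.stringify({
            Version: "2012-10-17",
            Id: "key-default-1",
            Statement: [
                {
                    // Keeps the account root in control of the key so that IAM
                    // policies in the account can grant access to it.
                    Sid: "Enable IAM User Permissions",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:root`,
                    },
                    Action: "kms:*",
                    Resource: "*",
                },
                {
                    // Administration only: this role cannot sign or verify with
                    // the key. Admin is a placeholder IAM role; the principal must
                    // exist in the account or KMS rejects the policy.
                    Sid: "Allow administration of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:role/Admin`,
                    },
                    Action: [
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion",
                    ],
                    Resource: "*",
                },
                {
                    // Signing and verification only: this role cannot change the
                    // key's configuration or policy. Developer is a placeholder
                    // IAM role.
                    Sid: "Allow use of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${identity.accountId}:role/Developer`,
                    },
                    Action: [
                        "kms:Sign",
                        "kms:Verify",
                        "kms:DescribeKey",
                    ],
                    Resource: "*",
                },
            ],
        })),
    });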
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    # Identity of the deploying account; supplies the account id for the
    # principal ARNs in the key policy.
    current = aws.get_caller_identity()
    account_id = current.account_id
    
    # Key policy: the account root keeps full control (so IAM policies in the
    # account can grant access to the key), the Admin role administers the key,
    # and the Developer role may only sign and verify with it. Admin and
    # Developer are placeholder IAM roles that must exist in the account.
    key_policy = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/Admin"},
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion",
                ],
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/Developer"},
                "Action": [
                    "kms:Sign",
                    "kms:Verify",
                    "kms:DescribeKey",
                ],
                "Resource": "*",
            },
        ],
    }
    
    example = aws.kms.Key(
        "example",
        description="RSA-3072 asymmetric KMS key for signing and verification",
        customer_master_key_spec="RSA_3072",
        key_usage="SIGN_VERIFY",
        # Automatic rotation is only available for symmetric encryption keys, so
        # it stays off for this asymmetric key.
        enable_key_rotation=False,
        policy=json.dumps(key_policy),
    )
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // signingKeyPolicy builds the key policy document for the given account id:
    // the account root keeps full control (so IAM policies in the account can
    // grant access), the Admin role administers the key and the Developer role
    // may only sign and verify with it. Admin and Developer are placeholder IAM
    // roles.
    func signingKeyPolicy(accountID string) map[string]interface{} {
    	principal := func(suffix string) map[string]interface{} {
    		return map[string]interface{}{
    			"AWS": fmt.Sprintf("arn:aws:iam::%v:%s", accountID, suffix),
    		}
    	}
    	return map[string]interface{}{
    		"Version": "2012-10-17",
    		"Id":      "key-default-1",
    		"Statement": []interface{}{
    			map[string]interface{}{
    				"Sid":       "Enable IAM User Permissions",
    				"Effect":    "Allow",
    				"Principal": principal("root"),
    				"Action":    "kms:*",
    				"Resource":  "*",
    			},
    			map[string]interface{}{
    				"Sid":       "Allow administration of the key",
    				"Effect":    "Allow",
    				"Principal": principal("role/Admin"),
    				"Action": []string{
    					"kms:Create*",
    					"kms:Describe*",
    					"kms:Enable*",
    					"kms:List*",
    					"kms:Put*",
    					"kms:Update*",
    					"kms:Revoke*",
    					"kms:Disable*",
    					"kms:Get*",
    					"kms:Delete*",
    					"kms:ScheduleKeyDeletion",
    					"kms:CancelKeyDeletion",
    				},
    				"Resource": "*",
    			},
    			map[string]interface{}{
    				"Sid":       "Allow use of the key",
    				"Effect":    "Allow",
    				"Principal": principal("role/Developer"),
    				"Action": []string{
    					"kms:Sign",
    					"kms:Verify",
    					"kms:DescribeKey",
    				},
    				"Resource": "*",
    			},
    		},
    	}
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Identity of the deploying account; supplies the account id used in
    		// the policy's principal ARNs.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		policyJSON, err := json.Marshal(signingKeyPolicy(current.AccountId))
    		if err != nil {
    			return err
    		}
    		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description:           pulumi.String("RSA-3072 asymmetric KMS key for signing and verification"),
    			CustomerMasterKeySpec: pulumi.String("RSA_3072"),
    			KeyUsage:              pulumi.String("SIGN_VERIFY"),
    			// Automatic rotation is only available for symmetric encryption
    			// keys, so it stays off for this asymmetric key.
    			EnableKeyRotation: pulumi.Bool(false),
    			Policy:            pulumi.String(string(policyJSON)),
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
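    return await Deployment.RunAsync(() =>
    {
        // The deploying account's ID anchors every principal ARN in the key policy.
        var current = Aws.GetCallerIdentity.Invoke();

        var example = new Aws.Kms.Key("example", new()
        {
            Description = "RSA-3072 asymmetric KMS key for signing and verification",
            CustomerMasterKeySpec = "RSA_3072",
            KeyUsage = "SIGN_VERIFY",
            // Rotation is left off for this asymmetric signing key.
            EnableKeyRotation = false,
            // Serialize inside Apply so the resolved AccountId is what lands in the ARNs.
            // Interpolating the Output<string> directly into a $"" string embeds the Output's
            // ToString() text instead of the account ID, which yields invalid principal ARNs.
            Policy = current.Apply(identity => JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Id"] = "key-default-1",
                ["Statement"] = new[]
                {
                    // Account root keeps kms:* so IAM policies in the account can delegate key access.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Enable IAM User Permissions",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:root",
                        },
                        ["Action"] = "kms:*",
                        ["Resource"] = "*",
                    },
                    // Admin role: lifecycle management only; Sign/Verify are not in this list.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow administration of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:role/Admin",
                        },
                        ["Action"] = new[]
                        {
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion",
                        },
                        ["Resource"] = "*",
                    },
                    // Developer role: sign/verify plus DescribeKey.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow use of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:role/Developer",
                        },
                        ["Action"] = new[]
                        {
                            "kms:Sign",
                            "kms:Verify",
                            "kms:DescribeKey",
                        },
                        // "*" inside a key policy scopes the grant to this key only.
                        ["Resource"] = "*",
                    },
                },
            })),
        });

    });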
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
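    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares an RSA-3072 SIGN_VERIFY KMS key with a three-statement key policy:
         * account root (kms:*), an Admin role (lifecycle management) and a Developer
         * role (sign/verify plus DescribeKey). Every principal is an ARN in the
         * deploying account.
         *
         * @param ctx the Pulumi program context
         */
        public static void stack(Context ctx) {
            final var current = AwsFunctions.getCallerIdentity();

            // Build the ARNs inside applyValue, where accountId() is a plain String.
            // Passing the Output itself to String.format would embed Output's toString()
            // text rather than the account ID, producing invalid principal ARNs.
            var policy = current.applyValue(identity -> serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Id", "key-default-1"),
                    jsonProperty("Statement", jsonArray(
                        // Account root keeps kms:* so IAM policies in the account can delegate key access.
                        jsonObject(
                            jsonProperty("Sid", "Enable IAM User Permissions"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:root", identity.accountId()))
                            )),
                            jsonProperty("Action", "kms:*"),
                            jsonProperty("Resource", "*")
                        ),
                        // Admin role: lifecycle management only; Sign/Verify are not in this list.
                        jsonObject(
                            jsonProperty("Sid", "Allow administration of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Admin", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:Create*",
                                "kms:Describe*",
                                "kms:Enable*",
                                "kms:List*",
                                "kms:Put*",
                                "kms:Update*",
                                "kms:Revoke*",
                                "kms:Disable*",
                                "kms:Get*",
                                "kms:Delete*",
                                "kms:ScheduleKeyDeletion",
                                "kms:CancelKeyDeletion"
                            )),
                            jsonProperty("Resource", "*")
                        ),
                        // Developer role: sign/verify plus DescribeKey. "*" scopes the grant to this key.
                        jsonObject(
                            jsonProperty("Sid", "Allow use of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Developer", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:Sign",
                                "kms:Verify",
                                "kms:DescribeKey"
                            )),
                            jsonProperty("Resource", "*")
                        )
                    ))
                )));

            // Rotation is left off for this asymmetric signing key.
            var example = new Key("example", KeyArgs.builder()
                .description("RSA-3072 asymmetric KMS key for signing and verification")
                .customerMasterKeySpec("RSA_3072")
                .keyUsage("SIGN_VERIFY")
                .enableKeyRotation(false)
                .policy(policy)
                .build());
        }
    }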
    
    resources:
      example:
        type: aws:kms:Key
        properties:
          description: RSA-3072 asymmetric KMS key for signing and verification
          customerMasterKeySpec: RSA_3072
          keyUsage: SIGN_VERIFY
          # Rotation is left off for this asymmetric signing key.
          enableKeyRotation: false
          # Key policy rendered to JSON; ${current.accountId} resolves from the invoke below.
          policy:
            fn::toJSON:
              # Policy-language version string (quote it if your YAML tooling would parse it as a date).
              Version: 2012-10-17
              Id: key-default-1
              Statement:
                # Account root keeps kms:* so IAM policies in the account can delegate key access.
                - Sid: Enable IAM User Permissions
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Action: kms:*
                  Resource: '*'
                # Admin role: lifecycle management only; Sign/Verify are not in this list.
                - Sid: Allow administration of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:role/Admin
                  Action:
                    - kms:Create*
                    - kms:Describe*
                    - kms:Enable*
                    - kms:List*
                    - kms:Put*
                    - kms:Update*
                    - kms:Revoke*
                    - kms:Disable*
                    - kms:Get*
                    - kms:Delete*
                    - kms:ScheduleKeyDeletion
                    - kms:CancelKeyDeletion
                  Resource: '*'
                # Developer role: sign/verify plus DescribeKey. '*' inside a key policy scopes the grant to this key.
                - Sid: Allow use of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:role/Developer
                  Action:
                    - kms:Sign
                    - kms:Verify
                    - kms:DescribeKey
                  Resource: '*'
    # Identity of the deploying account; supplies accountId for the principal ARNs above.
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    HMAC KMS key

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
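    // The deploying account's ID anchors every principal ARN in the key policy.
    const current = aws.getCallerIdentity({});
    const example = new aws.kms.Key("example", {
        description: "HMAC_384 key for tokens",
        customerMasterKeySpec: "HMAC_384",
        keyUsage: "GENERATE_VERIFY_MAC",
        // Rotation is left off for this HMAC key.
        enableKeyRotation: false,
        // Serialize only after the caller identity has resolved: JSON.stringify renders a
        // pending Promise as {}, so stringifying the unresolved ARNs would embed
        // "AWS": {} and produce invalid principals.
        policy: current.then(({ accountId }) => JSON.stringify({
            Version: "2012-10-17",
            Id: "key-default-1",
            Statement: [
                // Account root keeps kms:* so IAM policies in the account can delegate key access.
                {
                    Sid: "Enable IAM User Permissions",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:root`,
                    },
                    Action: "kms:*",
                    Resource: "*",
                },
                // Admin role: lifecycle management only; GenerateMac/VerifyMac are not in this list.
                {
                    Sid: "Allow administration of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:role/Admin`,
                    },
                    Action: [
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion",
                    ],
                    Resource: "*",
                },
                // Developer role: MAC generation/verification plus DescribeKey.
                // "*" inside a key policy scopes the grant to this key only.
                {
                    Sid: "Allow use of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:role/Developer`,
                    },
                    Action: [
                        "kms:GenerateMac",
                        "kms:VerifyMac",
                        "kms:DescribeKey",
                    ],
                    Resource: "*",
                },
            ],
        })),
    });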
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    # The deploying account's ID anchors every principal ARN in the key policy.
    current = aws.get_caller_identity()


    def _allow(sid: str, principal_arn: str, actions) -> dict:
        """Build one Allow statement for `principal_arn`.

        `actions` is either a single action string or a list of actions. Resource "*"
        inside a key policy scopes the grant to this key only.
        """
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": actions,
            "Resource": "*",
        }


    # Lifecycle-management actions for the Admin role; GenerateMac/VerifyMac are not in this list.
    _admin_actions = [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
    ]
    # Usage actions for the Developer role: MAC generation/verification plus DescribeKey.
    _use_actions = ["kms:GenerateMac", "kms:VerifyMac", "kms:DescribeKey"]

    # Account root keeps kms:* so IAM policies in the account can delegate key access.
    _key_policy = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            _allow("Enable IAM User Permissions", f"arn:aws:iam::{current.account_id}:root", "kms:*"),
            _allow("Allow administration of the key", f"arn:aws:iam::{current.account_id}:role/Admin", _admin_actions),
            _allow("Allow use of the key", f"arn:aws:iam::{current.account_id}:role/Developer", _use_actions),
        ],
    }

    # Rotation is left off for this HMAC key.
    example = aws.kms.Key(
        "example",
        description="HMAC_384 key for tokens",
        customer_master_key_spec="HMAC_384",
        key_usage="GENERATE_VERIFY_MAC",
        enable_key_rotation=False,
        policy=json.dumps(_key_policy),
    )
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The deploying account's ID anchors every principal ARN in the key policy.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}

    		// awsPrincipal wraps an IAM ARN in the {"AWS": ...} principal form.
    		awsPrincipal := func(arn string) map[string]interface{} {
    			return map[string]interface{}{"AWS": arn}
    		}
    		// allow builds one Allow statement. Resource "*" inside a key policy scopes
    		// the grant to this key only (confirm against the AWS KMS key-policy docs).
    		allow := func(sid string, principal map[string]interface{}, action interface{}) map[string]interface{} {
    			return map[string]interface{}{
    				"Sid":       sid,
    				"Effect":    "Allow",
    				"Principal": principal,
    				"Action":    action,
    				"Resource":  "*",
    			}
    		}

    		rootArn := fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId)
    		adminArn := fmt.Sprintf("arn:aws:iam::%v:role/Admin", current.AccountId)
    		developerArn := fmt.Sprintf("arn:aws:iam::%v:role/Developer", current.AccountId)

    		// Lifecycle-management actions for the Admin role; GenerateMac/VerifyMac are not in this list.
    		adminActions := []string{
    			"kms:Create*",
    			"kms:Describe*",
    			"kms:Enable*",
    			"kms:List*",
    			"kms:Put*",
    			"kms:Update*",
    			"kms:Revoke*",
    			"kms:Disable*",
    			"kms:Get*",
    			"kms:Delete*",
    			"kms:ScheduleKeyDeletion",
    			"kms:CancelKeyDeletion",
    		}
    		// Usage actions for the Developer role: MAC generation/verification plus DescribeKey.
    		useActions := []string{"kms:GenerateMac", "kms:VerifyMac", "kms:DescribeKey"}

    		// Account root keeps kms:* so IAM policies in the account can delegate key access.
    		policyDoc := map[string]interface{}{
    			"Version": "2012-10-17",
    			"Id":      "key-default-1",
    			"Statement": []interface{}{
    				allow("Enable IAM User Permissions", awsPrincipal(rootArn), "kms:*"),
    				allow("Allow administration of the key", awsPrincipal(adminArn), adminActions),
    				allow("Allow use of the key", awsPrincipal(developerArn), useActions),
    			},
    		}
    		// json.Marshal sorts map keys, so the rendered document is deterministic.
    		policyJSON, err := json.Marshal(policyDoc)
    		if err != nil {
    			return err
    		}

    		// Rotation is left off for this HMAC key.
    		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description:           pulumi.String("HMAC_384 key for tokens"),
    			CustomerMasterKeySpec: pulumi.String("HMAC_384"),
    			KeyUsage:              pulumi.String("GENERATE_VERIFY_MAC"),
    			EnableKeyRotation:     pulumi.Bool(false),
    			Policy:                pulumi.String(string(policyJSON)),
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
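    return await Deployment.RunAsync(() =>
    {
        // The deploying account's ID anchors every principal ARN in the key policy.
        var current = Aws.GetCallerIdentity.Invoke();

        var example = new Aws.Kms.Key("example", new()
        {
            Description = "HMAC_384 key for tokens",
            CustomerMasterKeySpec = "HMAC_384",
            KeyUsage = "GENERATE_VERIFY_MAC",
            // Rotation is left off for this HMAC key.
            EnableKeyRotation = false,
            // Serialize inside Apply so the resolved AccountId is what lands in the ARNs.
            // Interpolating the Output<string> directly into a $"" string embeds the Output's
            // ToString() text instead of the account ID, which yields invalid principal ARNs.
            Policy = current.Apply(identity => JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Id"] = "key-default-1",
                ["Statement"] = new[]
                {
                    // Account root keeps kms:* so IAM policies in the account can delegate key access.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Enable IAM User Permissions",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:root",
                        },
                        ["Action"] = "kms:*",
                        ["Resource"] = "*",
                    },
                    // Admin role: lifecycle management only; GenerateMac/VerifyMac are not in this list.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow administration of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:role/Admin",
                        },
                        ["Action"] = new[]
                        {
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion",
                        },
                        ["Resource"] = "*",
                    },
                    // Developer role: MAC generation/verification plus DescribeKey.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow use of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{identity.AccountId}:role/Developer",
                        },
                        ["Action"] = new[]
                        {
                            "kms:GenerateMac",
                            "kms:VerifyMac",
                            "kms:DescribeKey",
                        },
                        // "*" inside a key policy scopes the grant to this key only.
                        ["Resource"] = "*",
                    },
                },
            })),
        });

    });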
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
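    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares an HMAC_384 GENERATE_VERIFY_MAC KMS key with a three-statement key
         * policy: account root (kms:*), an Admin role (lifecycle management) and a
         * Developer role (GenerateMac/VerifyMac plus DescribeKey). Every principal is
         * an ARN in the deploying account.
         *
         * @param ctx the Pulumi program context
         */
        public static void stack(Context ctx) {
            final var current = AwsFunctions.getCallerIdentity();

            // Build the ARNs inside applyValue, where accountId() is a plain String.
            // Passing the Output itself to String.format would embed Output's toString()
            // text rather than the account ID, producing invalid principal ARNs.
            var policy = current.applyValue(identity -> serializeJson(
                jsonObject(
                    jsonProperty("Version", "2012-10-17"),
                    jsonProperty("Id", "key-default-1"),
                    jsonProperty("Statement", jsonArray(
                        // Account root keeps kms:* so IAM policies in the account can delegate key access.
                        jsonObject(
                            jsonProperty("Sid", "Enable IAM User Permissions"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:root", identity.accountId()))
                            )),
                            jsonProperty("Action", "kms:*"),
                            jsonProperty("Resource", "*")
                        ),
                        // Admin role: lifecycle management only; GenerateMac/VerifyMac are not in this list.
                        jsonObject(
                            jsonProperty("Sid", "Allow administration of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Admin", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:Create*",
                                "kms:Describe*",
                                "kms:Enable*",
                                "kms:List*",
                                "kms:Put*",
                                "kms:Update*",
                                "kms:Revoke*",
                                "kms:Disable*",
                                "kms:Get*",
                                "kms:Delete*",
                                "kms:ScheduleKeyDeletion",
                                "kms:CancelKeyDeletion"
                            )),
                            jsonProperty("Resource", "*")
                        ),
                        // Developer role: MAC generation/verification plus DescribeKey. "*" scopes the grant to this key.
                        jsonObject(
                            jsonProperty("Sid", "Allow use of the key"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("AWS", String.format("arn:aws:iam::%s:role/Developer", identity.accountId()))
                            )),
                            jsonProperty("Action", jsonArray(
                                "kms:GenerateMac",
                                "kms:VerifyMac",
                                "kms:DescribeKey"
                            )),
                            jsonProperty("Resource", "*")
                        )
                    ))
                )));

            // Rotation is left off for this HMAC key.
            var example = new Key("example", KeyArgs.builder()
                .description("HMAC_384 key for tokens")
                .customerMasterKeySpec("HMAC_384")
                .keyUsage("GENERATE_VERIFY_MAC")
                .enableKeyRotation(false)
                .policy(policy)
                .build());
        }
    }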
    
    resources:
      example:
        type: aws:kms:Key
        properties:
          description: HMAC_384 key for tokens
          customerMasterKeySpec: HMAC_384
          keyUsage: GENERATE_VERIFY_MAC
          # Rotation is left off for this HMAC key.
          enableKeyRotation: false
          # Key policy rendered to JSON; ${current.accountId} resolves from the invoke below.
          policy:
            fn::toJSON:
              # Policy-language version string (quote it if your YAML tooling would parse it as a date).
              Version: 2012-10-17
              Id: key-default-1
              Statement:
                # Account root keeps kms:* so IAM policies in the account can delegate key access.
                - Sid: Enable IAM User Permissions
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Action: kms:*
                  Resource: '*'
                # Admin role: lifecycle management only; GenerateMac/VerifyMac are not in this list.
                - Sid: Allow administration of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:role/Admin
                  Action:
                    - kms:Create*
                    - kms:Describe*
                    - kms:Enable*
                    - kms:List*
                    - kms:Put*
                    - kms:Update*
                    - kms:Revoke*
                    - kms:Disable*
                    - kms:Get*
                    - kms:Delete*
                    - kms:ScheduleKeyDeletion
                    - kms:CancelKeyDeletion
                  Resource: '*'
                # Developer role: MAC generation/verification plus DescribeKey. '*' inside a key policy scopes the grant to this key.
                - Sid: Allow use of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:role/Developer
                  Action:
                    - kms:GenerateMac
                    - kms:VerifyMac
                    - kms:DescribeKey
                  Resource: '*'
    # Identity of the deploying account; supplies accountId for the principal ARNs above.
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    Multi-Region Primary Key

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
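    // The deploying account's ID anchors every principal ARN in the key policy.
    const current = aws.getCallerIdentity({});
    const example = new aws.kms.Key("example", {
        description: "An example multi-Region primary key",
        multiRegion: true,
        enableKeyRotation: true,
        deletionWindowInDays: 10,
        // Serialize only after the caller identity has resolved: JSON.stringify renders a
        // pending Promise as {}, so stringifying the unresolved ARNs would embed
        // "AWS": {} and produce invalid principals.
        policy: current.then(({ accountId }) => JSON.stringify({
            Version: "2012-10-17",
            Id: "key-default-1",
            Statement: [
                // Account root keeps kms:* so IAM policies in the account can delegate key access.
                {
                    Sid: "Enable IAM User Permissions",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:root`,
                    },
                    Action: "kms:*",
                    Resource: "*",
                },
                // Alice administers the key, including ReplicateKey for the multi-Region replicas;
                // Encrypt/Decrypt are not in this list.
                {
                    Sid: "Allow administration of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:user/Alice`,
                    },
                    Action: [
                        "kms:ReplicateKey",
                        "kms:Create*",
                        "kms:Describe*",
                        "kms:Enable*",
                        "kms:List*",
                        "kms:Put*",
                        "kms:Update*",
                        "kms:Revoke*",
                        "kms:Disable*",
                        "kms:Get*",
                        "kms:Delete*",
                        "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion",
                    ],
                    Resource: "*",
                },
                // Bob uses the key for data-key and envelope-encryption operations.
                // "*" inside a key policy scopes the grant to this key only.
                {
                    Sid: "Allow use of the key",
                    Effect: "Allow",
                    Principal: {
                        AWS: `arn:aws:iam::${accountId}:user/Bob`,
                    },
                    Action: [
                        "kms:DescribeKey",
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey",
                        "kms:GenerateDataKeyWithoutPlaintext",
                    ],
                    Resource: "*",
                },
            ],
        })),
    });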
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    # The deploying account's ID anchors every principal ARN in the key policy.
    current = aws.get_caller_identity()


    def _allow(sid: str, principal_arn: str, actions) -> dict:
        """Build one Allow statement for `principal_arn`.

        `actions` is either a single action string or a list of actions. Resource "*"
        inside a key policy scopes the grant to this key only.
        """
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": actions,
            "Resource": "*",
        }


    # Alice administers the key, including ReplicateKey for the multi-Region replicas;
    # Encrypt/Decrypt are not in this list.
    _admin_actions = [
        "kms:ReplicateKey",
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
    ]
    # Bob uses the key for data-key and envelope-encryption operations.
    _use_actions = [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
    ]

    # Account root keeps kms:* so IAM policies in the account can delegate key access.
    _key_policy = {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            _allow("Enable IAM User Permissions", f"arn:aws:iam::{current.account_id}:root", "kms:*"),
            _allow("Allow administration of the key", f"arn:aws:iam::{current.account_id}:user/Alice", _admin_actions),
            _allow("Allow use of the key", f"arn:aws:iam::{current.account_id}:user/Bob", _use_actions),
        ],
    }

    example = aws.kms.Key(
        "example",
        description="An example multi-Region primary key",
        multi_region=True,
        enable_key_rotation=True,
        deletion_window_in_days=10,
        policy=json.dumps(_key_policy),
    )
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The deploying account's ID anchors every principal ARN in the key policy.
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}

    		// awsPrincipal wraps an IAM ARN in the {"AWS": ...} principal form.
    		awsPrincipal := func(arn string) map[string]interface{} {
    			return map[string]interface{}{"AWS": arn}
    		}
    		// allow builds one Allow statement. Resource "*" inside a key policy scopes
    		// the grant to this key only (confirm against the AWS KMS key-policy docs).
    		allow := func(sid string, principal map[string]interface{}, action interface{}) map[string]interface{} {
    			return map[string]interface{}{
    				"Sid":       sid,
    				"Effect":    "Allow",
    				"Principal": principal,
    				"Action":    action,
    				"Resource":  "*",
    			}
    		}

    		rootArn := fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId)
    		aliceArn := fmt.Sprintf("arn:aws:iam::%v:user/Alice", current.AccountId)
    		bobArn := fmt.Sprintf("arn:aws:iam::%v:user/Bob", current.AccountId)

    		// Alice administers the key, including ReplicateKey for the multi-Region replicas;
    		// Encrypt/Decrypt are not in this list.
    		adminActions := []string{
    			"kms:ReplicateKey",
    			"kms:Create*",
    			"kms:Describe*",
    			"kms:Enable*",
    			"kms:List*",
    			"kms:Put*",
    			"kms:Update*",
    			"kms:Revoke*",
    			"kms:Disable*",
    			"kms:Get*",
    			"kms:Delete*",
    			"kms:ScheduleKeyDeletion",
    			"kms:CancelKeyDeletion",
    		}
    		// Bob uses the key for data-key and envelope-encryption operations.
    		useActions := []string{
    			"kms:DescribeKey",
    			"kms:Encrypt",
    			"kms:Decrypt",
    			"kms:ReEncrypt*",
    			"kms:GenerateDataKey",
    			"kms:GenerateDataKeyWithoutPlaintext",
    		}

    		// Account root keeps kms:* so IAM policies in the account can delegate key access.
    		policyDoc := map[string]interface{}{
    			"Version": "2012-10-17",
    			"Id":      "key-default-1",
    			"Statement": []interface{}{
    				allow("Enable IAM User Permissions", awsPrincipal(rootArn), "kms:*"),
    				allow("Allow administration of the key", awsPrincipal(aliceArn), adminActions),
    				allow("Allow use of the key", awsPrincipal(bobArn), useActions),
    			},
    		}
    		// json.Marshal sorts map keys, so the rendered document is deterministic.
    		policyJSON, err := json.Marshal(policyDoc)
    		if err != nil {
    			return err
    		}

    		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description:          pulumi.String("An example multi-Region primary key"),
    			MultiRegion:          pulumi.Bool(true),
    			EnableKeyRotation:    pulumi.Bool(true),
    			DeletionWindowInDays: pulumi.Int(10),
    			Policy:               pulumi.String(string(policyJSON)),
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Declares a multi-Region primary KMS key with an explicit key policy that
    // separates the root principal, a key administrator and a key user.
    return await Deployment.RunAsync(() => 
    {
        // Account id used to scope every principal ARN in the policy below.
        var current = Aws.GetCallerIdentity.Invoke();
    
        var example = new Aws.Kms.Key("example", new()
        {
            Description = "An example multi-Region primary key",
            MultiRegion = true,
            EnableKeyRotation = true,
            DeletionWindowInDays = 10,
            // The document is serialized eagerly with System.Text.Json.
            // NOTE(review): current.Apply(...) yields an Output<string>; interpolating
            // it straight into the ARN strings below is expected to render the Output
            // object rather than the account id — confirm the rendered policy, or lift
            // the whole document into an Output (e.g. Output.Format) before serializing.
            Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Id"] = "key-default-1",
                ["Statement"] = new[]
                {
                    // Full access for the account root principal; mirrors the default
                    // key policy AWS applies when none is supplied, so IAM policies in
                    // the account can govern the key.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Enable IAM User Permissions",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
                        },
                        ["Action"] = "kms:*",
                        ["Resource"] = "*",
                    },
                    // Key administrator: management actions only. The list grants no
                    // Encrypt/Decrypt/ReEncrypt/GenerateDataKey, so this statement does
                    // not cover use of the key material.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow administration of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Alice",
                        },
                        ["Action"] = new[]
                        {
                            "kms:ReplicateKey",
                            "kms:Create*",
                            "kms:Describe*",
                            "kms:Enable*",
                            "kms:List*",
                            "kms:Put*",
                            "kms:Update*",
                            "kms:Revoke*",
                            "kms:Disable*",
                            "kms:Get*",
                            "kms:Delete*",
                            "kms:ScheduleKeyDeletion",
                            "kms:CancelKeyDeletion",
                        },
                        ["Resource"] = "*",
                    },
                    // Key user: cryptographic operations only, no policy or lifecycle
                    // management.
                    new Dictionary<string, object?>
                    {
                        ["Sid"] = "Allow use of the key",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:user/Bob",
                        },
                        ["Action"] = new[]
                        {
                            "kms:DescribeKey",
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey",
                            "kms:GenerateDataKeyWithoutPlaintext",
                        },
                        ["Resource"] = "*",
                    },
                },
            }),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program declaring a multi-Region primary KMS key with an explicit
     * key policy that separates the account root principal, a key administrator
     * and a key user.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the key and its policy.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Account id used to build every principal ARN in the policy.
            final var current = AwsFunctions.getCallerIdentity();
    
            var example = new Key("example", KeyArgs.builder()
                .description("An example multi-Region primary key")
                .multiRegion(true)
                .enableKeyRotation(true)
                .deletionWindowInDays(10)
                // NOTE(review): current.applyValue(...) returns an Output; passing it to
                // String.format is expected to format the Output object rather than the
                // account id — confirm the rendered ARNs, or build them with an
                // Output-aware formatter (e.g. Output.format) instead.
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Id", "key-default-1"),
                        jsonProperty("Statement", jsonArray(
                            // Full access for the account root principal; mirrors the
                            // default key policy AWS applies when none is supplied, so IAM
                            // policies in the account can govern the key.
                            jsonObject(
                                jsonProperty("Sid", "Enable IAM User Permissions"),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                                )),
                                jsonProperty("Action", "kms:*"),
                                jsonProperty("Resource", "*")
                            ), 
                            // Key administrator: management actions only. No
                            // Encrypt/Decrypt/ReEncrypt/GenerateDataKey is granted here, so
                            // this statement does not cover use of the key material.
                            jsonObject(
                                jsonProperty("Sid", "Allow administration of the key"),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Alice", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                                )),
                                jsonProperty("Action", jsonArray(
                                    "kms:ReplicateKey", 
                                    "kms:Create*", 
                                    "kms:Describe*", 
                                    "kms:Enable*", 
                                    "kms:List*", 
                                    "kms:Put*", 
                                    "kms:Update*", 
                                    "kms:Revoke*", 
                                    "kms:Disable*", 
                                    "kms:Get*", 
                                    "kms:Delete*", 
                                    "kms:ScheduleKeyDeletion", 
                                    "kms:CancelKeyDeletion"
                                )),
                                jsonProperty("Resource", "*")
                            ), 
                            // Key user: cryptographic operations only, no policy or
                            // lifecycle management.
                            jsonObject(
                                jsonProperty("Sid", "Allow use of the key"),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("AWS", String.format("arn:aws:iam::%s:user/Bob", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                                )),
                                jsonProperty("Action", jsonArray(
                                    "kms:DescribeKey", 
                                    "kms:Encrypt", 
                                    "kms:Decrypt", 
                                    "kms:ReEncrypt*", 
                                    "kms:GenerateDataKey", 
                                    "kms:GenerateDataKeyWithoutPlaintext"
                                )),
                                jsonProperty("Resource", "*")
                            )
                        ))
                    )))
                .build());
    
        }
    }
    
    # A multi-Region primary KMS key with an explicit key policy that separates
    # the account root principal, a key administrator and a key user.
    resources:
      example:
        type: aws:kms:Key
        properties:
          description: An example multi-Region primary key
          multiRegion: true
          enableKeyRotation: true
          deletionWindowInDays: 10
          policy:
            # fn::toJSON serializes the mapping below into the JSON policy string.
            fn::toJSON:
              Version: 2012-10-17
              Id: key-default-1
              Statement:
                # Full access for the account root principal; mirrors the default key
                # policy AWS applies when none is supplied, so IAM policies in the
                # account can govern the key.
                - Sid: Enable IAM User Permissions
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Action: kms:*
                  Resource: '*'
                # Key administrator: management actions only. No Encrypt/Decrypt/
                # ReEncrypt/GenerateDataKey is granted here, so this statement does
                # not cover use of the key material.
                - Sid: Allow administration of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:user/Alice
                  Action:
                    - kms:ReplicateKey
                    - kms:Create*
                    - kms:Describe*
                    - kms:Enable*
                    - kms:List*
                    - kms:Put*
                    - kms:Update*
                    - kms:Revoke*
                    - kms:Disable*
                    - kms:Get*
                    - kms:Delete*
                    - kms:ScheduleKeyDeletion
                    - kms:CancelKeyDeletion
                  Resource: '*'
                # Key user: cryptographic operations only, no policy or lifecycle
                # management.
                - Sid: Allow use of the key
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:user/Bob
                  Action:
                    - kms:DescribeKey
                    - kms:Encrypt
                    - kms:Decrypt
                    - kms:ReEncrypt*
                    - kms:GenerateDataKey
                    - kms:GenerateDataKeyWithoutPlaintext
                  Resource: '*'
    # The caller's account id, referenced as ${current.accountId} in the policy.
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    Create Key Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Key(name: string, args?: KeyArgs, opts?: CustomResourceOptions);
    @overload
    def Key(resource_name: str,
            args: Optional[KeyArgs] = None,
            opts: Optional[ResourceOptions] = None)
    
    @overload
    def Key(resource_name: str,
            opts: Optional[ResourceOptions] = None,
            bypass_policy_lockout_safety_check: Optional[bool] = None,
            custom_key_store_id: Optional[str] = None,
            customer_master_key_spec: Optional[str] = None,
            deletion_window_in_days: Optional[int] = None,
            description: Optional[str] = None,
            enable_key_rotation: Optional[bool] = None,
            is_enabled: Optional[bool] = None,
            key_usage: Optional[str] = None,
            multi_region: Optional[bool] = None,
            policy: Optional[str] = None,
            rotation_period_in_days: Optional[int] = None,
            tags: Optional[Mapping[str, str]] = None,
            xks_key_id: Optional[str] = None)
    func NewKey(ctx *Context, name string, args *KeyArgs, opts ...ResourceOption) (*Key, error)
    public Key(string name, KeyArgs? args = null, CustomResourceOptions? opts = null)
    public Key(String name, KeyArgs args)
    public Key(String name, KeyArgs args, CustomResourceOptions options)
    
    type: aws:kms:Key
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference example: every input is a placeholder; see "Inputs" below for meanings.
    var keyResource = new Aws.Kms.Key("keyResource", new()
    {
        // Keep false unless you accept the lockout risk described under this input.
        BypassPolicyLockoutSafetyCheck = false,
        CustomKeyStoreId = "string",
        CustomerMasterKeySpec = "string",
        // Placeholder only: the accepted range is 7-30 days.
        DeletionWindowInDays = 0,
        Description = "string",
        EnableKeyRotation = false,
        IsEnabled = false,
        KeyUsage = "string",
        MultiRegion = false,
        // A JSON key-policy document; if omitted, AWS applies the account default key policy.
        Policy = "string",
        // Placeholder only: the accepted range is 90-2560 days.
        RotationPeriodInDays = 0,
        Tags = 
        {
            { "string", "string" },
        },
        XksKeyId = "string",
    });
    
    // Reference example: every input is a placeholder; see "Inputs" below for meanings.
    example, err := kms.NewKey(ctx, "keyResource", &kms.KeyArgs{
    	// Keep false unless you accept the lockout risk described under this input.
    	BypassPolicyLockoutSafetyCheck: pulumi.Bool(false),
    	CustomKeyStoreId:               pulumi.String("string"),
    	CustomerMasterKeySpec:          pulumi.String("string"),
    	// Placeholder only: the accepted range is 7-30 days.
    	DeletionWindowInDays:           pulumi.Int(0),
    	Description:                    pulumi.String("string"),
    	EnableKeyRotation:              pulumi.Bool(false),
    	IsEnabled:                      pulumi.Bool(false),
    	KeyUsage:                       pulumi.String("string"),
    	MultiRegion:                    pulumi.Bool(false),
    	// A JSON key-policy document; if omitted, AWS applies the account default key policy.
    	Policy:                         pulumi.String("string"),
    	// Placeholder only: the accepted range is 90-2560 days.
    	RotationPeriodInDays:           pulumi.Int(0),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	XksKeyId: pulumi.String("string"),
    })
    
    // Reference example: every input is a placeholder; see "Inputs" below for meanings.
    var keyResource = new Key("keyResource", KeyArgs.builder()
        // Keep false unless you accept the lockout risk described under this input.
        .bypassPolicyLockoutSafetyCheck(false)
        .customKeyStoreId("string")
        .customerMasterKeySpec("string")
        // Placeholder only: the accepted range is 7-30 days.
        .deletionWindowInDays(0)
        .description("string")
        .enableKeyRotation(false)
        .isEnabled(false)
        .keyUsage("string")
        .multiRegion(false)
        // A JSON key-policy document; if omitted, AWS applies the account default key policy.
        .policy("string")
        // Placeholder only: the accepted range is 90-2560 days.
        .rotationPeriodInDays(0)
        .tags(Map.of("string", "string"))
        .xksKeyId("string")
        .build());
    
    # Reference example: every input is a placeholder; see "Inputs" below for meanings.
    key_resource = aws.kms.Key("keyResource",
        # Keep False unless you accept the lockout risk described under this input.
        bypass_policy_lockout_safety_check=False,
        custom_key_store_id="string",
        customer_master_key_spec="string",
        # Placeholder only: the accepted range is 7-30 days.
        deletion_window_in_days=0,
        description="string",
        enable_key_rotation=False,
        is_enabled=False,
        key_usage="string",
        multi_region=False,
        # A JSON key-policy document; if omitted, AWS applies the account default key policy.
        policy="string",
        # Placeholder only: the accepted range is 90-2560 days.
        rotation_period_in_days=0,
        tags={
            "string": "string",
        },
        xks_key_id="string")
    
    // Reference example: every input is a placeholder; see "Inputs" below for meanings.
    const keyResource = new aws.kms.Key("keyResource", {
        // Keep false unless you accept the lockout risk described under this input.
        bypassPolicyLockoutSafetyCheck: false,
        customKeyStoreId: "string",
        customerMasterKeySpec: "string",
        // Placeholder only: the accepted range is 7-30 days.
        deletionWindowInDays: 0,
        description: "string",
        enableKeyRotation: false,
        isEnabled: false,
        keyUsage: "string",
        multiRegion: false,
        // A JSON key-policy document; if omitted, AWS applies the account default key policy.
        policy: "string",
        // Placeholder only: the accepted range is 90-2560 days.
        rotationPeriodInDays: 0,
        tags: {
            string: "string",
        },
        xksKeyId: "string",
    });
    
    # Reference example: every input is a placeholder; see "Inputs" below for meanings.
    type: aws:kms:Key
    properties:
        # Keep false unless you accept the lockout risk described under this input.
        bypassPolicyLockoutSafetyCheck: false
        customKeyStoreId: string
        customerMasterKeySpec: string
        # Placeholder only: the accepted range is 7-30 days.
        deletionWindowInDays: 0
        description: string
        enableKeyRotation: false
        isEnabled: false
        keyUsage: string
        multiRegion: false
        # A JSON key-policy document; if omitted, AWS applies the account default key policy.
        policy: string
        # Placeholder only: the accepted range is 90-2560 days.
        rotationPeriodInDays: 0
        tags:
            string: string
        xksKeyId: string
    

    Key Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Key resource accepts the following input properties:

    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS custom key store in which the key is stored instead of in KMS itself (e.g. CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy rather than an IAM policy, an aws.iam.getPolicyDocument can be used to build it, in the form that designates a principal.

    NOTE: All KMS keys must have a key policy. If no key policy is specified, AWS assigns the KMS key a default key policy that grants every principal in the owning account unlimited access to all KMS operations on the key. That default policy effectively delegates all access control to IAM policies and KMS grants.

    RotationPeriodInDays int
    Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
    Tags Dictionary<string, string>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS custom key store in which the key is stored instead of in KMS itself (e.g. CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy rather than an IAM policy, an aws.iam.getPolicyDocument can be used to build it, in the form that designates a principal.

    NOTE: All KMS keys must have a key policy. If no key policy is specified, AWS assigns the KMS key a default key policy that grants every principal in the owning account unlimited access to all KMS operations on the key. That default policy effectively delegates all access control to IAM policies and KMS grants.

    RotationPeriodInDays int
    Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
    Tags map[string]string
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS custom key store in which the key is stored instead of in KMS itself (e.g. CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Integer
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy rather than an IAM policy, an aws.iam.getPolicyDocument can be used to build it, in the form that designates a principal.

    NOTE: All KMS keys must have a key policy. If no key policy is specified, AWS assigns the KMS key a default key policy that grants every principal in the owning account unlimited access to all KMS operations on the key. That default policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays Integer
    Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
    tags Map<String,String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId string
    ID of the KMS custom key store in which the key is stored instead of in KMS itself (e.g. CloudHSM).
    customerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description string
    The description of the key as viewed in AWS console.
    enableKeyRotation boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string

    A valid policy JSON document. Although this is a key policy rather than an IAM policy, an aws.iam.getPolicyDocument can be used to build it, in the form that designates a principal.

    NOTE: All KMS keys must have a key policy. If no key policy is specified, AWS assigns the KMS key a default key policy that grants every principal in the owning account unlimited access to all KMS operations on the key. That default policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays number
    Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
    tags {[key: string]: string}
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypass_policy_lockout_safety_check bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    custom_key_store_id str
    ID of the KMS custom key store in which the key is stored instead of in KMS itself (e.g. CloudHSM).
    customer_master_key_spec str
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletion_window_in_days int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description str
    The description of the key as viewed in AWS console.
    enable_key_rotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    is_enabled bool
    Specifies whether the key is enabled. Defaults to true.
    key_usage str
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str

    A valid policy JSON document. Although this is a key policy rather than an IAM policy, an aws.iam.getPolicyDocument can be used to build it, in the form that designates a principal.

    NOTE: All KMS keys must have a key policy. If no key policy is specified, AWS assigns the KMS key a default key policy that grants every principal in the owning account unlimited access to all KMS operations on the key. That default policy effectively delegates all access control to IAM policies and KMS grants.

    rotation_period_in_days int
    Custom period of time between each rotation date. Must be a number between 90 and 2560 (inclusive).
    tags Mapping[str, str]
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xks_key_id str
    Identifies the external key that serves as key material for the KMS key in an external key store.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in the AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays Number
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    tags Map<String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Key resource produces the following output properties:

    Arn string
    The Amazon Resource Name (ARN) of the key.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyId string
    The globally unique identifier for the key.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Arn string
    The Amazon Resource Name (ARN) of the key.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyId string
    The globally unique identifier for the key.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    id String
    The provider-assigned unique ID for this managed resource.
    keyId String
    The globally unique identifier for the key.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn string
    The Amazon Resource Name (ARN) of the key.
    id string
    The provider-assigned unique ID for this managed resource.
    keyId string
    The globally unique identifier for the key.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn str
    The Amazon Resource Name (ARN) of the key.
    id str
    The provider-assigned unique ID for this managed resource.
    key_id str
    The globally unique identifier for the key.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    arn String
    The Amazon Resource Name (ARN) of the key.
    id String
    The provider-assigned unique ID for this managed resource.
    keyId String
    The globally unique identifier for the key.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Look up Existing Key Resource

    Get an existing Key resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeyState, opts?: CustomResourceOptions): Key
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            bypass_policy_lockout_safety_check: Optional[bool] = None,
            custom_key_store_id: Optional[str] = None,
            customer_master_key_spec: Optional[str] = None,
            deletion_window_in_days: Optional[int] = None,
            description: Optional[str] = None,
            enable_key_rotation: Optional[bool] = None,
            is_enabled: Optional[bool] = None,
            key_id: Optional[str] = None,
            key_usage: Optional[str] = None,
            multi_region: Optional[bool] = None,
            policy: Optional[str] = None,
            rotation_period_in_days: Optional[int] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            xks_key_id: Optional[str] = None) -> Key
    func GetKey(ctx *Context, name string, id IDInput, state *KeyState, opts ...ResourceOption) (*Key, error)
    public static Key Get(string name, Input<string> id, KeyState? state, CustomResourceOptions? opts = null)
    public static Key get(String name, Output<String> id, KeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in the AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyId string
    The globally unique identifier for the key.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    RotationPeriodInDays int
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    Tags Dictionary<string, string>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    Arn string
    The Amazon Resource Name (ARN) of the key.
    BypassPolicyLockoutSafetyCheck bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    CustomKeyStoreId string
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    CustomerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    DeletionWindowInDays int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    Description string
    The description of the key as viewed in the AWS console.
    EnableKeyRotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    IsEnabled bool
    Specifies whether the key is enabled. Defaults to true.
    KeyId string
    The globally unique identifier for the key.
    KeyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    MultiRegion bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    Policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    RotationPeriodInDays int
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    Tags map[string]string
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    XksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Integer
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in the AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId String
    The globally unique identifier for the key.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays Integer
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    tags Map<String,String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn string
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId string
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    customerMasterKeySpec string
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description string
    The description of the key as viewed in the AWS console.
    enableKeyRotation boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId string
    The globally unique identifier for the key.
    keyUsage string
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy string

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays number
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    tags {[key: string]: string}
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    xksKeyId string
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn str
    The Amazon Resource Name (ARN) of the key.
    bypass_policy_lockout_safety_check bool
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    custom_key_store_id str
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    customer_master_key_spec str
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletion_window_in_days int
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description str
    The description of the key as viewed in the AWS console.
    enable_key_rotation bool
    Specifies whether key rotation is enabled. Defaults to false.
    is_enabled bool
    Specifies whether the key is enabled. Defaults to true.
    key_id str
    The globally unique identifier for the key.
    key_usage str
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multi_region bool
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy str

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    rotation_period_in_days int
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    tags Mapping[str, str]
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    xks_key_id str
    Identifies the external key that serves as key material for the KMS key in an external key store.
    arn String
    The Amazon Resource Name (ARN) of the key.
    bypassPolicyLockoutSafetyCheck Boolean
    A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
    customKeyStoreId String
    ID of the KMS custom key store where the key will be stored instead of in KMS (e.g. CloudHSM).
    customerMasterKeySpec String
    Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
    deletionWindowInDays Number
    The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
    description String
    The description of the key as viewed in the AWS console.
    enableKeyRotation Boolean
    Specifies whether key rotation is enabled. Defaults to false.
    isEnabled Boolean
    Specifies whether the key is enabled. Defaults to true.
    keyId String
    The globally unique identifier for the key.
    keyUsage String
    Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
    multiRegion Boolean
    Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
    policy String

    A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws.iam.getPolicyDocument, in the form that designates a principal, can be used.

    NOTE: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that grants all principals in the owning account unlimited access to all KMS operations on the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

    rotationPeriodInDays Number
    Custom period, in days, between key rotations. Must be a number between 90 and 2560 (inclusive).
    tags Map<String>
    A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    xksKeyId String
    Identifies the external key that serves as key material for the KMS key in an external key store.

    Import

    Using pulumi import, import KMS Keys by their key ID. For example:

    $ pulumi import aws:kms/key:Key a 1234abcd-12ab-34cd-56ef-1234567890ab
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.