1. Packages
  2. AWS Classic
  3. API Docs
  4. route53
  5. KeySigningKey

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi

aws.route53.KeySigningKey

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi

    Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws.route53.HostedZoneDnsSec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const current = aws.getCallerIdentity({});
    const example = new aws.kms.Key("example", {
        customerMasterKeySpec: "ECC_NIST_P256",
        deletionWindowInDays: 7,
        keyUsage: "SIGN_VERIFY",
        policy: JSON.stringify({
            Statement: [
                {
                    Action: [
                        "kms:DescribeKey",
                        "kms:GetPublicKey",
                        "kms:Sign",
                    ],
                    Effect: "Allow",
                    Principal: {
                        Service: "dnssec-route53.amazonaws.com",
                    },
                    Sid: "Allow Route 53 DNSSEC Service",
                    Resource: "*",
                    Condition: {
                        StringEquals: {
                            "aws:SourceAccount": current.then(current => current.accountId),
                        },
                        ArnLike: {
                            "aws:SourceArn": "arn:aws:route53:::hostedzone/*",
                        },
                    },
                },
                {
                    Action: "kms:CreateGrant",
                    Effect: "Allow",
                    Principal: {
                        Service: "dnssec-route53.amazonaws.com",
                    },
                    Sid: "Allow Route 53 DNSSEC Service to CreateGrant",
                    Resource: "*",
                    Condition: {
                        Bool: {
                            "kms:GrantIsForAWSResource": "true",
                        },
                    },
                },
                {
                    Action: "kms:*",
                    Effect: "Allow",
                    Principal: {
                        AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
                    },
                    Resource: "*",
                    Sid: "Enable IAM User Permissions",
                },
            ],
            Version: "2012-10-17",
        }),
    });
    const exampleZone = new aws.route53.Zone("example", {name: "example.com"});
    const exampleKeySigningKey = new aws.route53.KeySigningKey("example", {
        hostedZoneId: test.id,
        keyManagementServiceArn: testAwsKmsKey.arn,
        name: "example",
    });
    const exampleHostedZoneDnsSec = new aws.route53.HostedZoneDnsSec("example", {hostedZoneId: exampleKeySigningKey.hostedZoneId}, {
        dependsOn: [exampleKeySigningKey],
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    current = aws.get_caller_identity()
    example = aws.kms.Key("example",
        customer_master_key_spec="ECC_NIST_P256",
        deletion_window_in_days=7,
        key_usage="SIGN_VERIFY",
        policy=json.dumps({
            "Statement": [
                {
                    "Action": [
                        "kms:DescribeKey",
                        "kms:GetPublicKey",
                        "kms:Sign",
                    ],
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "dnssec-route53.amazonaws.com",
                    },
                    "Sid": "Allow Route 53 DNSSEC Service",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceAccount": current.account_id,
                        },
                        "ArnLike": {
                            "aws:SourceArn": "arn:aws:route53:::hostedzone/*",
                        },
                    },
                },
                {
                    "Action": "kms:CreateGrant",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "dnssec-route53.amazonaws.com",
                    },
                    "Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
                    "Resource": "*",
                    "Condition": {
                        "Bool": {
                            "kms:GrantIsForAWSResource": "true",
                        },
                    },
                },
                {
                    "Action": "kms:*",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": f"arn:aws:iam::{current.account_id}:root",
                    },
                    "Resource": "*",
                    "Sid": "Enable IAM User Permissions",
                },
            ],
            "Version": "2012-10-17",
        }))
    example_zone = aws.route53.Zone("example", name="example.com")
    example_key_signing_key = aws.route53.KeySigningKey("example",
        hosted_zone_id=test["id"],
        key_management_service_arn=test_aws_kms_key["arn"],
        name="example")
    example_hosted_zone_dns_sec = aws.route53.HostedZoneDnsSec("example", hosted_zone_id=example_key_signing_key.hosted_zone_id,
    opts = pulumi.ResourceOptions(depends_on=[example_key_signing_key]))
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/route53"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Statement": []interface{}{
    				map[string]interface{}{
    					"Action": []string{
    						"kms:DescribeKey",
    						"kms:GetPublicKey",
    						"kms:Sign",
    					},
    					"Effect": "Allow",
    					"Principal": map[string]interface{}{
    						"Service": "dnssec-route53.amazonaws.com",
    					},
    					"Sid":      "Allow Route 53 DNSSEC Service",
    					"Resource": "*",
    					"Condition": map[string]interface{}{
    						"StringEquals": map[string]interface{}{
    							"aws:SourceAccount": current.AccountId,
    						},
    						"ArnLike": map[string]interface{}{
    							"aws:SourceArn": "arn:aws:route53:::hostedzone/*",
    						},
    					},
    				},
    				map[string]interface{}{
    					"Action": "kms:CreateGrant",
    					"Effect": "Allow",
    					"Principal": map[string]interface{}{
    						"Service": "dnssec-route53.amazonaws.com",
    					},
    					"Sid":      "Allow Route 53 DNSSEC Service to CreateGrant",
    					"Resource": "*",
    					"Condition": map[string]interface{}{
    						"Bool": map[string]interface{}{
    							"kms:GrantIsForAWSResource": "true",
    						},
    					},
    				},
    				map[string]interface{}{
    					"Action": "kms:*",
    					"Effect": "Allow",
    					"Principal": map[string]interface{}{
    						"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
    					},
    					"Resource": "*",
    					"Sid":      "Enable IAM User Permissions",
    				},
    			},
    			"Version": "2012-10-17",
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
    			CustomerMasterKeySpec: pulumi.String("ECC_NIST_P256"),
    			DeletionWindowInDays:  pulumi.Int(7),
    			KeyUsage:              pulumi.String("SIGN_VERIFY"),
    			Policy:                pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = route53.NewZone(ctx, "example", &route53.ZoneArgs{
    			Name: pulumi.String("example.com"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKeySigningKey, err := route53.NewKeySigningKey(ctx, "example", &route53.KeySigningKeyArgs{
    			HostedZoneId:            pulumi.Any(test.Id),
    			KeyManagementServiceArn: pulumi.Any(testAwsKmsKey.Arn),
    			Name:                    pulumi.String("example"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = route53.NewHostedZoneDnsSec(ctx, "example", &route53.HostedZoneDnsSecArgs{
    			HostedZoneId: exampleKeySigningKey.HostedZoneId,
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleKeySigningKey,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Aws.GetCallerIdentity.Invoke();
    
        var example = new Aws.Kms.Key("example", new()
        {
            CustomerMasterKeySpec = "ECC_NIST_P256",
            DeletionWindowInDays = 7,
            KeyUsage = "SIGN_VERIFY",
            Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = new[]
                        {
                            "kms:DescribeKey",
                            "kms:GetPublicKey",
                            "kms:Sign",
                        },
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["Service"] = "dnssec-route53.amazonaws.com",
                        },
                        ["Sid"] = "Allow Route 53 DNSSEC Service",
                        ["Resource"] = "*",
                        ["Condition"] = new Dictionary<string, object?>
                        {
                            ["StringEquals"] = new Dictionary<string, object?>
                            {
                                ["aws:SourceAccount"] = current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
                            },
                            ["ArnLike"] = new Dictionary<string, object?>
                            {
                                ["aws:SourceArn"] = "arn:aws:route53:::hostedzone/*",
                            },
                        },
                    },
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "kms:CreateGrant",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["Service"] = "dnssec-route53.amazonaws.com",
                        },
                        ["Sid"] = "Allow Route 53 DNSSEC Service to CreateGrant",
                        ["Resource"] = "*",
                        ["Condition"] = new Dictionary<string, object?>
                        {
                            ["Bool"] = new Dictionary<string, object?>
                            {
                                ["kms:GrantIsForAWSResource"] = "true",
                            },
                        },
                    },
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "kms:*",
                        ["Effect"] = "Allow",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
                        },
                        ["Resource"] = "*",
                        ["Sid"] = "Enable IAM User Permissions",
                    },
                },
                ["Version"] = "2012-10-17",
            }),
        });
    
        var exampleZone = new Aws.Route53.Zone("example", new()
        {
            Name = "example.com",
        });
    
        var exampleKeySigningKey = new Aws.Route53.KeySigningKey("example", new()
        {
            HostedZoneId = test.Id,
            KeyManagementServiceArn = testAwsKmsKey.Arn,
            Name = "example",
        });
    
        var exampleHostedZoneDnsSec = new Aws.Route53.HostedZoneDnsSec("example", new()
        {
            HostedZoneId = exampleKeySigningKey.HostedZoneId,
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                exampleKeySigningKey,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.route53.Zone;
    import com.pulumi.aws.route53.ZoneArgs;
    import com.pulumi.aws.route53.KeySigningKey;
    import com.pulumi.aws.route53.KeySigningKeyArgs;
    import com.pulumi.aws.route53.HostedZoneDnsSec;
    import com.pulumi.aws.route53.HostedZoneDnsSecArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AwsFunctions.getCallerIdentity();
    
            var example = new Key("example", KeyArgs.builder()
                .customerMasterKeySpec("ECC_NIST_P256")
                .deletionWindowInDays(7)
                .keyUsage("SIGN_VERIFY")
                .policy(serializeJson(
                    jsonObject(
                        jsonProperty("Statement", jsonArray(
                            jsonObject(
                                jsonProperty("Action", jsonArray(
                                    "kms:DescribeKey", 
                                    "kms:GetPublicKey", 
                                    "kms:Sign"
                                )),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("Service", "dnssec-route53.amazonaws.com")
                                )),
                                jsonProperty("Sid", "Allow Route 53 DNSSEC Service"),
                                jsonProperty("Resource", "*"),
                                jsonProperty("Condition", jsonObject(
                                    jsonProperty("StringEquals", jsonObject(
                                        jsonProperty("aws:SourceAccount", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
                                    )),
                                    jsonProperty("ArnLike", jsonObject(
                                        jsonProperty("aws:SourceArn", "arn:aws:route53:::hostedzone/*")
                                    ))
                                ))
                            ), 
                            jsonObject(
                                jsonProperty("Action", "kms:CreateGrant"),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("Service", "dnssec-route53.amazonaws.com")
                                )),
                                jsonProperty("Sid", "Allow Route 53 DNSSEC Service to CreateGrant"),
                                jsonProperty("Resource", "*"),
                                jsonProperty("Condition", jsonObject(
                                    jsonProperty("Bool", jsonObject(
                                        jsonProperty("kms:GrantIsForAWSResource", "true")
                                    ))
                                ))
                            ), 
                            jsonObject(
                                jsonProperty("Action", "kms:*"),
                                jsonProperty("Effect", "Allow"),
                                jsonProperty("Principal", jsonObject(
                                    jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                                )),
                                jsonProperty("Resource", "*"),
                                jsonProperty("Sid", "Enable IAM User Permissions")
                            )
                        )),
                        jsonProperty("Version", "2012-10-17")
                    )))
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("example.com")
                .build());
    
            var exampleKeySigningKey = new KeySigningKey("exampleKeySigningKey", KeySigningKeyArgs.builder()
                .hostedZoneId(test.id())
                .keyManagementServiceArn(testAwsKmsKey.arn())
                .name("example")
                .build());
    
            var exampleHostedZoneDnsSec = new HostedZoneDnsSec("exampleHostedZoneDnsSec", HostedZoneDnsSecArgs.builder()
                .hostedZoneId(exampleKeySigningKey.hostedZoneId())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(exampleKeySigningKey)
                    .build());
    
        }
    }
    
    resources:
      example:
        type: aws:kms:Key
        properties:
          customerMasterKeySpec: ECC_NIST_P256
          deletionWindowInDays: 7
          keyUsage: SIGN_VERIFY
          policy:
            fn::toJSON:
              Statement:
                - Action:
                    - kms:DescribeKey
                    - kms:GetPublicKey
                    - kms:Sign
                  Effect: Allow
                  Principal:
                    Service: dnssec-route53.amazonaws.com
                  Sid: Allow Route 53 DNSSEC Service
                  Resource: '*'
                  Condition:
                    StringEquals:
                      aws:SourceAccount: ${current.accountId}
                    ArnLike:
                      aws:SourceArn: arn:aws:route53:::hostedzone/*
                - Action: kms:CreateGrant
                  Effect: Allow
                  Principal:
                    Service: dnssec-route53.amazonaws.com
                  Sid: Allow Route 53 DNSSEC Service to CreateGrant
                  Resource: '*'
                  Condition:
                    Bool:
                      kms:GrantIsForAWSResource: 'true'
                - Action: kms:*
                  Effect: Allow
                  Principal:
                    AWS: arn:aws:iam::${current.accountId}:root
                  Resource: '*'
                  Sid: Enable IAM User Permissions
              Version: 2012-10-17
      exampleZone:
        type: aws:route53:Zone
        name: example
        properties:
          name: example.com
      exampleKeySigningKey:
        type: aws:route53:KeySigningKey
        name: example
        properties:
          hostedZoneId: ${test.id}
          keyManagementServiceArn: ${testAwsKmsKey.arn}
          name: example
      exampleHostedZoneDnsSec:
        type: aws:route53:HostedZoneDnsSec
        name: example
        properties:
          hostedZoneId: ${exampleKeySigningKey.hostedZoneId}
        options:
          dependson:
            - ${exampleKeySigningKey}
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
    

    Create KeySigningKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new KeySigningKey(name: string, args: KeySigningKeyArgs, opts?: CustomResourceOptions);
    @overload
    def KeySigningKey(resource_name: str,
                      args: KeySigningKeyArgs,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def KeySigningKey(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      hosted_zone_id: Optional[str] = None,
                      key_management_service_arn: Optional[str] = None,
                      name: Optional[str] = None,
                      status: Optional[str] = None)
    func NewKeySigningKey(ctx *Context, name string, args KeySigningKeyArgs, opts ...ResourceOption) (*KeySigningKey, error)
    public KeySigningKey(string name, KeySigningKeyArgs args, CustomResourceOptions? opts = null)
    public KeySigningKey(String name, KeySigningKeyArgs args)
    public KeySigningKey(String name, KeySigningKeyArgs args, CustomResourceOptions options)
    
    type: aws:route53:KeySigningKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KeySigningKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeySigningKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeySigningKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeySigningKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeySigningKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var keySigningKeyResource = new Aws.Route53.KeySigningKey("keySigningKeyResource", new()
    {
        HostedZoneId = "string",
        KeyManagementServiceArn = "string",
        Name = "string",
        Status = "string",
    });
    
    example, err := route53.NewKeySigningKey(ctx, "keySigningKeyResource", &route53.KeySigningKeyArgs{
    	HostedZoneId:            pulumi.String("string"),
    	KeyManagementServiceArn: pulumi.String("string"),
    	Name:                    pulumi.String("string"),
    	Status:                  pulumi.String("string"),
    })
    
    var keySigningKeyResource = new KeySigningKey("keySigningKeyResource", KeySigningKeyArgs.builder()
        .hostedZoneId("string")
        .keyManagementServiceArn("string")
        .name("string")
        .status("string")
        .build());
    
    key_signing_key_resource = aws.route53.KeySigningKey("keySigningKeyResource",
        hosted_zone_id="string",
        key_management_service_arn="string",
        name="string",
        status="string")
    
    const keySigningKeyResource = new aws.route53.KeySigningKey("keySigningKeyResource", {
        hostedZoneId: "string",
        keyManagementServiceArn: "string",
        name: "string",
        status: "string",
    });
    
    type: aws:route53:KeySigningKey
    properties:
        hostedZoneId: string
        keyManagementServiceArn: string
        name: string
        status: string
    

    KeySigningKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The KeySigningKey resource accepts the following input properties:

    HostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    KeyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    Name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    Status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    HostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    KeyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    Name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    Status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    hostedZoneId String
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn String
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    name String

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    status String
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    hostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    hosted_zone_id str
    Identifier of the Route 53 Hosted Zone.
    key_management_service_arn str
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    name str

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    status str
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    hostedZoneId String
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn String
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    name String

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    status String
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KeySigningKey resource produces the following output properties:

    DigestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestAlgorithmType int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    DnskeyRecord string
    A string that represents a DNSKEY record.
    DsRecord string
    A string that represents a delegation signer (DS) record.
    Flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyTag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    PublicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    SigningAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    SigningAlgorithmType int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    DigestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestAlgorithmType int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    DnskeyRecord string
    A string that represents a DNSKEY record.
    DsRecord string
    A string that represents a delegation signer (DS) record.
    Flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyTag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    PublicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    SigningAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    SigningAlgorithmType int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    digestAlgorithmMnemonic String
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType Integer
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue String
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord String
    A string that represents a DNSKEY record.
    dsRecord String
    A string that represents a delegation signer (DS) record.
    flag Integer
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    id String
    The provider-assigned unique ID for this managed resource.
    keyTag Integer
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    publicKey String
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic String
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType Integer
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    digestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType number
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord string
    A string that represents a DNSKEY record.
    dsRecord string
    A string that represents a delegation signer (DS) record.
    flag number
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    id string
    The provider-assigned unique ID for this managed resource.
    keyTag number
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    publicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType number
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    digest_algorithm_mnemonic str
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digest_algorithm_type int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digest_value str
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskey_record str
    A string that represents a DNSKEY record.
    ds_record str
    A string that represents a delegation signer (DS) record.
    flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    id str
    The provider-assigned unique ID for this managed resource.
    key_tag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    public_key str
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signing_algorithm_mnemonic str
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signing_algorithm_type int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    digestAlgorithmMnemonic String
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType Number
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue String
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord String
    A string that represents a DNSKEY record.
    dsRecord String
    A string that represents a delegation signer (DS) record.
    flag Number
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    id String
    The provider-assigned unique ID for this managed resource.
    keyTag Number
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    publicKey String
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic String
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType Number
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.

    Look up Existing KeySigningKey Resource

    Get an existing KeySigningKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeySigningKeyState, opts?: CustomResourceOptions): KeySigningKey
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            digest_algorithm_mnemonic: Optional[str] = None,
            digest_algorithm_type: Optional[int] = None,
            digest_value: Optional[str] = None,
            dnskey_record: Optional[str] = None,
            ds_record: Optional[str] = None,
            flag: Optional[int] = None,
            hosted_zone_id: Optional[str] = None,
            key_management_service_arn: Optional[str] = None,
            key_tag: Optional[int] = None,
            name: Optional[str] = None,
            public_key: Optional[str] = None,
            signing_algorithm_mnemonic: Optional[str] = None,
            signing_algorithm_type: Optional[int] = None,
            status: Optional[str] = None) -> KeySigningKey
    func GetKeySigningKey(ctx *Context, name string, id IDInput, state *KeySigningKeyState, opts ...ResourceOption) (*KeySigningKey, error)
    public static KeySigningKey Get(string name, Input<string> id, KeySigningKeyState? state, CustomResourceOptions? opts = null)
    public static KeySigningKey get(String name, Output<String> id, KeySigningKeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    DigestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestAlgorithmType int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    DnskeyRecord string
    A string that represents a DNSKEY record.
    DsRecord string
    A string that represents a delegation signer (DS) record.
    Flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    HostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    KeyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    KeyTag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    Name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    PublicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    SigningAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    SigningAlgorithmType int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    Status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    DigestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestAlgorithmType int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    DigestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    DnskeyRecord string
    A string that represents a DNSKEY record.
    DsRecord string
    A string that represents a delegation signer (DS) record.
    Flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    HostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    KeyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    KeyTag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    Name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    PublicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    SigningAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    SigningAlgorithmType int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    Status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    digestAlgorithmMnemonic String
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType Integer
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue String
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord String
    A string that represents a DNSKEY record.
    dsRecord String
    A string that represents a delegation signer (DS) record.
    flag Integer
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    hostedZoneId String
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn String
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    keyTag Integer
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    name String

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    publicKey String
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic String
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType Integer
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    status String
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    digestAlgorithmMnemonic string
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType number
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue string
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord string
    A string that represents a DNSKEY record.
    dsRecord string
    A string that represents a delegation signer (DS) record.
    flag number
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    hostedZoneId string
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn string
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    keyTag number
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    name string

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    publicKey string
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic string
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType number
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    status string
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    digest_algorithm_mnemonic str
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digest_algorithm_type int
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digest_value str
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskey_record str
    A string that represents a DNSKEY record.
    ds_record str
    A string that represents a delegation signer (DS) record.
    flag int
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    hosted_zone_id str
    Identifier of the Route 53 Hosted Zone.
    key_management_service_arn str
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    key_tag int
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    name str

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    public_key str
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signing_algorithm_mnemonic str
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signing_algorithm_type int
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    status str
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.
    digestAlgorithmMnemonic String
    A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestAlgorithmType Number
    An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
    digestValue String
    A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
    dnskeyRecord String
    A string that represents a DNSKEY record.
    dsRecord String
    A string that represents a delegation signer (DS) record.
    flag Number
    An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
    hostedZoneId String
    Identifier of the Route 53 Hosted Zone.
    keyManagementServiceArn String
    Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the us-east-1 Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference.
    keyTag Number
    An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
    name String

    Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.

    The following arguments are optional:

    publicKey String
    The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
    signingAlgorithmMnemonic String
    A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    signingAlgorithmType Number
    An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
    status String
    Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE.

    Import

    Using pulumi import, import aws_route53_key_signing_key resources using the Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (,). For example:

    $ pulumi import aws:route53/keySigningKey:KeySigningKey example Z1D633PJN98FT9,example
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi