@aws-cdk/kms
AWS KMS Construct Library
Define a KMS key:
new EncryptionKey(this, 'MyKey', {
  enableKeyRotation: true
});
Add a couple of aliases:
const key = new EncryptionKey(this, 'MyKey');
key.addAlias('alias/foo');
key.addAlias('alias/bar');
Importing and exporting keys
To use a KMS key that is not defined within this stack, use the EncryptionKey.import(parent, name, ref) factory method:
const key = EncryptionKey.import(this, 'MyImportedKey', {
  keyArn: new KeyArn('arn:aws:...')
});
// you can do stuff with this imported key.
key.addAlias('alias/foo');
To export a key from a stack and import it in another stack, use key.export, which returns an EncryptionKeyRef that can later be used to import:
// in stackA
const myKey = new EncryptionKey(stackA, 'MyKey');
const myKeyRef = myKey.export();
// meanwhile in stackB
const myKeyImported = EncryptionKey.import(stackB, 'MyKeyImported', myKeyRef);
Note that a call to .addToPolicy(statement) on myKeyImported will not have an effect on the key’s policy because it is not owned by your stack. The call will be a no-op.
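Because the no-op is silent, a policy statement intended for an imported key is dropped without any error. The following TypeScript guard is an added example, not part of this library or its documentation; it fails fast when a key exposes no editable policy. KeyLike, PolicyLike, the two stand-in classes and addToKeyPolicyOrThrow are hypothetical names, the statements array is an assumed shape, and the role ARN is a constructed placeholder.

```typescript
// Added example. These are stand-in types, not the @aws-cdk/kms classes;
// only the policy property and addToResourcePolicy from the reference are modelled.
interface Statement { effect: 'Allow' | 'Deny'; actions: string[]; principals: string[]; }
interface PolicyLike { statements: Statement[]; }   // assumed shape
interface KeyLike {
  readonly policy: PolicyLike | undefined;           // undefined: key not owned by this stack
  addToResourcePolicy(statement: Statement): void;
}

// Stand-in for a key defined in this stack: statements reach the policy.
class OwnedKeyStandIn implements KeyLike {
  public readonly policy: PolicyLike = { statements: [] };
  public addToResourcePolicy(statement: Statement): void {
    this.policy.statements.push(statement);
  }
}

// Stand-in for an imported key: no policy, and the call silently does nothing.
class ImportedKeyStandIn implements KeyLike {
  public readonly policy: PolicyLike | undefined = undefined;
  public addToResourcePolicy(_statement: Statement): void { /* no-op */ }
}

// Hypothetical guard: turn the silent no-op into an error at synthesis time.
// Returns the number of statements in the policy after the addition.
function addToKeyPolicyOrThrow(key: KeyLike, statement: Statement): number {
  const policy = key.policy;
  if (policy === undefined) {
    throw new Error('key has no policy in this stack; the statement would be dropped');
  }
  const before = policy.statements.length;
  key.addToResourcePolicy(statement);
  if (policy.statements.length !== before + 1) {
    throw new Error('statement was not recorded in the key policy');
  }
  return policy.statements.length;
}

// Constructed sample statement; the account id and role name are placeholders.
const SAMPLE_STATEMENT: Statement = {
  effect: 'Allow',
  actions: ['kms:Decrypt'],
  principals: ['arn:aws:iam::111122223333:role/ExampleRole'],
};
```

For a key that must accept the statement, the policy change has to be made in the stack that owns the key.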
Reference
AliasName
EncryptionKey
- class _aws-cdk_kms.EncryptionKey(parent, name[, props])
  Defines a KMS key.
  Extends: EncryptionKeyRef
  Parameters:
  - parent (Construct)
  - name (string)
  - props (EncryptionKeyProps or None)
  - keyArn
    The ARN of the key.
    Type: KeyArn (readonly)
  - policy
    Optional policy document that represents the resource policy of this key. If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.
    Type: PolicyDocument or None (readonly)
EncryptionKeyAlias
- class _aws-cdk_kms.EncryptionKeyAlias(parent, name, props)
  Defines a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). Using an alias to refer to a key can help you simplify key management. For example, when rotating keys, you can just update the alias mapping instead of tracking and changing key IDs. For more information, see Working with Aliases in the AWS Key Management Service Developer Guide. You can also add an alias for a key by calling key.addAlias(alias).
  Extends: Construct
  Parameters:
  - parent (Construct)
  - name (string)
  - props (EncryptionKeyAliasProps)
  - aliasName
    The name of the alias.
    Type: AliasName
EncryptionKeyAliasProps (interface)
- class _aws-cdk_kms.EncryptionKeyAliasProps
  - alias
    The name of the alias. The name must start with alias followed by a forward slash, such as alias/. You can’t specify aliases that begin with alias/AWS. These aliases are reserved.
    Type: string
  - key
    The ID of the key for which you are creating the alias. Specify the key’s globally unique identifier or Amazon Resource Name (ARN). You can’t specify another alias.
    Type: EncryptionKeyRef
EncryptionKeyProps (interface)
- class _aws-cdk_kms.EncryptionKeyProps
  Construction properties for a KMS Key object.
  - description
    A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task.
    Type: string or None
  - enableKeyRotation
    Indicates whether AWS KMS rotates the key.
    Type: boolean or None
  - enabled
    Indicates whether the key is available for use.
    Type: boolean or None
  - policy
    Custom policy document to attach to the KMS key.
    Type: PolicyDocument or None
EncryptionKeyRef
- class _aws-cdk_kms.EncryptionKeyRef(parent, name)
  Extends: Construct
  Abstract: Yes
  Parameters:
  - parent (Construct) – The parent construct
  - name (string)
  - static import(parent, name, props) → @aws-cdk/kms.EncryptionKeyRef
    Defines an imported encryption key. ref can be obtained either via a call to key.export() or using literals. For example:
    const keyRefProps = key.export();
    const keyRef1 = EncryptionKeyRef.import(this, 'MyImportedKey1', keyRefProps);
    const keyRef2 = EncryptionKeyRef.import(this, 'MyImportedKey2', {
      keyArn: new KeyArn('arn:aws:kms:…')
    });
    Parameters:
    - parent (Construct) – The parent construct.
    - name (string) – The name of the construct.
    - props (EncryptionKeyRefProps) – The key reference.
    Return type: EncryptionKeyRef
  - addAlias(alias) → @aws-cdk/kms.EncryptionKeyAlias
    Defines a new alias for the key.
    Parameters:
    - alias (string)
    Return type: EncryptionKeyAlias
  - addToResourcePolicy(statement)
    Adds a statement to the KMS key resource policy.
    Parameters:
    - statement (PolicyStatement)
  - export() → @aws-cdk/kms.EncryptionKeyRefProps
    Exports this key from the current stack.
    Returns: a key ref which can be used in a call to EncryptionKey.import(ref).
    Return type: EncryptionKeyRefProps
  - keyArn
    The ARN of the key.
    Type: KeyArn (readonly) (abstract)
  - policy
    Optional policy document that represents the resource policy of this key. If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.
    Type: PolicyDocument or None (readonly) (abstract)