Key
- class aws_cdk.aws_kms.Key(scope, id, *, admins=None, alias=None, description=None, enabled=None, enable_key_rotation=None, key_spec=None, key_usage=None, multi_region=None, pending_window=None, policy=None, removal_policy=None, rotation_period=None)
Bases: Resource
Defines a KMS key.
- Resource: AWS::KMS::Key
Example:
    import aws_cdk.aws_kms as kms
    import aws_cdk.aws_s3 as s3
    import aws_cdk.aws_cloudfront as cloudfront
    import aws_cdk.aws_cloudfront_origins as origins

    # A customer-managed KMS key, used below as the SSE-KMS key of an S3 bucket
    my_kms_key = kms.Key(self, "myKMSKey")
    my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
        encryption=s3.BucketEncryption.KMS,
        encryption_key=my_kms_key,
        object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
    )
    # Origin access control lets the distribution read the encrypted bucket;
    # the construct grants the distribution the needed kms:Decrypt on the key
    cloudfront.Distribution(self, "myDist",
        default_behavior=cloudfront.BehaviorOptions(
            origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
        )
    )
- Parameters:
  - scope (Construct)
  - id (str)
  - admins (Optional[Sequence[IPrincipal]]) – A list of principals to add as key administrators to the key policy. Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt). These principals will be added to the default key policy (if none specified), or to the specified policy (if provided). Default: []
  - alias (Optional[str]) – Initial alias to add to the key. More aliases can be added later by calling addAlias. Default: - No alias is added for the key.
  - description (Optional[str]) – A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task. Default: - No description.
  - enabled (Optional[bool]) – Indicates whether the key is available for use. Default: - Key is enabled.
  - enable_key_rotation (Optional[bool]) – Indicates whether AWS KMS rotates the key. Default: false
  - key_spec (Optional[KeySpec]) – The cryptographic configuration of the key. The valid value depends on usage of the key. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeySpec.SYMMETRIC_DEFAULT
  - key_usage (Optional[KeyUsage]) – The cryptographic operations for which the key can be used. IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion and a new key is created with the specified value. Default: KeyUsage.ENCRYPT_DECRYPT
  - multi_region (Optional[bool]) – Creates a multi-Region primary key that you can replicate in other AWS Regions. You can’t change the multiRegion value after the KMS key is created. IMPORTANT: If you change the value of the multiRegion property on an existing KMS key, the update request fails, regardless of the value of the UpdateReplacePolicy attribute. This prevents you from accidentally deleting a KMS key by changing an immutable property value. Default: false
  - pending_window (Optional[Duration]) – Specifies the number of days in the waiting period before AWS KMS deletes a CMK that has been removed from a CloudFormation stack. When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of the waiting period. During the waiting period, the key state of the CMK is Pending Deletion, which prevents the CMK from being used in cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK. Enter a value between 7 and 30 days. Default: - 30 days
  - policy (Optional[PolicyDocument]) – Custom policy document to attach to the KMS key. NOTE - If the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set (the default for new projects), this policy will override the default key policy and become the only key policy for the key. If the feature flag is not set, this policy will be appended to the default key policy. Default: - A policy document with permissions for the account root to administer the key will be created.
  - removal_policy (Optional[RemovalPolicy]) – Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain
  - rotation_period (Optional[Duration]) – The period between each automatic rotation. Default: - set by CFN to 365 days.
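Several of the parameters above map straight onto properties of the synthesized AWS::KMS::Key resource (enable_key_rotation to EnableKeyRotation, pending_window to PendingWindowInDays, policy and admins to KeyPolicy), which makes the output of cdk synth a convenient place to verify them before deployment. The following script is an added example, not code from the aws_cdk documentation or library: it lints every AWS::KMS::Key in a CloudFormation template dict for rotation left at its default of false, a deletion window outside the 7..30 day range, an empty key policy, and any Allow statement whose principal is the wildcard. The template, its logical ids and the extra statement are a constructed sample shaped like CDK output; no aws_cdk import is needed.

```python
"""Post-synth checks for AWS::KMS::Key resources (added example, not aws_cdk code)."""
import json

# Constructed sample: roughly what a Key with enable_key_rotation=True,
# pending_window=Duration.days(7) and one over-broad custom policy statement
# synthesizes, next to a second key left at construct defaults.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AppKey1A2B3C4D": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "EnableKeyRotation": True,
                "PendingWindowInDays": 7,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {   # default admin statement: the account root administers the key
                            "Effect": "Allow",
                            "Principal": {"AWS": {"Fn::Join": ["", [
                                "arn:", {"Ref": "AWS::Partition"}, ":iam::",
                                {"Ref": "AWS::AccountId"}, ":root"]]}},
                            "Action": "kms:*",
                            "Resource": "*",
                        },
                        {   # over-broad statement a reviewer should catch
                            "Effect": "Allow",
                            "Principal": "*",
                            "Action": ["kms:Decrypt"],
                            "Resource": "*",
                        },
                    ],
                },
            },
        },
        "LegacyKeyE5F6": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                # no EnableKeyRotation -> construct default false; no PendingWindowInDays -> 30
                "KeyPolicy": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "Bucket0001": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def _principal_is_public(principal):
    """True if a statement's Principal is the wildcard, in either IAM spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def lint_kms_keys(template):
    """Return {logical_id: [finding, ...]} for every AWS::KMS::Key in the template."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties", {})
        problems = []
        if props.get("EnableKeyRotation") is not True:
            problems.append("EnableKeyRotation is not true (enable_key_rotation defaults to false)")
        window = props.get("PendingWindowInDays", 30)  # CloudFormation default per the docs above
        if not 7 <= window <= 30:
            problems.append(f"PendingWindowInDays={window} outside the 7..30 range")
        statements = props.get("KeyPolicy", {}).get("Statement", [])
        if not statements:
            problems.append("KeyPolicy has no statements")
        for i, st in enumerate(statements):
            if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
                problems.append(f"statement {i} allows {st.get('Action')} to principal '*'")
        findings[logical_id] = problems
    return findings


if __name__ == "__main__":
    print(json.dumps(lint_kms_keys(SAMPLE_TEMPLATE), indent=2))
```

Run it against the real template with `lint_kms_keys(json.load(open("cdk.out/MyStack.template.json")))` and fail the pipeline when any finding list is non-empty. The wildcard check matters because, with the defaultKeyPolicies feature flag set, a custom `policy` is the only key policy, so nothing else constrains who the statement reaches.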
Methods
- add_alias(alias_name)
  Defines a new alias for the key.
  - Parameters: alias_name (str)
  - Return type:
- add_to_resource_policy(statement, allow_no_op=None)
  Adds a statement to the KMS key resource policy.
  - Parameters:
    - statement (PolicyStatement) – The policy statement to add.
    - allow_no_op (Optional[bool]) – If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
  - Return type:
- apply_removal_policy(policy)
  Apply the given removal policy to this resource.
  The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
  The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
  - Parameters: policy (RemovalPolicy)
  - Return type: None
- grant(grantee, *actions)
  Grant the indicated permissions on this key to the given principal.
  This modifies both the principal’s policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won’t work.
  - Parameters:
    - grantee (IGrantable)
    - actions (str)
  - Return type:
- grant_admin(grantee)
  Grant admin permissions on this key to the given principal.
  Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
  - Parameters: grantee (IGrantable)
  - Return type:
- grant_decrypt(grantee)
  Grant decryption permissions using this key to the given principal.
  - Parameters: grantee (IGrantable)
  - Return type:
- grant_encrypt(grantee)
  Grant encryption permissions using this key to the given principal.
  - Parameters: grantee (IGrantable)
  - Return type:
- grant_encrypt_decrypt(grantee)
  Grant encryption and decryption permissions using this key to the given principal.
  - Parameters: grantee (IGrantable)
  - Return type:
- grant_generate_mac(grantee)
  Grant permissions to generate MACs with this key to the given principal.
  - Parameters: grantee (IGrantable)
  - Return type:
- grant_verify_mac(grantee)
  Grant permissions to verify MACs with this key to the given principal.
  - Parameters: grantee (IGrantable)
  - Return type:
- to_string()
  Returns a string representation of this construct.
  - Return type: str
Attributes
- DEFAULT_DUMMY_KEY_ID = '1234abcd-12ab-34cd-56ef-1234567890ab'
- env
  The environment this resource belongs to.
  For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- key_arn
  The ARN of the key.
- key_id
  The ID of the key (the part that looks something like 1234abcd-12ab-34cd-56ef-1234567890ab).
- node
  The tree node.
- stack
  The stack in which this resource is defined.
Static Methods
- classmethod from_cfn_key(cfn_key)
  Create a mutable IKey based on a low-level CfnKey.
  This is most useful when combined with the cloudformation-include module. This method is different than fromKeyArn() because the IKey returned from this method is mutable; meaning, calling any mutating methods on it, like IKey.addToResourcePolicy(), will actually be reflected in the resulting template, as opposed to the object returned from fromKeyArn(), on which calling those methods would have no effect.
- classmethod from_key_arn(scope, id, key_arn)
  Import an externally defined KMS Key using its ARN.
- classmethod from_lookup(scope, id, *, alias_name, return_dummy_key_on_missing=None)
  Import an existing Key by querying the AWS environment this stack is deployed to.
  This function only needs to be used to use Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the Key object between stacks and use it as normal. In addition, it’s not necessary to use this method if an interface accepts an IKey. In this case, Alias.fromAliasName() can be used which returns an alias that extends IKey.
  Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).
  If you set returnDummyKeyOnMissing to true in options and the key was not found, this method will return a dummy key with a key id ‘1234abcd-12ab-34cd-56ef-1234567890ab’. The value of the dummy key id can also be referenced using the Key.DEFAULT_DUMMY_KEY_ID variable, and you can check if the key is a dummy key by using the Key.isLookupDummy() method.
  The Key information will be cached in cdk.context.json and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
  - Parameters:
    - scope (Construct)
    - id (str)
    - alias_name (str) – The alias name of the Key. Must be in the format alias/<AliasName>.
    - return_dummy_key_on_missing (Optional[bool]) – Whether to return a dummy key if the key was not found. If it is set to true and the key was not found, a dummy key with a key id ‘1234abcd-12ab-34cd-56ef-1234567890ab’ will be returned. The value of the dummy key id can also be referenced using the Key.DEFAULT_DUMMY_KEY_ID variable, and you can check if the key is a dummy key by using the Key.isLookupDummy() method. Default: false
  - Return type:
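When return_dummy_key_on_missing is true and the alias does not exist, from_lookup() resolves to a key whose id is Key.DEFAULT_DUMMY_KEY_ID, and every resource that was handed that key carries the placeholder into the synthesized template, where a deployment would fail or, worse, be retried with a key nobody owns. The script below is an added example, not code from the aws_cdk documentation or library: it walks a synthesized template dict and reports the JSON path of every string that contains the dummy key id, so a CI step can refuse to deploy until the lookup is fixed or the cached value is evicted with cdk context. The bucket template, account id and region are a constructed sample; the ARN format is the standard KMS key ARN.

```python
"""Detect the Key.from_lookup() dummy key in a synthesized template (added example, not aws_cdk code)."""
import json

# Same value as Key.DEFAULT_DUMMY_KEY_ID on the Key construct
DEFAULT_DUMMY_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample: a bucket whose SSE-KMS key came from a from_lookup() that
# found no alias and fell back to the dummy key. Account id and region are made up.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DataBucketABCD": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {
                            "SSEAlgorithm": "aws:kms",
                            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                                              "1234abcd-12ab-34cd-56ef-1234567890ab",
                        }}
                    ]
                }
            },
        },
        "AppRole1234": {"Type": "AWS::IAM::Role", "Properties": {"RoleName": "app-role"}},
    }
}


def find_dummy_key_refs(node, path="", dummy_id=DEFAULT_DUMMY_KEY_ID):
    """Yield the JSON path of every string under `node` that contains the dummy key id.

    Handles nested dicts and lists, so intrinsic functions such as Fn::Join
    arrays that embed the id are found as well as plain ARN strings.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_dummy_key_refs(value, f"{path}.{key}" if path else key, dummy_id)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_dummy_key_refs(value, f"{path}[{index}]", dummy_id)
    elif isinstance(node, str) and dummy_id in node:
        yield path


def template_is_deployable(template):
    """False if any resource in the template still references the lookup dummy key."""
    return not any(True for _ in find_dummy_key_refs(template))


if __name__ == "__main__":
    for ref in find_dummy_key_refs(SAMPLE_TEMPLATE):
        print("dummy key reference at", ref)
    print("deployable:", template_is_deployable(SAMPLE_TEMPLATE))
```

In a pipeline, load each file under cdk.out with json.load and gate on template_is_deployable(); the reported path points straight at the construct that consumed the dummy key, which is the same information is_lookup_dummy() gives you inside the app, but checked on the artifact that is actually deployed.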
- classmethod is_construct(x)
  Checks if x is a construct.
  Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.
  Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.
  - Parameters: x (Any) – Any object.
  - Return type: bool
  - Returns: true if x is an object created from a class which extends Construct.
- classmethod is_lookup_dummy(key)
  Checks if the key returned by the Key.fromLookup() method is a dummy key, i.e., a key that was not found.
  This method can only be used if the returnDummyKeyOnMissing option is set to true in the options for the Key.fromLookup() method.
  - Parameters: key (IKey)
  - Return type: bool
- classmethod is_owned_resource(construct)
  Returns true if the construct was created by CDK, and false otherwise.
  - Parameters: construct (IConstruct)
  - Return type: bool
- classmethod is_resource(construct)
  Check whether the given construct is a Resource.
  - Parameters: construct (IConstruct)
  - Return type: bool