AWS Key Management Service
API Reference (API Version 2014-11-01)

KeyMetadata

Contains metadata about a customer master key (CMK).

This data type is used as a response element for the CreateKey and DescribeKey operations.

Contents

Note

In the following list, the required parameters are described first.

KeyId

The globally unique identifier for the CMK.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Arn

The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service (AWS KMS) in the Example ARNs section of the AWS General Reference.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: No

AWSAccountId

The twelve-digit account ID of the AWS account that owns the CMK.

Type: String

Required: No

CreationDate

The date and time when the CMK was created.

Type: Timestamp

Required: No

DeletionDate

The date and time after which AWS KMS deletes the CMK. This value is present only when KeyState is PendingDeletion; otherwise it is omitted.

Type: Timestamp

Required: No

Description

The description of the CMK.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 8192.

Required: No

Enabled

Specifies whether the CMK is enabled. When KeyState is Enabled, this value is true; otherwise it is false.

Type: Boolean

Required: No

ExpirationModel

Specifies whether the CMK's key material expires. This value is present only when Origin is EXTERNAL; otherwise it is omitted.

Type: String

Valid Values: KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE

Required: No

KeyState

The state of the CMK.

For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: Enabled | Disabled | PendingDeletion | PendingImport

Required: No

KeyUsage

The cryptographic operations for which you can use the CMK. Currently the only allowed value is ENCRYPT_DECRYPT, which means you can use the CMK for the Encrypt and Decrypt operations.

Type: String

Valid Values: ENCRYPT_DECRYPT

Required: No

Origin

The source of the CMK's key material. When this value is AWS_KMS, AWS KMS created the key material. When this value is EXTERNAL, either the key material was imported from your existing key management infrastructure or the CMK lacks key material.

Type: String

Valid Values: AWS_KMS | EXTERNAL

Required: No

ValidTo

The time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. This value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES; otherwise it is omitted.

Type: Timestamp

Required: No
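
The conditional fields above (DeletionDate, Enabled, ExpirationModel, ValidTo) lend themselves to an inventory check that flags keys scheduled for deletion or with imported key material close to expiry. The following is an added example, not part of the AWS reference: the function name, the 30-day warning window, the sample records and the assumption that timestamps arrive as timezone-aware datetime objects are all illustrative.

```python
from datetime import datetime, timedelta, timezone

def audit_key_metadata(md, now, warn_within=timedelta(days=30)):
    """Return findings for one KeyMetadata dict (shape of a DescribeKey response element)."""
    findings = []
    state, origin = md.get("KeyState"), md.get("Origin")
    model = md.get("ExpirationModel")

    # Enabled is true only when KeyState is Enabled.
    if "Enabled" in md and md["Enabled"] != (state == "Enabled"):
        findings.append("inconsistent: Enabled does not match KeyState")

    # DeletionDate is present only when KeyState is PendingDeletion.
    if state == "PendingDeletion" and "DeletionDate" in md:
        findings.append("pending deletion after " + md["DeletionDate"].isoformat())
    elif (state == "PendingDeletion") != ("DeletionDate" in md):
        findings.append("inconsistent: DeletionDate does not match KeyState")

    # ExpirationModel is present only when Origin is EXTERNAL.
    if model is not None and origin != "EXTERNAL":
        findings.append("inconsistent: ExpirationModel without Origin EXTERNAL")

    # ValidTo is present only for EXTERNAL keys with KEY_MATERIAL_EXPIRES.
    expires = origin == "EXTERNAL" and model == "KEY_MATERIAL_EXPIRES"
    if "ValidTo" in md and not expires:
        findings.append("inconsistent: ValidTo on a key whose material does not expire")
    elif "ValidTo" in md:
        left = md["ValidTo"] - now
        if left <= timedelta(0):
            findings.append("imported key material has expired")
        elif left <= warn_within:
            findings.append(f"imported key material expires in {left.days} days")
    return findings

# Constructed sample records; the KeyId values are placeholders, not real keys.
NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    {"KeyId": "example-key-1", "KeyState": "Enabled", "Enabled": True, "Origin": "AWS_KMS"},
    {"KeyId": "example-key-2", "KeyState": "PendingDeletion", "Enabled": False,
     "Origin": "AWS_KMS", "DeletionDate": NOW + timedelta(days=7)},
    {"KeyId": "example-key-3", "KeyState": "Enabled", "Enabled": True, "Origin": "EXTERNAL",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": NOW + timedelta(days=10)},
    {"KeyId": "example-key-4", "KeyState": "Disabled", "Enabled": True,
     "Origin": "AWS_KMS", "ValidTo": NOW + timedelta(days=10)},
]

if __name__ == "__main__":
    for md in SAMPLES:
        print(md["KeyId"], audit_key_metadata(md, NOW) or "ok")
```
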

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:
