class Key (construct)
Defines a KMS key.
new Key(scope: Construct, id: string, props?: KeyProps)
| Name | Type | Description |
|---|---|---|
| alias? | string | Initial alias to add to the key. |
| description? | string | A description of the key. |
| enableKeyRotation? | boolean | Indicates whether AWS KMS rotates the key. |
| enabled? | boolean | Indicates whether the key is available for use. |
| policy? | PolicyDocument | Custom policy document to attach to the KMS key. |
| removalPolicy? | RemovalPolicy | Whether the encryption key should be retained when it is removed from the Stack. |
| trustAccountIdentities? | boolean | Whether the key usage can be granted by IAM policies. |
alias?
(optional, default: No alias is added for the key.)
Initial alias to add to the key.
More aliases can be added later by calling addAlias().
description?
(optional, default: No description.)
A description of the key.
Use a description that helps your users decide whether the key is appropriate for a particular task.
enableKeyRotation?
(optional, default: false)
Indicates whether AWS KMS rotates the key.
Rotation is off unless you set this to true; for long-lived keys enable it, since automatic rotation keeps the key ARN and existing ciphertexts valid while limiting how much data is protected by any single backing key.
enabled?
(optional, default: Key is enabled.)
Indicates whether the key is available for use.
policy?
(optional, default: A policy document with permissions for the account root to administer the key will be created.)
Custom policy document to attach to the KMS key.
The default policy only lets the account root administer the key; it does not grant cryptographic use (Encrypt, Decrypt, GenerateDataKey), which is added per principal by the grant*() methods.
removalPolicy?
(optional, default: RemovalPolicy.Retain)
Whether the encryption key should be retained when it is removed from the Stack.
This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Only switch to RemovalPolicy.Destroy for keys whose ciphertext you can afford to lose: once the key is deleted, data encrypted under it cannot be recovered.
trustAccountIdentities?
(optional, default: false)
Whether the key usage can be granted by IAM policies.
Setting this to true adds a default statement which delegates key access control completely to the identity's IAM policy (similar to how it works for other AWS resources). With it set, the key policy no longer restricts callers: any principal in the account whose IAM policy allows the relevant kms: actions can use the key, so review of who can use the key moves from the key policy to the account's IAM policies.
| Name | Type | Description |
|---|---|---|
| env | ResourceEnvironment | The environment this resource belongs to. |
| keyArn | string | The ARN of the key. |
| keyId | string | The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab). |
| node | ConstructNode | The construct tree node associated with this construct. |
| stack | Stack | The stack in which this resource is defined. |
| trustAccountIdentities | boolean | Optional property to control trusting account identities. |
| policy? | PolicyDocument | Optional policy document that represents the resource policy of this key. |
env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
keyArn
The ARN of the key.
keyId
The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
node
The construct tree node associated with this construct.
stack
The stack in which this resource is defined.
trustAccountIdentities
Optional property to control trusting account identities.
If specified, grants will default to identity policies only instead of to both resource and identity policies.
policy?
Optional policy document that represents the resource policy of this key.
If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op. Keys imported with fromKeyArn() have no policy property, so their resource policy cannot be edited from the CDK app.
| Name | Description |
|---|---|
| addAlias(aliasName) | Defines a new alias for the key. |
| addToResourcePolicy(statement, allowNoOp?) | Adds a statement to the KMS key resource policy. |
| grant(grantee, ...actions) | Grant the indicated permissions on this key to the given principal. |
| grantDecrypt(grantee) | Grant decryption permissions using this key to the given principal. |
| grantEncrypt(grantee) | Grant encryption permissions using this key to the given principal. |
| grantEncryptDecrypt(grantee) | Grant encryption and decryption permissions using this key to the given principal. |
| toString() | Returns a string representation of this construct. |
| protected validate() | Validate the current construct. |
| static fromKeyArn(scope, id, keyArn) | Import an externally defined KMS Key using its ARN. |
addAlias(aliasName)
public addAlias(aliasName: string): Alias
aliasName: string— The alias name, including the alias/ prefix.
Defines a new alias for the key.
addToResourcePolicy(statement, allowNoOp?)
public addToResourcePolicy(statement: PolicyStatement, allowNoOp?: boolean): AddToResourcePolicyResult
statement: PolicyStatement— The policy statement to add.
allowNoOp?: boolean— If this is set to false and there is no policy defined (i.e. an external, imported key), the operation will fail. Otherwise, it will no-op.
Adds a statement to the KMS key resource policy.
The returned result's statementAdded flag reports whether the key policy was actually changed. For a key imported with fromKeyArn() it is false, and the permission must instead already be present in that key's existing policy.
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
grantee: IGrantable— The principal (role, user, service) receiving the permissions.
actions: string[]— The kms: actions to allow, e.g. kms:Decrypt.
Grant the indicated permissions on this key to the given principal.
This modifies both the principal's identity policy as well as the key's resource policy, since the default CloudFormation setup for KMS keys is that the key policy must not be empty, and a key policy that only lets the account root administer the key does not let IAM identity policies alone authorize use of the key, so identity-policy-only grants won't work. When trustAccountIdentities is set, only the identity policy is modified.
grantDecrypt(grantee)
public grantDecrypt(grantee: IGrantable): Grant
Grant decryption permissions using this key to the given principal.
grantEncrypt(grantee)
public grantEncrypt(grantee: IGrantable): Grant
Grant encryption permissions using this key to the given principal.
grantEncryptDecrypt(grantee)
public grantEncryptDecrypt(grantee: IGrantable): Grant
Grant encryption and decryption permissions using this key to the given principal.
Prefer the narrowest of the three that the workload needs: a consumer that only reads data needs grantDecrypt, a producer that only writes needs grantEncrypt.
public toString(): string
Returns a string representation of this construct.
protected validate(): string[]
Validate the current construct.
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis and returns a list of validation error messages; an empty list means the construct is valid.
static fromKeyArn(scope, id, keyArn)
public static fromKeyArn(scope: Construct, id: string, keyArn: string): IKey
scope: Construct— the construct that will "own" the imported key.
id: string— the id of the imported key in the construct tree.
keyArn: string— the ARN of an existing KMS key.
Import an externally defined KMS Key using its ARN.
The imported key has no policy property, so addToResourcePolicy() no-ops on it (or fails when allowNoOp is false) and the grant*() methods only modify the grantee's identity policy. For such a grant to take effect, the key's existing policy must already allow that principal, typically by trusting the account root.