Key

class aws_cdk.aws_kms.Key(scope, id, *, alias=None, description=None, enabled=None, enable_key_rotation=None, policy=None, removal_policy=None)

Bases: aws_cdk.core.Resource

Defines a KMS key.

Resource: AWS::KMS::Key

__init__(scope, id, *, alias=None, description=None, enabled=None, enable_key_rotation=None, policy=None, removal_policy=None)
Parameters
  • scope (Construct) –

  • id (str) –

  • alias (Optional[str]) – Initial alias to add to the key. More aliases can be added later by calling add_alias. Default: - No alias is added for the key.

  • description (Optional[str]) – A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task. Default: - No description.

  • enabled (Optional[bool]) – Indicates whether the key is available for use. Default: - Key is enabled.

  • enable_key_rotation (Optional[bool]) – Indicates whether AWS KMS rotates the key. Default: false

  • policy (Optional[PolicyDocument]) – Custom policy document to attach to the KMS key. Default: - A policy document with permissions for the account root to administer the key will be created.

  • removal_policy (Optional[RemovalPolicy]) – Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired. Default: RemovalPolicy.Retain

Return type

None
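
A defender-side check for the defaults listed above, as an added example that is not part of the CDK documentation or code: it reads a synthesized CloudFormation template and flags keys without rotation (enable_key_rotation defaults to false), keys whose DeletionPolicy is not Retain, and key policy statements that allow a wildcard principal. The function names, finding labels and sample template are assumptions constructed for illustration.

```python
# Added example: audit AWS::KMS::Key resources in a synthesized template.
# Property names are CloudFormation's; the sample template is constructed.

def _wildcard(principal):
    """True if a policy Principal is "*" or contains "*" under any key."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" or (isinstance(v, list) and "*" in v)
                   for v in principal.values())
    return False

def audit_kms_keys(template):
    """Return {logical_id: [finding, ...]} for each AWS::KMS::Key resource."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        props = res.get("Properties", {})
        issues = []
        # enable_key_rotation defaults to false, so an absent property counts.
        if props.get("EnableKeyRotation") is not True:
            issues.append("rotation-disabled")
        # Anything but Retain deletes the key with the stack; data encrypted
        # under it can no longer be decrypted.
        if res.get("DeletionPolicy") != "Retain":
            issues.append("not-retained")
        stmts = props.get("KeyPolicy", {}).get("Statement", [])
        if isinstance(stmts, dict):  # a single statement may be a bare object
            stmts = [stmts]
        for s in stmts:
            if (s.get("Effect") == "Allow" and "Condition" not in s
                    and _wildcard(s.get("Principal"))):
                issues.append("wildcard-principal")
                break
        report[logical_id] = issues
    return report

ROOT = "arn:aws:iam::111122223333:root"  # constructed account id
SAMPLE = {"Resources": {
    "DefaultsKey": {"Type": "AWS::KMS::Key", "DeletionPolicy": "Retain",
        "Properties": {"KeyPolicy": {"Statement": [
            {"Effect": "Allow", "Action": "kms:*", "Resource": "*",
             "Principal": {"AWS": ROOT}}]}}},
    "OpenKey": {"Type": "AWS::KMS::Key", "DeletionPolicy": "Delete",
        "Properties": {"EnableKeyRotation": True, "KeyPolicy": {"Statement":
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
             "Principal": "*"}}}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}
```

Run audit_kms_keys on the JSON template produced by cdk synth (loaded with json.load) in a CI step and fail the build when any key reports findings.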

Methods

add_alias(alias_name)

Defines a new alias for the key.

Parameters

alias_name (str) –

Return type

Alias

add_to_resource_policy(statement, allow_no_op=None)

Adds a statement to the KMS key resource policy.

Parameters
  • statement (PolicyStatement) – The policy statement to add.

  • allow_no_op (Optional[bool]) – If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.

Return type

None

grant(grantee, *actions)

Grant the indicated permissions on this key to the given principal.

This modifies both the principal’s policy and the resource policy, because the default CloudFormation setup for KMS keys requires that the key policy not be empty, so default grants won’t work.

Parameters
Return type

Grant

grant_decrypt(grantee)

Grant decryption permissions using this key to the given principal.

Parameters

grantee (IGrantable) –

Return type

Grant

grant_encrypt(grantee)

Grant encryption permissions using this key to the given principal.

Parameters

grantee (IGrantable) –

Return type

Grant

grant_encrypt_decrypt(grantee)

Grant encryption and decryption permissions using this key to the given principal.

Parameters

grantee (IGrantable) –

Return type

Grant

to_string()

Returns a string representation of this construct.

Return type

str

Attributes

key_arn

The ARN of the key.

Return type

str

key_id

The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).

Return type

str

node

Construct tree node which offers APIs for interacting with the construct tree.

Return type

ConstructNode

stack

The stack in which this resource is defined.

Return type

Stack

Static Methods

classmethod from_key_arn(scope, id, key_arn)

Import an externally defined KMS Key using its ARN.

Parameters
  • scope (Construct) – the construct that will “own” the imported key.

  • id (str) – the id of the imported key in the construct tree.

  • key_arn (str) – the ARN of an existing KMS key.

Return type

IKey

classmethod is_construct(x)

Return whether the given object is a Construct.

Parameters

x (Any) –

Return type

bool