Package software.amazon.awscdk.services.kms

Class Key

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.core.Construct
software.amazon.awscdk.core.Resource
software.amazon.awscdk.services.kms.Key
All Implemented Interfaces:
IConstruct, IDependable, IResource, IKey, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
@Generated(value="jsii-pacmak/1.84.0 (build 5404dcf)", date="2023-06-19T16:30:37.304Z") @Stability(Stable) public class Key extends Resource implements IKey
Defines a KMS key.

Example: 

 import software.amazon.awscdk.services.kms.*;
 Key encryptionKey = Key.Builder.create(this, "Key")
         .enableKeyRotation(true)
         .build();
 Table table = Table.Builder.create(this, "MyTable")
         .partitionKey(Attribute.builder().name("id").type(AttributeType.STRING).build())
         .encryption(TableEncryption.CUSTOMER_MANAGED)
         .encryptionKey(encryptionKey)
         .build();

  • Constructor Details

    • Key

      protected Key(software.amazon.jsii.JsiiObjectRef objRef)

    • Key

      protected Key(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • Key

      @Stability(Stable) public Key(@NotNull software.constructs.Construct scope, @NotNull String id, @Nullable KeyProps props)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      props -

    • Key

      @Stability(Stable) public Key(@NotNull software.constructs.Construct scope, @NotNull String id)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.

  • Method Details

    • fromCfnKey

      @Stability(Stable) @NotNull public static IKey fromCfnKey(@NotNull CfnKey cfnKey)
      Create a mutable IKey based on a low-level CfnKey.

      This is most useful when combined with the cloudformation-include module. This method is different than

      invalid @link 
      fromKeyArn()
      because the IKey returned from this method is mutable; meaning, calling any mutating methods on it, like
      invalid @link 
      {@link IKey.addToResourcePolicy()
      }, will actually be reflected in the resulting template, as opposed to the object returned from
      invalid @link 
      fromKeyArn()
      , on which calling those methods would have no effect.

      Parameters:
      cfnKey - This parameter is required.

    • fromKeyArn

      @Stability(Stable) @NotNull public static IKey fromKeyArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String keyArn)
      Import an externally defined KMS Key using its ARN.

      Parameters:
      scope - the construct that will "own" the imported key. This parameter is required.
      id - the id of the imported key in the construct tree. This parameter is required.
      keyArn - the ARN of an existing KMS key. This parameter is required.

    • fromLookup

      @Stability(Stable) @NotNull public static IKey fromLookup(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull KeyLookupOptions options)
      Import an existing Key by querying the AWS environment this stack is deployed to.

      This function only needs to be used to use Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the Key object between stacks and use it as normal. In addition, it's not necessary to use this method if an interface accepts an IKey. In this case, Alias.fromAliasName() can be used which returns an alias that extends IKey.

      Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).

      The Key information will be cached in cdk.context.json and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      options - This parameter is required.

    • addAlias

      @Stability(Stable) @NotNull public Alias addAlias(@NotNull String aliasName)
      Defines a new alias for the key.

      Specified by:
      addAlias in interface IKey
      Parameters:
      aliasName - This parameter is required.

    • addToResourcePolicy

      @Stability(Stable) @NotNull public AddToResourcePolicyResult addToResourcePolicy(@NotNull PolicyStatement statement, @Nullable Boolean allowNoOp)
      Adds a statement to the KMS key resource policy.

      Specified by:
      addToResourcePolicy in interface IKey
      Parameters:
      statement - The policy statement to add. This parameter is required.
      allowNoOp - If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.

    • addToResourcePolicy

      @Stability(Stable) @NotNull public AddToResourcePolicyResult addToResourcePolicy(@NotNull PolicyStatement statement)
      Adds a statement to the KMS key resource policy.

      Specified by:
      addToResourcePolicy in interface IKey
      Parameters:
      statement - The policy statement to add. This parameter is required.

    • grant

      @Stability(Stable) @NotNull public Grant grant(@NotNull IGrantable grantee, @NotNull @NotNull String... actions)
      Grant the indicated permissions on this key to the given principal.

      This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.

      Specified by:
      grant in interface IKey
      Parameters:
      grantee - This parameter is required.
      actions - This parameter is required.

    • grantAdmin

      @Stability(Stable) @NotNull public Grant grantAdmin(@NotNull IGrantable grantee)
      Grant admins permissions using this key to the given principal.

      Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).

      Parameters:
      grantee - This parameter is required.

    • grantDecrypt

      @Stability(Stable) @NotNull public Grant grantDecrypt(@NotNull IGrantable grantee)
      Grant decryption permissions using this key to the given principal.

      Specified by:
      grantDecrypt in interface IKey
      Parameters:
      grantee - This parameter is required.

    • grantEncrypt

      @Stability(Stable) @NotNull public Grant grantEncrypt(@NotNull IGrantable grantee)
      Grant encryption permissions using this key to the given principal.

      Specified by:
      grantEncrypt in interface IKey
      Parameters:
      grantee - This parameter is required.

    • grantEncryptDecrypt

      @Stability(Stable) @NotNull public Grant grantEncryptDecrypt(@NotNull IGrantable grantee)
      Grant encryption and decryption permissions using this key to the given principal.

      Specified by:
      grantEncryptDecrypt in interface IKey
      Parameters:
      grantee - This parameter is required.

    • validate

      @Stability(Stable) @NotNull protected List<String> validate()
      Validate the current construct.

      This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

      Overrides:
      validate in class Construct
      Returns:
      An array of validation error messages, or an empty array if the construct is valid.

    • getKeyArn

      @Stability(Stable) @NotNull public String getKeyArn()
      The ARN of the key.
      Specified by:
      getKeyArn in interface IKey

    • getKeyId

      @Stability(Stable) @NotNull public String getKeyId()
      The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
      Specified by:
      getKeyId in interface IKey

    • getTrustAccountIdentities

      @Stability(Stable) @NotNull protected Boolean getTrustAccountIdentities()
      Optional property to control trusting account identities.

      If specified, grants will default identity policies instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.

    • getPolicy

      @Stability(Stable) @Nullable protected PolicyDocument getPolicy()
      Optional policy document that represents the resource policy of this key.

      If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.