@Generated(value="jsii-pacmak/1.73.0 (build 6faeda3)", date="2023-01-31T18:36:51.659Z") public class Key extends Resource implements IKey
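Example:

```java
import software.amazon.awscdk.services.dynamodb.*;
import software.amazon.awscdk.services.kms.*;

// Customer-managed KMS key with automatic key rotation enabled
Key encryptionKey = Key.Builder.create(this, "Key")
        .enableKeyRotation(true)
        .build();
// DynamoDB table encrypted with that customer-managed key
Table table = Table.Builder.create(this, "MyTable")
        .partitionKey(Attribute.builder().name("id").type(AttributeType.STRING).build())
        .encryption(TableEncryption.CUSTOMER_MANAGED)
        .encryptionKey(encryptionKey)
        .build();
```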
Modifier and Type | Class and Description |
---|---|
static class | `Key.Builder` A fluent builder for `Key`. |
IKey.Jsii$Default, IKey.Jsii$Proxy
Modifier | Constructor and Description |
---|---|
protected | `Key(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)` |
protected | `Key(software.amazon.jsii.JsiiObjectRef objRef)` |
public | `Key(software.constructs.Construct scope, java.lang.String id)` |
public | `Key(software.constructs.Construct scope, java.lang.String id, KeyProps props)` |
Modifier and Type | Method and Description |
---|---|
Alias | `addAlias(java.lang.String aliasName)` Defines a new alias for the key. |
AddToResourcePolicyResult | `addToResourcePolicy(PolicyStatement statement)` Adds a statement to the KMS key resource policy. |
AddToResourcePolicyResult | `addToResourcePolicy(PolicyStatement statement, java.lang.Boolean allowNoOp)` Adds a statement to the KMS key resource policy. |
static IKey | `fromCfnKey(CfnKey cfnKey)` |
static IKey | `fromKeyArn(software.constructs.Construct scope, java.lang.String id, java.lang.String keyArn)` Import an externally defined KMS Key using its ARN. |
static IKey | `fromLookup(software.constructs.Construct scope, java.lang.String id, KeyLookupOptions options)` Import an existing Key by querying the AWS environment this stack is deployed to. |
java.lang.String | `getKeyArn()` The ARN of the key. |
java.lang.String | `getKeyId()` The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab). |
protected PolicyDocument | `getPolicy()` Optional policy document that represents the resource policy of this key. |
protected java.lang.Boolean | `getTrustAccountIdentities()` Optional property to control trusting account identities. |
Grant | `grant(IGrantable grantee, java.lang.String... actions)` Grant the indicated permissions on this key to the given principal. |
Grant | `grantAdmin(IGrantable grantee)` Grant admin permissions using this key to the given principal. |
Grant | `grantDecrypt(IGrantable grantee)` Grant decryption permissions using this key to the given principal. |
Grant | `grantEncrypt(IGrantable grantee)` Grant encryption permissions using this key to the given principal. |
Grant | `grantEncryptDecrypt(IGrantable grantee)` Grant encryption and decryption permissions using this key to the given principal. |
protected java.util.List<java.lang.String> | `validate()` Validate the current construct. |
applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
applyRemovalPolicy, getEnv, getStack
getNode
protected Key(software.amazon.jsii.JsiiObjectRef objRef)
protected Key(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public Key(software.constructs.Construct scope, java.lang.String id, KeyProps props)
- scope - This parameter is required.
- id - This parameter is required.
- props -

public Key(software.constructs.Construct scope, java.lang.String id)
- scope - This parameter is required.
- id - This parameter is required.

public static IKey fromCfnKey(CfnKey cfnKey)

`IKey` based on a low-level `CfnKey`.

This is most useful when combined with the cloudformation-include module. This method is different than `fromKeyArn()` because the `IKey` returned from this method is mutable; meaning, calling any mutating methods on it, like `IKey.addToResourcePolicy()`, will actually be reflected in the resulting template, as opposed to the object returned from `fromKeyArn()`, on which calling those methods would have no effect.
- cfnKey - This parameter is required.

public static IKey fromKeyArn(software.constructs.Construct scope, java.lang.String id, java.lang.String keyArn)
- scope - the construct that will "own" the imported key. This parameter is required.
- id - the id of the imported key in the construct tree. This parameter is required.
- keyArn - the ARN of an existing KMS key. This parameter is required.

public static IKey fromLookup(software.constructs.Construct scope, java.lang.String id, KeyLookupOptions options)
This function only needs to be used to use Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the `Key` object between stacks and use it as normal. In addition, it's not necessary to use this method if an interface accepts an `IKey`. In this case, `Alias.fromAliasName()` can be used which returns an alias that extends `IKey`.

Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).

The Key information will be cached in `cdk.context.json` and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the `cdk context` command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
- scope - This parameter is required.
- id - This parameter is required.
- options - This parameter is required.

public Alias addAlias(java.lang.String aliasName)

public AddToResourcePolicyResult addToResourcePolicy(PolicyStatement statement, java.lang.Boolean allowNoOp)

addToResourcePolicy in interface IKey
- statement - The policy statement to add. This parameter is required.
- allowNoOp - If this is set to `false` and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.

public AddToResourcePolicyResult addToResourcePolicy(PolicyStatement statement)

addToResourcePolicy in interface IKey
- statement - The policy statement to add. This parameter is required.

public Grant grant(IGrantable grantee, java.lang.String... actions)
This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.
public Grant grantAdmin(IGrantable grantee)
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
- grantee - This parameter is required.

public Grant grantDecrypt(IGrantable grantee)

grantDecrypt in interface IKey
- grantee - This parameter is required.

public Grant grantEncrypt(IGrantable grantee)

grantEncrypt in interface IKey
- grantee - This parameter is required.

public Grant grantEncryptDecrypt(IGrantable grantee)

grantEncryptDecrypt in interface IKey
- grantee - This parameter is required.

protected java.util.List<java.lang.String> validate()
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.
public java.lang.String getKeyArn()
public java.lang.String getKeyId()
protected java.lang.Boolean getTrustAccountIdentities()
If specified, grants will default to identity policies instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.
protected PolicyDocument getPolicy()
If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.
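
The following is an added example, not taken from the CDK documentation or project code. It shows the `grantAdmin` / `grantEncryptDecrypt` split between managing and using a key, and how `addToResourcePolicy` behaves on a key defined in the app versus one imported with `fromKeyArn`, where the default call is a no-op and `allowNoOp=false` makes it fail instead. It assumes the CDK v1 Java bindings; the stack, construct ids, roles and the account number in the ARN are hypothetical placeholders.

```java
import java.util.List;
import software.amazon.awscdk.core.App;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awscdk.services.kms.IKey;
import software.amazon.awscdk.services.kms.Key;

public class KeyPolicyExample {
    public static void main(String[] args) {
        App app = new App();
        Stack stack = new Stack(app, "KeyPolicyExample"); // hypothetical stack

        // Hypothetical roles: one manages the key, the other uses it.
        Role keyAdmin = Role.Builder.create(stack, "KeyAdmin")
                .assumedBy(new AccountRootPrincipal()).build();
        Role appRole = Role.Builder.create(stack, "AppRole")
                .assumedBy(new ServicePrincipal("lambda.amazonaws.com")).build();

        Key owned = Key.Builder.create(stack, "OwnedKey").enableKeyRotation(true).build();
        owned.grantAdmin(keyAdmin);          // manage the key, no cryptographic use
        owned.grantEncryptDecrypt(appRole);  // use the key, no management rights

        // Read-only statement used to observe where policy edits take effect.
        PolicyStatement audit = PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("kms:DescribeKey", "kms:GetKeyPolicy"))
                .principals(List.of(keyAdmin))
                .resources(List.of("*"))
                .build();

        // Key defined in this app: the statement goes into the synthesized key policy.
        System.out.println("owned key, statementAdded = "
                + owned.addToResourcePolicy(audit).getStatementAdded());

        // Placeholder ARN (constructed). An imported key carries no policy document,
        // so the default call changes nothing; check the result instead of assuming.
        IKey imported = Key.fromKeyArn(stack, "ImportedKey",
                "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab");
        System.out.println("imported key, statementAdded = "
                + imported.addToResourcePolicy(audit).getStatementAdded());

        // allowNoOp=false turns the silent no-op into a failure at synthesis time.
        try {
            imported.addToResourcePolicy(audit, false);
        } catch (RuntimeException e) {
            System.out.println("imported key rejected the statement: " + e.getMessage());
        }
        app.synth();
    }
}
```

Passing `false` for `allowNoOp` is the safer default in code that may receive either kind of `IKey`, because a restriction you intended to add to the key policy cannot be dropped without notice.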