Class Key
Defines a KMS key.
Namespace: Amazon.CDK.AWS.KMS
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class Key : Resource, IKey, IResource
Syntax (vb)
Public Class Key
Inherits Resource
Implements IKey, IResource
Remarks
Resource: AWS::KMS::Key
Examples
// Namespaces this snippet depends on (added for completeness; the snippet below is the page's own example):
using Amazon.CDK.AWS.KMS;
using Amazon.CDK.AWS.S3;
using Amazon.CDK.AWS.S3.Deployment;

// Runs inside a Stack or Construct body. destinationBucket stands for a bucket defined elsewhere in the stack.
Bucket destinationBucket;
// Import the SSE-KMS encrypted source bucket together with its key, so the deployment can be granted
// read access on the bucket and the matching kms:Decrypt on the key.
var sourceBucket = Bucket.FromBucketAttributes(this, "SourceBucket", new BucketAttributes {
    BucketArn = "arn:aws:s3:::my-source-bucket-name",
    EncryptionKey = Key.FromKeyArn(this, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
});
var deployment = new BucketDeployment(this, "DeployFiles", new BucketDeploymentProps {
    Sources = new [] { Source.Bucket(sourceBucket, "source.zip") },
    DestinationBucket = destinationBucket
});
Synopsis
Constructors
Key(ByRefValue) | Used by jsii to construct an instance of this class from a Javascript-owned object reference |
Key(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
Key(Construct, String, IKeyProps) |
Properties
KeyArn | The ARN of the key. |
KeyId | The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab). |
Policy | Optional policy document that represents the resource policy of this key. |
TrustAccountIdentities | Optional property to control trusting account identities. |
Methods
AddAlias(String) | Defines a new alias for the key. |
AddToResourcePolicy(PolicyStatement, Nullable<Boolean>) | Adds a statement to the KMS key resource policy. |
FromCfnKey(CfnKey) | Create a mutable IKey based on a low-level CfnKey. |
FromKeyArn(Construct, String, String) | Import an externally defined KMS Key using its ARN. |
FromLookup(Construct, String, IKeyLookupOptions) | Import an existing Key by querying the AWS environment this stack is deployed to. |
Grant(IGrantable, String[]) | Grant the indicated permissions on this key to the given principal. |
GrantAdmin(IGrantable) | Grant admin permissions on this key to the given principal. |
GrantDecrypt(IGrantable) | Grant decryption permissions using this key to the given principal. |
GrantEncrypt(IGrantable) | Grant encryption permissions using this key to the given principal. |
GrantEncryptDecrypt(IGrantable) | Grant encryption and decryption permissions using this key to the given principal. |
GrantGenerateMac(IGrantable) | Grant permissions to generate MACs with this key to the given principal. |
GrantVerifyMac(IGrantable) | Grant permissions to verify MACs with this key to the given principal. |
Constructors
Key(ByRefValue)
Used by jsii to construct an instance of this class from a Javascript-owned object reference
protected Key(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The Javascript-owned object reference
Key(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected Key(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
Key(Construct, String, IKeyProps)
public Key(Construct scope, string id, IKeyProps props = null)
Parameters
- scope Constructs.Construct
- id System.String
- props IKeyProps
Properties
KeyArn
The ARN of the key.
public virtual string KeyArn { get; }
Property Value
System.String
KeyId
The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
public virtual string KeyId { get; }
Property Value
System.String
Policy
Optional policy document that represents the resource policy of this key.
protected virtual PolicyDocument Policy { get; }
Property Value
PolicyDocument
Remarks
If specified, AddToResourcePolicy can be used to edit this policy. Otherwise that method will no-op.
TrustAccountIdentities
Optional property to control trusting account identities.
protected virtual bool TrustAccountIdentities { get; }
Property Value
System.Boolean
Remarks
If set, grants will default to identity policies only, instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.
Methods
AddAlias(String)
Defines a new alias for the key.
public virtual Alias AddAlias(string aliasName)
Parameters
- aliasName System.String
Returns
Alias
AddToResourcePolicy(PolicyStatement, Nullable<Boolean>)
Adds a statement to the KMS key resource policy.
public virtual IAddToResourcePolicyResult AddToResourcePolicy(PolicyStatement statement, Nullable<bool> allowNoOp = null)
Parameters
- statement PolicyStatement
The policy statement to add.
- allowNoOp System.Nullable<System.Boolean>
If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
Returns
IAddToResourcePolicyResult
FromCfnKey(CfnKey)
Create a mutable IKey based on a low-level CfnKey.
public static IKey FromCfnKey(CfnKey cfnKey)
Parameters
- cfnKey CfnKey
Returns
IKey
Remarks
This is most useful when combined with the cloudformation-include module.
This method is different from FromKeyArn() because the IKey returned from this method is mutable: calling any mutating method on it, such as IKey.AddToResourcePolicy(), will actually be reflected in the resulting template, whereas on the object returned from FromKeyArn() those calls have no effect.
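The mutability difference described above, shown as an added example (not code from the page or from the CDK project): an included legacy template is the assumption, as are the template file name, the logical id "LegacyKey" and the reader role ARN.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.KMS;
using Amazon.CDK.CloudFormation.Include;
using Constructs;

public class KeyPolicyStack : Stack
{
    public KeyPolicyStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
    {
        // Hypothetical legacy template that already declares an AWS::KMS::Key with logical id "LegacyKey".
        var include = new CfnInclude(this, "LegacyTemplate", new CfnIncludeProps
        {
            TemplateFile = "legacy-template.json"
        });
        var cfnKey = (CfnKey)include.GetResource("LegacyKey");

        // Read-only grant for a hypothetical reader role. Resources is "*" because a key policy
        // can only ever apply to the key it is attached to.
        var readerDecrypt = new PolicyStatement(new PolicyStatementProps
        {
            Sid = "AllowReaderRoleDecrypt",
            Actions = new[] { "kms:Decrypt" },
            Principals = new IPrincipal[] { new ArnPrincipal("arn:aws:iam::123456789012:role/reader-role") },
            Resources = new[] { "*" }
        });

        // Mutable handle: the statement is written into the synthesized key policy.
        IKey mutableKey = Key.FromCfnKey(cfnKey);
        var added = mutableKey.AddToResourcePolicy(readerDecrypt);
        // added.StatementAdded is true here.

        // Reference-only handle: nothing is synthesized for it, so by default the same call
        // silently no-ops and the key's real policy is left untouched.
        IKey importedKey = Key.FromKeyArn(this, "ImportedKey",
            "arn:aws:kms:us-east-1:123456789012:key/<key-id>");
        var notAdded = importedKey.AddToResourcePolicy(readerDecrypt);
        if (!notAdded.StatementAdded)
        {
            // Surface the silent no-op at synth time instead of discovering it as an AccessDenied later.
            Annotations.Of(this).AddWarning("Key policy statement was not applied: ImportedKey is not mutable.");
        }

        // Fail hard instead: with allowNoOp = false the call throws for a key that has no policy.
        // importedKey.AddToResourcePolicy(readerDecrypt, allowNoOp: false);
    }
}
```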
FromKeyArn(Construct, String, String)
Import an externally defined KMS Key using its ARN.
public static IKey FromKeyArn(Construct scope, string id, string keyArn)
Parameters
- scope Constructs.Construct
the construct that will "own" the imported key.
- id System.String
the id of the imported key in the construct tree.
- keyArn System.String
the ARN of an existing KMS key.
Returns
IKey
FromLookup(Construct, String, IKeyLookupOptions)
Import an existing Key by querying the AWS environment this stack is deployed to.
public static IKey FromLookup(Construct scope, string id, IKeyLookupOptions options)
Parameters
- scope Constructs.Construct
- id System.String
- options IKeyLookupOptions
Returns
IKey
Remarks
This function only needs to be used for Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the Key object between stacks and use it as normal. In addition, it's not necessary to use this method if an interface accepts an IKey; in that case, Alias.FromAliasName() can be used, which returns an alias that extends IKey.
Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).
The Key information will be cached in cdk.context.json and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
Grant(IGrantable, String[])
Grant the indicated permissions on this key to the given principal.
public virtual Grant Grant(IGrantable grantee, params string[] actions)
Parameters
- grantee IGrantable
- actions System.String[]
Returns
Grant
Remarks
This modifies both the principal's identity policy and the key's resource policy: the default CloudFormation setup for KMS keys requires a non-empty key policy, so identity-policy-only grants would not work on their own.
GrantAdmin(IGrantable)
Grant admin permissions on this key to the given principal.
public virtual Grant GrantAdmin(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant
Remarks
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
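The separation of duties that the Grant and GrantAdmin remarks describe, as an added example (not code from the page or from the CDK project); the alias, the three roles and their trust relationships are assumptions.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.KMS;
using Constructs;

public class SeparatedDutiesStack : Stack
{
    public SeparatedDutiesStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
    {
        var dataKey = new Key(this, "DataKey", new KeyProps
        {
            Alias = "alias/orders-data",          // hypothetical alias
            EnableKeyRotation = true,
            PendingWindow = Duration.Days(30),    // longest deletion waiting period
            RemovalPolicy = RemovalPolicy.RETAIN  // deleting the stack must not schedule key deletion
        });

        // Three hypothetical roles, one per duty.
        var keyAdmin = new Role(this, "KeyAdminRole", new RoleProps
        {
            AssumedBy = new AccountRootPrincipal()
        });
        var producer = new Role(this, "ProducerRole", new RoleProps
        {
            AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
        });
        var consumer = new Role(this, "ConsumerRole", new RoleProps
        {
            AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
        });

        // Administrators manage the key (policy, rotation, deletion scheduling) but receive
        // no kms:Encrypt/kms:Decrypt, so a compromised admin role cannot read protected data.
        dataKey.GrantAdmin(keyAdmin);

        // Producers only encrypt; consumers only decrypt. Neither can change the key policy.
        dataKey.GrantEncrypt(producer);
        dataKey.GrantDecrypt(consumer);

        // Grant() covers actions outside the convenience methods, e.g. letting the consumer
        // inspect key metadata without widening its cryptographic permissions.
        dataKey.Grant(consumer, "kms:DescribeKey");
    }
}
```

Whether these grants also write statements into the key's resource policy depends on TrustAccountIdentities, as described under that property.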
GrantDecrypt(IGrantable)
Grant decryption permissions using this key to the given principal.
public virtual Grant GrantDecrypt(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant
GrantEncrypt(IGrantable)
Grant encryption permissions using this key to the given principal.
public virtual Grant GrantEncrypt(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant
GrantEncryptDecrypt(IGrantable)
Grant encryption and decryption permissions using this key to the given principal.
public virtual Grant GrantEncryptDecrypt(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant
GrantGenerateMac(IGrantable)
Grant permissions to generate MACs with this key to the given principal.
public virtual Grant GrantGenerateMac(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant
GrantVerifyMac(IGrantable)
Grant permissions to verify MACs with this key to the given principal.
public virtual Grant GrantVerifyMac(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
Grant