@aws-cdk/aws-kms
The CDK Construct Library for AWS::KMS
npm install @aws-cdk/aws-kms@1.85.0
Key
- Implements: IKey
Defines a KMS key.
import { Key } from '@aws-cdk/aws-kms'
new Key(scope: Construct, id: string, props?: KeyProps)
- scope (Type: Construct)
- id (Type: string)
- props (Type: KeyProps)
| Name | Description |
|---|---|
| toString | Returns a string representation of this construct. |
| addAlias | Defines a new alias for the key. |
| addToResourcePolicy | Adds a statement to the KMS key resource policy. |
| grant | Grant the indicated permissions on this key to the given principal. |
| grantAdmin | Grant admin permissions using this key to the given principal. |
| grantDecrypt | Grant decryption permissions using this key to the given principal. |
| grantEncrypt | Grant encryption permissions using this key to the given principal. |
| grantEncryptDecrypt | Grant encryption and decryption permissions using this key to the given principal. |
public toString(): string
Returns a string representation of this construct.
public addAlias(aliasName: string): Alias
Defines a new alias for the key.
- aliasName (Type: string)
public addToResourcePolicy(statement: PolicyStatement, allowNoOp?: boolean): AddToResourcePolicyResult
Adds a statement to the KMS key resource policy.
- statement (Type: PolicyStatement)
The policy statement to add.
- allowNoOp (Type: boolean)
If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
public grant(grantee: IGrantable, actions: string): Grant
Grant the indicated permissions on this key to the given principal.
This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.
- grantee (Type: IGrantable)
- actions (Type: string)
public grantAdmin(grantee: IGrantable): Grant
Grant admin permissions using this key to the given principal.
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
- grantee (Type: IGrantable)
public grantDecrypt(grantee: IGrantable): Grant
Grant decryption permissions using this key to the given principal.
- grantee (Type: IGrantable)
public grantEncrypt(grantee: IGrantable): Grant
Grant encryption permissions using this key to the given principal.
- grantee (Type: IGrantable)
public grantEncryptDecrypt(grantee: IGrantable): Grant
Grant encryption and decryption permissions using this key to the given principal.
- grantee (Type: IGrantable)
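The split that grantAdmin describes (administrators manage the key but cannot use it for cryptographic operations) can be checked against a key policy document. The following is an added example, not code from this page or from the aws-kms library; `auditKeyPolicy`, `matches`, the `ADMIN_ACTIONS` subset and the sample policy are assumptions, and the check ignores `NotAction`, `Condition` and identity-based policies.

```typescript
// Added example: flags principals that a key policy allows both to manage a KMS
// key and to use it in cryptographic operations.
type Statement = { Sid?: string; Effect: string; Principal: unknown; Action: string | string[] };
type KeyPolicy = { Statement: Statement[] };

// Cryptographic-use actions.
const USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
  "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"];
// A representative subset of key-management actions, chosen for this example.
const ADMIN_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
  "kms:RevokeGrant", "kms:UpdateKeyDescription"];

// IAM action patterns are case-insensitive and support * and ? wildcards.
function matches(pattern: string, action: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(action);
}

// Returns the JSON-encoded Principal of every principal whose Allow statements,
// taken together, cover at least one admin action and one use action.
function auditKeyPolicy(policy: KeyPolicy): string[] {
  const seen: Record<string, { admin: boolean; use: boolean }> = {};
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue; // Deny statements grant nothing
    const patterns = Array.isArray(st.Action) ? st.Action : [st.Action];
    const grants = (set: string[]) => set.some(a => patterns.some(p => matches(p, a)));
    const key = JSON.stringify(st.Principal);
    const cur = seen[key] || { admin: false, use: false };
    seen[key] = { admin: cur.admin || grants(ADMIN_ACTIONS), use: cur.use || grants(USE_ACTIONS) };
  }
  return Object.keys(seen).filter(k => seen[k].admin && seen[k].use);
}

// Constructed sample policy; the account ID and role names are placeholders.
const samplePolicy: KeyPolicy = { Statement: [
  { Sid: "Admins", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:role/KeyAdmin" },
    Action: ["kms:Put*", "kms:Revoke*", "kms:ScheduleKeyDeletion"] },
  { Sid: "Users", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:role/App" },
    Action: ["kms:Encrypt", "kms:Decrypt"] },
  { Sid: "Ops", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:role/Ops" },
    Action: "kms:*" },
] };

console.log(auditKeyPolicy(samplePolicy));
```

Permissions are aggregated per principal across statements, so a role that receives management actions in one statement and `kms:Decrypt` in another is reported as well.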
| Name | Description |
|---|---|
| isConstruct | Return whether the given object is a Construct. |
| fromKeyArn | Import an externally defined KMS Key using its ARN. |
import { Key } from '@aws-cdk/aws-kms'
Key.isConstruct(x: any)
Return whether the given object is a Construct.
- x (Type: any)
import { Key } from '@aws-cdk/aws-kms'
Key.fromKeyArn(scope: Construct, id: string, keyArn: string)
Import an externally defined KMS Key using its ARN.
- scope (Type: Construct)
The construct that will "own" the imported key.
- id (Type: string)
The id of the imported key in the construct tree.
- keyArn (Type: string)
The ARN of an existing KMS key.
| Name | Type | Description |
|---|---|---|
| node | ConstructNode | The construct tree node associated with this construct. |
| env | ResourceEnvironment | The environment this resource belongs to. |
| stack | Stack | The stack in which this resource is defined. |
| keyArn | string | The ARN of the key. |
| keyId | string | The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab). |
public readonly node: ConstructNode;
- Type: ConstructNode
The construct tree node associated with this construct.
public readonly env: ResourceEnvironment;
- Type: ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
public readonly stack: Stack;
- Type: Stack
The stack in which this resource is defined.
public readonly keyArn: string;
- Type: string
The ARN of the key.
public readonly keyId: string;
- Type: string
The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).