
aliases

Creates, updates, deletes or gets an alias resource or lists aliases in a region

Overview

Name: aliases
Type: Resource
Id: aws.kms.aliases

Description:

The AWS::KMS::Alias resource specifies a display name for a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). You can use an alias to identify a KMS key in the KMS console, in the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation, and in [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), such as [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) and [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html).

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see [ABAC for KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *Developer Guide*.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see [Using aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) in the *Developer Guide*.

When specifying an alias, observe the following rules.
+ Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.
+ The alias and its associated KMS key must be in the same AWS account and Region.
+ The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a KMS key in its Region.
+ Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).

*Regions*

KMS CloudFormation resources are available in all AWS Regions in which KMS and CloudFormation are supported.

Fields

target_key_id (string)

Associates the alias with the specified [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). The KMS key must be in the same AWS account and Region.

A valid key ID is required. If you supply a null or empty string value, this operation returns an error.

For help finding the key ID and ARN, see [Finding the key ID and ARN](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *Developer Guide*.

Specify the key ID or the key ARN of the KMS key. For example:
+ Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+ Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) or [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html).

alias_name (string)

Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.

If you change the value of the AliasName property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC).

The alias must be a string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).

region (string)

AWS region.
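The naming and target-key rules above (the alias rules in the Overview and the target_key_id and alias_name field descriptions) can be checked locally before running an INSERT, or over the rows returned by the SELECT examples, so that a mis-named alias or a cross-Region key reference is caught before it changes ABAC-controlled access. The following is an added Python example, not StackQL's or AWS's own code; it assumes KMS key IDs are lowercase UUID-shaped hex as in the page's example, and the sample rows are constructed.

```python
import re
from typing import Optional

# Alias name charset documented for AWS::KMS::Alias: letters, digits, "/", "_", "-".
ALIAS_CHARSET = re.compile(r"^[A-Za-z0-9/_-]+$")
# KMS key IDs are UUID-shaped (assumption: lowercase hex, matching the page's example).
KEY_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Key ARN shape taken from the page's example: arn:aws:kms:<region>:<account>:key/<key-id>
KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]+)$"
)


def validate_alias_name(name: Optional[str]) -> list[str]:
    """Return the documented alias-name rules that `name` violates (empty list = valid)."""
    if not isinstance(name, str) or not 1 <= len(name) <= 256:
        return ["alias name must be a string of 1-256 characters"]
    problems = []
    if not name.startswith("alias/"):
        problems.append("alias name must begin with alias/")
    elif name == "alias/":
        problems.append("alias/ must be followed by a name")
    if name.startswith("alias/aws/"):
        problems.append("the alias/aws/ prefix is reserved for AWS managed keys")
    if not ALIAS_CHARSET.match(name):
        problems.append("alias name may contain only alphanumerics, /, _ and -")
    return problems


def validate_target_key_id(target: Optional[str], alias_region: str,
                           account: Optional[str] = None) -> list[str]:
    """Check that `target` is a key ID or key ARN, and that an ARN stays in the alias's
    Region (and, when `account` is given, in the same account)."""
    if not target:
        return ["target key ID must not be null or empty"]
    if KEY_ID.match(target):
        return []  # bare key ID: Region/account cannot be checked from the value alone
    m = KEY_ARN.match(target)
    if m is None:
        return ["target must be a KMS key ID or key ARN"]
    problems = []
    if not KEY_ID.match(m["key_id"]):
        problems.append("key ARN does not end in a well-formed key ID")
    if m["region"] != alias_region:
        problems.append(f"key ARN region {m['region']} does not match alias region {alias_region}")
    if account is not None and m["account"] != account:
        problems.append(f"key ARN account {m['account']} does not match expected account {account}")
    return problems


def check_alias_row(row: dict, account: Optional[str] = None) -> list[str]:
    """Validate one row shaped like the SELECT output above: region, target_key_id, alias_name."""
    region = row.get("region") or ""
    problems = [f"alias_name: {p}" for p in validate_alias_name(row.get("alias_name"))]
    problems += [f"target_key_id: {p}"
                 for p in validate_target_key_id(row.get("target_key_id"), region, account)]
    if not region:
        problems.append("region: region is required")
    return problems


def audit(rows: list[dict], account: Optional[str] = None) -> list[tuple[str, str, list[str]]]:
    """Return (region, alias_name, problems) for every row that violates a rule."""
    findings = []
    for r in rows:
        problems = check_alias_row(r, account)
        if problems:
            findings.append((r.get("region"), r.get("alias_name"), problems))
    return findings


# Constructed sample rows (hypothetical account and key, reused from the page's example values).
SAMPLE_ROWS = [
    {"region": "us-east-2", "alias_name": "alias/projectKey",
     "target_key_id": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    # same alias name in another Region is allowed, but this one points at a key in us-east-2
    {"region": "us-east-1", "alias_name": "alias/projectKey",
     "target_key_id": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"region": "us-east-1", "alias_name": "alias/aws/custom",
     "target_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"region": "us-east-1", "alias_name": "alias/bad name", "target_key_id": ""},
]

if __name__ == "__main__":
    for region, alias, problems in audit(SAMPLE_ROWS):
        print(f"{region} {alias}:")
        for p in problems:
            print(f"  - {p}")
```

Run the same `check_alias_row` on the values you intend to pass to the INSERT example; the cross-Region ARN check is the one that matters most, because the alias and its key must be in the same account and Region, and a rename of an existing alias (which deletes and recreates it) is the moment an ABAC-scoped policy can silently start or stop matching.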

Methods

| Name | Accessible by | Required Params |
| --- | --- | --- |
| create_resource | INSERT | AliasName, TargetKeyId, region |
| delete_resource | DELETE | data__Identifier, region |
| update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
| list_resources | SELECT | region |
| get_resource | SELECT | data__Identifier, region |

SELECT examples

Gets all aliases in a region.

```sql
SELECT
  region,
  target_key_id,
  alias_name
FROM aws.kms.aliases
WHERE region = 'us-east-1';
```

Gets all properties from an individual alias.

```sql
SELECT
  region,
  target_key_id,
  alias_name
FROM aws.kms.aliases
WHERE region = 'us-east-1' AND data__Identifier = '<AliasName>';
```

INSERT example

Use the following StackQL query, together with a stack-deploy manifest file that supplies the TargetKeyId, AliasName and region values for the template placeholders, to create a new alias resource using stack-deploy.

```sql
/*+ create */
INSERT INTO aws.kms.aliases (
  TargetKeyId,
  AliasName,
  region
)
SELECT
  '{{ TargetKeyId }}',
  '{{ AliasName }}',
  '{{ region }}';
```

DELETE example

```sql
/*+ delete */
DELETE FROM aws.kms.aliases
WHERE data__Identifier = '<AliasName>'
AND region = 'us-east-1';
```

Permissions

To operate on the aliases resource, the following permissions are required:

+ Read: kms:ListAliases
+ Create: kms:CreateAlias
+ Update: kms:UpdateAlias
+ List: kms:ListAliases
+ Delete: kms:DeleteAlias