replica_keys
Creates, updates, deletes or gets a replica_key resource or lists replica_keys in a region
Overview
| Name | replica_keys |
| Type | Resource |
| Description | The AWS::KMS::ReplicaKey resource specifies a multi-region replica AWS KMS key in AWS Key Management Service (AWS KMS). |
| Id | aws.kms.replica_keys |
Fields
| Name | Datatype | Description |
|---|---|---|
description | string | A description of the AWS KMS key. Use a description that helps you to distinguish this AWS KMS key from others in the account, such as its intended use. |
pending_window_in_days | integer | Specifies the number of days in the waiting period before AWS KMS deletes an AWS KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. |
key_policy | object | The key policy that authorizes use of the AWS KMS key. The key policy must observe the following rules. |
primary_key_arn | string | Identifies the primary AWS KMS key to create a replica of. Specify the Amazon Resource Name (ARN) of the AWS KMS key. You cannot specify an alias or key ID. For help finding the ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide. |
enabled | boolean | Specifies whether the AWS KMS key is enabled. Disabled AWS KMS keys cannot be used in cryptographic operations. |
key_id | string | |
arn | string | |
tags | array | An array of key-value pairs to apply to this resource. |
region | string | AWS region. |
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | PrimaryKeyArn, KeyPolicy, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all replica_keys in a region.
SELECT
region,
description,
pending_window_in_days,
key_policy,
primary_key_arn,
enabled,
key_id,
arn,
tags
FROM aws.kms.replica_keys
WHERE region = 'us-east-1';
Gets all properties from an individual replica_key.
SELECT
region,
description,
pending_window_in_days,
key_policy,
primary_key_arn,
enabled,
key_id,
arn,
tags
FROM aws.kms.replica_keys
WHERE region = 'us-east-1' AND data__Identifier = '<KeyId>';
INSERT example
Use the following StackQL query and manifest file to create a new replica_key resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.kms.replica_keys (
KeyPolicy,
PrimaryKeyArn,
region
)
SELECT
'{{ KeyPolicy }}',
'{{ PrimaryKeyArn }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.kms.replica_keys (
Description,
PendingWindowInDays,
KeyPolicy,
PrimaryKeyArn,
Enabled,
Tags,
region
)
SELECT
'{{ Description }}',
'{{ PendingWindowInDays }}',
'{{ KeyPolicy }}',
'{{ PrimaryKeyArn }}',
'{{ Enabled }}',
'{{ Tags }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: replica_key
props:
- name: Description
value: '{{ Description }}'
- name: PendingWindowInDays
value: '{{ PendingWindowInDays }}'
- name: KeyPolicy
value: {}
- name: PrimaryKeyArn
value: '{{ PrimaryKeyArn }}'
- name: Enabled
value: '{{ Enabled }}'
- name: Tags
value:
- Value: '{{ Value }}'
Key: '{{ Key }}'
DELETE example
/*+ delete */
DELETE FROM aws.kms.replica_keys
WHERE data__Identifier = '<KeyId>'
AND region = 'us-east-1';
Permissions
To operate on the replica_keys resource, the following permissions are required:
Read
kms:DescribeKey,
kms:GetKeyPolicy,
kms:ListResourceTags
Create
kms:ReplicateKey,
kms:CreateKey,
kms:DescribeKey,
kms:DisableKey,
kms:TagResource
Update
kms:DescribeKey,
kms:DisableKey,
kms:EnableKey,
kms:PutKeyPolicy,
kms:TagResource,
kms:UntagResource,
kms:UpdateKeyDescription
List
kms:ListKeys,
kms:DescribeKey
Delete
kms:DescribeKey,
kms:ScheduleKeyDeletion