replica_keys
Creates, updates, deletes or gets a replica_key resource or lists replica_keys in a region
Overview
| Name | replica_keys |
|---|---|
| Type | Resource |
| Description | The AWS::KMS::ReplicaKey resource specifies a multi-region replica AWS KMS key in AWS Key Management Service (AWS KMS). |
| Id | awscc.kms.replica_keys |
Fields
get (all properties)

| Name | Datatype | Description |
|---|---|---|
| description | string | A description of the AWS KMS key. Use a description that helps you to distinguish this AWS KMS key from others in the account, such as its intended use. |
| pending_window_in_days | integer | The number of days in the waiting period before AWS KMS deletes a key that has been scheduled for deletion (here, when the resource is removed with delete_resource). Enter a value between 7 and 30 days. The default value is 30 days. |
| key_policy | object | The key policy that authorizes use of the AWS KMS key. A replica key has its own key policy, independent of the primary key's; it must follow the key policy rules described for AWS::KMS::ReplicaKey. |
| primary_key_arn | string | Identifies the primary AWS KMS key to create a replica of. Specify the Amazon Resource Name (ARN) of the AWS KMS key. You cannot specify an alias or key ID. For help finding the ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide. |
| enabled | boolean | Specifies whether the AWS KMS key is enabled. Disabled AWS KMS keys cannot be used in cryptographic operations. |
| key_id | string | The key ID of the replica key. |
| arn | string | The Amazon Resource Name (ARN) of the replica key. |
| tags | array | An array of key-value pairs to apply to this resource. |
| region | string | AWS region. |

list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| key_id | string | The key ID of the replica key. |
| region | string | AWS region. |
For more information, see AWS::KMS::ReplicaKey.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | replica_keys | INSERT | PrimaryKeyArn, KeyPolicy, region |
delete_resource | replica_keys | DELETE | Identifier, region |
update_resource | replica_keys | UPDATE | Identifier, PatchDocument, region |
list_resources | replica_keys_list_only | SELECT | region |
get_resource | replica_keys | SELECT | Identifier, region |
SELECT examples

get (all properties): gets all properties from an individual replica_key.

```sql
SELECT
region,
description,
pending_window_in_days,
key_policy,
primary_key_arn,
enabled,
key_id,
arn,
tags
FROM awscc.kms.replica_keys
WHERE
region = 'us-east-1' AND
Identifier = '{{ key_id }}';
```
list (identifiers only): lists all replica_keys in a region.

```sql
SELECT
region,
key_id
FROM awscc.kms.replica_keys_list_only
WHERE
region = 'us-east-1';
```
INSERT example

Use the following StackQL query and manifest file to create a new replica_key resource, using stack-deploy.

Required properties:

```sql
/*+ create */
INSERT INTO awscc.kms.replica_keys (
KeyPolicy,
PrimaryKeyArn,
region
)
SELECT
'{{ key_policy }}',
'{{ primary_key_arn }}',
'{{ region }}';
```
All properties:

```sql
/*+ create */
INSERT INTO awscc.kms.replica_keys (
Description,
PendingWindowInDays,
KeyPolicy,
PrimaryKeyArn,
Enabled,
Tags,
region
)
SELECT
'{{ description }}',
'{{ pending_window_in_days }}',
'{{ key_policy }}',
'{{ primary_key_arn }}',
'{{ enabled }}',
'{{ tags }}',
'{{ region }}';
```
Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: replica_key
    props:
      - name: description
        value: '{{ description }}'
      - name: pending_window_in_days
        value: '{{ pending_window_in_days }}'
      - name: key_policy
        # KeyPolicy is a required property: replace the empty placeholder with the real policy document
        value: {}
      - name: primary_key_arn
        value: '{{ primary_key_arn }}'
      - name: enabled
        value: '{{ enabled }}'
      - name: tags
        value:
          - value: '{{ value }}'
            key: '{{ key }}'
```
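The `{{ key_policy }}` placeholder above is the security-relevant input: a replica key carries its own policy, so whatever is inlined here governs access in the replica region regardless of what the primary allows. The following is an added example (not StackQL's or AWS's code) that builds a minimal replica key policy, lints it for the mistakes that matter most (no statements, a wildcard principal with no condition, nobody able to change the policy), and renders the required-properties INSERT with the policy serialised as a properly escaped SQL string literal. The account ID, role ARN, key ARN and region are constructed placeholders.

```python
"""Build, lint and render a key policy for the replica_keys INSERT.

Added example for this page; not StackQL's or AWS's code. The account ID,
role ARN, key ARN and region below are constructed placeholders. A replica
key has its own key policy, independent of the primary's, so the KeyPolicy
passed at create time is what governs access in the replica region.
"""
import json


def build_replica_key_policy(account_id: str, admin_role_arn: str) -> dict:
    """Minimal replica key policy: root keeps control, one role administers.

    Without the root statement the key can become unmanageable. Grant
    cryptographic use (kms:Encrypt, kms:Decrypt, ...) to workloads in
    separate statements or grants instead of widening these two.
    """
    admin_actions = [
        "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
        "kms:EnableKey", "kms:DisableKey", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion", "kms:TagResource", "kms:UntagResource",
        "kms:UpdateKeyDescription",
    ]
    return {
        "Version": "2012-10-17",
        "Id": "replica-key-policy",
        "Statement": [
            {"Sid": "EnableRootAccountAccess", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_role_arn},
             "Action": admin_actions, "Resource": "*"},
        ],
    }


def _as_list(value) -> list:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy: dict) -> list:
    """Return findings for the key policy mistakes that matter most."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return ["no Statement: the key would be created unmanageable"]
    has_admin = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if wildcard and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard principal without a Condition opens the key to any AWS account")
        if any(not a.startswith("kms:") for a in actions):
            findings.append(f"{sid}: non-KMS action has no meaning in a key policy")
        if not wildcard and any(a in ("kms:*", "kms:PutKeyPolicy") for a in actions):
            has_admin = True
    if not has_admin:
        findings.append("no named principal holds kms:PutKeyPolicy: the policy could never be changed")
    return findings


def _sql_literal(text: str) -> str:
    """Quote as a SQL string literal; doubling the quote is the only escape."""
    return "'" + text.replace("'", "''") + "'"


def render_insert(policy: dict, primary_key_arn: str, region: str) -> str:
    """Render the page's required-properties INSERT with the policy inlined."""
    problems = lint_key_policy(policy)
    if problems:
        raise ValueError("refusing to render: " + "; ".join(problems))
    policy_json = json.dumps(policy, separators=(",", ":"))
    return ("/*+ create */\n"
            "INSERT INTO awscc.kms.replica_keys (KeyPolicy, PrimaryKeyArn, region)\n"
            f"SELECT {_sql_literal(policy_json)}, {_sql_literal(primary_key_arn)}, "
            f"{_sql_literal(region)};")


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    policy = build_replica_key_policy("123456789012", "arn:aws:iam::123456789012:role/KmsAdmin")
    print(render_insert(policy, "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "us-west-2"))
```

The lint is deliberately narrow: it does not replace a policy simulator, it catches the three outcomes that are hardest to undo after `create_resource` has run (an unmanageable key, a key open to every AWS account, and a policy nobody is allowed to rewrite). Because the policy is inlined as a string literal, the render step doubles any single quote inside it rather than trusting that a Sid or description never contains one.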
UPDATE example

Use the following StackQL query and manifest file to update a replica_key resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.kms.replica_keys
SET PatchDocument = string('{{ {
"Description": description,
"PendingWindowInDays": pending_window_in_days,
"KeyPolicy": key_policy,
"Enabled": enabled,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ key_id }}';
```
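The PatchDocument that `update_resource` sends is an RFC 6902 JSON Patch against the resource's current properties, and two of the five updatable properties can take the key out of service with a single operation (`Enabled` = false stops every cryptographic operation; a bad `KeyPolicy` can make the key unmanageable). The following is an added example (not StackQL's `generate_patch_document` and not AWS code) that diffs a desired state against the current one, emits the patch operations, and refuses to emit those two kinds of change unless explicitly allowed. The current and desired states are constructed sample data.

```python
"""Plan an RFC 6902 PatchDocument for update_resource, with a safety guard.

Added example for this page; it is not StackQL's generate_patch_document
and not AWS code. The current/desired states used below are constructed.
"""
import json

# Properties the page's UPDATE touches; KeyId, Arn and PrimaryKeyArn are not updatable.
UPDATABLE = ("Description", "PendingWindowInDays", "KeyPolicy", "Enabled", "Tags")


def plan_patch(current: dict, desired: dict, allow_disable: bool = False) -> list:
    """Diff `desired` against `current` and return JSON Patch operations.

    Only properties present in `desired` are touched; a value of None
    removes the property. Raises ValueError for edits that would take the
    key out of service or leave it unmanageable, unless explicitly allowed.
    """
    ops = []
    for prop in UPDATABLE:
        if prop not in desired:
            continue
        path = "/" + prop
        new = desired[prop]
        if new is None:
            if prop in current:
                ops.append({"op": "remove", "path": path})
        elif prop not in current:
            ops.append({"op": "add", "path": path, "value": new})
        elif current[prop] != new:
            ops.append({"op": "replace", "path": path, "value": new})

    for op in ops:
        value = op.get("value")
        if op["path"] == "/Enabled" and value is False and not allow_disable:
            raise ValueError("patch disables the key: nothing encrypted under it can be "
                             "decrypted until it is re-enabled; pass allow_disable=True to confirm")
        if op["path"] == "/PendingWindowInDays" and not (isinstance(value, int) and 7 <= value <= 30):
            raise ValueError("PendingWindowInDays must be an integer between 7 and 30")
        if op["path"] == "/KeyPolicy" and (op["op"] == "remove"
                                           or not isinstance(value, dict)
                                           or not value.get("Statement")):
            raise ValueError("patch would leave the key with no policy statements")
    return ops


def make_patch_document(current: dict, desired: dict, allow_disable: bool = False) -> str:
    """Serialise the plan as the PatchDocument string the UPDATE expects."""
    return json.dumps(plan_patch(current, desired, allow_disable))


if __name__ == "__main__":
    # Constructed sample: state as get_resource would return it, and one desired change.
    current = {
        "Description": "replica of the prod data key",
        "PendingWindowInDays": 30,
        "Enabled": True,
        "Tags": [{"Key": "env", "Value": "prod"}],
    }
    print(make_patch_document(current, {"Description": "replica of the prod data key (us-west-2)"}))
```

Properties left out of `desired` are not patched at all, which is the safe default for a change that only needs to touch a description or a tag; the page's UPDATE, by contrast, writes all five properties every time, so a stale `enabled` or `key_policy` variable in the manifest is applied along with the intended change.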
DELETE example

```sql
/*+ delete */
DELETE FROM awscc.kms.replica_keys
WHERE
Identifier = '{{ key_id }}' AND
region = 'us-east-1';
```

This does not destroy the key immediately: the call behind it is kms:ScheduleKeyDeletion, so the replica enters the pending-deletion state for pending_window_in_days (7 to 30 days, default 30), during which it cannot be used but the deletion can still be cancelled. The primary key and any other replicas are not affected.
Permissions

To operate on the replica_keys resource, the following permissions are required:

| Operation | Required permissions |
|---|---|
| Read | kms:DescribeKey, kms:GetKeyPolicy, kms:ListResourceTags |
| Create | kms:ReplicateKey, kms:CreateKey, kms:DescribeKey, kms:DisableKey, kms:TagResource |
| Update | kms:DescribeKey, kms:DisableKey, kms:EnableKey, kms:PutKeyPolicy, kms:TagResource, kms:UntagResource, kms:UpdateKeyDescription |
| List | kms:ListKeys, kms:DescribeKey |
| Delete | kms:DescribeKey, kms:ScheduleKeyDeletion |

Note that for Create the two permissions are evaluated in different places: kms:ReplicateKey is checked against the primary key in the primary key's region (so it must be granted in the primary's key policy), while kms:CreateKey is an IAM permission in the replica's region.