
replica_keys

Creates, updates, deletes or gets a replica_key resource or lists replica_keys in a region

Overview

Name: replica_keys
Type: Resource
Description: The AWS::KMS::ReplicaKey resource specifies a multi-region replica AWS KMS key in AWS Key Management Service (AWS KMS).
Id: awscc.kms.replica_keys

Fields

Name | Datatype | Description
description | string | A description of the AWS KMS key. Use a description that helps you to distinguish this AWS KMS key from others in the account, such as its intended use.
pending_window_in_days | integer | Specifies the number of days in the waiting period before AWS KMS deletes an AWS KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. Once the window elapses the deletion is irreversible; because related multi-region keys share key material, ciphertext produced under this replica remains decryptable by the primary or another replica, but only while at least one related key still exists.
key_policy | object | The key policy that authorizes use of the AWS KMS key. The key policy must observe the following rules. A replica key's policy is independent of the primary's, so nothing granted in the primary's policy carries over, and a policy that does not allow the caller or the account root to change the policy can leave the replica unmanageable.
primary_key_arn | string | Identifies the primary AWS KMS key to create a replica of. Specify the Amazon Resource Name (ARN) of the AWS KMS key; the primary must itself be a multi-region key. You cannot specify an alias or key ID. For help finding the ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.
enabled | boolean | Specifies whether the AWS KMS key is enabled. Disabled AWS KMS keys cannot be used in cryptographic operations. Disabling takes effect immediately and, unlike deletion, is reversible.
key_id | string | The key ID assigned by AWS KMS. A replica shares the key ID of its primary (multi-region key IDs carry the mrk- prefix); only the region in the ARN differs.
arn | string | The ARN of the replica key in this region.
tags | array | An array of key-value pairs to apply to this resource.
region | string | AWS region.

For more information, see AWS::KMS::ReplicaKey.

Methods

Name | Resource | Accessible by | Required Params
create_resource | replica_keys | INSERT | PrimaryKeyArn, KeyPolicy, region
delete_resource | replica_keys | DELETE | Identifier, region
update_resource | replica_keys | UPDATE | Identifier, PatchDocument, region
list_resources | replica_keys_list_only | SELECT | region
get_resource | replica_keys | SELECT | Identifier, region

SELECT examples

Gets all properties from an individual replica_key.

SELECT
region,
description,
pending_window_in_days,
key_policy,
primary_key_arn,
enabled,
key_id,
arn,
tags
FROM awscc.kms.replica_keys
WHERE
region = '{{ region }}' AND
Identifier = '{{ key_id }}';

INSERT example

Use the following StackQL query and manifest file (the manifest supplies the {{ }} values) to create a new replica_key resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.kms.replica_keys (
KeyPolicy,
PrimaryKeyArn,
region
)
SELECT
'{{ key_policy }}',
'{{ primary_key_arn }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
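A concrete instance of the templated INSERT above, added here as an illustration and not taken from the StackQL documentation or the AWS provider: it replicates a hypothetical multi-region primary key from us-east-1 into eu-west-1 with an inline key policy. The account ID 111122223333, the role name app-role, the mrk- key ID and the description are constructed values. The first policy statement keeps the account root (and therefore IAM policies in the account) able to administer the replica, which is what stops it from becoming unmanageable; the second grants the application role only the data-path operations it needs. Because the replica has its own key policy, nothing from the primary's policy is inherited.

```sql
/*+ create */
INSERT INTO awscc.kms.replica_keys (
KeyPolicy,
PrimaryKeyArn,
Description,
PendingWindowInDays,
region
)
SELECT
'{
  "Version": "2012-10-17",
  "Id": "replica-key-eu-west-1",
  "Statement": [
    {
      "Sid": "AllowRootAndIamPolicies",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppRoleDataPathOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}',
'arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
'Replica of the payments-data key for eu-west-1 (constructed example)',
30,
'eu-west-1'
RETURNING
Identifier,
OperationStatus,
StatusMessage
;
```

The region column is the region in which the replica is created; the primary lives in the region named in PrimaryKeyArn. The returned Identifier is the mrk- key ID, which is the same value the primary carries.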

UPDATE example

Use the following StackQL query and manifest file (the manifest supplies the {{ }} values) to update a replica_key resource, using stack-deploy.

/*+ update */
UPDATE awscc.kms.replica_keys
SET PatchDocument = string('{{ {
"Description": description,
"PendingWindowInDays": pending_window_in_days,
"KeyPolicy": key_policy,
"Enabled": enabled,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ key_id }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
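The templated UPDATE above hides the shape of PatchDocument behind generate_patch_document. The following is an added example, not from this page or the StackQL project: it passes a literal RFC 6902 JSON Patch, which is the format the Cloud Control API expects, to disable a replica key, push its deletion waiting period to the 30-day maximum and record why, the kind of containment step taken when misuse of a key is suspected. The region and the mrk- key ID are constructed values.

```sql
/*+ update */
UPDATE awscc.kms.replica_keys
SET PatchDocument = '[
  {"op": "replace", "path": "/Enabled", "value": false},
  {"op": "add", "path": "/PendingWindowInDays", "value": 30},
  {"op": "add", "path": "/Description", "value": "DISABLED pending security review (constructed example)"}
]'
WHERE
region = 'eu-west-1' AND
Identifier = 'mrk-1234abcd12ab34cd56ef1234567890ab'
RETURNING
Identifier,
OperationStatus,
StatusMessage
;
```

Enabled is always present in the model read back from AWS, so "replace" is safe for it; "add" is used for the other two properties because under RFC 6902 "add" also overwrites an existing member, whereas "replace" fails if the property has never been set. Disabling is reversible by patching Enabled back to true, which is why it is preferred over deletion for a first response.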

DELETE example

/*+ delete */
DELETE FROM awscc.kms.replica_keys
WHERE
Identifier = '{{ key_id }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter | Description
ClientToken | A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
RoleArn | The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId | For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To read (SELECT) the replica_keys resource, the following permissions are required:

kms:DescribeKey,
kms:GetKeyPolicy,
kms:ListResourceTags

Create, update and delete operations need further KMS permissions that this page does not list; for example, creating a replica calls kms:ReplicateKey on the primary key and kms:CreateKey in the replica region, changing the key policy calls kms:PutKeyPolicy, and deleting calls kms:ScheduleKeyDeletion. The calling identity, or the role passed as RoleArn, must hold them.