key_signing_keys
Creates, updates, deletes or gets a key_signing_key resource or lists key_signing_keys in a region
Overview
| Name | key_signing_keys |
| Type | Resource |
| Description | Represents a key signing key (KSK) associated with a hosted zone. You can only have two KSKs per hosted zone. |
| Id | awscc.route53.key_signing_keys |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
hosted_zone_id | string | The unique string (ID) used to identify a hosted zone. |
status | string | A string specifying the initial status of the key signing key (KSK). You can set the value to ACTIVE or INACTIVE. |
name | string | An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone. |
key_management_service_arn | string | The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key signing key (KSK) in a single hosted zone. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
hosted_zone_id | string | The unique string (ID) used to identify a hosted zone. |
name | string | An alphanumeric string used to identify a key signing key (KSK). Name must be unique for each key signing key in the same hosted zone. |
region | string | AWS region. |
For more information, see AWS::Route53::KeySigningKey.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | key_signing_keys | INSERT | Status, HostedZoneId, Name, KeyManagementServiceArn, region |
delete_resource | key_signing_keys | DELETE | Identifier, region |
update_resource | key_signing_keys | UPDATE | Identifier, PatchDocument, region |
list_resources | key_signing_keys_list_only | SELECT | region |
get_resource | key_signing_keys | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual key_signing_key.
SELECT
region,
hosted_zone_id,
status,
name,
key_management_service_arn
FROM awscc.route53.key_signing_keys
WHERE
region = 'us-east-1' AND
Identifier = '{{ hosted_zone_id }}|{{ name }}';
Lists all key_signing_keys in a region.
SELECT
region,
hosted_zone_id,
name
FROM awscc.route53.key_signing_keys_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new key_signing_key resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.route53.key_signing_keys (
HostedZoneId,
Status,
Name,
KeyManagementServiceArn,
region
)
SELECT
'{{ hosted_zone_id }}',
'{{ status }}',
'{{ name }}',
'{{ key_management_service_arn }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.route53.key_signing_keys (
HostedZoneId,
Status,
Name,
KeyManagementServiceArn,
region
)
SELECT
'{{ hosted_zone_id }}',
'{{ status }}',
'{{ name }}',
'{{ key_management_service_arn }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: key_signing_key
props:
- name: hosted_zone_id
value: '{{ hosted_zone_id }}'
- name: status
value: '{{ status }}'
- name: name
value: '{{ name }}'
- name: key_management_service_arn
value: '{{ key_management_service_arn }}'
UPDATE example
Use the following StackQL query and manifest file to update a key_signing_key resource, using stack-deploy.
/*+ update */
UPDATE awscc.route53.key_signing_keys
SET PatchDocument = string('{{ {
"Status": status
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ hosted_zone_id }}|{{ name }}';
DELETE example
/*+ delete */
DELETE FROM awscc.route53.key_signing_keys
WHERE
Identifier = '{{ hosted_zone_id }}|{{ name }}' AND
region = 'us-east-1';
Permissions
To operate on the key_signing_keys resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
route53:CreateKeySigningKey,
kms:DescribeKey,
kms:GetPublicKey,
kms:Sign,
kms:CreateGrant
route53:GetDNSSEC
route53:GetDNSSEC,
route53:ActivateKeySigningKey,
route53:DeactivateKeySigningKey,
kms:DescribeKey,
kms:GetPublicKey,
kms:Sign,
kms:CreateGrant
route53:DeactivateKeySigningKey,
route53:DeleteKeySigningKey,
kms:DescribeKey,
kms:GetPublicKey,
kms:Sign,
kms:CreateGrant
route53:GetDNSSEC,
route53:ListHostedZones