The AWS::KMS::Alias
resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.
Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for in the Developer Guide.
Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys i
To use awscc_kms_alias
with awscc_kms_key
:
resource "awscc_kms_key" "this" {
key_policy = jsonencode({
"Version" : "2012-10-17",
"Id" : "KMS-Key-Policy",
"Statement" : [
{
"Sid" : "Enable IAM User Permissions",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:root"
},
"Action" : "kms:*",
"Resource" : "*"
},
],
}
)
}
resource "awscc_kms_alias" "this" {
alias_name = "alias/example-kms-alias"
target_key_id = awscc_kms_key.this.key_id
}
alias_name
(String) Specifies the alias name. This value must begin with alias/
followed by a name, such as alias/ExampleAlias
.
If you change the value of the AliasName
property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC).
The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/
. The alias/aws/
prefix is reserved for .target_key_id
(String) Associates the alias with the specified . The KMS key must be in the same AWS-account and Region.
A valid key ID is required. If you supply a null or empty string value, this operation returns an error.
For help finding the key ID and ARN, see Finding the key ID and ARN in the Developer Guide.
Specify the key ID or the key ARN of the KMS key.
For example:
1234abcd-12ab-34cd-56ef-1234567890ab
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
id
(String) Uniquely identifies the resource.Import is supported using the following syntax:
$ terraform import awscc_kms_alias.example <resource ID>