Use this data source to get the public key about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.
data "aws_kms_public_key" "by_alias" {
key_id = "alias/my-key"
}
data "aws_kms_public_key" "by_id" {
key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
}
data "aws_kms_public_key" "by_alias_arn" {
key_id = "arn:aws:kms:us-east-1:111122223333:alias/my-key"
}
data "aws_kms_public_key" "by_key_arn" {
key_id = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
This data source supports the following arguments:
key_id
- (Required) Key identifier which can be one of the following format:
1234abcd-12ab-34cd-56ef-1234567890ab
arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
alias/my-key
arn:aws:kms:us-east-1:111122223333:alias/my-key
grant_tokens
- (Optional) List of grant tokensThis data source exports the following attributes in addition to the arguments above:
arn
- Key ARN of the asymmetric CMK from which the public key was downloaded.customer_master_key_spec
- Type of the public key that was downloaded.encryption_algorithms
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage
of the public key is ENCRYPT_DECRYPT
.id
- Key ARN of the asymmetric CMK from which the public key was downloaded.key_usage
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT
or SIGN_VERIFY
public_key
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.public_key_pem
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.signing_algorithms
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage
of the public key is SIGN_VERIFY
.