software.amazon.awscdk.services.kms

Class Key

java.lang.Object

software.amazon.jsii.JsiiObject

software.constructs.Construct

software.amazon.awscdk.Resource

software.amazon.awscdk.services.kms.Key

All Implemented Interfaces:

IResource, IKey, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.67.0 (build 2c027f5)",
           date="2022-09-19T20:26:40.342Z")
 @Stability(value=Stable)
public class Key
extends Resource
implements IKey

Defines a KMS key.

Example:

 import software.amazon.awscdk.services.kms.*;
 Key encryptionKey = Key.Builder.create(this, "Key")
         .enableKeyRotation(true)
         .build();
 Table table = Table.Builder.create(this, "MyTable")
         .partitionKey(Attribute.builder().name("id").type(AttributeType.STRING).build())
         .encryption(TableEncryption.CUSTOMER_MANAGED)
         .encryptionKey(encryptionKey)
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Key.Builder A fluent builder for Key.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.kms.IKey

IKey.Jsii$Default, IKey.Jsii$Proxy

Constructor Summary

Constructors

Modifier	Constructor and Description
	Key(software.constructs.Construct scope, String id)
	Key(software.constructs.Construct scope, String id, KeyProps props)
protected	Key(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	Key(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method and Description
Alias	addAlias(String aliasName) Defines a new alias for the key.
AddToResourcePolicyResult	addToResourcePolicy(PolicyStatement statement) Adds a statement to the KMS key resource policy.
AddToResourcePolicyResult	addToResourcePolicy(PolicyStatement statement, Boolean allowNoOp) Adds a statement to the KMS key resource policy.
static IKey	fromCfnKey(CfnKey cfnKey) Create a mutable IKey based on a low-level CfnKey.
static IKey	fromKeyArn(software.constructs.Construct scope, String id, String keyArn) Import an externally defined KMS Key using its ARN.
static IKey	fromLookup(software.constructs.Construct scope, String id, KeyLookupOptions options) Import an existing Key by querying the AWS environment this stack is deployed to.
String	getKeyArn() The ARN of the key.
String	getKeyId() The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
protected PolicyDocument	getPolicy() Optional policy document that represents the resource policy of this key.
protected Boolean	getTrustAccountIdentities() Optional property to control trusting account identities.
Grant	grant(IGrantable grantee, String... actions) Grant the indicated permissions on this key to the given principal.
Grant	grantAdmin(IGrantable grantee) Grant admins permissions using this key to the given principal.
Grant	grantDecrypt(IGrantable grantee) Grant decryption permissions using this key to the given principal.
Grant	grantEncrypt(IGrantable grantee) Grant encryption permissions using this key to the given principal.
Grant	grantEncryptDecrypt(IGrantable grantee) Grant encryption and decryption permissions using this key to the given principal.

Methods inherited from class software.amazon.awscdk.Resource

applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isOwnedResource, isResource

Methods inherited from class software.constructs.Construct

getNode, isConstruct, toString

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.amazon.awscdk.IResource

applyRemovalPolicy, getEnv, getStack

Methods inherited from interface software.constructs.IConstruct

getNode

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Constructor Detail

Key

protected Key(software.amazon.jsii.JsiiObjectRef objRef)

Key

protected Key(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

Key

@Stability(value=Stable)
public Key(@NotNull
                                    software.constructs.Construct scope,
                                    @NotNull
                                    String id,
                                    @Nullable
                                    KeyProps props)

Parameters:

scope - This parameter is required.

id - This parameter is required.

props -

Key

@Stability(value=Stable)
public Key(@NotNull
                                    software.constructs.Construct scope,
                                    @NotNull
                                    String id)

Parameters:

scope - This parameter is required.

id - This parameter is required.

Method Detail

fromCfnKey

@Stability(value=Stable)
 @NotNull
public static IKey fromCfnKey(@NotNull
                                                                 CfnKey cfnKey)

Create a mutable IKey based on a low-level CfnKey.

This is most useful when combined with the cloudformation-include module. This method is different than {@link fromKeyArn()} because the {@link IKey} returned from this method is mutable; meaning, calling any mutating methods on it, like {@link IKey.addToResourcePolicy()}, will actually be reflected in the resulting template, as opposed to the object returned from {@link fromKeyArn()}, on which calling those methods would have no effect.

Parameters:

cfnKey - This parameter is required.

fromKeyArn

@Stability(value=Stable)
 @NotNull
public static IKey fromKeyArn(@NotNull
                                                                 software.constructs.Construct scope,
                                                                 @NotNull
                                                                 String id,
                                                                 @NotNull
                                                                 String keyArn)

Import an externally defined KMS Key using its ARN.

Parameters:

scope - the construct that will "own" the imported key. This parameter is required.

id - the id of the imported key in the construct tree. This parameter is required.

keyArn - the ARN of an existing KMS key. This parameter is required.

fromLookup

@Stability(value=Stable)
 @NotNull
public static IKey fromLookup(@NotNull
                                                                 software.constructs.Construct scope,
                                                                 @NotNull
                                                                 String id,
                                                                 @NotNull
                                                                 KeyLookupOptions options)

Import an existing Key by querying the AWS environment this stack is deployed to.

This function only needs to be used to use Keys not defined in your CDK application. If you are looking to share a Key between stacks, you can pass the Key object between stacks and use it as normal. In addition, it's not necessary to use this method if an interface accepts an IKey. In this case, Alias.fromAliasName() can be used which returns an alias that extends IKey.

Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).

The Key information will be cached in cdk.context.json and the same Key will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.

Parameters:

scope - This parameter is required.

id - This parameter is required.

options - This parameter is required.

addAlias

@Stability(value=Stable)
 @NotNull
public Alias addAlias(@NotNull
                                                         String aliasName)

Defines a new alias for the key.

Specified by:

addAlias in interface IKey

Parameters:

aliasName - This parameter is required.

addToResourcePolicy

@Stability(value=Stable)
 @NotNull
public AddToResourcePolicyResult addToResourcePolicy(@NotNull
                                                                                        PolicyStatement statement,
                                                                                        @Nullable
                                                                                        Boolean allowNoOp)

Adds a statement to the KMS key resource policy.

Specified by:

addToResourcePolicy in interface IKey

Parameters:

statement - The policy statement to add. This parameter is required.

allowNoOp - If this is set to `false` and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.

addToResourcePolicy

@Stability(value=Stable)
 @NotNull
public AddToResourcePolicyResult addToResourcePolicy(@NotNull
                                                                                        PolicyStatement statement)

Adds a statement to the KMS key resource policy.

Specified by:

addToResourcePolicy in interface IKey

Parameters:

statement - The policy statement to add. This parameter is required.

grant

@Stability(value=Stable)
 @NotNull
public Grant grant(@NotNull
                                                      IGrantable grantee,
                                                      @NotNull
                                                      String... actions)

Grant the indicated permissions on this key to the given principal.

This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.

Specified by:

grant in interface IKey

Parameters:

grantee - This parameter is required.

actions - This parameter is required.

grantAdmin

@Stability(value=Stable)
 @NotNull
public Grant grantAdmin(@NotNull
                                                           IGrantable grantee)

Grant admins permissions using this key to the given principal.

Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).

Parameters:

grantee - This parameter is required.

grantDecrypt

@Stability(value=Stable)
 @NotNull
public Grant grantDecrypt(@NotNull
                                                             IGrantable grantee)

Grant decryption permissions using this key to the given principal.

Specified by:

grantDecrypt in interface IKey

Parameters:

grantee - This parameter is required.

grantEncrypt

@Stability(value=Stable)
 @NotNull
public Grant grantEncrypt(@NotNull
                                                             IGrantable grantee)

Grant encryption permissions using this key to the given principal.

Specified by:

grantEncrypt in interface IKey

Parameters:

grantee - This parameter is required.

grantEncryptDecrypt

@Stability(value=Stable)
 @NotNull
public Grant grantEncryptDecrypt(@NotNull
                                                                    IGrantable grantee)

Grant encryption and decryption permissions using this key to the given principal.

Specified by:

grantEncryptDecrypt in interface IKey

Parameters:

grantee - This parameter is required.

getKeyArn

@Stability(value=Stable)
 @NotNull
public String getKeyArn()

The ARN of the key.

Specified by:

getKeyArn in interface IKey

getKeyId

@Stability(value=Stable)
 @NotNull
public String getKeyId()

The ID of the key (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).

Specified by:

getKeyId in interface IKey

getTrustAccountIdentities

@Stability(value=Stable)
 @NotNull
protected Boolean getTrustAccountIdentities()

Optional property to control trusting account identities.

If specified, grants will default identity policies instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.

getPolicy

@Stability(value=Stable)
 @Nullable
protected PolicyDocument getPolicy()

Optional policy document that represents the resource policy of this key.

If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.