ReadonlyenvThe environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
ReadonlykeyThe ARN of the key.
ReadonlykeyReadonlynodeThe tree node.
Protected ReadonlyphysicalReturns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
This value will resolve to one of the following:
"my-awesome-bucket")undefined, when a name should be generated by CloudFormationProtected Optional ReadonlypolicyOptional policy document that represents the resource policy of this key.
If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.
ReadonlystackThe stack in which this resource is defined.
Protected ReadonlytrustOptional property to control trusting account identities.
If specified, grants will default identity policies instead of to both resource and identity policies. This matches the default behavior when creating KMS keys via the API or console.
Static ReadonlyDEFAULT_The default key id of the dummy key.
This value is used as a dummy key id if the key was not found
by the Key.fromLookup() method.
Static ReadonlyPROPERTY_Uniquely identifies this class.
InternalCalled when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.
Defines a new alias for the key.
Adds a statement to the KMS key resource policy.
The policy statement to add
OptionalallowNoOp: booleanIf this is set to false and there is no policy
defined (i.e. external key), the operation will fail. Otherwise, it will
no-op.
Apply the given removal policy to this resource
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
ProtectedgenerateProtectedgetReturns an environment-sensitive token that should be used for the
resource's "ARN" attribute (e.g. bucket.bucketArn).
Normally, this token will resolve to arnAttr, but if the resource is
referenced across environments, arnComponents will be used to synthesize
a concrete ARN with the resource's physical name. Make sure to reference
this.physicalName in arnComponents.
The CFN attribute which resolves to the ARN of the resource.
Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes
it's the CFN resource's ref.
The format of the ARN of this resource. You must
reference this.physicalName somewhere within the ARN in order for
cross-environment references to work.
ProtectedgetReturns an environment-sensitive token that should be used for the
resource's "name" attribute (e.g. bucket.bucketName).
Normally, this token will resolve to nameAttr, but if the resource is
referenced across environments, it will be resolved to this.physicalName,
which will be a concrete name.
The CFN attribute which resolves to the resource's name.
Commonly this is the resource's ref.
Grant the indicated permissions on this key to the given principal
This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.
Grant admins permissions using this key to the given principal
Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).
Grant decryption permissions using this key to the given principal
Grant encryption permissions using this key to the given principal
Grant encryption and decryption permissions using this key to the given principal
Grant permissions to generating MACs to the given principal
Grant sign permissions using this key to the given principal
Grant sign and verify permissions using this key to the given principal
Grant verify permissions using this key to the given principal
Grant permissions to verifying MACs to the given principal
Returns a string representation of this construct.
StaticfromCreate a mutable IKey based on a low-level CfnKey.
This is most useful when combined with the cloudformation-include module.
This method is different than fromKeyArn() because the IKey
returned from this method is mutable;
meaning, calling any mutating methods on it,
like IKey.addToResourcePolicy(),
will actually be reflected in the resulting template,
as opposed to the object returned from fromKeyArn(),
on which calling those methods would have no effect.
StaticfromImport an externally defined KMS Key using its ARN.
the construct that will "own" the imported key.
the id of the imported key in the construct tree.
the ARN of an existing KMS key.
StaticfromImport an existing Key by querying the AWS environment this stack is deployed to.
This function only needs to be used to use Keys not defined in your CDK
application. If you are looking to share a Key between stacks, you can
pass the Key object between stacks and use it as normal. In addition,
it's not necessary to use this method if an interface accepts an IKey.
In this case, Alias.fromAliasName() can be used which returns an alias
that extends IKey.
Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).
If you set returnDummyKeyOnMissing to true in options and the key was not found,
this method will return a dummy key with a key id '1234abcd-12ab-34cd-56ef-1234567890ab'.
The value of the dummy key id can also be referenced using the Key.DEFAULT_DUMMY_KEY_ID
variable, and you can check if the key is a dummy key by using the Key.isLookupDummy()
method.
The Key information will be cached in cdk.context.json and the same Key
will be used on future runs. To refresh the lookup, you will have to
evict the value from the cache using the cdk context command. See
https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
StaticisChecks if x is a construct.
Use this method instead of instanceof to properly detect Construct
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the constructs library on
disk are seen as independent, completely different libraries. As a
consequence, the class Construct in each copy of the constructs library
is seen as a different class, and an instance of one class will not test as
instanceof the other class. npm install will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the constructs
library can be accidentally installed, and instanceof will behave
unpredictably. It is safest to avoid using instanceof, and using
this type-testing method instead.
Any object
true if x is an object created from a class which extends Construct.
StaticisChecks if the key returned by the Key.fromLookup() method is a dummy key,
i.e., a key that was not found.
This method can only be used if the returnDummyKeyOnMissing option
is set to true in the options for the Key.fromLookup() method.
StaticisReturns true if the construct was created by CDK, and false otherwise
StaticisCheck whether the given construct is a Resource
Construct for a compliance KMS Key. Ensures the following: