Skip to content

awsKmsPublicKey

Use this data source to get the public key about the specified KMS Key with flexible key id input. This can be useful to reference key alias without having to hard code the ARN as input.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsKmsPublicKey.DataAwsKmsPublicKey(this, "by_alias", {
  keyId: "alias/my-key",
});
new aws.dataAwsKmsPublicKey.DataAwsKmsPublicKey(this, "by_alias_arn", {
  keyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key",
});
new aws.dataAwsKmsPublicKey.DataAwsKmsPublicKey(this, "by_id", {
  keyId: "1234abcd-12ab-34cd-56ef-1234567890ab",
});
new aws.dataAwsKmsPublicKey.DataAwsKmsPublicKey(this, "by_key_arn", {
  keyId:
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
});

Argument Reference

The following arguments are supported:

  • keyId - (Required) Key identifier which can be one of the following format:
  • Key ID. E.g - 1234Abcd12Ab34Cd56Ef1234567890Ab
  • Key ARN. E.g. - arn:aws:kms:usEast1:111122223333:key/1234Abcd12Ab34Cd56Ef1234567890Ab
  • Alias name. E.g. - alias/myKey
  • Alias ARN - E.g. - arn:aws:kms:usEast1:111122223333:alias/myKey
  • grantTokens - (Optional) List of grant tokens

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Key ARN of the asymmetric CMK from which the public key was downloaded.
  • customerMasterKeySpec - Type of the public key that was downloaded.
  • encryptionAlgorithms - Encryption algorithms that AWS KMS supports for this key. Only set when the keyUsage of the public key is ENCRYPT_DECRYPT.
  • id - Key ARN of the asymmetric CMK from which the public key was downloaded.
  • keyUsage - Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
  • publicKey - Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
  • publicKeyPem - Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
  • signingAlgorithms - Signing algorithms that AWS KMS supports for this key. Only set when the keyUsage of the public key is SIGN_VERIFY.