Use ALIYUN::KMS::Key to create a CMK - Resource Orchestration Service

ALIYUN::KMS::Key is used to create a customer master key (CMK).

Syntax

{
  "Type": "ALIYUN::KMS::Key",
  "Properties": {
    "KeyUsage": String,
    "Enable": Boolean,
    "PendingWindowInDays": Integer,
    "Description": String,
    "KeySpec": String,
    "EnableAutomaticRotation": Boolean,
    "RotationInterval": String,
    "ProtectionLevel": String,
    "DKMSInstanceId": String,
    "Policy": Map
  }
}

Properties

Property	Type	Required	Editable	Description	Constraint
KeyUsage	String	No	No	The usage of the CMK.	Valid values: ENCRYPT/DECRYPT: The CMK is used to encrypt or decrypt data. SIGN/VERIFY: The CMK is used to generate or verify a digital signature.
Enable	Boolean	No	Yes	Specifies whether to enable the CMK.	Valid values: true (default) false
PendingWindowInDays	Integer	No	No	The scheduled period after which the CMK is deleted. During the period, the CMK is in the PendingDeletion state. After the period ends, you cannot cancel the deletion task.	Valid values: 7 to 30. Default value: 30. Unit: day.
Description	String	No	Yes	The description of the CMK.	The description can be up to 8,192 characters in length.
KeySpec	String	No	No	The CMK type.	Valid values: Aliyun_AES_256 Aliyun_SM4 RSA_2048 EC_P256 EC_P256K EC_SM2 Note If you want to create the CMK in a managed hardware security module (HSM) in the Chinese mainland, the default value is Aliyun_SM4. In other cases, the default value is Aliyun_AES_256.
EnableAutomaticRotation	Boolean	No	Yes	Specifies whether to enable automatic key rotation.	Valid values: true false (default)
RotationInterval	String	No	Yes	The interval of automatic key rotation. Example: `365d`.	Specify the interval in the `integer[unit]` format. `integer` specifies the time period. `unit` specifies the unit of the time period. Valid values of `unit`: d: day h: hour m: minute s: second For example, you can use 7d or 604800s to specify an interval of 7 days. The interval ranges from 7 days to 730 days.
ProtectionLevel	String	No	No	The protection level of the CMK.	Valid values: SOFTWARE (default) HSM
DKMSInstanceId	String	No	No	The ID of the dedicated Key Management Service (KMS) instance.	None.
Policy	Map	No	No	The key policy.	The property value must be in the JSON format. The value can be up to 32,768 bytes in length. For more information about key policies, see Overview. If you do not specify this property, the default secret policy is used. A key policy contains the following content: Version: the version of the key policy. Set the value to 1. Statement: the statements of the key policy. Each key policy contains one or more statements. Example of a key policy: `{ "Version": "1", "Statement": [ { "Sid": "Enable RAM User Permissions", "Effect": "Allow", "Principal": { "RAM": "acs:ram::112890462***:root" } "Action": [ "kms:" ], "Resource": [ "*" ] } ] }`

Return values

Fn::GetAtt

KeyId: the CMK ID.

Examples

`YAML` format

ROSTemplateFormatVersion: '2015-09-01'
Parameters: {}
Resources:
  Key:
    Type: ALIYUN::KMS::Key
    Properties:
      KeyUsage: ENCRYPT/DECRYPT
      Enable: false
      PendingWindowInDays: 15
      Description: Test create key
Outputs:
  KeyId:
    Description: The globally unique identifier for the CMK.
    Value:
      Fn::GetAtt:
        - Key
        - KeyId

`JSON` format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
  },
  "Resources": {
    "Key": {
      "Type": "ALIYUN::KMS::Key",
      "Properties": {
        "KeyUsage": "ENCRYPT/DECRYPT",
        "Enable": false,
        "PendingWindowInDays": 15,
        "Description": "Test create key"
      }
    }
  },
  "Outputs": {
    "KeyId": {
      "Description": "The globally unique identifier for the CMK.",
      "Value": {
        "Fn::GetAtt": [
          "Key",
          "KeyId"
        ]
      }
    }
  }
}

Syntax

Properties

Return values

Examples

YAML format

JSON format

`YAML` format

`JSON` format