
Resource Orchestration Service:ALIYUN::KMS::Key

Last Updated:Jul 02, 2024

ALIYUN::KMS::Key is used to create a customer master key (CMK).

Syntax

{
  "Type": "ALIYUN::KMS::Key",
  "Properties": {
    "KeyUsage": String,
    "Enable": Boolean,
    "PendingWindowInDays": Integer,
    "Description": String,
    "KeySpec": String,
    "EnableAutomaticRotation": Boolean,
    "RotationInterval": String,
    "ProtectionLevel": String,
    "DKMSInstanceId": String,
    "Policy": Map
  }
}

Properties

Each property is listed as Property (Type; Required; Editable), followed by its description and constraints.

KeyUsage (String; required: No; editable: No)

The usage of the CMK.

Valid values:

  • ENCRYPT/DECRYPT: The CMK is used to encrypt or decrypt data.

  • SIGN/VERIFY: The CMK is used to generate or verify a digital signature.

Enable (Boolean; required: No; editable: Yes)

Specifies whether to enable the CMK.

Valid values:

  • true (default)

  • false

PendingWindowInDays (Integer; required: No; editable: No)

The scheduled period after which the CMK is deleted. During this period, the CMK is in the PendingDeletion state; after the period ends, the deletion task can no longer be canceled.

Valid values: 7 to 30.

Default value: 30.

Unit: day.

Description (String; required: No; editable: Yes)

The description of the CMK.

The description can be up to 8,192 characters in length.

KeySpec (String; required: No; editable: No)

The CMK type.

Valid values:

  • Aliyun_AES_256

  • Aliyun_SM4

  • RSA_2048

  • EC_P256

  • EC_P256K

  • EC_SM2

Note: If you want to create the CMK in a managed hardware security module (HSM) in the Chinese mainland, the default value is Aliyun_SM4. In other cases, the default value is Aliyun_AES_256.

EnableAutomaticRotation (Boolean; required: No; editable: Yes)

Specifies whether to enable automatic key rotation.

Valid values:

  • true

  • false (default)

RotationInterval (String; required: No; editable: Yes)

The interval of automatic key rotation. Example: 365d.

Specify the interval in the integer[unit] format, where integer is the length of the time period and unit is its unit.

Valid values of unit:

  • d: day

  • h: hour

  • m: minute

  • s: second

For example, 7d and 604800s both specify an interval of 7 days.

The interval ranges from 7 days to 730 days.

ProtectionLevel (String; required: No; editable: No)

The protection level of the CMK.

Valid values:

  • SOFTWARE (default)

  • HSM

DKMSInstanceId (String; required: No; editable: No)

The ID of the dedicated Key Management Service (KMS) instance.

Constraint: none.

Policy (Map; required: No; editable: No)

The key policy.

The property value must be in JSON format and can be up to 32,768 bytes in length.

For more information about key policies, see Overview. If you do not specify this property, the default secret policy is used.

A key policy contains the following content:

  • Version: the version of the key policy. Set the value to 1.

  • Statement: the statements of the key policy. Each key policy contains one or more statements.

Example of a key policy:

{
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": "acs:ram::112890462****:root"
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
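The constraints in the property table above (the integer[unit] form and 7d..730d range of RotationInterval, the 7 to 30 range of PendingWindowInDays, the allowed KeyUsage, KeySpec and ProtectionLevel values, and the Version, Statement and 32,768-byte limits of Policy) are easy to get wrong in a template and are only reported when the stack is deployed. The following is an added example, not code from the page or from Alibaba Cloud ROS, that lints the Properties of every ALIYUN::KMS::Key resource in a template against those stated constraints before deployment. The lint function names, the constructed SAMPLE_TEMPLATE, and the placeholder account ID in its policy are assumptions of this example.

```python
import json
import re

# Constraints transcribed from the ALIYUN::KMS::Key property table on this page.
KEY_USAGE_VALUES = {"ENCRYPT/DECRYPT", "SIGN/VERIFY"}
KEY_SPEC_VALUES = {"Aliyun_AES_256", "Aliyun_SM4", "RSA_2048",
                   "EC_P256", "EC_P256K", "EC_SM2"}
PROTECTION_LEVEL_VALUES = {"SOFTWARE", "HSM"}
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
MIN_ROTATION_SECONDS = 7 * 86400     # lower bound: 7 days
MAX_ROTATION_SECONDS = 730 * 86400   # upper bound: 730 days
MAX_DESCRIPTION_CHARS = 8192
MAX_POLICY_BYTES = 32768

ROTATION_RE = re.compile(r"^(\d+)([dhms])$")   # integer[unit], unit in d/h/m/s


def rotation_interval_seconds(value):
    """Parse an integer[unit] string such as '365d' or '604800s' into seconds.

    Raises ValueError if the string is not integer[unit] or the interval is
    outside the 7-day to 730-day range the page specifies.
    """
    m = ROTATION_RE.match(value)
    if not m:
        raise ValueError(f"RotationInterval {value!r} is not in integer[unit] format")
    seconds = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if not MIN_ROTATION_SECONDS <= seconds <= MAX_ROTATION_SECONDS:
        raise ValueError(f"RotationInterval {value!r} is outside the 7d..730d range")
    return seconds


def lint_policy(policy):
    """Check a key policy Map against the stated constraints; return problem strings."""
    if not isinstance(policy, dict):
        return ["Policy must be a Map (JSON object)"]
    problems = []
    encoded = json.dumps(policy, separators=(",", ":")).encode("utf-8")
    if len(encoded) > MAX_POLICY_BYTES:
        problems.append(f"Policy is {len(encoded)} bytes; the limit is {MAX_POLICY_BYTES}")
    if policy.get("Version") != "1":
        problems.append('Policy Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append("Policy Statement must be a non-empty list")
    elif not all(isinstance(s, dict) for s in statements):
        problems.append("Every Policy Statement entry must be a JSON object")
    return problems


def lint_key_properties(props):
    """Return the list of problems found in an ALIYUN::KMS::Key Properties map."""
    problems = []
    usage = props.get("KeyUsage")
    if usage is not None and usage not in KEY_USAGE_VALUES:
        problems.append(f"KeyUsage {usage!r} is not ENCRYPT/DECRYPT or SIGN/VERIFY")
    for flag in ("Enable", "EnableAutomaticRotation"):
        if flag in props and not isinstance(props[flag], bool):
            problems.append(f"{flag} must be a Boolean")
    window = props.get("PendingWindowInDays")
    if window is not None and not (isinstance(window, int) and 7 <= window <= 30):
        problems.append(f"PendingWindowInDays {window!r} must be an integer from 7 to 30")
    if len(props.get("Description", "")) > MAX_DESCRIPTION_CHARS:
        problems.append(f"Description exceeds {MAX_DESCRIPTION_CHARS} characters")
    spec = props.get("KeySpec")
    if spec is not None and spec not in KEY_SPEC_VALUES:
        problems.append(f"KeySpec {spec!r} is not one of the listed key specs")
    if "RotationInterval" in props:
        try:
            rotation_interval_seconds(props["RotationInterval"])
        except ValueError as exc:
            problems.append(str(exc))
    level = props.get("ProtectionLevel")
    if level is not None and level not in PROTECTION_LEVEL_VALUES:
        problems.append(f"ProtectionLevel {level!r} must be SOFTWARE or HSM")
    if "Policy" in props:
        problems.extend(lint_policy(props["Policy"]))
    return problems


def lint_template(template):
    """Lint every ALIYUN::KMS::Key resource in a ROS template; return {name: problems}."""
    return {
        name: lint_key_properties(resource.get("Properties", {}))
        for name, resource in template.get("Resources", {}).items()
        if resource.get("Type") == "ALIYUN::KMS::Key"
    }


# Constructed sample: the page's JSON example extended with rotation and a policy,
# plus a deliberately invalid second key. The account ID is a placeholder.
SAMPLE_TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "Key": {
            "Type": "ALIYUN::KMS::Key",
            "Properties": {
                "KeyUsage": "ENCRYPT/DECRYPT", "Enable": False,
                "PendingWindowInDays": 15, "Description": "Test create key",
                "EnableAutomaticRotation": True, "RotationInterval": "365d",
                "Policy": {"Version": "1", "Statement": [{
                    "Sid": "Enable RAM User Permissions", "Effect": "Allow",
                    "Principal": {"RAM": "acs:ram::<ACCOUNT_ID_PLACEHOLDER>:root"},
                    "Action": ["kms:*"], "Resource": ["*"]}]},
            },
        },
        "BadKey": {
            "Type": "ALIYUN::KMS::Key",
            "Properties": {"KeyUsage": "SIGN", "PendingWindowInDays": 3,
                           "RotationInterval": "3d", "Policy": {"Version": "2"}},
        },
    },
}

if __name__ == "__main__":
    for name, problems in lint_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not problems else problems)
```

Run it against a template loaded with json.load (or a YAML loader for the YAML format) in a pre-deployment check; the lint reports only what the table above states, so a clean result means the property values are within the documented constraints, not that the policy grants the right permissions.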

Return values

Fn::GetAtt

KeyId: the CMK ID.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters: {}
Resources:
  Key:
    Type: ALIYUN::KMS::Key
    Properties:
      KeyUsage: ENCRYPT/DECRYPT
      Enable: false
      PendingWindowInDays: 15
      Description: Test create key
Outputs:
  KeyId:
    Description: The globally unique identifier for the CMK.
    Value:
      Fn::GetAtt:
        - Key
        - KeyId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
  },
  "Resources": {
    "Key": {
      "Type": "ALIYUN::KMS::Key",
      "Properties": {
        "KeyUsage": "ENCRYPT/DECRYPT",
        "Enable": false,
        "PendingWindowInDays": 15,
        "Description": "Test create key"
      }
    }
  },
  "Outputs": {
    "KeyId": {
      "Description": "The globally unique identifier for the CMK.",
      "Value": {
        "Fn::GetAtt": [
          "Key",
          "KeyId"
        ]
      }
    }
  }
}