Key is the Schema for the Keys API
Type
CRD
Group
kms.aws.crossplane.io
Version
v1alpha1
apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Key
KeySpec defines the desired state of Key
KeyParameters defines the desired state of Key
Assigns one or more tags to the KMS key. Use this parameter to tag the KMS key when it is created. To tag an existing KMS key, use the TagResource operation.
Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the Key Management Service Developer Guide.
To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) permission in an IAM policy.
Each tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string. You cannot have more than one tag on a KMS key with the same tag key. If you specify an existing tag key with a different tag value, KMS replaces the current tag value with the specified one.
When you add tags to an Amazon Web Services resource, Amazon Web Services generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
KeyStatus defines the observed state of Key.
KeyObservation defines the observed state of Key
The encryption algorithms that the KMS key supports. You cannot use the KMS key with other encryption algorithms within KMS.
This value is present only when the KeyUsage of the KMS key is ENCRYPT_DECRYPT.
The message authentication code (MAC) algorithm that the HMAC KMS key supports.
This value is present only when the KeyUsage of the KMS key is GENERATE_VERIFY_MAC.
Lists the primary and replica keys in same multi-Region key. This field is present only when the value of the MultiRegion field is True.
For more information about any listed KMS key, use the DescribeKey operation.
-
MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA key.
-
PrimaryKey displays the key ARN and Region of the primary key. This field displays the current KMS key if it is the primary key.
-
ReplicaKeys displays the key ARNs and Regions of all replica keys. This field includes the current KMS key if it is a replica key.
The signing algorithms that the KMS key supports. You cannot use the KMS key with other signing algorithms within KMS.
This field appears only when the KeyUsage of the KMS key is SIGN_VERIFY.
Information about the external key that is associated with a KMS key in an external key store.
For more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key) in the Key Management Service Developer Guide.
Conditions of the resource.
dev-key
apiVersion: kms.aws.crossplane.io/v1alpha1
kind: Key
metadata:
name: dev-key
spec:
forProvider:
enableKeyRotation: true
policy: |-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
region: us-east-1
tags:
- tagKey: k1
tagValue: v1
providerConfigRef:
name: example