
CDK Constructs for AWS KMS


AWS Key Management Service Construct Library

Stability: Stable

Define a KMS key:

import kms = require('@aws-cdk/aws-kms');

new kms.Key(this, 'MyKey', {
    enableKeyRotation: true
});

Add a couple of aliases:

const key = new kms.Key(this, 'MyKey');

Sharing keys between stacks

To use a KMS key in a different stack in the same CDK application, pass the construct to the other stack:

import cdk = require('@aws-cdk/core');
import kms = require('@aws-cdk/aws-kms');

/**
 * Stack that defines the key
 */
class KeyStack extends cdk.Stack {
  public readonly key: kms.Key;

  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    // RemovalPolicy.DESTROY: the key is removed when the stack is deleted.
    this.key = new kms.Key(this, 'MyKey', { removalPolicy: cdk.RemovalPolicy.DESTROY });
  }
}

interface UseStackProps extends cdk.StackProps {
  key: kms.IKey; // Use IKey here
}

/**
 * Stack that uses the key
 */
class UseStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props: UseStackProps) {
    super(scope, id, props);

    // Use the IKey object here.
    new kms.Alias(this, 'Alias', {
      aliasName: 'alias/foo',
      targetKey: props.key
    });
  }
}

const app = new cdk.App();
const keyStack = new KeyStack(app, 'KeyStack');
new UseStack(app, 'UseStack', { key: keyStack.key });
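
The snippets above set enableKeyRotation and RemovalPolicy.DESTROY; the following added example (not part of the CDK library or its README) checks a synthesized CloudFormation template for keys without rotation and keys that are deleted with their stack. The template contents, logical IDs and the auditKmsKeys function are constructed for illustration.

```typescript
// Added example: audit AWS::KMS::Key resources in a synthesized template.
interface CfnResource {
  Type: string;
  Properties?: { [name: string]: unknown };
  DeletionPolicy?: string;
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

// Returns one finding per risky setting on each AWS::KMS::Key resource.
function auditKmsKeys(template: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (!res || res.Type !== 'AWS::KMS::Key') {
      continue; // aliases and other resource types are out of scope
    }
    const props = res.Properties || {};
    // enableKeyRotation: true synthesizes to EnableKeyRotation: true.
    if (props['EnableKeyRotation'] !== true) {
      findings.push(`${logicalId}: key rotation is not enabled`);
    }
    // RemovalPolicy.DESTROY synthesizes to DeletionPolicy: Delete, so data
    // encrypted under the key becomes unrecoverable once the stack is removed.
    if (res.DeletionPolicy === 'Delete') {
      findings.push(`${logicalId}: key is deleted with the stack`);
    }
  }
  return findings;
}

// Constructed sample template (not output captured from a real synth run).
const sampleTemplate: CfnTemplate = {
  Resources: {
    RotatedKey: {
      Type: 'AWS::KMS::Key',
      Properties: { EnableKeyRotation: true, KeyPolicy: {} },
      DeletionPolicy: 'Retain',
    },
    SharedKey: {
      Type: 'AWS::KMS::Key',
      Properties: { KeyPolicy: {} },
      DeletionPolicy: 'Delete',
    },
    FooAlias: { Type: 'AWS::KMS::Alias', Properties: { AliasName: 'alias/foo' } },
  },
};
const sampleFindings: string[] = auditKmsKeys(sampleTemplate);
```

Run it against the JSON that cdk synth produces for each stack and fail the build when the returned list is not empty.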

Importing existing keys

To use a KMS key that is not defined in this CDK app, but is created through other means, use Key.fromKeyArn(parent, name, ref):

const myKeyImported = kms.Key.fromKeyArn(this, 'MyImportedKey', 'arn:aws:...');

// you can do stuff with this imported key.

Note that a call to .addToPolicy(statement) on myKeyImported will not have an effect on the key's policy because the key is not owned by your stack. The call will be a no-op.


Files for, version 1.5.0
Filename, size | File type | Python version
aws_cdk.aws_kms-1.5.0-py3-none-any.whl (55.4 kB) | Wheel | py3
(57.6 kB) | Source | None
