The ALIYUN::KMS::Key resource creates a master key.
Syntax
{
  "Type": "ALIYUN::KMS::Key",
  "Properties": {
    "KeyUsage": String,
    "Enable": Boolean,
    "PendingWindowInDays": Integer,
    "Description": String,
    "KeySpec": String,
    "EnableAutomaticRotation": Boolean,
    "RotationInterval": String,
    "ProtectionLevel": String,
    "DKMSInstanceId": String,
    "Policy": Map,
    "DeletionProtection": Boolean,
    "Tags": List
  }
}
Properties
Property name | Type | Required | Updatable | Description | Constraint |
DKMSInstanceId | String | Yes | No | The ID of your dedicated KMS instance. | KMS has been upgraded to a dedicated KMS. For more information about the upgrade, see [Upgrade notice] KMS is upgraded to a dedicated KMS. |
DeletionProtection | Boolean | No | Yes | Specifies whether to enable deletion protection for the key. | Valid values: true and false. |
Description | String | No | Yes | The description of the key. | The description must be 0 to 8192 characters in length. |
Enable | Boolean | No | Yes | Specifies whether the key is enabled. | Valid values: true and false. |
KeyUsage | String | No | No | The intended use of the key. | Valid values: ENCRYPT/DECRYPT and SIGN/VERIFY. Default value: SIGN/VERIFY if the key supports signature verification. Otherwise, the default value is ENCRYPT/DECRYPT. |
EnableAutomaticRotation | Boolean | No | Yes | Specifies whether to enable automatic key rotation. | Valid values: true and false. |
KeySpec | String | No | No | The type of the key. | Valid values: Note: In the Chinese mainland, keys created using managed HSMs default to Aliyun_SM4. In all other cases, keys default to Aliyun_AES_256. |
PendingWindowInDays | Integer | No | No | The pending deletion period. During this period, you can revoke the deletion of a key that is in the pending-deletion state. After this period ends, you cannot revoke the deletion. | Valid values: 7 to 30. Default value: 30. Unit: days. |
Policy | Map | No | No | The key policy. | JSON format. Maximum size: 32768 bytes. For more information about key policies, see Overview of key policies. If you do not specify this property, the default key policy is used. A key policy contains the following elements: A key policy has the following format: |
ProtectionLevel | String | No | No | The protection level of the key. | Valid values: |
RotationInterval | String | No | Yes | The time interval for automatic key rotation. Example: 7d. | Format: an integer followed by a unit. Both 7d and 604800s represent a 7-day interval. Valid values: 7 to 730 days. |
Tags | List | No | Yes | The tags to add to the key. | You can add up to 20 tags. For more information, see Tags property. |
Tags syntax
"Tags": [
  {
    "Key": String,
    "Value": String
  }
]
Tags property
Property name | Type | Required | Updatable | Description | Constraint |
Key | String | Yes | No | The tag key. | Length: 1 to 128 characters. Cannot start with |
Value | String | No | No | The tag value. | Length: 0 to 128 characters. Cannot start with |
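The constraints in the two tables above can be checked before a template is deployed. The following added example is a hypothetical linter (not part of ROS or the KMS service) that flags ALIYUN::KMS::Key resources whose PendingWindowInDays, RotationInterval, KeyUsage, DeletionProtection or EnableAutomaticRotation settings fall outside the documented values; property values given as Ref or Fn::GetAtt are not resolved and are skipped, and the SCENARIO_1 template is constructed from the first example below.

```python
"""Hypothetical linter for ALIYUN::KMS::Key resources in a ROS template, using
the constraints above. Ref/Fn::GetAtt values are not resolved and are skipped."""
import re

_INTERVAL = re.compile(r"^(\d+)([ds])$")  # "7d" or "604800s"


def rotation_interval_days(value):
    """Convert a RotationInterval string to whole days; None if malformed."""
    m = _INTERVAL.match(str(value))
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return n if unit == "d" else n // 86400


def check_kms_key(props):
    """Return the findings for one ALIYUN::KMS::Key Properties map."""
    findings = []
    if "DKMSInstanceId" not in props:
        findings.append("DKMSInstanceId is required")
    if props.get("KeyUsage", "ENCRYPT/DECRYPT") not in ("ENCRYPT/DECRYPT", "SIGN/VERIFY"):
        findings.append("KeyUsage must be ENCRYPT/DECRYPT or SIGN/VERIFY")
    window = props.get("PendingWindowInDays", 30)  # default value is 30
    if isinstance(window, int) and not 7 <= window <= 30:
        findings.append("PendingWindowInDays must be 7 to 30")
    if props.get("DeletionProtection") is not True:
        findings.append("DeletionProtection is not enabled")
    if props.get("EnableAutomaticRotation") is not True:
        findings.append("EnableAutomaticRotation is not enabled")
    if isinstance(props.get("RotationInterval"), str):
        days = rotation_interval_days(props["RotationInterval"])
        if days is None or not 7 <= days <= 730:
            findings.append("RotationInterval must be 7 to 730 days (e.g. 7d or 604800s)")
    return findings


def check_template(template):
    """Map each ALIYUN::KMS::Key logical ID in a template to its findings."""
    return {name: check_kms_key(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "ALIYUN::KMS::Key"}


# Constructed from Scenario 1 below, where DeletionProtection is false.
SCENARIO_1 = {"Resources": {"KMS-Key-bhs-registry-secret": {
    "Type": "ALIYUN::KMS::Key", "Properties": {
        "DKMSInstanceId": {"Ref": "KMSInstance"}, "DeletionProtection": False,
        "Enable": True, "EnableAutomaticRotation": True,
        "KeySpec": "Aliyun_AES_256", "KeyUsage": "ENCRYPT/DECRYPT",
        "PendingWindowInDays": 7, "RotationInterval": "30d"}}}}
```

Running check_template(SCENARIO_1) reports only that deletion protection is disabled, which is what the first example template actually sets.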
Return values
Fn::GetAtt
KeyId: the globally unique identifier of the key.
Examples
Scenario 1: Create a KMS key using an existing KMS instance
YAML format:
Metadata: {}
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  KMSInstance:
    Type: String
    Description:
      en: KMS Instance Id.
Resources:
  KMS-Key-bhs-registry-secret:
    Type: ALIYUN::KMS::Key
    Properties:
      DKMSInstanceId:
        Ref: KMSInstance
      DeletionProtection: false
      Enable: true
      EnableAutomaticRotation: true
      KeySpec: Aliyun_AES_256
      KeyUsage: ENCRYPT/DECRYPT
      PendingWindowInDays: 7
      RotationInterval: 30d
JSON format:
{
  "Metadata": {
  },
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "KMSInstance": {
      "Type": "String",
      "Description": {
        "en": "KMS Instance Id."
      }
    }
  },
  "Resources": {
    "KMS-Key-bhs-registry-secret": {
      "Type": "ALIYUN::KMS::Key",
      "Properties": {
        "DKMSInstanceId": {
          "Ref": "KMSInstance"
        },
        "DeletionProtection": false,
        "Enable": true,
        "EnableAutomaticRotation": true,
        "KeySpec": "Aliyun_AES_256",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "PendingWindowInDays": 7,
        "RotationInterval": "30d"
      }
    }
  }
}
Scenario 2: Create a KMS instance and then create a KMS key
YAML format:
Metadata: {}
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ProductVersion:
    Type: String
    Description:
      en: KMS Instance commodity type (software/software-small/hardware/hardware-small).
    AllowedValues:
      - software
      - software-small
      - hardware
      - hardware-small
    Required: true
Resources:
  KMSInstance:
    Type: ALIYUN::KMS::Instance
    Properties:
      ProductVersion:
        Ref: ProductVersion
  KMSKey:
    Type: ALIYUN::KMS::Key
    Properties:
      DKMSInstanceId:
        Ref: KMSInstance
      DeletionProtection: false
      Enable: true
      EnableAutomaticRotation: true
      KeySpec: Aliyun_AES_256
      KeyUsage: ENCRYPT/DECRYPT
      PendingWindowInDays: 7
      RotationInterval: 30d
  KMSAlias:
    Type: ALIYUN::KMS::Alias
    Properties:
      AliasName: bhs-registry-secretDev
      KeyId:
        Fn::GetAtt:
          - KMSKey
          - KeyId
JSON format:
{
  "Metadata": {
  },
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "ProductVersion": {
      "Type": "String",
      "Description": {
        "en": "KMS Instance commodity type (software/software-small/hardware/hardware-small)."
      },
      "AllowedValues": [
        "software",
        "software-small",
        "hardware",
        "hardware-small"
      ],
      "Required": true
    }
  },
  "Resources": {
    "KMSInstance": {
      "Type": "ALIYUN::KMS::Instance",
      "Properties": {
        "ProductVersion": {
          "Ref": "ProductVersion"
        }
      }
    },
    "KMSKey": {
      "Type": "ALIYUN::KMS::Key",
      "Properties": {
        "DKMSInstanceId": {
          "Ref": "KMSInstance"
        },
        "DeletionProtection": false,
        "Enable": true,
        "EnableAutomaticRotation": true,
        "KeySpec": "Aliyun_AES_256",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "PendingWindowInDays": 7,
        "RotationInterval": "30d"
      }
    },
    "KMSAlias": {
      "Type": "ALIYUN::KMS::Alias",
      "Properties": {
        "AliasName": "bhs-registry-secretDev",
        "KeyId": {
          "Fn::GetAtt": [
            "KMSKey",
            "KeyId"
          ]
        }
      }
    }
  }
}
For more examples, see Public templates that include this resource.