Resource Orchestration Service:ALIYUN::KMS::Key

Last Updated:May 06, 2023

ALIYUN::KMS::Key is used to create a customer master key (CMK).

Syntax

{
  "Type": "ALIYUN::KMS::Key",
  "Properties": {
    "KeyUsage": String,
    "Enable": Boolean,
    "PendingWindowInDays": Integer,
    "Description": String,
    "KeySpec": String,
    "EnableAutomaticRotation": Boolean,
    "RotationInterval": String,
    "ProtectionLevel": String,
    "DKMSInstanceId": String
  }
}

Properties

Each property is listed with its type, whether it is required, whether it is editable after the CMK is created, its description, and its constraint.

KeyUsage
  Type: String. Required: No. Editable: No.
  Description: The usage of the CMK.
  Constraint: Valid values:
    • ENCRYPT/DECRYPT: The CMK is used to encrypt or decrypt data.
    • SIGN/VERIFY: The CMK is used to generate or verify a digital signature.

Enable
  Type: Boolean. Required: No. Editable: Yes.
  Description: Specifies whether to enable the CMK.
  Constraint: Valid values:
    • true (default)
    • false

PendingWindowInDays
  Type: Integer. Required: No. Editable: No.
  Description: The waiting period before a scheduled deletion of the CMK takes effect. During this period, the CMK is in the PendingDeletion state and the deletion can still be cancelled. After the period ends, you cannot cancel the deletion task.
  Constraint: Valid values: 7 to 30. Default value: 30. Unit: day.

Description
  Type: String. Required: No. Editable: Yes.
  Description: The description of the CMK.
  Constraint: The description can be up to 8,192 characters in length.

KeySpec
  Type: String. Required: No. Editable: No.
  Description: The type of the CMK.
  Constraint: Valid values:
    • Aliyun_AES_256
    • Aliyun_SM4
    • RSA_2048
    • EC_P256
    • EC_P256K
    • EC_SM2
  Note: If you want to create the CMK in a managed hardware security module (HSM) in the Chinese mainland, the default value is Aliyun_SM4. In other cases, the default value is Aliyun_AES_256.

EnableAutomaticRotation
  Type: Boolean. Required: No. Editable: Yes.
  Description: Specifies whether to enable automatic key rotation.
  Constraint: Valid values:
    • true
    • false (default)

RotationInterval
  Type: String. Required: No. Editable: Yes.
  Description: The interval of automatic key rotation. Example: 365d.
  Constraint: Specify the interval in the integer[unit] format, where integer specifies the length of time and unit specifies the unit of time. Valid values of unit:
    • d: day
    • h: hour
    • m: minute
    • s: second
  For example, you can use 7d or 604800s to specify a seven-day interval. The interval ranges from 7 days to 730 days.

ProtectionLevel
  Type: String. Required: No. Editable: No.
  Description: The protection level of the CMK.
  Constraint: Valid values:
    • SOFTWARE (default)
    • HSM

DKMSInstanceId
  Type: String. Required: No. Editable: No.
  Description: The ID of the dedicated Key Management Service (KMS) instance.
  Constraint: None.

Return values

Fn::GetAtt

KeyId: the ID of the CMK.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters: {}
    Resources:
      Key:
        Type: ALIYUN::KMS::Key
        Properties:
          KeyUsage: ENCRYPT/DECRYPT
          Enable: false
          PendingWindowInDays: 15
          Description: Test create key
    Outputs:
      KeyId:
        Description: The globally unique identifier for the CMK.
        Value:
          Fn::GetAtt:
            - Key
            - KeyId

  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
      },
      "Resources": {
        "Key": {
          "Type": "ALIYUN::KMS::Key",
          "Properties": {
            "KeyUsage": "ENCRYPT/DECRYPT",
            "Enable": false,
            "PendingWindowInDays": 15,
            "Description": "Test create key"
          }
        }
      },
      "Outputs": {
        "KeyId": {
          "Description": "The globally unique identifier for the CMK.",
          "Value": {
            "Fn::GetAtt": [
              "Key",
              "KeyId"
            ]
          }
        }
      }
    }
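
The constraints listed under Properties (the KeyUsage, KeySpec and ProtectionLevel value sets, the 7 to 30 day PendingWindowInDays range, the 8,192-character Description limit, and the integer[unit] RotationInterval format bounded to 7 to 730 days) are easy to get wrong in a hand-written template and only surface when the stack fails to create. The following is an added example, not code from the ROS documentation or the ROS product, of a pre-deployment checker that applies exactly those constraints to the ALIYUN::KMS::Key resources in a template; the sample template is constructed here and the hypothetical RSA_4096 value is deliberately invalid.

```python
import re

# Constraints as stated on the page for ALIYUN::KMS::Key.
VALID_KEY_USAGE = {"ENCRYPT/DECRYPT", "SIGN/VERIFY"}
VALID_KEY_SPEC = {"Aliyun_AES_256", "Aliyun_SM4", "RSA_2048", "EC_P256", "EC_P256K", "EC_SM2"}
VALID_PROTECTION = {"SOFTWARE", "HSM"}
_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}      # unit -> seconds
_INTERVAL_RE = re.compile(r"^(\d+)([dhms])$")             # integer[unit] format


def rotation_interval_seconds(value):
    """Parse a RotationInterval string such as '365d' or '604800s'; None if malformed."""
    m = _INTERVAL_RE.match(value)
    return None if m is None else int(m.group(1)) * _SECONDS[m.group(2)]


def check_kms_key(props):
    """Return the list of constraint violations in one ALIYUN::KMS::Key Properties block."""
    errors = []
    for name, valid in (("KeyUsage", VALID_KEY_USAGE), ("KeySpec", VALID_KEY_SPEC),
                        ("ProtectionLevel", VALID_PROTECTION)):
        if name in props and props[name] not in valid:
            errors.append(f"{name}: invalid value {props[name]!r}")
    days = props.get("PendingWindowInDays")
    if days is not None and not (isinstance(days, int) and 7 <= days <= 30):
        errors.append(f"PendingWindowInDays: {days!r} is outside 7 to 30")
    if len(props.get("Description", "")) > 8192:
        errors.append("Description: longer than 8,192 characters")
    interval = props.get("RotationInterval")
    if interval is not None:
        secs = rotation_interval_seconds(interval)
        if secs is None:
            errors.append(f"RotationInterval: {interval!r} is not in integer[unit] format")
        elif not 7 * 86400 <= secs <= 730 * 86400:
            errors.append(f"RotationInterval: {interval!r} is outside 7 days to 730 days")
    return errors


def check_template(template):
    """Check every ALIYUN::KMS::Key resource in a ROS template dict; returns {logical_id: errors}."""
    return {name: check_kms_key(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "ALIYUN::KMS::Key"}


# Constructed sample template: one valid key and one with three violations.
SAMPLE_TEMPLATE = {"ROSTemplateFormatVersion": "2015-09-01", "Resources": {
    "GoodKey": {"Type": "ALIYUN::KMS::Key", "Properties": {
        "KeyUsage": "ENCRYPT/DECRYPT", "KeySpec": "Aliyun_AES_256", "ProtectionLevel": "HSM",
        "EnableAutomaticRotation": True, "RotationInterval": "604800s", "PendingWindowInDays": 7}},
    "BadKey": {"Type": "ALIYUN::KMS::Key", "Properties": {
        "KeyUsage": "SIGN/VERIFY", "KeySpec": "RSA_4096",  # RSA_4096 is not a listed KeySpec
        "RotationInterval": "3d", "PendingWindowInDays": 45}}}}
```

Run it against a template loaded with json.load or a YAML loader before submitting the stack; any non-empty list in the result is a property the service would reject.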