
Key Management Service:Create a key

Last Updated:Nov 07, 2023

You can use Terraform to create and manage keys. This topic describes how to create a key.

Overview

Key Management Service (KMS) allows you to create a default key of the customer master key (CMK) type. You do not need to purchase a KMS instance. You can also create keys in a KMS instance. For more information about keys, see Overview of Key Management.

For more information about how to configure Terraform to manage keys, see alicloud_kms_key.

Limits

The Terraform version must be 0.14.0 or later. We recommend that you use the latest version. You can go to the Terraform official website to download the latest version.

Prerequisites

A Resource Access Management (RAM) user is created, and the AliyunKMSFullAccess policy is attached to the RAM user. This prerequisite applies when Terraform runs with the credentials of a RAM user. The AliyunKMSFullAccess policy grants permissions to manage KMS resources. For more information, see Grant permissions to RAM users.

Create a default key of the CMK type

  1. Create a working directory and a file named main.tf in the directory.

    main.tf: This file is the main file of Terraform and defines the resources that you want to deploy.

    // Create a default key of the CMK type.
    resource "alicloud_kms_key" "default_key_encrypt_decrypt" {
      description            = "default_key_encrypt_decrypt description"
      key_usage              = "ENCRYPT/DECRYPT"
      key_spec               = "Aliyun_AES_256"
      origin                 = "Aliyun_KMS"
      pending_window_in_days = 7
      tags = {
        "Environment" = "Production"
        "Name"        = "KMS-01"
        "SupportTeam" = "PlatformEngineering"
        "Contact"     = "group@example.com"
      }
    }
    // The key alias is alias/default_key_encrypt_decrypt_alias, which is unique within the Alibaba Cloud account.
    resource "alicloud_kms_alias" "default_key_encrypt_decrypt_alias" {
      alias_name = "alias/default_key_encrypt_decrypt_alias"
      key_id     = alicloud_kms_key.default_key_encrypt_decrypt.id
    }
  2. Run the terraform init command to initialize the Terraform runtime environment.

  3. Run the terraform plan command to generate a resource plan.

  4. Run the terraform apply command to create the key.

Create a key in a KMS instance

  1. Create a working directory and a file named main.tf in the directory.

    main.tf: This file is the main file of Terraform and defines the resources that you want to deploy.

    // A KMS instance kst-shh634e71ecu88d6e**** is created.
    variable "soft_kms_instance" {
      default = "kst-shh634e71ecu88d6e****"
    }

    // Create a key in the instance kst-shh634e71ecu88d6e****.
    // The key type is Aliyun_AES_256. The key is used for encryption and decryption (ENCRYPT/DECRYPT).
    resource "alicloud_kms_key" "kms_software_key_encrypt_decrypt" {
      description            = "default_key_encrypt_decrypt description"
      key_usage              = "ENCRYPT/DECRYPT"
      key_spec               = "Aliyun_AES_256"
      dkms_instance_id       = var.soft_kms_instance
      pending_window_in_days = 7
      tags = {
        "Environment" = "Production"
        "Name"        = "KMS-01"
        "SupportTeam" = "PlatformEngineering"
        "Contact"     = "aliyun@example.com"
      }
    }
    // The key alias is alias/kms_software_key_encrypt_decrypt, which is unique within the Alibaba Cloud account.
    resource "alicloud_kms_alias" "kms_software_key_encrypt_decrypt_alias" {
      alias_name = "alias/kms_software_key_encrypt_decrypt"
      key_id     = alicloud_kms_key.kms_software_key_encrypt_decrypt.id
    }
  2. Run the terraform init command to initialize the Terraform runtime environment.

  3. Run the terraform plan command to generate an execution plan.

  4. Run the terraform apply command to create the key.
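Before running terraform apply in either procedure above, the plan can be checked against the key settings the page uses (ENCRYPT/DECRYPT, Aliyun_AES_256, a 7-day pending window, the four tags, an alias/ prefix) and rejected if it would destroy a key. The checker below is an added example, not Alibaba Cloud's or the provider's code; it reads the JSON produced by terraform show -json <planfile>, and the embedded plan is a constructed sample.

```python
import json

# Baseline for alicloud_kms_key / alicloud_kms_alias, taken from the main.tf
# examples on this page.
EXPECTED_KEY_USAGE = "ENCRYPT/DECRYPT"
EXPECTED_KEY_SPEC = "Aliyun_AES_256"
MIN_PENDING_WINDOW_DAYS = 7
REQUIRED_TAGS = ("Environment", "Name", "SupportTeam", "Contact")

def check_kms_plan(plan_json: str) -> list:
    """Return findings for a `terraform show -json <planfile>` document; empty means all KMS resources pass."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        addr, actions = rc["address"], rc["change"]["actions"]
        after = rc["change"].get("after") or {}
        if rc["type"] == "alicloud_kms_key":
            if "delete" in actions:  # destroy or replace: ciphertext under the old key becomes unrecoverable
                findings.append(f"{addr}: plan destroys a key ({'/'.join(actions)})")
                continue
            if after.get("key_usage") != EXPECTED_KEY_USAGE:
                findings.append(f"{addr}: key_usage={after.get('key_usage')!r}")
            if after.get("key_spec") != EXPECTED_KEY_SPEC:
                findings.append(f"{addr}: key_spec={after.get('key_spec')!r}")
            if (after.get("pending_window_in_days") or 0) < MIN_PENDING_WINDOW_DAYS:
                findings.append(f"{addr}: pending_window_in_days below {MIN_PENDING_WINDOW_DAYS}")
            missing = [t for t in REQUIRED_TAGS if t not in (after.get("tags") or {})]
            if missing:
                findings.append(f"{addr}: missing tags {missing}")
        elif rc["type"] == "alicloud_kms_alias":
            if not str(after.get("alias_name", "")).startswith("alias/"):
                findings.append(f"{addr}: alias_name must start with 'alias/'")
    return findings

# Constructed sample in the shape of `terraform show -json` output (not real plan output).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "alicloud_kms_key.default_key_encrypt_decrypt", "type": "alicloud_kms_key",
     "change": {"actions": ["create"], "after": {
         "key_usage": "ENCRYPT/DECRYPT", "key_spec": "Aliyun_AES_256", "pending_window_in_days": 7,
         "tags": {"Environment": "Production", "Name": "KMS-01",
                  "SupportTeam": "PlatformEngineering", "Contact": "group@example.com"}}}},
    {"address": "alicloud_kms_alias.default_key_encrypt_decrypt_alias", "type": "alicloud_kms_alias",
     "change": {"actions": ["create"], "after": {"alias_name": "alias/default_key_encrypt_decrypt_alias"}}},
    {"address": "alicloud_kms_key.replaced", "type": "alicloud_kms_key",
     "change": {"actions": ["delete", "create"], "after": {"key_usage": "ENCRYPT/DECRYPT"}}},
]})

if __name__ == "__main__":
    for finding in check_kms_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Run it as a gate in the pipeline between terraform plan and terraform apply; a non-empty findings list is the signal to stop and review.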