KMS - Ability to import an AWS managed key by its alias
It would be nice to be able to reuse existing/default keys that come with every AWS account, without having to hardcode their full ARNs, e.g. by providing just their alias.
Currently, it’s only possible through:
const key = kms.Key.fromKeyArn(this, "default", "arn:aws:kms:us-east-1:xxxxx:key/390a2c1f-xxxx-4abd-xxxx-c17e04362ba9")
It would be nice to have something like:
const key = kms.Key.fromKeyAlias(this, "default", "alias:aws/s3")
As is currently possible using Terraform: https://www.terraform.io/docs/providers/aws/d/kms_key.html
Use Case
I am currently creating a CloudTrail that sends log files to an S3 bucket. The CloudTrail has the option for “encrypting logs using KMS”. However, in order to pass it the default S3 key that AWS provided me, I need to be able to find/import it. The only possibility currently is the following method, which is far from an ideal solution because it requires me to hardcode the key ID in the ARN (a highly dynamic string). This makes the CDK stack less reusable and portable across regions and AWS accounts (another account will have a different key ID for the default S3 key, for example).
Proposed Solution
A new method like:
const key = kms.Key.fromAlias(this, "default", "alias:kms/s3")
Other
Current code:
```typescript
// CDK v1 module names, matching the cdk.Construct / cdk.Stack types used below
import * as cdk from '@aws-cdk/core';
import * as kms from '@aws-cdk/aws-kms';
import * as cloudtrail from '@aws-cdk/aws-cloudtrail';

export class Cloudtrail extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Import the AWS managed S3 key by its full ARN (account and key ID redacted)
    const key = kms.Key.fromKeyArn(this, "default", "arn:aws:kms:us-east-1:xxxxx:key/390a2c1f-xxxx-4abd-xxxx-c17e04362ba9");

    // Trail that encrypts its log files with the imported key
    const trail = new cloudtrail.Trail(this, 'CloudTrail', {
      sendToCloudWatchLogs: true,
      includeGlobalServiceEvents: true,
      kmsKey: key
    });
  }
}
```
This is a 🚀 Feature Request
Issue Analytics
- Created 4 years ago
- Reactions: 14
- Comments: 7 (5 by maintainers)
Top GitHub Comments
Hello, I don’t think this addresses the initial request/concern. Sometimes an alias name cannot be used in IAM policies, and the actual KMS key ARN must be used instead. The above call, kms.Alias.fromAliasName(this, 'myKey', 'alias/myTestKey'), returns aliasName, which is great. But then I would like to get a key ARN from that alias name.
If I do it like this (I’m using Python),
kms.Alias.from_alias_name(self, "myKey", "alias/myTestKey").alias_target_key, I get this error:
jsii.errors.JSIIError: Cannot access aliasTargetKey on an Alias imnported by Alias.fromAliasName().
Please advise. How can I look up a key ARN from its alias name/ARN?
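The gap both the issue and this comment describe is the step from an alias name to the key ARN that a policy or a Trail actually needs. The following is an added example, not code from the aws-cdk issue or from the aws-cdk project: it takes the response of a KMS DescribeKey call made with an alias name (the call itself, whether through the SDK or a deploy-time custom resource, is assumed to happen elsewhere and is not shown), checks that the key is enabled, is an encryption key and lives in the expected account and region, and only then hands back the key ARN. SAMPLE_DESCRIBE_KEY is constructed sample data shaped like the KMS API response, with a made-up account and key ID; the function and type names are this example's own.

```typescript
// Added example (not aws-cdk code): resolve a KMS alias to a validated key ARN from a
// DescribeKey response. The DescribeKey call is assumed to be made by the caller.

interface KeyMetadata {
  KeyId: string;
  Arn: string;
  KeyState: string;    // e.g. "Enabled", "Disabled", "PendingDeletion"
  KeyManager: string;  // "AWS" for AWS managed keys, "CUSTOMER" for customer managed keys
  KeyUsage: string;    // "ENCRYPT_DECRYPT" or "SIGN_VERIFY"
}

interface DescribeKeyResponse {
  KeyMetadata: KeyMetadata;
}

interface KmsArn {
  partition: string;
  region: string;
  account: string;
  resourceType: 'key' | 'alias';
  resourceId: string;
}

// Split a KMS key or alias ARN into its parts; anything else is rejected.
function parseKmsArn(arn: string): KmsArn {
  const m = /^arn:(aws[a-z-]*):kms:([a-z0-9-]+):(\d{12}):(key|alias)\/(.+)$/.exec(arn);
  if (m === null) {
    throw new Error(`not a KMS key or alias ARN: ${arn}`);
  }
  return {
    partition: m[1],
    region: m[2],
    account: m[3],
    resourceType: m[4] as 'key' | 'alias',
    resourceId: m[5],
  };
}

// Accept "alias/aws/s3" or the bare "aws/s3" and return the canonical alias name that
// DescribeKey expects as KeyId. ARNs are rejected so aliases and keys cannot be mixed up.
function normalizeAliasName(input: string): string {
  if (input.startsWith('arn:')) {
    throw new Error(`expected an alias name, got an ARN: ${input}`);
  }
  const name = input.startsWith('alias/') ? input : `alias/${input}`;
  // KMS alias names allow alphanumerics, forward slashes, underscores and dashes.
  if (!/^alias\/[A-Za-z0-9/_-]+$/.test(name)) {
    throw new Error(`invalid KMS alias name: ${input}`);
  }
  return name;
}

interface ResolvedKey {
  keyArn: string;
  keyId: string;
  managedByAws: boolean;
}

// Validate the DescribeKey output before its ARN is wired into a policy or a Trail: the
// key must be enabled, usable for encryption, and in the account/region the stack is
// deployed to, which is the portability concern raised in the issue.
function resolveKeyArn(resp: DescribeKeyResponse, expected: { region: string; account: string }): ResolvedKey {
  const md = resp.KeyMetadata;
  if (md.KeyState !== 'Enabled') {
    throw new Error(`key ${md.KeyId} is in state ${md.KeyState}, not Enabled`);
  }
  if (md.KeyUsage !== 'ENCRYPT_DECRYPT') {
    throw new Error(`key ${md.KeyId} has usage ${md.KeyUsage}; ENCRYPT_DECRYPT is required`);
  }
  const parsed = parseKmsArn(md.Arn);
  if (parsed.resourceType !== 'key') {
    throw new Error(`expected a key ARN, got: ${md.Arn}`);
  }
  if (parsed.region !== expected.region || parsed.account !== expected.account) {
    throw new Error(`key ${md.Arn} is not in ${expected.account}/${expected.region}`);
  }
  return { keyArn: md.Arn, keyId: md.KeyId, managedByAws: md.KeyManager === 'AWS' };
}

// Constructed sample response (fictitious account and key ID) in the shape KMS returns
// for DescribeKey with KeyId "alias/aws/s3".
const SAMPLE_DESCRIBE_KEY: DescribeKeyResponse = {
  KeyMetadata: {
    KeyId: '11111111-2222-4333-8444-555555555555',
    Arn: 'arn:aws:kms:us-east-1:123456789012:key/11111111-2222-4333-8444-555555555555',
    KeyState: 'Enabled',
    KeyManager: 'AWS',
    KeyUsage: 'ENCRYPT_DECRYPT',
  },
};

// Usage: const aliasName = normalizeAliasName('aws/s3');   // pass as KeyId to DescribeKey
//        const key = resolveKeyArn(response, { region: 'us-east-1', account: '123456789012' });
//        key.keyArn is the value an IAM "Resource" element or a Trail's kmsKey needs.
```

The managedByAws flag is surfaced rather than acted on because the caller has to decide what it means for them: the key policy of an AWS managed key (KeyManager "AWS") cannot be edited, so any access another principal needs has to be expressible on the IAM side, and a deploy-time lookup keeps the key ID out of the stack source so the same stack works in another account or region.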
@njlynch Opened https://github.com/aws/aws-cdk/issues/8822. Thanks.