State module for managing Amazon KMS Keys.

async present(ctx, name: str, resource_id: str = None, description: str = '', key_usage: str = 'ENCRYPT_DECRYPT', key_spec: str = 'SYMMETRIC_DEFAULT', key_state: str = 'Enabled', origin: str = 'AWS_KMS', multi_region: bool = False, policy: str = None, bypass_policy_lockout_safety_check: bool = False, enable_key_rotation: bool = False, tags: List[Dict[str, Any]] = None, timeout: Dict = None) -> Dict[str, Any]

Creates an AWS KMS key.

Update limitations:
  • policy can be updated, but cannot be cleared once set.

  • multi_region, key_usage, and key_spec cannot be updated.

  • enable_key_rotation cannot be enabled on asymmetric KMS keys.

Parameters:
  • name (str) – An Idem name of the resource.

  • resource_id (str, Optional) – The ID or ARN of the key in Amazon Web Services.

  • description (str, Optional) – A description of the KMS key.

  • key_usage (str, Optional) – Determines the cryptographic operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. Valid values are ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, SIGN_VERIFY.

  • key_spec (str, Optional) – Specifies the type of KMS key to create. The default value is SYMMETRIC_DEFAULT. Valid values are SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2.

  • key_state (str, Optional) – Whether the key is enabled or not. The default value is Enabled. Valid values are Enabled, Disabled.

  • origin (str, Optional) – The source of the key material for the KMS key. The default value is AWS_KMS. Valid values are AWS_KMS, EXTERNAL, AWS_CLOUDHSM.

  • multi_region (bool, Optional) – Creates a multi-Region primary key that you can replicate into other Amazon Web Services Regions. Default value is False.

  • policy (str, Optional) – The key policy to attach to the KMS key. If you do not specify a key policy, KMS attaches a default key policy to the KMS key.

  • bypass_policy_lockout_safety_check (bool, Optional) – A flag to indicate whether to bypass the key policy lockout safety check. Default value is False. Setting this value to True increases the risk that the KMS key becomes unmanageable. Do not set this value to True indiscriminately.

  • enable_key_rotation (bool, Optional) – Whether to enable or disable automatic rotation of the key material of the specified symmetric encryption KMS key. Default value is False.

  • tags (dict or list, Optional) –

    Dict in the format of {tag-key: tag-value} or List of tags in the format of [{"TagKey": tag-key, "TagValue": tag-value}] to associate with the key. To use this parameter, you must have kms:TagResource permission in an IAM policy.

    • TagKey (str):

      The key of the tag.

    • TagValue (str):

      The value of the tag.

  • timeout (dict, Optional) –

    Timeout configuration for update of AWS KMS key.

    • update (dict, Optional):

      Timeout configuration when updating a KMS key.

      • delay (int, Optional):

        The amount of time in seconds to wait between attempts. Default value is 2.

      • max_attempts (int, Optional):

        Max attempts of waiting for change. Default value is 120.

Request Syntax:
    [kms-key-name]:
      aws.kms.key.present:
        - name: 'string'
        - resource_id: 'string'
        - description: 'string'
        - key_usage: 'ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|SIGN_VERIFY'
        - key_spec: 'SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2'
        - key_state: 'Enabled|Disabled'
        - origin: 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM'
        - multi_region: True|False
        - policy: 'string'
        - bypass_policy_lockout_safety_check: True|False
        - enable_key_rotation: True|False
        - tags:
            - TagKey: 'string'
              TagValue: 'string'
        - timeout:
            update:
              delay: int
              max_attempts: int

Returns:
    Dict[str, Any]

Examples:
    idem_test_kms_key:
      aws.kms.key.present:
        - name: idem_test_kms_key
        - description: 'AWS KMS KEY'
        - key_usage: 'ENCRYPT_DECRYPT'
        - key_spec: 'SYMMETRIC_DEFAULT'
        - key_state: 'Enabled'
        - origin: 'AWS_KMS'
        - multi_region: False
        - policy:
            Version: '2012-10-17'
            Statement:
              - Sid: 'EnableIAMUserPermissions'
                Effect: 'Allow'
                Principal:
                  AWS: 'arn:aws:iam::111122223333:root'
                Action: ['kms:*']
                Resource: '*'
        - bypass_policy_lockout_safety_check: False
        - enable_key_rotation: False
        - tags:
            - TagKey: provider
              TagValue: idem
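Several of the parameter constraints above (key_spec determines the valid key_usage, rotation only applies to symmetric encryption keys, and a policy that drops the account's own access trips the lockout safety check) are only reported by KMS after the API call is made. The following is an added example, not code from Idem or idem-aws: a hypothetical pre-apply linter that takes the same parameter dict an SLS file passes to aws.kms.key.present and returns findings before anything is sent to KMS. The key_spec-to-key_usage table follows the KMS rules for the specs listed above; the lockout test is a simplified local heuristic (it looks for an Allow statement granting the account root kms:* or kms:PutKeyPolicy) and is an assumption, not the exact check KMS performs. The sample inputs are constructed, reusing the docs' example policy and account ID.

```python
"""Pre-apply linter for aws.kms.key.present parameters (added example).

Hypothetical helper, not part of Idem: it checks key_spec / key_usage /
enable_key_rotation combinations and the key policy locally. The lockout
check is a heuristic approximation (assumption), not the KMS algorithm.
"""
import json
from typing import Any, Dict, List, Set

# key_usage values each key_spec supports (KMS rules for the documented specs).
USAGE_BY_SPEC: Dict[str, Set[str]] = {"SYMMETRIC_DEFAULT": {"ENCRYPT_DECRYPT"}}
USAGE_BY_SPEC.update({s: {"GENERATE_VERIFY_MAC"} for s in ("HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512")})
USAGE_BY_SPEC.update({s: {"ENCRYPT_DECRYPT", "SIGN_VERIFY"} for s in ("RSA_2048", "RSA_3072", "RSA_4096", "SM2")})
USAGE_BY_SPEC.update({s: {"SIGN_VERIFY"} for s in ("ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1")})


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def _aws_principals(stmt: Dict[str, Any]) -> List[str]:
    """Return the AWS principals of a statement; '*' means any principal."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def policy_keeps_account_control(policy: Dict[str, Any], account_id: str) -> bool:
    """Heuristic lockout check: some Allow statement must give the account root
    kms:* or kms:PutKeyPolicy, otherwise the policy cannot be changed later."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _allow_statements(policy):
        actions = _as_list(stmt.get("Action", []))
        if root in _aws_principals(stmt) and ("kms:*" in actions or "kms:PutKeyPolicy" in actions):
            return True
    return False


def policy_open_to_any_principal(policy: Dict[str, Any]) -> bool:
    """True if any Allow statement names Principal '*' (anyone)."""
    return any("*" in _aws_principals(s) for s in _allow_statements(policy))


def validate_present(params: Dict[str, Any], account_id: str) -> List[str]:
    """Return findings for a present() parameter dict; an empty list means OK to apply."""
    findings: List[str] = []
    spec = params.get("key_spec", "SYMMETRIC_DEFAULT")
    usage = params.get("key_usage", "ENCRYPT_DECRYPT")
    allowed = USAGE_BY_SPEC.get(spec)
    if allowed is None:
        findings.append(f"unknown key_spec {spec!r}")
    elif usage not in allowed:
        findings.append(f"{spec} does not support key_usage {usage}; allowed: {sorted(allowed)}")
    # Automatic rotation exists only for symmetric encryption keys.
    if params.get("enable_key_rotation") and spec != "SYMMETRIC_DEFAULT":
        findings.append("enable_key_rotation is only valid for SYMMETRIC_DEFAULT keys")
    policy = params.get("policy")
    if policy is not None:
        policy = json.loads(policy) if isinstance(policy, str) else policy
        if not policy_keeps_account_control(policy, account_id):
            findings.append("policy does not grant kms:* or kms:PutKeyPolicy to the account root: "
                            "KMS rejects it unless bypass_policy_lockout_safety_check is True, "
                            "and bypassing leaves the key unmanageable")
        if policy_open_to_any_principal(policy):
            findings.append("policy has an Allow statement for Principal '*'")
    if params.get("bypass_policy_lockout_safety_check"):
        findings.append("bypass_policy_lockout_safety_check is True; confirm this is intended")
    return findings


# Constructed inputs: the docs' example policy plus two faulty variants.
ACCOUNT = "111122223333"
GOOD = {"key_spec": "SYMMETRIC_DEFAULT", "key_usage": "ENCRYPT_DECRYPT", "enable_key_rotation": True,
        "policy": {"Version": "2012-10-17", "Statement": [{"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": ["kms:*"], "Resource": "*"}]}}
BAD_SPEC = dict(GOOD, key_spec="ECC_NIST_P256")  # ENCRYPT_DECRYPT and rotation are both invalid for ECC
LOCKOUT = dict(GOOD, policy=json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app"}, "Action": "kms:Decrypt", "Resource": "*"}]}))

if __name__ == "__main__":
    for label, p in (("good", GOOD), ("bad_spec", BAD_SPEC), ("lockout", LOCKOUT)):
        print(label, validate_present(p, ACCOUNT) or "ok")
```

Running the block prints "good ok", two findings for the ECC variant, and one lockout finding for the policy that only names an IAM role. Because the helper works on the parsed policy, it accepts either the inline mapping form used in the example above or the JSON string form that the policy parameter is typed as.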
async absent(ctx, name: str, resource_id: str = None, pending_window_in_days: int = 7) -> Dict[str, Any]

Deletes an AWS KMS key.

A key cannot be deleted immediately, but it can be scheduled for deletion. Once deletion has been scheduled with pending_window_in_days, a deletion date is set on the key and cannot be modified, so calling absent again with a different pending_window_in_days is ignored. A key can also be disabled through the "present" function with key_state: 'Disabled'.

Parameters:
  • name (str) – An Idem name of the resource.

  • resource_id (str, Optional) – The ID or ARN of the key in Amazon Web Services. Idem automatically considers this resource absent if this field is not specified.

  • pending_window_in_days (int, Optional) – The waiting period, specified in number of days. After the waiting period ends, KMS deletes the KMS key. Default value is 7.


Returns:
    Dict[str, Any]

Request Syntax:
    [kms-key-name]:
      aws.kms.key.absent:
        - name: 'string'
        - resource_id: 'string'
        - pending_window_in_days: int

Examples:
    idem_test_kms_key:
      aws.kms.key.absent:
        - name: idem_test_kms_key
        - resource_id: 1234abcd-12ab-34cd-56ef-1234567890ab
        - pending_window_in_days: 2
async describe(ctx) -> Dict[str, Dict[str, Any]]

Describes AWS KMS keys in a form that can be recreated or managed with the corresponding "present" function.


Returns:
    Dict[str, Dict[str, Any]]

Examples:
    $ idem describe aws.kms.key