sparse-intern-71089
05/24/2023, 4:36 PM
white-balloon-205
Decrypt and Encrypt from the KMS API using your IAM credentials and the KMS KeyID you provide, which is consistent across rotation. So the rotation that KMS does is invisible.
However, there is a separate question about whether you want to re-encrypt (using rotated keys, or a new key) the secrets in your Pulumi stack. This can be accomplished with pulumi stack change-secrets-provider (https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/). You can pass that the same KMS key as is already being used to have it generate a new data key and re-encrypt the data key using the KMS Encrypt API, as well as all secrets in the stack with that new data key. This part is not automatic, and you have control over when you do this, and whether you use the same KMS key (with rotated internal key material) or a new key entirely. The same users who have IAM access to Decrypt data with this key will be able to read the secrets from the stack.
cool-dress-96114
05/30/2023, 6:11 AM