Has anybody tried to create a key in AWS KMS based...
# aws
a
Has anybody tried to create a key in AWS KMS based on external material in Python (or any other runtime)? In my case, I need an HMAC that I can share with 3rd parties, but you cannot export an HMAC secret key from AWS. I therefore want to create the HMAC secret in my code and make an ExternalKey from this. But... I cannot get it to work. Among the basic issues is that I cannot specify key usage and spec with the ExternalKey resource. The resulting resource does not have a `key_id`... (The AI is no help 😄 )
m
What do you expect `key_id` to contain? According to https://www.pulumi.com/registry/packages/aws/api-docs/kms/externalkey/#outputs you should get an ARN as well as a provider-specific ID. It looks like the Terraform provider that's used by AWS Classic does not support specifying the key type: https://github.com/hashicorp/terraform-provider-aws/issues/32561
You should be able to use the kms.Key resource in AWS Native to create an external key if you set `origin` to `EXTERNAL`. Presumably you would have to import the key material separately.
a
Re `key_id` - I expected the interface to be parallel to the Key function. Given the limits of the Terraform provider, I guess I will move to the native version.
m
My guess is that `key_id` is the AWS-internal unique identifier for the key material, which in the case of an external key does not exist.