Has anybody tried to create a key in AWS KMS based on external material in Python (or any other runtime)? In my case, I need a HMAC that I can share with 3rd parties but you cannot export a HMAC secret key from AWS. I therefore want to create the HMAC secret in my code, and make an ExternalKey from this. But... I cannot get it to work. Among the basic issues, is that I cannot specify key usage and spec with the ExternalKey resource. The resulting resource does not have a "key_id"... (The AI is no help 😄 )

What do you expect

key_id

to contain? According to https://www.pulumi.com/registry/packages/aws/api-docs/kms/externalkey/#outputs you should get an ARN as well as a provider-specific ID. It looks like the Terraform provider that's used by AWS classic does not support specifying the key type: https://github.com/hashicorp/terraform-provider-aws/issues/32561

Re key_id - I expected the interface to be parallel to the Key function. Given the limits of the Terraform provider, I guess I will move to the native version

My guess is that

key_id

is the AWS-internal unique identifier for the key material, which in the case of an external key does not exist.