import type { Construct } from 'constructs';
import type { IKey } from './key';
import type { AliasReference, IAliasRef, KeyReference } from './kms.generated';
import * as iam from '../../aws-iam';
import type { RemovalPolicy } from '../../core';
import { Resource } from '../../core';
/**
 * A KMS Key alias.
 *
 * An alias can be used in all places that expect a key: it extends `IKey`,
 * so it satisfies the key contract, and `IAliasRef`, which exposes the
 * alias itself as a referenceable resource.
 */
export interface IAlias extends IKey, IAliasRef {
  /**
   * The name of the alias.
   *
   * @attribute
   */
  readonly aliasName: string;

  /**
   * The Key to which the Alias refers.
   *
   * @attribute
   */
  readonly aliasTargetKey: IKey;
}
/**
 * Construction properties for a KMS Key Alias object.
 */
export interface AliasProps {
  /**
   * The name of the alias. The name must start with `alias` followed by a
   * forward slash, such as `alias/`. You can't specify aliases that begin with
   * `alias/AWS`. These aliases are reserved.
   *
   * NOTE(review): this declaration does not show whether the prefix rule is
   * validated at synthesis time or only rejected by the service — confirm
   * against the implementation.
   */
  readonly aliasName: string;

  /**
   * The key for which you are creating the alias. A key construct (`IKey`)
   * is passed here rather than a raw identifier; the underlying resource
   * requires the key's globally unique identifier or Amazon Resource Name
   * (ARN). You can't specify another alias as the target.
   */
  readonly targetKey: IKey;

  /**
   * Policy to apply when the alias is removed from this stack.
   *
   * @default - The alias will be deleted
   */
  readonly removalPolicy?: RemovalPolicy;
}
/**
 * Common declaration shared by concrete (`Alias`) and imported aliases.
 *
 * This is a declaration only: method bodies are not part of this file, so the
 * comments below describe the declared contract, not the implementation.
 */
declare abstract class AliasBase extends Resource implements IAlias {
  /** The name of the alias (see `IAlias.aliasName`). */
  abstract readonly aliasName: string;

  /** The key this alias refers to (see `IAlias.aliasTargetKey`). */
  abstract readonly aliasTargetKey: IKey;

  /** A reference to this alias, in the shape required by `IAliasRef`. */
  get aliasRef(): AliasReference;

  /**
   * A reference to this alias in the `KeyReference` shape — presumably what
   * the `IKey` contract requires; the referenced fields are not visible here.
   */
  get keyRef(): KeyReference;

  /**
   * The ARN of the alias.
   *
   * @attribute
   * @deprecated use `aliasArn` instead
   */
  get keyArn(): string;

  /**
   * The ARN of the alias.
   *
   * @attribute
   */
  get aliasArn(): string;

  /**
   * Key identifier required by the `IKey` contract. What an alias resolves
   * this to is not visible in this declaration — confirm against the
   * implementation before relying on it for policy conditions.
   */
  get keyId(): string;

  /**
   * Create a further alias for the key this alias targets.
   *
   * Not supported on an alias imported with `Alias.fromAliasName`, which
   * holds no direct reference to the key (see that method).
   *
   * @param alias the new alias name
   */
  addAlias(alias: string): Alias;

  /**
   * Add a statement to the resource policy of the key behind this alias
   * (presumably delegated to the target key — confirm against the
   * implementation).
   *
   * @param statement the policy statement to add
   * @param allowNoOp looks like it controls whether a policy that cannot be
   *   modified is tolerated rather than reported — verify against the
   *   implementation before passing `true`.
   */
  addToResourcePolicy(statement: iam.PolicyStatement, allowNoOp?: boolean): iam.AddToResourcePolicyResult;

  /**
   * Grant the given principal the listed actions on this alias.
   *
   * For an alias imported with `Alias.fromAliasName`, see that method's
   * notes: depending on the
   * `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal` feature flag
   * the grant either conditions the principal policy on the alias name or is
   * a no-op, so callers should not assume the permission was applied.
   *
   * [disable-awslint:no-grants]
   */
  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;

  /**
   * Grant decryption permissions using this alias to the given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantDecrypt(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant encryption permissions using this alias to the given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantEncrypt(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant encryption and decryption permissions using this alias to the
   * given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantEncryptDecrypt(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant signing permissions using this alias to the given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantSign(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant signature-verification permissions using this alias to the given
   * principal.
   *
   * [disable-awslint:no-grants]
   */
  grantVerify(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant signing and signature-verification permissions using this alias to
   * the given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantSignVerify(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant MAC-generation permissions using this alias to the given principal.
   *
   * [disable-awslint:no-grants]
   */
  grantGenerateMac(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grant MAC-verification permissions using this alias to the given
   * principal.
   *
   * [disable-awslint:no-grants]
   */
  grantVerifyMac(grantee: iam.IGrantable): iam.Grant;
}
/**
 * Properties of a reference to an existing KMS Alias
 */
export interface AliasAttributes {
  /**
   * Specifies the alias name. This value must begin with `alias/` followed by
   * a name (e.g. `alias/ExampleAlias`).
   */
  readonly aliasName: string;

  /**
   * The customer master key (CMK) to which the Alias refers.
   */
  readonly aliasTargetKey: IKey;
}
/**
 * Defines a display name for a customer master key (CMK) in AWS Key Management
 * Service (AWS KMS). Using an alias to refer to a key can help you simplify key
 * management. For example, when rotating keys, you can just update the alias
 * mapping instead of tracking and changing key IDs. For more information, see
 * Working with Aliases in the AWS Key Management Service Developer Guide.
 *
 * You can also add an alias for a key by calling `key.addAlias(alias)`.
 *
 * @resource AWS::KMS::Alias
 */
export declare class Alias extends AliasBase {
  /** Uniquely identifies this class. */
  static readonly PROPERTY_INJECTION_ID: string;

  /**
   * Import an existing KMS Alias defined outside the CDK app.
   *
   * @param scope The parent creating construct (usually `this`).
   * @param id The construct's name.
   * @param attrs the properties of the referenced KMS Alias
   */
  static fromAliasAttributes(scope: Construct, id: string, attrs: AliasAttributes): IAlias;

  /**
   * Import an existing KMS Alias defined outside the CDK app, by the alias name. This method should be used
   * instead of 'fromAliasAttributes' when the underlying KMS Key ARN is not available.
   * This Alias will not have a direct reference to the KMS Key, so addAlias method is not supported.
   *
   * If the `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal` feature flag is set to `true`,
   * the grant* methods will use the kms:ResourceAliases condition to grant permissions to the specific alias name.
   * They will only modify the principal policy, not the key resource policy.
   * Without the feature flag `grant*` methods will be a no-op.
   *
   * Because the no-op is silent, a stack that relies on those grants with
   * the flag unset ends up with a principal that lacks the intended
   * permission and nothing in the synthesized template signals it — enable
   * the flag, or check the flag state before calling `grant*` on an alias
   * imported this way.
   *
   * @param scope The parent creating construct (usually `this`).
   * @param id The construct's name.
   * @param aliasName The full name of the KMS Alias (e.g., 'alias/aws/s3', 'alias/myKeyAlias').
   */
  static fromAliasName(scope: Construct, id: string, aliasName: string): IAlias;

  /** Underlying alias resource; its type is elided from this declaration. */
  private readonly resource;

  /** The key this alias points to (see `AliasProps.targetKey`). */
  readonly aliasTargetKey: IKey;

  /** The name of the alias. */
  get aliasName(): string;

  /**
   * Create a new alias for a key.
   *
   * @param scope The parent creating construct (usually `this`).
   * @param id The construct's name.
   * @param props construction properties, including the target key and alias name
   */
  constructor(scope: Construct, id: string, props: AliasProps);

  /**
   * Override of `Resource.generatePhysicalName`. Presumably produces the
   * alias name used for the resource — the derivation is not visible in this
   * declaration; confirm against the implementation.
   */
  protected generatePhysicalName(): string;
}
// Keeps this declaration file a module even though every export above is a type or an ambient declaration.
export {};