KMS
AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt your data.
Example YAML file:

```yaml
apiVersion: aws.boundless.software/v1alpha1
kind: Kms
metadata:
  name: example-kms
spec:
  provider:
    region: us-east-1
  aliases:
    - example-alias
  description: example key
  policy:
    Statement:
      - Sid: Allow administration of the key
        Effect: Allow
        Principal:
          AWS: "arn:aws:iam::<id>:root"
        Action:
          - kms:*
        Resource: '*'
      - Sid: Allow use of the key
        Effect: Allow
        Principal:
          AWS: "arn:aws:iam::<id>:root"
        Action:
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey*
          - kms:DescribeKey
        Resource: '*'
```
KmsSpec
| Name | Type | Description |
|---|---|---|
| provider* | AwsProviderSpec | Provider specifies the AWS provider settings for this KMS key. Required |
| aliases | []string | Aliases are the aliases to be mapped to the KMS key. Optional |
| description | string | Description is the description of the KMS key. Optional |
| policy | map[string]apiext.JSON | Policy defines the key policy for the KMS key. Optional |
| replicas | map[string]KmsReplicaSpec | Replicas specifies the regions where replicas of this KMS key should exist. Optional |
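The `policy` field is an ordinary KMS key policy document, so it can be checked before the resource is applied. The following Python is an added example, not part of the operator: it takes the page's example policy (account id kept as the `<id>` placeholder) and flags an Allow to a wildcard principal with no Condition, principals outside the expected account, and the absence of an administration statement that would keep the key manageable.

```python
import fnmatch

# Key policy copied from the page's example Kms manifest (spec.policy); the
# account id stays as the page's "<id>" placeholder.
EXAMPLE_POLICY = {
    "Statement": [
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::<id>:root"},
         "Action": ["kms:*"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::<id>:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    ]
}

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Collect the AWS principals of a statement ('*' or Principal.AWS entries)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []

def lint_key_policy(policy, account_id):
    """Return a list of findings for a KMS key policy (spec.policy of a Kms)."""
    findings = []
    account_prefix = f"arn:aws:iam::{account_id}:"
    has_admin = False
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid") or f"Statement[{index}]"
        principals = _principals(statement)
        actions = _as_list(statement.get("Action"))
        if "*" in principals and "Condition" not in statement:
            findings.append(f"{sid}: Allow to Principal '*' without a Condition")
        for principal in principals:
            if principal != "*" and not principal.startswith(account_prefix):
                findings.append(f"{sid}: principal outside account {account_id}: {principal}")
        # An in-account principal allowed kms:PutKeyPolicy (directly or via kms:*)
        # keeps the key administrable; without one the key can become unmanageable.
        if any(p.startswith(account_prefix) for p in principals) and any(
                fnmatch.fnmatch("kms:PutKeyPolicy", action) for action in actions):
            has_admin = True
    if not has_admin:
        findings.append("no statement grants kms:PutKeyPolicy to an account principal")
    return findings
```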
KmsReplicaSpec
| Name | Type | Description |
|---|---|---|
| aliases | []string | Aliases are the aliases to be mapped to the replica KMS key. Optional |
Outputs
KmsStatus
| Name | Type | Description |
|---|---|---|
| condition | metav1.Condition | Condition provides the current condition of this KMS key. Optional |
| keyId | string | KeyId is the AWS KMS key ID. Optional |
| region | string | Region is the AWS region where this key exists. Optional |
| aliases | []*KmsAliasStatus | Aliases provides the status of each alias for this KMS key. Optional |
| replicas | map[string]*KmsReplicaStatus | Replicas provides the status of each replica for this KMS key. Optional |
KmsReplicaStatus
| Name | Type | Description |
|---|---|---|
| condition | metav1.Condition | Condition provides the current condition of this replica KMS key. Optional |
| keyId | string | KeyId is the AWS KMS key ID for this replica. Optional |
| region | string | Region is the AWS region where this replica key exists. Optional |
| aliases | []*KmsAliasStatus | Aliases provides the status of each alias for this replica KMS key. Optional |
KmsAliasStatus
| Name | Type | Description |
|---|---|---|
| condition | metav1.Condition | Condition provides the current condition of this alias. Optional |
| name | string | Name is the alias name. Optional |