Docs
PackagesTry AWS Native preview for resources not in the classic version.
AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi
aws.route53.KeySigningKey
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi
Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws.route53.HostedZoneDnsSec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.kms.Key("example", {
customerMasterKeySpec: "ECC_NIST_P256",
deletionWindowInDays: 7,
keyUsage: "SIGN_VERIFY",
policy: JSON.stringify({
Statement: [
{
Action: [
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
],
Effect: "Allow",
Principal: {
Service: "dnssec-route53.amazonaws.com",
},
Sid: "Allow Route 53 DNSSEC Service",
Resource: "*",
Condition: {
StringEquals: {
"aws:SourceAccount": current.then(current => current.accountId),
},
ArnLike: {
"aws:SourceArn": "arn:aws:route53:::hostedzone/*",
},
},
},
{
Action: "kms:CreateGrant",
Effect: "Allow",
Principal: {
Service: "dnssec-route53.amazonaws.com",
},
Sid: "Allow Route 53 DNSSEC Service to CreateGrant",
Resource: "*",
Condition: {
Bool: {
"kms:GrantIsForAWSResource": "true",
},
},
},
{
Action: "kms:*",
Effect: "Allow",
Principal: {
AWS: current.then(current => `arn:aws:iam::${current.accountId}:root`),
},
Resource: "*",
Sid: "Enable IAM User Permissions",
},
],
Version: "2012-10-17",
}),
});
const exampleZone = new aws.route53.Zone("example", {name: "example.com"});
const exampleKeySigningKey = new aws.route53.KeySigningKey("example", {
hostedZoneId: test.id,
keyManagementServiceArn: testAwsKmsKey.arn,
name: "example",
});
const exampleHostedZoneDnsSec = new aws.route53.HostedZoneDnsSec("example", {hostedZoneId: exampleKeySigningKey.hostedZoneId}, {
dependsOn: [exampleKeySigningKey],
});
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.kms.Key("example",
customer_master_key_spec="ECC_NIST_P256",
deletion_window_in_days=7,
key_usage="SIGN_VERIFY",
policy=json.dumps({
"Statement": [
{
"Action": [
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
],
"Effect": "Allow",
"Principal": {
"Service": "dnssec-route53.amazonaws.com",
},
"Sid": "Allow Route 53 DNSSEC Service",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": current.account_id,
},
"ArnLike": {
"aws:SourceArn": "arn:aws:route53:::hostedzone/*",
},
},
},
{
"Action": "kms:CreateGrant",
"Effect": "Allow",
"Principal": {
"Service": "dnssec-route53.amazonaws.com",
},
"Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true",
},
},
},
{
"Action": "kms:*",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{current.account_id}:root",
},
"Resource": "*",
"Sid": "Enable IAM User Permissions",
},
],
"Version": "2012-10-17",
}))
example_zone = aws.route53.Zone("example", name="example.com")
example_key_signing_key = aws.route53.KeySigningKey("example",
hosted_zone_id=test["id"],
key_management_service_arn=test_aws_kms_key["arn"],
name="example")
example_hosted_zone_dns_sec = aws.route53.HostedZoneDnsSec("example", hosted_zone_id=example_key_signing_key.hosted_zone_id,
opts = pulumi.ResourceOptions(depends_on=[example_key_signing_key]))
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/route53"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Statement": []interface{}{
map[string]interface{}{
"Action": []string{
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
},
"Effect": "Allow",
"Principal": map[string]interface{}{
"Service": "dnssec-route53.amazonaws.com",
},
"Sid": "Allow Route 53 DNSSEC Service",
"Resource": "*",
"Condition": map[string]interface{}{
"StringEquals": map[string]interface{}{
"aws:SourceAccount": current.AccountId,
},
"ArnLike": map[string]interface{}{
"aws:SourceArn": "arn:aws:route53:::hostedzone/*",
},
},
},
map[string]interface{}{
"Action": "kms:CreateGrant",
"Effect": "Allow",
"Principal": map[string]interface{}{
"Service": "dnssec-route53.amazonaws.com",
},
"Sid": "Allow Route 53 DNSSEC Service to CreateGrant",
"Resource": "*",
"Condition": map[string]interface{}{
"Bool": map[string]interface{}{
"kms:GrantIsForAWSResource": "true",
},
},
},
map[string]interface{}{
"Action": "kms:*",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:aws:iam::%v:root", current.AccountId),
},
"Resource": "*",
"Sid": "Enable IAM User Permissions",
},
},
"Version": "2012-10-17",
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "example", &kms.KeyArgs{
CustomerMasterKeySpec: pulumi.String("ECC_NIST_P256"),
DeletionWindowInDays: pulumi.Int(7),
KeyUsage: pulumi.String("SIGN_VERIFY"),
Policy: pulumi.String(json0),
})
if err != nil {
return err
}
_, err = route53.NewZone(ctx, "example", &route53.ZoneArgs{
Name: pulumi.String("example.com"),
})
if err != nil {
return err
}
exampleKeySigningKey, err := route53.NewKeySigningKey(ctx, "example", &route53.KeySigningKeyArgs{
HostedZoneId: pulumi.Any(test.Id),
KeyManagementServiceArn: pulumi.Any(testAwsKmsKey.Arn),
Name: pulumi.String("example"),
})
if err != nil {
return err
}
_, err = route53.NewHostedZoneDnsSec(ctx, "example", &route53.HostedZoneDnsSecArgs{
HostedZoneId: exampleKeySigningKey.HostedZoneId,
}, pulumi.DependsOn([]pulumi.Resource{
exampleKeySigningKey,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Kms.Key("example", new()
{
CustomerMasterKeySpec = "ECC_NIST_P256",
DeletionWindowInDays = 7,
KeyUsage = "SIGN_VERIFY",
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Action"] = new[]
{
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
},
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["Service"] = "dnssec-route53.amazonaws.com",
},
["Sid"] = "Allow Route 53 DNSSEC Service",
["Resource"] = "*",
["Condition"] = new Dictionary<string, object?>
{
["StringEquals"] = new Dictionary<string, object?>
{
["aws:SourceAccount"] = current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
},
["ArnLike"] = new Dictionary<string, object?>
{
["aws:SourceArn"] = "arn:aws:route53:::hostedzone/*",
},
},
},
new Dictionary<string, object?>
{
["Action"] = "kms:CreateGrant",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["Service"] = "dnssec-route53.amazonaws.com",
},
["Sid"] = "Allow Route 53 DNSSEC Service to CreateGrant",
["Resource"] = "*",
["Condition"] = new Dictionary<string, object?>
{
["Bool"] = new Dictionary<string, object?>
{
["kms:GrantIsForAWSResource"] = "true",
},
},
},
new Dictionary<string, object?>
{
["Action"] = "kms:*",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = $"arn:aws:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root",
},
["Resource"] = "*",
["Sid"] = "Enable IAM User Permissions",
},
},
["Version"] = "2012-10-17",
}),
});
var exampleZone = new Aws.Route53.Zone("example", new()
{
Name = "example.com",
});
var exampleKeySigningKey = new Aws.Route53.KeySigningKey("example", new()
{
HostedZoneId = test.Id,
KeyManagementServiceArn = testAwsKmsKey.Arn,
Name = "example",
});
var exampleHostedZoneDnsSec = new Aws.Route53.HostedZoneDnsSec("example", new()
{
HostedZoneId = exampleKeySigningKey.HostedZoneId,
}, new CustomResourceOptions
{
DependsOn =
{
exampleKeySigningKey,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.route53.Zone;
import com.pulumi.aws.route53.ZoneArgs;
import com.pulumi.aws.route53.KeySigningKey;
import com.pulumi.aws.route53.KeySigningKeyArgs;
import com.pulumi.aws.route53.HostedZoneDnsSec;
import com.pulumi.aws.route53.HostedZoneDnsSecArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new Key("example", KeyArgs.builder()
.customerMasterKeySpec("ECC_NIST_P256")
.deletionWindowInDays(7)
.keyUsage("SIGN_VERIFY")
.policy(serializeJson(
jsonObject(
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign"
)),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("Service", "dnssec-route53.amazonaws.com")
)),
jsonProperty("Sid", "Allow Route 53 DNSSEC Service"),
jsonProperty("Resource", "*"),
jsonProperty("Condition", jsonObject(
jsonProperty("StringEquals", jsonObject(
jsonProperty("aws:SourceAccount", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
)),
jsonProperty("ArnLike", jsonObject(
jsonProperty("aws:SourceArn", "arn:aws:route53:::hostedzone/*")
))
))
),
jsonObject(
jsonProperty("Action", "kms:CreateGrant"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("Service", "dnssec-route53.amazonaws.com")
)),
jsonProperty("Sid", "Allow Route 53 DNSSEC Service to CreateGrant"),
jsonProperty("Resource", "*"),
jsonProperty("Condition", jsonObject(
jsonProperty("Bool", jsonObject(
jsonProperty("kms:GrantIsForAWSResource", "true")
))
))
),
jsonObject(
jsonProperty("Action", "kms:*"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Resource", "*"),
jsonProperty("Sid", "Enable IAM User Permissions")
)
)),
jsonProperty("Version", "2012-10-17")
)))
.build());
var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
.name("example.com")
.build());
var exampleKeySigningKey = new KeySigningKey("exampleKeySigningKey", KeySigningKeyArgs.builder()
.hostedZoneId(test.id())
.keyManagementServiceArn(testAwsKmsKey.arn())
.name("example")
.build());
var exampleHostedZoneDnsSec = new HostedZoneDnsSec("exampleHostedZoneDnsSec", HostedZoneDnsSecArgs.builder()
.hostedZoneId(exampleKeySigningKey.hostedZoneId())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleKeySigningKey)
.build());
}
}
resources:
example:
type: aws:kms:Key
properties:
customerMasterKeySpec: ECC_NIST_P256
deletionWindowInDays: 7
keyUsage: SIGN_VERIFY
policy:
fn::toJSON:
Statement:
- Action:
- kms:DescribeKey
- kms:GetPublicKey
- kms:Sign
Effect: Allow
Principal:
Service: dnssec-route53.amazonaws.com
Sid: Allow Route 53 DNSSEC Service
Resource: '*'
Condition:
StringEquals:
aws:SourceAccount: ${current.accountId}
ArnLike:
aws:SourceArn: arn:aws:route53:::hostedzone/*
- Action: kms:CreateGrant
Effect: Allow
Principal:
Service: dnssec-route53.amazonaws.com
Sid: Allow Route 53 DNSSEC Service to CreateGrant
Resource: '*'
Condition:
Bool:
kms:GrantIsForAWSResource: 'true'
- Action: kms:*
Effect: Allow
Principal:
AWS: arn:aws:iam::${current.accountId}:root
Resource: '*'
Sid: Enable IAM User Permissions
Version: 2012-10-17
exampleZone:
type: aws:route53:Zone
name: example
properties:
name: example.com
exampleKeySigningKey:
type: aws:route53:KeySigningKey
name: example
properties:
hostedZoneId: ${test.id}
keyManagementServiceArn: ${testAwsKmsKey.arn}
name: example
exampleHostedZoneDnsSec:
type: aws:route53:HostedZoneDnsSec
name: example
properties:
hostedZoneId: ${exampleKeySigningKey.hostedZoneId}
options:
dependson:
- ${exampleKeySigningKey}
variables:
current:
fn::invoke:
Function: aws:getCallerIdentity
Arguments: {}
Create KeySigningKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KeySigningKey(name: string, args: KeySigningKeyArgs, opts?: CustomResourceOptions);@overload
def KeySigningKey(resource_name: str,
args: KeySigningKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KeySigningKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
hosted_zone_id: Optional[str] = None,
key_management_service_arn: Optional[str] = None,
name: Optional[str] = None,
status: Optional[str] = None)func NewKeySigningKey(ctx *Context, name string, args KeySigningKeyArgs, opts ...ResourceOption) (*KeySigningKey, error)public KeySigningKey(string name, KeySigningKeyArgs args, CustomResourceOptions? opts = null)
public KeySigningKey(String name, KeySigningKeyArgs args)
public KeySigningKey(String name, KeySigningKeyArgs args, CustomResourceOptions options)
type: aws:route53:KeySigningKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KeySigningKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KeySigningKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KeySigningKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KeySigningKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KeySigningKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var keySigningKeyResource = new Aws.Route53.KeySigningKey("keySigningKeyResource", new()
{
HostedZoneId = "string",
KeyManagementServiceArn = "string",
Name = "string",
Status = "string",
});
example, err := route53.NewKeySigningKey(ctx, "keySigningKeyResource", &route53.KeySigningKeyArgs{
HostedZoneId: pulumi.String("string"),
KeyManagementServiceArn: pulumi.String("string"),
Name: pulumi.String("string"),
Status: pulumi.String("string"),
})
var keySigningKeyResource = new KeySigningKey("keySigningKeyResource", KeySigningKeyArgs.builder()
.hostedZoneId("string")
.keyManagementServiceArn("string")
.name("string")
.status("string")
.build());
key_signing_key_resource = aws.route53.KeySigningKey("keySigningKeyResource",
hosted_zone_id="string",
key_management_service_arn="string",
name="string",
status="string")
const keySigningKeyResource = new aws.route53.KeySigningKey("keySigningKeyResource", {
hostedZoneId: "string",
keyManagementServiceArn: "string",
name: "string",
status: "string",
});
type: aws:route53:KeySigningKey
properties:
hostedZoneId: string
keyManagementServiceArn: string
name: string
status: string
KeySigningKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The KeySigningKey resource accepts the following input properties:
- Hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- Key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- Status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- Hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- Key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- Status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- hosted
Zone StringId - Identifier of the Route 53 Hosted Zone.
- key
Management StringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - name String
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- status String
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- hosted_
zone_ strid - Identifier of the Route 53 Hosted Zone.
- key_
management_ strservice_ arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - name str
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- status str
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- hosted
Zone StringId - Identifier of the Route 53 Hosted Zone.
- key
Management StringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - name String
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- status String
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
Outputs
All input properties are implicitly available as output properties. Additionally, the KeySigningKey resource produces the following output properties:
- Digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Algorithm intType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- Dnskey
Record string - A string that represents a DNSKEY record.
- Ds
Record string - A string that represents a delegation signer (DS) record.
- Flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- Public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- Signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Signing
Algorithm intType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Algorithm intType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- Dnskey
Record string - A string that represents a DNSKEY record.
- Ds
Record string - A string that represents a delegation signer (DS) record.
- Flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- Public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- Signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Signing
Algorithm intType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- digest
Algorithm StringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm IntegerType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value String - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record String - A string that represents a DNSKEY record.
- ds
Record String - A string that represents a delegation signer (DS) record.
- flag Integer
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Tag Integer - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- public
Key String - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm StringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm IntegerType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm numberType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record string - A string that represents a DNSKEY record.
- ds
Record string - A string that represents a delegation signer (DS) record.
- flag number
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- id string
- The provider-assigned unique ID for this managed resource.
- key
Tag number - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm numberType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- digest_
algorithm_ strmnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest_
algorithm_ inttype - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest_
value str - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey_
record str - A string that represents a DNSKEY record.
- ds_
record str - A string that represents a delegation signer (DS) record.
- flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- id str
- The provider-assigned unique ID for this managed resource.
- key_
tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- public_
key str - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing_
algorithm_ strmnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing_
algorithm_ inttype - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- digest
Algorithm StringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm NumberType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value String - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record String - A string that represents a DNSKEY record.
- ds
Record String - A string that represents a delegation signer (DS) record.
- flag Number
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Tag Number - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- public
Key String - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm StringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm NumberType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
Look up Existing KeySigningKey Resource
Get an existing KeySigningKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KeySigningKeyState, opts?: CustomResourceOptions): KeySigningKey@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
digest_algorithm_mnemonic: Optional[str] = None,
digest_algorithm_type: Optional[int] = None,
digest_value: Optional[str] = None,
dnskey_record: Optional[str] = None,
ds_record: Optional[str] = None,
flag: Optional[int] = None,
hosted_zone_id: Optional[str] = None,
key_management_service_arn: Optional[str] = None,
key_tag: Optional[int] = None,
name: Optional[str] = None,
public_key: Optional[str] = None,
signing_algorithm_mnemonic: Optional[str] = None,
signing_algorithm_type: Optional[int] = None,
status: Optional[str] = None) -> KeySigningKeyfunc GetKeySigningKey(ctx *Context, name string, id IDInput, state *KeySigningKeyState, opts ...ResourceOption) (*KeySigningKey, error)public static KeySigningKey Get(string name, Input<string> id, KeySigningKeyState? state, CustomResourceOptions? opts = null)public static KeySigningKey get(String name, Output<String> id, KeySigningKeyState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Algorithm intType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- Dnskey
Record string - A string that represents a DNSKEY record.
- Ds
Record string - A string that represents a delegation signer (DS) record.
- Flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- Hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- Key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - Key
Tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- Public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- Signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Signing
Algorithm intType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- Digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Algorithm intType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- Digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- Dnskey
Record string - A string that represents a DNSKEY record.
- Ds
Record string - A string that represents a delegation signer (DS) record.
- Flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- Hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- Key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - Key
Tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- Name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- Public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- Signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Signing
Algorithm intType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- Status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- digest
Algorithm StringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm IntegerType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value String - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record String - A string that represents a DNSKEY record.
- ds
Record String - A string that represents a delegation signer (DS) record.
- flag Integer
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- hosted
Zone StringId - Identifier of the Route 53 Hosted Zone.
- key
Management StringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - key
Tag Integer - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- name String
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- public
Key String - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm StringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm IntegerType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- status String
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- digest
Algorithm stringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm numberType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value string - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record string - A string that represents a DNSKEY record.
- ds
Record string - A string that represents a delegation signer (DS) record.
- flag number
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- hosted
Zone stringId - Identifier of the Route 53 Hosted Zone.
- key
Management stringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - key
Tag number - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- name string
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- public
Key string - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm stringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm numberType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- status string
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- digest_
algorithm_ strmnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest_
algorithm_ inttype - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest_
value str - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey_
record str - A string that represents a DNSKEY record.
- ds_
record str - A string that represents a delegation signer (DS) record.
- flag int
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- hosted_
zone_ strid - Identifier of the Route 53 Hosted Zone.
- key_
management_ strservice_ arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - key_
tag int - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- name str
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- public_
key str - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing_
algorithm_ strmnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing_
algorithm_ inttype - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- status str
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
- digest
Algorithm StringMnemonic - A string used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Algorithm NumberType - An integer used to represent the delegation signer digest algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.3.
- digest
Value String - A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system.
- dnskey
Record String - A string that represents a DNSKEY record.
- ds
Record String - A string that represents a delegation signer (DS) record.
- flag Number
- An integer that specifies how the key is used. For key-signing key (KSK), this value is always 257.
- hosted
Zone StringId - Identifier of the Route 53 Hosted Zone.
- key
Management StringService Arn - Amazon Resource Name (ARN) of the Key Management Service (KMS) Key. This must be unique for each key-signing key (KSK) in a single hosted zone. This key must be in the
us-east-1Region and meet certain requirements, which are described in the Route 53 Developer Guide and Route 53 API Reference. - key
Tag Number - An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B.
- name String
Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone.
The following arguments are optional:
- public
Key String - The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5.
- signing
Algorithm StringMnemonic - A string used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- signing
Algorithm NumberType - An integer used to represent the signing algorithm. This value must follow the guidelines provided by RFC-8624 Section 3.1.
- status String
- Status of the key-signing key (KSK). Valid values:
ACTIVE,INACTIVE. Defaults toACTIVE.
Import
Using pulumi import, import aws_route53_key_signing_key resources using the Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (,). For example:
$ pulumi import aws:route53/keySigningKey:KeySigningKey example Z1D633PJN98FT9,example
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
Try AWS Native preview for resources not in the classic version.
AWS Classic v6.42.0 published on Wednesday, Jun 26, 2024 by Pulumi