How to create KMS asymmetric signing key resource with Cloudformation?
I've tried the following resource in my template:

    SigningKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "Auth API signing key"
        Enabled: true
        # Grant all permissions for root account
        KeyPolicy:
          Version: "2012-10-17"
          Id: "key-default-1"
          Statement:
            -
              Sid: "Enable IAM User Permissions"
              Effect: "Allow"
              Principal:
                - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
              Action: "kms:*"
              Resource: "*"
        EnableKeyRotation: true
        KeyUsage: SIGN_VERIFY

But this gives an error:

    The operation failed because the KeyUsage value of the CMK is SIGN_VERIFY. To perform this operation, the KeyUsage value must be ENCRYPT_DECRYPT.

It's also unclear where to specify the key type (e.g. RSA_2048) in the template from the docs.

According to AWS CloudFormation, you specify the key type in the KeySpec field. You can also see what types are currently supported in the document. Also, AWS KMS does not support automatic key rotation on asymmetric CMKs. For asymmetric CMKs, omit the EnableKeyRotation property or set it to false. The above doc also has an example of creating asymmetric CMKs that you can refer to.
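
A complete template applying the answer's two points (KeySpec set, EnableKeyRotation omitted), as an added example that is not from the original post or the AWS docs. The SignerRoleArn parameter, the "Allow signing only" statement and the output are assumptions added to show a narrowly scoped grant next to the account-root statement; the Principal is written here as a map of principal type to ARN.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Asymmetric KMS signing key (added example)

Parameters:
  # Hypothetical parameter: ARN of the IAM role that signs with this key.
  SignerRoleArn:
    Type: String

Resources:
  SigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Auth API signing key"
      Enabled: true
      # The key type is set in KeySpec; KeyUsage selects signing.
      KeySpec: RSA_2048
      KeyUsage: SIGN_VERIFY
      # EnableKeyRotation is omitted on purpose: automatic rotation is not
      # supported on asymmetric keys, and setting it to true produces the
      # "KeyUsage value must be ENCRYPT_DECRYPT" error from the question.
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          # Account root keeps full control so IAM policies can delegate access.
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # Assumed second statement: the signer role may sign and read the
          # public key, but cannot administer or delete the key.
          - Sid: "Allow signing only"
            Effect: "Allow"
            Principal:
              AWS: !Ref SignerRoleArn
            Action:
              - "kms:Sign"
              - "kms:GetPublicKey"
              - "kms:DescribeKey"
            Resource: "*"

Outputs:
  SigningKeyArn:
    Description: ARN of the signing key
    Value: !GetAtt SigningKey.Arn
```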