
How to create KMS asymmetric signing key resource with Cloudformation?

I've tried the following resource in my template:

  SigningKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Auth API signing key"
      Enabled: true
      # Grant all permissions for root account
      KeyPolicy:
        Version: "2012-10-17"
        Id: "key-default-1"
        Statement:
          - Sid: "Enable IAM User Permissions"
            Effect: "Allow"
            # Principal is a map, not a list, in IAM policy syntax
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
      EnableKeyRotation: true
      KeyUsage: SIGN_VERIFY

But this gives an error:

The operation failed because the KeyUsage value of the CMK is SIGN_VERIFY. To perform this operation, the KeyUsage value must be ENCRYPT_DECRYPT.

It's also unclear where to specify the key type (e.g. RSA_2048) in the template from the docs.

According to AWS CloudFormation, you specify the key type in the KeySpec field. You can also see what types are currently supported in the document. Also, AWS KMS does not support automatic key rotation on asymmetric CMKs. For asymmetric CMKs, omit the EnableKeyRotation property or set it to false. The above doc also has an example of creating asymmetric CMKs that you can refer to.
