An npm package for providing AwsKmsKeyStore
, an implementation of KeyStore
from @planetarium/account that uses AWS KMS as the backend.
Method | Required permissions | Required for AwsKmsKeyStoreOptions.scopingTags
|
---|---|---|
AwsKmsKeyStore.list() |
kms:ListKeys |
kms:ListResourceTags |
AwsKmsKeyStore.get() |
kms:ListKeys |
kms:ListResourceTags |
AwsKmsKeyStore.generate() |
kms:CreateKey , kms:GetPublicKey
|
kms:TagResource |
AwsKmsKeyStore.delete() |
kms:ScheduleKeyDeletion |
|
AwsKmsAccount.sign() 1
|
kms:Sign |
Replace [NUMERIC_ROOT_ACCOUNT_ID]
with your [12-digit root account ID][AWSId]:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:ScheduleKeyDeletion",
"kms:DescribeKey",
"kms:ListResourceTags",
"kms:Sign",
"kms:TagResource"
],
"Resource": "arn:aws:kms:*:[NUMERIC_ROOT_ACCOUNT_ID]:key/*"
},
{
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:CreateKey"
],
"Resource": "*"
}
]
}
-
An
AwsKmsAccount
instance can be obtained fromAwsKmsKeyStore.get()
. [AWSId]: https://docs.aws.amazon.com/signin/latest/userguide/FindingYourAWSId.html ↩