KeyMetadata
Contains metadata about a KMS key.
This data type is used as a response element for the CreateKey, DescribeKey, and ReplicateKey operations.
Types
Properties
The Amazon Resource Name (ARN) of the KMS key. For examples, see Key Management Service (KMS) in the Example ARNs section of the Amazon Web Services General Reference.
The twelve-digit account ID of the Amazon Web Services account that owns the KMS key.
The cluster ID of the CloudHSM cluster that contains the key material for the KMS key. When you create a KMS key in an CloudHSM custom key store, KMS creates the key material for the KMS key in the associated CloudHSM cluster. This field is present only when the KMS key is created in an CloudHSM key store.
The date and time when the KMS key was created.
Identifies the current key material. This value is present for symmetric encryption keys with AWS_KMS origin and single-Region, symmetric encryption keys with EXTERNAL origin. These KMS keys support automatic or on-demand key rotation and can have multiple key materials associated with them. KMS uses the current key material for both encryption and decryption, and the non-current key material for decryption operations only.
Instead, use the KeySpec field.
A unique identifier for the custom key store that contains the KMS key. This field is present only when the KMS key is created in a custom key store.
The date and time after which KMS deletes this KMS key. This value is present only when the KMS key is scheduled for deletion, that is, when its KeyState is PendingDeletion.
The description of the KMS key.
The encryption algorithms that the KMS key supports. You cannot use the KMS key with other encryption algorithms within KMS.
Specifies whether the KMS key's key material expires. This value is present only when Origin is EXTERNAL, otherwise this value is omitted.
The key agreement algorithm used to derive a shared secret.
The manager of the KMS key. KMS keys in your Amazon Web Services account are either customer managed or Amazon Web Services managed. For more information about the difference, see KMS keys in the Key Management Service Developer Guide.
The cryptographic operations for which you can use the KMS key.
The message authentication code (MAC) algorithm that the HMAC KMS key supports.
Indicates whether the KMS key is a multi-Region (True) or regional (False) key. This value is True for multi-Region primary and replica keys and False for regional KMS keys.
Lists the primary and replica keys in same multi-Region key. This field is present only when the value of the MultiRegion field is True.
The source of the key material for the KMS key. When this value is AWS_KMS, KMS created the key material. When this value is EXTERNAL, the key material was imported or the KMS key doesn't have any key material. When this value is AWS_CLOUDHSM, the key material was created in the CloudHSM cluster associated with a custom key store.
The waiting period before the primary key in a multi-Region key is deleted. This waiting period begins when the last of its replica keys is deleted. This value is present only when the KeyState of the KMS key is PendingReplicaDeletion. That indicates that the KMS key is the primary key in a multi-Region key, it is scheduled for deletion, and it still has existing replica keys.
The signing algorithms that the KMS key supports. You cannot use the KMS key with other signing algorithms within KMS.
The earliest time at which any imported key material permanently associated with this KMS key expires. When a key material expires, KMS deletes the key material and the KMS key becomes unusable. This value is present only for KMS keys whose Origin is EXTERNAL and the ExpirationModel is KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
Information about the external key that is associated with a KMS key in an external key store.