in packages/aws-cdk-lib/aws-kms/lib/key.ts [768:894]
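/**
 * Creates a KMS key.
 *
 * Validates, at synthesis time, the key spec / key usage combination and the
 * rotation and deletion-window settings, chooses the key policy (the caller's
 * `props.policy` or a freshly created one, to which an administrative policy
 * is added depending on the `@aws-cdk/aws-kms:defaultKeyPolicies` feature
 * flag), and then creates the underlying `AWS::KMS::Key` resource.
 *
 * @param scope the parent construct
 * @param id the construct id
 * @param props key configuration; every property is optional
 * @throws Error when `keySpec` is not allowed for `keyUsage`; when key
 *   rotation is requested (explicitly, or implicitly via `rotationPeriod`) for
 *   an HMAC or asymmetric key; when `rotationPeriod` is combined with
 *   `enableKeyRotation: false` or lies outside 90..2560 days; when
 *   `pendingWindow` lies outside 7..30 days; or when `trustAccountIdentities`
 *   is `false` while the default-key-policies feature flag is enabled
 */
constructor(scope: Construct, id: string, props: KeyProps = {}) {
  super(scope, id);
  // Enhanced CDK Analytics Telemetry
  addConstructMetadata(this, props);

  // Key specs that are rejected for each key usage. Typing it as a full
  // Record makes the compiler complain if a usage ever lacks an entry.
  const denyLists: Record<KeyUsage, KeySpec[]> = {
    [KeyUsage.ENCRYPT_DECRYPT]: [
      KeySpec.ECC_NIST_P256,
      KeySpec.ECC_NIST_P384,
      KeySpec.ECC_NIST_P521,
      KeySpec.ECC_SECG_P256K1,
      KeySpec.HMAC_224,
      KeySpec.HMAC_256,
      KeySpec.HMAC_384,
      KeySpec.HMAC_512,
    ],
    [KeyUsage.SIGN_VERIFY]: [
      KeySpec.SYMMETRIC_DEFAULT,
      KeySpec.HMAC_224,
      KeySpec.HMAC_256,
      KeySpec.HMAC_384,
      KeySpec.HMAC_512,
    ],
    [KeyUsage.GENERATE_VERIFY_MAC]: [
      KeySpec.RSA_2048,
      KeySpec.RSA_3072,
      KeySpec.RSA_4096,
      KeySpec.ECC_NIST_P256,
      KeySpec.ECC_NIST_P384,
      KeySpec.ECC_NIST_P521,
      KeySpec.ECC_SECG_P256K1,
      KeySpec.SYMMETRIC_DEFAULT,
      KeySpec.SM2,
    ],
    [KeyUsage.KEY_AGREEMENT]: [
      KeySpec.SYMMETRIC_DEFAULT,
      KeySpec.RSA_2048,
      KeySpec.RSA_3072,
      KeySpec.RSA_4096,
      KeySpec.ECC_SECG_P256K1,
      KeySpec.HMAC_224,
      KeySpec.HMAC_256,
      KeySpec.HMAC_384,
      KeySpec.HMAC_512,
    ],
  };

  const keySpec = props.keySpec ?? KeySpec.SYMMETRIC_DEFAULT;
  const keyUsage = props.keyUsage ?? KeyUsage.ENCRYPT_DECRYPT;
  if (denyLists[keyUsage].includes(keySpec)) {
    throw new Error(`key spec '${keySpec}' is not valid with usage '${keyUsage}'`);
  }

  // A rotation period implies rotation unless the caller explicitly disabled
  // it (that contradictory combination is rejected further down). The
  // effective value, not the raw prop, is what the HMAC/asymmetric checks
  // must look at, otherwise `rotationPeriod` alone would slip past them and
  // only fail at deploy time.
  const enableKeyRotation: boolean | undefined =
    props.enableKeyRotation ?? (props.rotationPeriod !== undefined ? true : undefined);

  if (keySpec.startsWith('HMAC') && enableKeyRotation) {
    throw new Error('key rotation cannot be enabled on HMAC keys');
  }
  if (keySpec !== KeySpec.SYMMETRIC_DEFAULT && enableKeyRotation) {
    throw new Error('key rotation cannot be enabled on asymmetric keys');
  }
  this.enableKeyRotation = enableKeyRotation;

  if (props.rotationPeriod !== undefined) {
    if (props.enableKeyRotation === false) {
      throw new Error('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled');
    }
    const rotationPeriodInDays = props.rotationPeriod.toDays();
    // Bounds match the check below; the message previously said 2650.
    if (rotationPeriodInDays < 90 || rotationPeriodInDays > 2560) {
      throw new Error(`'rotationPeriod' value must between 90 and 2560 days. Received: ${rotationPeriodInDays}`);
    }
  }

  const defaultKeyPoliciesFeatureEnabled = FeatureFlags.of(this).isEnabled(cxapi.KMS_DEFAULT_KEY_POLICIES);
  this.policy = props.policy ?? new iam.PolicyDocument();
  if (defaultKeyPoliciesFeatureEnabled) {
    if (props.trustAccountIdentities === false) {
      throw new Error('`trustAccountIdentities` cannot be false if the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set');
    }
    this.trustAccountIdentities = true;
    // Set the default key policy only if the user did not supply one.
    if (!props.policy) {
      this.addDefaultAdminPolicy();
    }
  } else {
    this.trustAccountIdentities = props.trustAccountIdentities ?? false;
    // Legacy behaviour: an admin policy is added here even when the caller
    // supplied `props.policy`; only the feature-flag branch skips it.
    if (this.trustAccountIdentities) {
      this.addDefaultAdminPolicy();
    } else {
      this.addLegacyAdminPolicy();
    }
  }

  let pendingWindowInDays: number | undefined;
  if (props.pendingWindow !== undefined) {
    pendingWindowInDays = props.pendingWindow.toDays();
    if (pendingWindowInDays < 7 || pendingWindowInDays > 30) {
      throw new Error(`'pendingWindow' value must between 7 and 30 days. Received: ${pendingWindowInDays}`);
    }
  }

  // `keySpec` / `keyUsage` are passed through as given (not the resolved
  // defaults) so that an omitted prop stays omitted in the template.
  const resource = new CfnKey(this, 'Resource', {
    description: props.description,
    enableKeyRotation: this.enableKeyRotation,
    rotationPeriodInDays: props.rotationPeriod?.toDays(),
    enabled: props.enabled,
    keySpec: props.keySpec,
    keyUsage: props.keyUsage,
    keyPolicy: this.policy,
    multiRegion: props.multiRegion,
    pendingWindowInDays: pendingWindowInDays,
  });

  this.keyArn = resource.attrArn;
  this.keyId = resource.ref;
  resource.applyRemovalPolicy(props.removalPolicy);

  for (const admin of props.admins ?? []) {
    this.grantAdmin(admin);
  }
  if (props.alias !== undefined) {
    this.addAlias(props.alias);
  }
}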