AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi
aws.kms.getPublicKey
Use this data source to get the public key of the specified KMS key, with flexible key ID input. This is useful for referencing a key by its alias without having to hard-code the ARN as input.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// getPublicKey accepts four ways of naming the same asymmetric KMS key:
// key ID, key ARN, alias name, or alias ARN. Each call below uses one form.
//
// An alias is a mutable pointer (it can be re-targeted with the KMS
// UpdateAlias API), so an alias lookup returns the public key of whichever
// key the alias targets when the program runs. When the returned key is used
// as a trust anchor (for example to verify signatures), look it up by key
// ID/ARN, or compare the result's `arn` with the expected key ARN.
const lookupPublicKey = (keyId: string) => aws.kms.getPublicKey({ keyId });

// Alias name.
const byAlias = lookupPublicKey("alias/my-key");
// Bare key ID.
const byId = lookupPublicKey("1234abcd-12ab-34cd-56ef-1234567890ab");
// Alias ARN.
const byAliasArn = lookupPublicKey("arn:aws:kms:us-east-1:111122223333:alias/my-key");
// Key ARN.
const byKeyArn = lookupPublicKey("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab");
import pulumi
import pulumi_aws as aws
# get_public_key accepts four ways of naming the same asymmetric KMS key,
# listed here in order: alias name, key ID, alias ARN, key ARN.
#
# An alias is a mutable pointer (it can be re-targeted with the KMS
# UpdateAlias API), so an alias lookup returns the public key of whichever key
# the alias targets when the program runs. When the returned key is used as a
# trust anchor (for example to verify signatures), look it up by key ID/ARN,
# or compare the result's `arn` with the expected key ARN.
by_alias, by_id, by_alias_arn, by_key_arn = [
    aws.kms.get_public_key(key_id=key_ref)
    for key_ref in (
        "alias/my-key",
        "1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:kms:us-east-1:111122223333:alias/my-key",
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    )
]
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main looks up the public key of the same asymmetric KMS key four times,
// once per supported identifier form, and stops at the first lookup error.
// The lookup results themselves are discarded in this example.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Identifier forms accepted by KeyId, in order: alias name, key ID,
		// alias ARN, key ARN.
		//
		// An alias is a mutable pointer (it can be re-targeted with the KMS
		// UpdateAlias API), so an alias lookup returns the public key of
		// whichever key the alias targets when the program runs. When the key
		// is used as a trust anchor, look it up by key ID/ARN or compare the
		// result's Arn with the expected key ARN.
		keyRefs := []string{
			"alias/my-key",
			"1234abcd-12ab-34cd-56ef-1234567890ab",
			"arn:aws:kms:us-east-1:111122223333:alias/my-key",
			"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		}
		for _, keyRef := range keyRefs {
			if _, err := kms.GetPublicKey(ctx, &kms.GetPublicKeyArgs{KeyId: keyRef}, nil); err != nil {
				return err
			}
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // GetPublicKey accepts four ways of naming the same asymmetric KMS key:
    // alias name, key ID, alias ARN, or key ARN.
    //
    // An alias is a mutable pointer (it can be re-targeted with the KMS
    // UpdateAlias API), so an alias lookup returns the public key of whichever
    // key the alias targets when the program runs. When the key is used as a
    // trust anchor, look it up by key ID/ARN or compare the result's Arn with
    // the expected key ARN.

    // Alias name.
    var byAlias = Aws.Kms.GetPublicKey.Invoke(
        new Aws.Kms.GetPublicKeyInvokeArgs { KeyId = "alias/my-key" });

    // Bare key ID.
    var byId = Aws.Kms.GetPublicKey.Invoke(
        new Aws.Kms.GetPublicKeyInvokeArgs { KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab" });

    // Alias ARN.
    var byAliasArn = Aws.Kms.GetPublicKey.Invoke(
        new Aws.Kms.GetPublicKeyInvokeArgs { KeyId = "arn:aws:kms:us-east-1:111122223333:alias/my-key" });

    // Key ARN.
    var byKeyArn = Aws.Kms.GetPublicKey.Invoke(
        new Aws.Kms.GetPublicKeyInvokeArgs { KeyId = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.KmsFunctions;
import com.pulumi.aws.kms.inputs.GetPublicKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example program: looks up the public key of an asymmetric KMS key using each
 * of the four identifier forms that {@code keyId} accepts.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Performs one getPublicKey lookup per identifier form.
     *
     * <p>An alias is a mutable pointer (it can be re-targeted with the KMS
     * UpdateAlias API), so an alias lookup returns the public key of whichever
     * key the alias targets when the program runs. When the key is used as a
     * trust anchor, look it up by key ID/ARN or compare the result's
     * {@code arn} with the expected key ARN.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}; not used
     *            directly by the lookups in this example
     */
    public static void stack(Context ctx) {
        // Alias name.
        final var aliasArgs = GetPublicKeyArgs.builder().keyId("alias/my-key").build();
        final var byAlias = KmsFunctions.getPublicKey(aliasArgs);

        // Bare key ID.
        final var idArgs = GetPublicKeyArgs.builder().keyId("1234abcd-12ab-34cd-56ef-1234567890ab").build();
        final var byId = KmsFunctions.getPublicKey(idArgs);

        // Alias ARN.
        final var aliasArnArgs = GetPublicKeyArgs.builder().keyId("arn:aws:kms:us-east-1:111122223333:alias/my-key").build();
        final var byAliasArn = KmsFunctions.getPublicKey(aliasArnArgs);

        // Key ARN.
        final var keyArnArgs = GetPublicKeyArgs.builder().keyId("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab").build();
        final var byKeyArn = KmsFunctions.getPublicKey(keyArnArgs);
    }
}
# Each variable invokes aws:kms:getPublicKey with a different form of keyId:
# alias name, key ID, alias ARN, key ARN.
#
# An alias is a mutable pointer (it can be re-targeted with the KMS UpdateAlias
# API), so an alias lookup returns the public key of whichever key the alias
# targets when the program runs. When the key is used as a trust anchor, look
# it up by key ID/ARN or compare the result's arn with the expected key ARN.
variables:
  # Alias name.
  byAlias:
    fn::invoke:
      function: "aws:kms:getPublicKey"
      arguments:
        keyId: "alias/my-key"
  # Bare key ID.
  byId:
    fn::invoke:
      function: "aws:kms:getPublicKey"
      arguments:
        keyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
  # Alias ARN.
  byAliasArn:
    fn::invoke:
      function: "aws:kms:getPublicKey"
      arguments:
        keyId: "arn:aws:kms:us-east-1:111122223333:alias/my-key"
  # Key ARN.
  byKeyArn:
    fn::invoke:
      function: "aws:kms:getPublicKey"
      arguments:
        keyId: "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
Using getPublicKey
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPublicKey(args: GetPublicKeyArgs, opts?: InvokeOptions): Promise<GetPublicKeyResult>
function getPublicKeyOutput(args: GetPublicKeyOutputArgs, opts?: InvokeOptions): Output<GetPublicKeyResult>
def get_public_key(grant_tokens: Optional[Sequence[str]] = None,
                   key_id: Optional[str] = None,
                   opts: Optional[InvokeOptions] = None) -> GetPublicKeyResult
def get_public_key_output(grant_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                   key_id: Optional[pulumi.Input[str]] = None,
                   opts: Optional[InvokeOptions] = None) -> Output[GetPublicKeyResult]
func GetPublicKey(ctx *Context, args *GetPublicKeyArgs, opts ...InvokeOption) (*GetPublicKeyResult, error)
func GetPublicKeyOutput(ctx *Context, args *GetPublicKeyOutputArgs, opts ...InvokeOption) GetPublicKeyResultOutput
> Note: This function is named GetPublicKey in the Go SDK.
public static class GetPublicKey 
{
    public static Task<GetPublicKeyResult> InvokeAsync(GetPublicKeyArgs args, InvokeOptions? opts = null)
    public static Output<GetPublicKeyResult> Invoke(GetPublicKeyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPublicKeyResult> getPublicKey(GetPublicKeyArgs args, InvokeOptions options)
public static Output<GetPublicKeyResult> getPublicKey(GetPublicKeyArgs args, InvokeOptions options)
fn::invoke:
  function: aws:kms/getPublicKey:getPublicKey
  arguments:
    # arguments dictionary
The following arguments are supported:
- KeyId string
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- GrantTokens List<string>
- List of grant tokens
- KeyId string
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- GrantTokens []string
- List of grant tokens
- keyId String
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- grantTokens List<String>
- List of grant tokens
- keyId string
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- grantTokens string[]
- List of grant tokens
- key_id str
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- grant_tokens Sequence[str]
- List of grant tokens
- keyId String
- Key identifier, which can be in any one of the following formats:
  - Key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab
  - Key ARN, e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  - Alias name, e.g. alias/my-key
  - Alias ARN, e.g. arn:aws:kms:us-east-1:111122223333:alias/my-key
- grantTokens List<String>
- List of grant tokens
getPublicKey Result
The following output properties are available:
- Arn string
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- CustomerMasterKeySpec string
- Type of the public key that was downloaded.
- EncryptionAlgorithms List<string>
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- Id string
- The provider-assigned unique ID for this managed resource.
- KeyId string
- KeyUsage string
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- PublicKey string
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- PublicKeyPem string
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- SigningAlgorithms List<string>
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- GrantTokens List<string>
- Arn string
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- CustomerMasterKeySpec string
- Type of the public key that was downloaded.
- EncryptionAlgorithms []string
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- Id string
- The provider-assigned unique ID for this managed resource.
- KeyId string
- KeyUsage string
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- PublicKey string
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- PublicKeyPem string
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- SigningAlgorithms []string
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- GrantTokens []string
- arn String
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- customerMasterKeySpec String
- Type of the public key that was downloaded.
- encryptionAlgorithms List<String>
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- id String
- The provider-assigned unique ID for this managed resource.
- keyId String
- keyUsage String
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- publicKey String
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- publicKeyPem String
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- signingAlgorithms List<String>
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- grantTokens List<String>
- arn string
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- customerMasterKeySpec string
- Type of the public key that was downloaded.
- encryptionAlgorithms string[]
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- id string
- The provider-assigned unique ID for this managed resource.
- keyId string
- keyUsage string
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- publicKey string
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- publicKeyPem string
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- signingAlgorithms string[]
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- grantTokens string[]
- arn str
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- customer_master_key_spec str
- Type of the public key that was downloaded.
- encryption_algorithms Sequence[str]
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- id str
- The provider-assigned unique ID for this managed resource.
- key_id str
- key_usage str
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- public_key str
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- public_key_pem str
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- signing_algorithms Sequence[str]
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- grant_tokens Sequence[str]
- arn String
- Key ARN of the asymmetric CMK from which the public key was downloaded.
- customerMasterKeySpec String
- Type of the public key that was downloaded.
- encryptionAlgorithms List<String>
- Encryption algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is ENCRYPT_DECRYPT.
- id String
- The provider-assigned unique ID for this managed resource.
- keyId String
- keyUsage String
- Permitted use of the public key. Valid values are ENCRYPT_DECRYPT or SIGN_VERIFY
- publicKey String
- Exported public key. The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280. The value is Base64-encoded.
- publicKeyPem String
- Exported public key. The value is Privacy Enhanced Mail (PEM) encoded.
- signingAlgorithms List<String>
- Signing algorithms that AWS KMS supports for this key. Only set when the key_usage of the public key is SIGN_VERIFY.
- grantTokens List<String>
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.