Creates an HMAC_384 KMS key (key usage GENERATE_VERIFY_MAC) for generating and verifying token MACs, with a key policy that separates key administration (an `Admin` role) from key use (a `Developer` role limited to GenerateMac/VerifyMac/DescribeKey) on top of the standard account-root statement.
# Resolves the account the provider is authenticated against; used below to
# build the root and role principal ARNs without hard-coding an account ID.
data "aws_caller_identity" "current" {}
# HMAC_384 KMS key used to generate and verify message authentication codes
# for tokens. The key material never leaves KMS; callers only ever get the
# kms:GenerateMac / kms:VerifyMac API, never the key itself.
resource "aws_kms_key" "example" {
  description = "HMAC_384 key for tokens"

  # GENERATE_VERIFY_MAC keys must use an HMAC_* key spec; such a key cannot be
  # used for ENCRYPT_DECRYPT or SIGN_VERIFY operations.
  key_usage                = "GENERATE_VERIFY_MAC"
  customer_master_key_spec = "HMAC_384"

  # KMS does not support automatic rotation for HMAC keys, so this is false by
  # necessity. Rotating means creating a new key and re-pointing callers (or an
  # alias) at it; tokens MAC'd with the old key stay verifiable only while the
  # old key exists and callers still have kms:VerifyMac on it.
  enable_key_rotation = false

  # NOTE(review): deletion_window_in_days is left at the provider default. Once
  # this key is deleted every token MAC'd with it becomes unverifiable, so the
  # window should be long enough for a mistaken ScheduleKeyDeletion to be
  # noticed and cancelled.

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      # Standard account-root statement. Without it, IAM policies in this
      # account cannot grant any access to the key and the key can become
      # unmanageable; it does not by itself give any principal access.
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Action    = "kms:*"
        Resource  = "*" # inside a key policy "*" means this key only
        Principal = { AWS = format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id) }
      },
      # Key administrators: lifecycle and policy management only; deliberately
      # no kms:GenerateMac / kms:VerifyMac.
      # NOTE(review): kms:Create* includes kms:CreateGrant and kms:Put* includes
      # kms:PutKeyPolicy, so the Admin role can still delegate or grant itself
      # MAC use. That is normal for a key admin, but it is the role to audit
      # when asking "who can mint a valid token?".
      {
        Sid       = "Allow administration of the key"
        Effect    = "Allow"
        Principal = { AWS = format("arn:aws:iam::%s:role/Admin", data.aws_caller_identity.current.account_id) }
        Resource  = "*"
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion",
        ]
      },
      # Key users: exactly the two MAC operations plus DescribeKey (needed by
      # SDKs/aliases to resolve the key). GenerateMac and VerifyMac are separate
      # actions, so a verify-only consumer could be given a narrower statement
      # than this one.
      {
        Sid       = "Allow use of the key"
        Effect    = "Allow"
        Principal = { AWS = format("arn:aws:iam::%s:role/Developer", data.aws_caller_identity.current.account_id) }
        Resource  = "*"
        Action = [
          "kms:GenerateMac",
          "kms:VerifyMac",
          "kms:DescribeKey",
        ]
      },
    ]
  })
}