open-vault/website/content/docs/secrets/key-management/awskms.mdx

---
layout: docs
page_title: AWS KMS - Key Management - Secrets Engines
sidebar_title: AWS KMS
description: AWS KMS is a supported KMS provider of the Key Management secrets engine.
---

# AWS KMS

~> **Note:** This provider is currently a **_beta_** feature and not recommended
for deployment in production.

The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
other provider-specific parameter values.

The following sections describe how to properly configure the secrets engine to enable
the functionality.

## Authentication

The Key Management secrets engine must be configured with credentials that have sufficient
permissions to manage keys in an AWS KMS region. The authentication parameters are described
in the [credentials](/api/secret/key-management/awskms#credentials) section of the API
documentation. The authentication parameters will be set with the following order of
precedence:

1. [KMS provider credentials](/api/secret/key-management/awskms#credentials)
2. Environment variables
3. Shared credentials file
4. IAM role for AWS EC2 or ECS task

The IAM principal associated with the provided credentials must have the following minimum
[AWS KMS permissions](https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html):

- `kms:CreateKey`
- `kms:GetParametersForImport`
- `kms:ImportKeyMaterial`
- `kms:EnableKey`
- `kms:DisableKey`
- `kms:ScheduleKeyDeletion`
- `kms:CreateAlias`
- `kms:UpdateAlias`
- `kms:DeleteAlias`
- `kms:ListAliases`
- `kms:TagResource`

## Configuration

The following is an example of how to configure the KMS provider resource using the Vault CLI:

   ```text
   $ vault write keymgmt/kms/example-kms \
       provider="awskms" \
       key_collection="us-west-1" \
       credentials=access_key="ASIADJO3WTX6WPLJM42V" \
       credentials=secret_key="bCiYmNroLxLmPNQ47VIvjlm8mQu5oktZcQdq195w"
   ```

Refer to the AWS KMS [API documentation](/api/secret/key-management/awskms)
for a detailed description of individual configuration parameters.

## Key Transfer Specification

Keys are securely transferred from the secrets engine to AWS KMS regions in accordance
with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
specification.
Updates documentation for key management secrets engine (#11172) 2021-03-23 21:14:25 +00:00			`---`
			`layout: docs`
			`page_title: AWS KMS - Key Management - Secrets Engines`
			`sidebar_title: AWS KMS`
			`description: AWS KMS is a supported KMS provider of the Key Management secrets engine.`
			`---`

			`# AWS KMS`

			`~> Note: This provider is currently a _beta_ feature and not recommended`
			`for deployment in production.`

			`The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)`
			regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
			`other provider-specific parameter values.`

			`The following sections describe how to properly configure the secrets engine to enable`
			`the functionality.`

			`## Authentication`

			`The Key Management secrets engine must be configured with credentials that have sufficient`
			`permissions to manage keys in an AWS KMS region. The authentication parameters are described`
			`in the [credentials](/api/secret/key-management/awskms#credentials) section of the API`
			`documentation. The authentication parameters will be set with the following order of`
			`precedence:`

			`1. [KMS provider credentials](/api/secret/key-management/awskms#credentials)`
			`2. Environment variables`
			`3. Shared credentials file`
			`4. IAM role for AWS EC2 or ECS task`

			`The IAM principal associated with the provided credentials must have the following minimum`
			`[AWS KMS permissions](https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html):`

			- `kms:CreateKey`
			- `kms:GetParametersForImport`
			- `kms:ImportKeyMaterial`
			- `kms:EnableKey`
			- `kms:DisableKey`
			- `kms:ScheduleKeyDeletion`
			- `kms:CreateAlias`
			- `kms:UpdateAlias`
			- `kms:DeleteAlias`
			- `kms:ListAliases`
			- `kms:TagResource`

			`## Configuration`

			`The following is an example of how to configure the KMS provider resource using the Vault CLI:`

			```text
			`$ vault write keymgmt/kms/example-kms \`
			`provider="awskms" \`
			`key_collection="us-west-1" \`
			`credentials=access_key="ASIADJO3WTX6WPLJM42V" \`
			`credentials=secret_key="bCiYmNroLxLmPNQ47VIvjlm8mQu5oktZcQdq195w"`
			```

			`Refer to the AWS KMS [API documentation](/api/secret/key-management/awskms)`
			`for a detailed description of individual configuration parameters.`

			`## Key Transfer Specification`

			`Keys are securely transferred from the secrets engine to AWS KMS regions in accordance`
			`with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)`
			`specification.`