--- layout: docs page_title: AWS KMS - Key Management - Secrets Engines sidebar_title: AWS KMS description: AWS KMS is a supported KMS provider of the Key Management secrets engine. --- # AWS KMS ~> **Note:** This provider is currently a **_beta_** feature and not recommended for deployment in production. The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/) regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and other provider-specific parameter values. The following sections describe how to properly configure the secrets engine to enable the functionality. ## Authentication The Key Management secrets engine must be configured with credentials that have sufficient permissions to manage keys in an AWS KMS region. The authentication parameters are described in the [credentials](/api/secret/key-management/awskms#credentials) section of the API documentation. The authentication parameters will be set with the following order of precedence: 1. [KMS provider credentials](/api/secret/key-management/awskms#credentials) 2. Environment variables 3. Shared credentials file 4. IAM role for AWS EC2 or ECS task The IAM principal associated with the provided credentials must have the following minimum [AWS KMS permissions](https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html): - `kms:CreateKey` - `kms:GetParametersForImport` - `kms:ImportKeyMaterial` - `kms:EnableKey` - `kms:DisableKey` - `kms:ScheduleKeyDeletion` - `kms:CreateAlias` - `kms:UpdateAlias` - `kms:DeleteAlias` - `kms:ListAliases` - `kms:TagResource` ## Configuration The following is an example of how to configure the KMS provider resource using the Vault CLI: ```text $ vault write keymgmt/kms/example-kms \ provider="awskms" \ key_collection="us-west-1" \ credentials=access_key="ASIADJO3WTX6WPLJM42V" \ credentials=secret_key="bCiYmNroLxLmPNQ47VIvjlm8mQu5oktZcQdq195w" ``` Refer to the AWS KMS [API documentation](/api/secret/key-management/awskms) for a detailed description of individual configuration parameters. ## Key Transfer Specification Keys are securely transferred from the secrets engine to AWS KMS regions in accordance with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) specification.