AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
```yaml
# Resources section added here so the template deploys stand-alone; the
# original snippet shows only the Outputs. KeyPolicy is omitted, so KMS
# attaches its default key policy (account root has full access).
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Test key for comparing Ref and GetAtt return values

Outputs:
  KMSKeyIdGetAtt:
    Description: Key ID via GetAtt KeyId
    Value: !GetAtt KMSKey.KeyId
  KMSKeyIdGetRef:
    Description: Key ID via Ref
    Value: !Ref KMSKey
  KMSKeyArn:
    Description: The ARN of the KMS key
    Value: !GetAtt KMSKey.Arn
```
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the key ID, such as 1234abcd-12ab-34cd-56ef-1234567890ab.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
The Amazon Resource Name (ARN) of the KMS key, such as arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
For information about the key ARN of a KMS key, see Key ARN in the AWS Key Management Service Developer Guide.
KeyId
The key ID of the KMS key, such as 1234abcd-12ab-34cd-56ef-1234567890ab.
For information about the key ID of a KMS key, see Key ID in the AWS Key Management Service Developer Guide.
It seems that AWS::KMS::Key resources are returning the incorrect values.
Expected: KMS key ID
Actual: KMS key ARN
Test
Deployment
```shell
aws cloudformation deploy --template-file template.yaml --stack-name test
```
Observation
Ref seems to resolve correctly in the template itself. Looking at the corresponding CreateCluster API call, it would appear that CloudFormation is sending the correct value (key ID), but KMS is returning the incorrect value (KMS ARN) in the response!
Documented return values: see the Ref and Fn::GetAtt excerpts from the AWS::KMS::Key documentation quoted above (Ref and GetAtt KeyId should both return the bare key ID; only GetAtt Arn should return the key ARN).
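The documented return values above and the reporter's test both hinge on telling a bare key ID (a UUID) apart from a key ARN (`arn:<partition>:kms:<region>:<account>:key/<key-id>`). The following script is an added example, not code from the issue or from AWS: it takes the JSON shape that `aws cloudformation describe-stacks` prints, classifies each output as key ID or key ARN, compares that against what the template intends, and normalises either form to the bare key ID so downstream code is not tripped up by whichever form Ref happens to return. The `describe-stacks` payload is constructed by hand to mirror the reporter's observation (Ref yielding the ARN); the account, region and key ID are the placeholder values from the AWS documentation, not real ones.

```python
"""Classify CloudFormation stack outputs as KMS key IDs or key ARNs.

Added example (not part of the original issue or the AWS docs). The
describe-stacks JSON below is constructed; it is not captured output.
"""
import json
import re

# Bare key ID: the UUID that Ref and GetAtt KeyId are documented to return.
KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key-id>
KEY_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

# Constructed sample in the shape of `aws cloudformation describe-stacks`,
# showing the issue's three outputs with Ref resolving to the ARN.
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [{
        "StackName": "test",
        "Outputs": [
            {"OutputKey": "KMSKeyIdGetAtt",
             "OutputValue": "1234abcd-12ab-34cd-56ef-1234567890ab"},
            {"OutputKey": "KMSKeyIdGetRef",
             "OutputValue": "arn:aws:kms:us-west-2:111122223333:key/"
                            "1234abcd-12ab-34cd-56ef-1234567890ab"},
            {"OutputKey": "KMSKeyArn",
             "OutputValue": "arn:aws:kms:us-west-2:111122223333:key/"
                            "1234abcd-12ab-34cd-56ef-1234567890ab"},
        ],
    }]
})

# What each output in the issue's template is meant to hold.
EXPECTED = {
    "KMSKeyIdGetAtt": "key-id",
    "KMSKeyIdGetRef": "key-id",
    "KMSKeyArn": "key-arn",
}


def classify(value):
    """Return 'key-id', 'key-arn' or 'other' for a KMS identifier string."""
    if KEY_ID_RE.match(value):
        return "key-id"
    if KEY_ARN_RE.match(value):
        return "key-arn"
    return "other"  # aliases, alias ARNs, or garbage


def key_id_from(value):
    """Normalise a key ID or key ARN to the bare key ID; reject anything else."""
    kind = classify(value)
    if kind == "key-id":
        return value
    if kind == "key-arn":
        return KEY_ARN_RE.match(value).group(2)
    raise ValueError(f"not a KMS key ID or key ARN: {value!r}")


def check_outputs(describe_stacks_json, expected=EXPECTED):
    """Map OutputKey -> (expected kind, observed kind) for known outputs."""
    stacks = json.loads(describe_stacks_json)["Stacks"]
    outputs = {o["OutputKey"]: o["OutputValue"]
               for s in stacks for o in s.get("Outputs", [])}
    return {k: (expected[k], classify(v))
            for k, v in outputs.items() if k in expected}


def mismatches(describe_stacks_json, expected=EXPECTED):
    """Only the outputs whose observed kind differs from the template's intent."""
    return {k: kinds
            for k, kinds in check_outputs(describe_stacks_json, expected).items()
            if kinds[0] != kinds[1]}


if __name__ == "__main__":
    for key, (exp, got) in check_outputs(SAMPLE_DESCRIBE_STACKS).items():
        flag = "" if exp == got else "  <-- MISMATCH"
        print(f"{key}: expected {exp}, got {got}{flag}")
```

Against the constructed sample only `KMSKeyIdGetRef` is flagged, which is exactly the symptom the issue describes. The `key_id_from` helper is the defensive step a practitioner wants regardless of how this is resolved: the two forms name the same key, so code that compares outputs, builds IAM conditions or passes the value into another API should normalise first rather than assume Ref always yields the bare UUID.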