# Data Source: oci_kms_keys

This data source provides the list of Keys in Oracle Cloud Infrastructure Kms service.
Lists the master encryption keys in the specified vault and compartment.
As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management read operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management read operations exceeds 10 requests per second for a given tenancy.
## Example Usage

```hcl
data "oci_kms_keys" "test_keys" {
  #Required
  compartment_id      = var.compartment_id
  management_endpoint = var.key_management_endpoint

  #Optional
  algorithm       = var.key_algorithm
  length          = var.key_length
  curve_id        = oci_kms_curve.test_curve.id
  protection_mode = var.key_protection_mode
}
```
## Argument Reference

The following arguments are supported:

- `algorithm` - (Optional) The algorithm used by a key's key versions to encrypt or decrypt data. Currently, support includes AES, RSA, and ECDSA algorithms.
- `compartment_id` - (Required) The OCID of the compartment.
- `curve_id` - (Optional) The curve ID of the keys. (This pertains only to ECDSA keys.)
- `length` - (Optional) The length of the key in bytes, expressed as an integer. Supported values include 16, 24, or 32.
- `management_endpoint` - (Required) The service endpoint to perform management operations against. Management operations include 'Create,' 'Update,' 'List,' 'Get,' and 'Delete' operations. See Vault Management endpoint.
- `protection_mode` - (Optional) A key's protection mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of `HSM` means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of `SOFTWARE` means that the key persists on the server, protected by the vault's RSA wrapping key, which persists on the HSM. All cryptographic operations that use a key with a protection mode of `SOFTWARE` are performed on the server. A protection mode of `EXTERNAL` means that the key persists on the customer's external key manager, which is hosted outside of Oracle. Oracle only holds a reference to that key. All cryptographic operations that use a key with a protection mode of `EXTERNAL` are performed by the external key manager.
## Attributes Reference

The following attributes are exported:

- `keys` - The list of keys.

### Key Reference

The following attributes are exported:

- `auto_key_rotation_details` - The details of the auto rotation schedule for the key being created, updated or imported.
  - `last_rotation_message` - The last execution status message of auto key rotation.
  - `last_rotation_status` - The status of the last execution of auto key rotation.
  - `rotation_interval_in_days` - The interval of auto key rotation. For auto key rotation the interval should be between 60 days and 365 days (1 year). Note: the user must specify this parameter when creating a new schedule.
  - `time_of_last_rotation` - A property indicating the last rotation date. Example: `2023-04-04T00:00:00Z`.
  - `time_of_next_rotation` - A property indicating the next estimated scheduled time, as per the interval, expressed as a YYYY-MM-DD date string. Example: `2023-04-04T00:00:00Z`. The time has no significance when scheduling an auto key rotation, as this can be done any time on approximately the scheduled day; KMS ignores the time and replaces it with 00:00, for example `2023-04-04T15:14:13Z` will be used as `2023-04-04T00:00:00Z`.
  - `time_of_schedule_start` - A property indicating the scheduled start date, expressed as a YYYY-MM-DD date string. Example: `2023-04-04T00:00:00Z`. The time has no significance when scheduling an auto key rotation, as this can be done any time on approximately the scheduled day; KMS ignores the time and replaces it with 00:00, for example `2023-04-04T15:14:13Z` will be used as `2023-04-04T00:00:00Z`. Note: today's date will be used if not specified by the customer.
- `compartment_id` - The OCID of the compartment that contains this master encryption key.
- `current_key_version` - The OCID of the key version used in cryptographic operations. During key rotation, the service might be in a transitional state where this or a newer key version are used intermittently. The `currentKeyVersion` property is updated when the service is guaranteed to use the new key version for all subsequent encryption operations.
- `defined_tags` - Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags. Example: `{"Operations.CostCenter": "42"}`
- `display_name` - A user-friendly name for the key. It does not have to be unique, and it is changeable. Avoid entering confidential information.
- `external_key_reference_details` - Key reference data to be returned to the customer as a response.
  - `external_key_id` - ExternalKeyId refers to the globally unique key ID associated with the key created in the external vault in CTM.
  - `external_key_version_id` - Key version ID associated with the external key.
- `freeform_tags` - Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags. Example: `{"Department": "Finance"}`
- `id` - The OCID of the key.
- `is_auto_rotation_enabled` - A parameter specifying whether auto key rotation is enabled or not.
- `is_primary` - A Boolean value that indicates whether the key belongs to the primary vault or a replica vault.
- `key_shape` - The cryptographic properties of a key.
  - `algorithm` - The algorithm used by a key's key versions to encrypt or decrypt. Only the AES algorithm is supported for `External` keys.
  - `curve_id` - Supported curve IDs for ECDSA keys.
  - `length` - The length of the key in bytes, expressed as an integer. Supported values include the following:
    - AES: 16, 24, or 32
    - RSA: 256, 384, or 512
    - ECDSA: 32, 48, or 66
- `protection_mode` - The key's protection mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of `HSM` means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of `SOFTWARE` means that the key persists on the server, protected by the vault's RSA wrapping key, which persists on the HSM. All cryptographic operations that use a key with a protection mode of `SOFTWARE` are performed on the server. By default, a key's protection mode is set to `HSM`. You can't change a key's protection mode after the key is created or imported. A protection mode of `EXTERNAL` means that the key persists on the customer's external key manager, which is hosted outside of Oracle. Oracle only holds a reference to that key. All cryptographic operations that use a key with a protection mode of `EXTERNAL` are performed by the external key manager.
- `replica_details` - Key replica details.
  - `replication_id` - ReplicationId associated with a key operation.
- `state` - The key's current lifecycle state. Example: `ENABLED`
- `time_created` - The date and time the key was created, expressed in RFC 3339 timestamp format. Example: `2018-04-03T21:10:29.600Z`
- `time_of_deletion` - An optional property indicating when to delete the key, expressed in RFC 3339 timestamp format. Example: `2019-04-03T21:10:29.600Z`
- `vault_id` - The OCID of the vault that contains this key.
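The following configuration is an added example, not part of the provider documentation or the provider's own test code. It uses the data source, the `protection_mode` filter described under Argument Reference, and the per-key `protection_mode`, `state`, `is_auto_rotation_enabled` and `time_of_deletion` attributes described above to produce a small key inventory audit for one vault: which keys are not HSM-backed, which enabled keys have no auto rotation schedule, and which keys have a pending deletion. The variable names `compartment_id` and `key_management_endpoint`, the resource labels `all` and `hsm_only`, and the output name `key_audit` are this example's own choices; it assumes `is_auto_rotation_enabled` is exported as a boolean and `time_of_deletion` as a string that is empty or null when no deletion is scheduled, and the `check` block requires Terraform 1.5 or later.

```hcl
# Added example: audit the master encryption keys in one vault with the
# oci_kms_keys data source. Variable names and labels are assumptions of this
# example, not names from the provider documentation.

variable "compartment_id" {
  type = string
}

variable "key_management_endpoint" {
  type        = string
  description = "Vault management endpoint (see Vault Management endpoint in the docs)"
}

# Unfiltered listing: every key in the vault behind this management endpoint.
# Note that this is a management read operation and counts against the
# 10 requests/second per-tenancy limit mentioned above.
data "oci_kms_keys" "all" {
  compartment_id      = var.compartment_id
  management_endpoint = var.key_management_endpoint
}

# The same listing, filtered server-side to HSM-protected keys only.
data "oci_kms_keys" "hsm_only" {
  compartment_id      = var.compartment_id
  management_endpoint = var.key_management_endpoint
  protection_mode     = "HSM"
}

locals {
  # Keys whose cryptographic operations run outside the HSM
  # (protection mode SOFTWARE or EXTERNAL).
  non_hsm_keys = [
    for k in data.oci_kms_keys.all.keys : k.id
    if k.protection_mode != "HSM"
  ]

  # Enabled keys with no auto rotation schedule. Assumes the attribute is a
  # boolean; coalesce() turns a null into false.
  unrotated_keys = [
    for k in data.oci_kms_keys.all.keys : k.id
    if k.state == "ENABLED" && !coalesce(k.is_auto_rotation_enabled, false)
  ]

  # Keys with a scheduled deletion: id => RFC 3339 deletion time. Assumes an
  # unscheduled key exports time_of_deletion as null or an empty string.
  pending_deletion = {
    for k in data.oci_kms_keys.all.keys : k.id => k.time_of_deletion
    if k.time_of_deletion != null && k.time_of_deletion != ""
  }
}

# Non-blocking assertion (Terraform >= 1.5): plan and apply report a warning,
# rather than failing, when any key in the vault is not HSM-protected.
check "all_keys_hsm_protected" {
  assert {
    condition     = length(local.non_hsm_keys) == 0
    error_message = "Keys not protected by the HSM: ${join(", ", local.non_hsm_keys)}"
  }
}

output "key_audit" {
  description = "Key inventory summary for the audited vault"
  value = {
    total_keys       = length(data.oci_kms_keys.all.keys)
    hsm_keys         = length(data.oci_kms_keys.hsm_only.keys)
    non_hsm_keys     = local.non_hsm_keys
    unrotated_keys   = local.unrotated_keys
    pending_deletion = local.pending_deletion
  }
}
```

Two listings are used deliberately: the `hsm_only` count comes from the service-side `protection_mode` filter, while `non_hsm_keys` is computed client-side from the unfiltered list, so a mismatch between `total_keys - hsm_keys` and `length(non_hsm_keys)` would point at a filter or schema surprise worth investigating. Because each `data` block is one management read per plan, keep the number of such listings small in configurations that are planned frequently.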