aws-cdk-lib/aws-kms: No available option to get the a Alias ARN

[rafaelrcamargo]

Describe the bug

Currently, there is no available option to retrieve an Alias ARN within the AWS KMS module of the AWS CDK.

Expected Behavior

I expected to find a method or property within the AWS KMS construct that allows retrieving the Alias ARN associated with a specific key.

Current Behavior

There isn't a direct method or property available to retrieve the Alias ARN associated with a KMS key in the AWS CDK AWS KMS module.

Reproduction Steps

const key = new Key(this, "app_key")
const alias = new Alias(this, "app_key_alias", {
    aliasName: "app/key",
    targetKey: key
})

Now there should be a way to get the ARN like: alias.aliasArn

Possible Solution

One potential fix for this issue could be to introduce a method or property within the KMS module that exposes the Alias ARN associated with a key. Like there is for the kms.Key

Additional Information/Context

Understanding the Alias ARN is crucial for various operational and management tasks involving KMS keys. Having a direct way to retrieve this information within the CDK AWS KMS module would streamline many use cases.

CDK CLI Version

2.110.0 (build c6471f2)

Framework Version

No response

Node.js Version

v20.9.0

OS

Ubuntu 22.04.3 LTS

Language

TypeScript

Language Version

Typescript (3.9.10)

Other information

The ARN is accessible on the AWS Dashboard.

[pahud]

Looks like the only return attribute is the alias name:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-alias.html

Yes it would be great to return the ARN from L2 construct.

[daschaa]

Isn't the keyArn method already returning the correct ARN? It looks like it's creating an ARN with the alias name, which should be the desired format. (I've checked the documentation here: https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-alias.html#find-alias-console)

aws-cdk/packages/aws-cdk-lib/aws-kms/lib/alias.ts

Lines 62 to 68 in b865320

	public get keyArn(): string {
	return Stack.of(this).formatArn({
	service: 'kms',
	// aliasName already contains the '/'
	resource: this.aliasName,
	});
	}

[rafaelrcamargo]

Thanks for the quick feedback @daschaa. I noticed that using keyArn gives the Key ARN for a key, but for an alias, it returns the Alias ARN. It's a bit puzzling since the same name refers to different things. This solves the issue, but it might confuse users.

I noticed too that this alias.aliasTargetKey.keyArn also retrieves the Key ARN. Which makes this a confusing situation:

const key = new Key(this, "app_key") // My KMS Key
const alias = new Alias(this, "app_key_alias", { targetKey: key })

key.keyArn // My Key ARN
alias.keyArn // My Alias ARN
alias.aliasTargetKey.keyArn // My Key ARN

As we are in the same kms context this can be confusing.

Is there a reason behind this naming variation?

[daschaa]

I agree, this is indeed very confusing for users. And I don't think there is a purpose behind the naming.

How could we improve this here? Renaming the attribute is not possible, because we have to be backwards compatible. Do you think it would be sufficient to change the documentation?

[rafaelrcamargo]

May creating a new aliasArn that just mirrors the value from keyArn solve this. Of course, this can be bad to maintain due to the duplication of code, but would for sure make things simpler.

Other than that updating the docs would for sure help too, was looking into it and I think this one may be straight up wrong about this: class Alias (construct).

Let me know what you think about those points and if I can help further.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.