(aws-kms): Add support for HMAC keys

[matthias-pichler]

Describe the feature

KMS not only supports symmetric and asymmetric keys but also HMAC keys: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keyspec

It would be great to have 1st class support for them in the cdk.

Use Case

I want to implement the OAuth2 authorization_code flow with a nonce that is hmac verified and use KMS to do the signing.

Proposed Solution

Add the missing values to the KeySpec and KeyUsage enums:

 const hmacKey = new kms.Key(this, "HMACSecret", {
      enabled: true,
      enableKeyRotation: true,
      keySpec: kms.KeySpec.HMAC_256,
      keyUsage: kms.KeyUsage.GENERATE_VERIFY_MAC,
    });

Other Information

Trying to override the enum values with strings directly (like this):

const hmacKey = new kms.Key(this, "HMACSecret", {
      enabled: true,
      enableKeyRotation: true,
      keySpec: "HMAC_256" as any,
      keyUsage: "GENERATE_VERIFY_MAC" as any,
    });

currently fails due to the validation here

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.60.0

Environment details (OS name and version, etc.)

MacOS, Node 18

[peterwoodworth]

Thanks for the request, it looks like we can also add SM2 as well as HMAC keys 🙂

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself!

For now, you can override the key after it's been generated:

const hmacKey = new Key(...);
(hmacKey.node.defaultChild as CfnKey).addPropertyOverride('KeySpec', 'HMAC_XXX');

[daschaa]

@peterwoodworth I would like to work on this issue :-)
However, I have one more question before I start: I have read that for HMAC keys key rotation can not be enabled. How would I prevent it in the CDK? Should I throw an error when a combination of enableKeyRotation and keySpec: "HMAC512" is given? What is a best practice here?