docs: AWS KMS updates for key management secrets engine (hashicorp#11958

)
jartek · Sep 11, 2021 · b56e89d · b56e89d
1 parent 3276d79
commit b56e89d
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/changelog/11958.txt b/changelog/11958.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+secrets/keymgmt (enterprise): Adds general availability for distributing and managing keys in AWS KMS.
+```
diff --git a/website/content/api-docs/secret/key-management/awskms.mdx b/website/content/api-docs/secret/key-management/awskms.mdx
@@ -6,9 +6,6 @@ description: The AWS KMS API documentation for the Key Management secrets engine
 
 # AWS KMS (API)
 
-~> **Note:** This provider is currently a **_beta_** feature and not recommended
-for deployment in production.
-
 The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
 regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
 other provider-specific parameter values.

diff --git a/website/content/docs/secrets/key-management/awskms.mdx b/website/content/docs/secrets/key-management/awskms.mdx
@@ -6,9 +6,6 @@ description: AWS KMS is a supported KMS provider of the Key Management secrets e
 
 # AWS KMS
 
-~> **Note:** This provider is currently a **_beta_** feature and not recommended
-for deployment in production.
-
 The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
 regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
 other provider-specific parameter values.
@@ -64,3 +61,12 @@ for a detailed description of individual configuration parameters.
 Keys are securely transferred from the secrets engine to AWS KMS regions in accordance
 with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
 specification.
+
+## Key Rotation
+
+Customer master keys (CMKs) with imported key material are not eligible for
+[automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+within AWS KMS. As such, key rotations performed by the secrets engine use the
+[manual key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
+process. Applications should refer to the [alias](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)
+associated with imported keys. Aliases will always have the form: `hashicorp/<key_name>-<unix_timestamp>`.
diff --git a/website/content/docs/secrets/key-management/index.mdx b/website/content/docs/secrets/key-management/index.mdx
@@ -9,7 +9,7 @@ description: >-
 # Key Management Secrets Engine
 
 -> **Note**: This secrets engine requires [Vault
-Enterprise](https://www.hashicorp.com/products/vault/) with the Advanced Data
+Enterprise](https://www.hashicorp.com/products/vault/) (1.6.0+) with the Advanced Data
 Protection Module.
 
 The Key Management secrets engine provides a consistent workflow for distribution and lifecycle