pulumi-alicloud 3.56.0a1717132537__py3-none-any.whl → 3.56.0a1717175543__py3-none-any.whl

pulumi_alicloud/kms/key.py

@@ -24,61 +24,44 @@ class KeyArgs:
                  key_usage: Optional[pulumi.Input[str]] = None,
                  origin: Optional[pulumi.Input[str]] = None,
                  pending_window_in_days: Optional[pulumi.Input[int]] = None,
+                 policy: Optional[pulumi.Input[str]] = None,
                  protection_level: Optional[pulumi.Input[str]] = None,
                  rotation_interval: Optional[pulumi.Input[str]] = None,
                  status: Optional[pulumi.Input[str]] = None,
                  tags: Optional[pulumi.Input[Mapping[str, Any]]] = None):
         """
         The set of arguments for constructing a Key resource.
-        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-               - `Enabled`
-               - `Disabled`
-               **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
         :param pulumi.Input[int] deletion_window_in_days: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
-        :param pulumi.Input[str] description: The description of the CMK. The description can be 0 to 8,192 characters in length.
-        :param pulumi.Input[str] dkms_instance_id: The instance ID of the exclusive KMS instance.
+        :param pulumi.Input[str] description: The description of the key.
+        :param pulumi.Input[str] dkms_instance_id: The ID of the KMS instance.
         :param pulumi.Input[bool] is_enabled: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
-        :param pulumi.Input[str] key_spec: The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-               `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-               Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
-        :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
-        :param pulumi.Input[str] key_usage: The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-               - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-               - `SIGN/VERIFY`: generates or verifies a digital signature.
-        :param pulumi.Input[str] origin: The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-               - `Aliyun_KMS`
-               - `EXTERNAL`
-               **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-               you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-               For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
-        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. 
-               During this period, the CMK is in the PendingDeletion state.
-               After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
-               **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
-        :param pulumi.Input[str] protection_level: The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-               - `SOFTWARE`
-               - `HSM`
-               **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-               If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-               If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
-        :param pulumi.Input[str] rotation_interval: The interval for automatic key rotation. Specify the value in the integer[unit] format.
-               The following units are supported: d (day), h (hour), m (minute), and s (second).
-               For example, you can use either 7d or 604800s to specify a seven-day interval.
-               The interval can range from 7 days to 730 days.
-               **NOTE**: It is Required when `automatic_rotation = "Enabled"`
+               
+               > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+               
+               > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
                
                > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
-        :param pulumi.Input[str] status: The status of CMK. Default value: `Enabled`. Valid Values: 
-               - `Disabled`
-               - `Enabled`
-               - `PendingDeletion`
+        :param pulumi.Input[str] key_spec: The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
+        :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
+        :param pulumi.Input[str] key_usage: The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+               - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+               - `SIGN/VERIFY`: Generates or verifies a digital signature.
+        :param pulumi.Input[str] origin: The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
+        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
+               **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
+        :param pulumi.Input[str] policy: The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
+        :param pulumi.Input[str] protection_level: The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
+        :param pulumi.Input[str] rotation_interval: The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+               **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
+        :param pulumi.Input[str] status: The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         :param pulumi.Input[Mapping[str, Any]] tags: A mapping of tags to assign to the resource.
         """
         if automatic_rotation is not None:
             pulumi.set(__self__, "automatic_rotation", automatic_rotation)
         if deletion_window_in_days is not None:
-            warnings.warn("""Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""", DeprecationWarning)
-            pulumi.log.warn("""deletion_window_in_days is deprecated: Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""")
+            warnings.warn("""Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""", DeprecationWarning)
+            pulumi.log.warn("""deletion_window_in_days is deprecated: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""")
         if deletion_window_in_days is not None:
             pulumi.set(__self__, "deletion_window_in_days", deletion_window_in_days)
         if description is not None:
@@ -86,15 +69,15 @@ class KeyArgs:
         if dkms_instance_id is not None:
             pulumi.set(__self__, "dkms_instance_id", dkms_instance_id)
         if is_enabled is not None:
-            warnings.warn("""Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""", DeprecationWarning)
-            pulumi.log.warn("""is_enabled is deprecated: Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""")
+            warnings.warn("""Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""", DeprecationWarning)
+            pulumi.log.warn("""is_enabled is deprecated: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""")
         if is_enabled is not None:
             pulumi.set(__self__, "is_enabled", is_enabled)
         if key_spec is not None:
             pulumi.set(__self__, "key_spec", key_spec)
         if key_state is not None:
-            warnings.warn("""Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""", DeprecationWarning)
-            pulumi.log.warn("""key_state is deprecated: Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""")
+            warnings.warn("""Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""", DeprecationWarning)
+            pulumi.log.warn("""key_state is deprecated: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""")
         if key_state is not None:
             pulumi.set(__self__, "key_state", key_state)
         if key_usage is not None:
@@ -103,6 +86,8 @@ class KeyArgs:
             pulumi.set(__self__, "origin", origin)
         if pending_window_in_days is not None:
             pulumi.set(__self__, "pending_window_in_days", pending_window_in_days)
+        if policy is not None:
+            pulumi.set(__self__, "policy", policy)
         if protection_level is not None:
             pulumi.set(__self__, "protection_level", protection_level)
         if rotation_interval is not None:
@@ -116,10 +101,7 @@ class KeyArgs:
     @pulumi.getter(name="automaticRotation")
     def automatic_rotation(self) -> Optional[pulumi.Input[str]]:
         """
-        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-        - `Enabled`
-        - `Disabled`
-        **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
         """
         return pulumi.get(self, "automatic_rotation")
 
@@ -133,8 +115,8 @@ class KeyArgs:
         """
         Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
         """
-        warnings.warn("""Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""", DeprecationWarning)
-        pulumi.log.warn("""deletion_window_in_days is deprecated: Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""")
+        warnings.warn("""Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""", DeprecationWarning)
+        pulumi.log.warn("""deletion_window_in_days is deprecated: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""")
 
         return pulumi.get(self, "deletion_window_in_days")
 
@@ -146,7 +128,7 @@ class KeyArgs:
     @pulumi.getter
     def description(self) -> Optional[pulumi.Input[str]]:
         """
-        The description of the CMK. The description can be 0 to 8,192 characters in length.
+        The description of the key.
         """
         return pulumi.get(self, "description")
 
@@ -158,7 +140,7 @@ class KeyArgs:
     @pulumi.getter(name="dkmsInstanceId")
     def dkms_instance_id(self) -> Optional[pulumi.Input[str]]:
         """
-        The instance ID of the exclusive KMS instance.
+        The ID of the KMS instance.
         """
         return pulumi.get(self, "dkms_instance_id")
 
@@ -171,9 +153,15 @@ class KeyArgs:
     def is_enabled(self) -> Optional[pulumi.Input[bool]]:
         """
         Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
+
+        > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+
+        > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+
+        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
         """
-        warnings.warn("""Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""", DeprecationWarning)
-        pulumi.log.warn("""is_enabled is deprecated: Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""")
+        warnings.warn("""Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""", DeprecationWarning)
+        pulumi.log.warn("""is_enabled is deprecated: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""")
 
         return pulumi.get(self, "is_enabled")
 
@@ -185,9 +173,7 @@ class KeyArgs:
     @pulumi.getter(name="keySpec")
     def key_spec(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-        `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-        Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+        The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
         """
         return pulumi.get(self, "key_spec")
 
@@ -201,8 +187,8 @@ class KeyArgs:
         """
         Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
         """
-        warnings.warn("""Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""", DeprecationWarning)
-        pulumi.log.warn("""key_state is deprecated: Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""")
+        warnings.warn("""Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""", DeprecationWarning)
+        pulumi.log.warn("""key_state is deprecated: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""")
 
         return pulumi.get(self, "key_state")
 
@@ -214,9 +200,9 @@ class KeyArgs:
     @pulumi.getter(name="keyUsage")
     def key_usage(self) -> Optional[pulumi.Input[str]]:
         """
-        The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-        - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-        - `SIGN/VERIFY`: generates or verifies a digital signature.
+        The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+        - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+        - `SIGN/VERIFY`: Generates or verifies a digital signature.
         """
         return pulumi.get(self, "key_usage")
 
@@ -228,12 +214,7 @@ class KeyArgs:
     @pulumi.getter
     def origin(self) -> Optional[pulumi.Input[str]]:
         """
-        The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-        - `Aliyun_KMS`
-        - `EXTERNAL`
-        **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-        you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-        For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
+        The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
         """
         return pulumi.get(self, "origin")
 
@@ -245,9 +226,7 @@ class KeyArgs:
     @pulumi.getter(name="pendingWindowInDays")
     def pending_window_in_days(self) -> Optional[pulumi.Input[int]]:
         """
-        The number of days before the CMK is deleted. 
-        During this period, the CMK is in the PendingDeletion state.
-        After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
+        The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
         **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
         """
         return pulumi.get(self, "pending_window_in_days")
@@ -256,16 +235,23 @@ class KeyArgs:
     def pending_window_in_days(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "pending_window_in_days", value)
 
+    @property
+    @pulumi.getter
+    def policy(self) -> Optional[pulumi.Input[str]]:
+        """
+        The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
+        """
+        return pulumi.get(self, "policy")
+
+    @policy.setter
+    def policy(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "policy", value)
+
     @property
     @pulumi.getter(name="protectionLevel")
     def protection_level(self) -> Optional[pulumi.Input[str]]:
         """
-        The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-        - `SOFTWARE`
-        - `HSM`
-        **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-        If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-        If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
+        The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
         """
         return pulumi.get(self, "protection_level")
 
@@ -277,13 +263,8 @@ class KeyArgs:
     @pulumi.getter(name="rotationInterval")
     def rotation_interval(self) -> Optional[pulumi.Input[str]]:
         """
-        The interval for automatic key rotation. Specify the value in the integer[unit] format.
-        The following units are supported: d (day), h (hour), m (minute), and s (second).
-        For example, you can use either 7d or 604800s to specify a seven-day interval.
-        The interval can range from 7 days to 730 days.
-        **NOTE**: It is Required when `automatic_rotation = "Enabled"`
-
-        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
+        The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+        **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
         """
         return pulumi.get(self, "rotation_interval")
 
@@ -295,10 +276,7 @@ class KeyArgs:
     @pulumi.getter
     def status(self) -> Optional[pulumi.Input[str]]:
         """
-        The status of CMK. Default value: `Enabled`. Valid Values: 
-        - `Disabled`
-        - `Enabled`
-        - `PendingDeletion`
+        The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         """
         return pulumi.get(self, "status")
 
@@ -339,6 +317,7 @@ class _KeyState:
                  next_rotation_date: Optional[pulumi.Input[str]] = None,
                  origin: Optional[pulumi.Input[str]] = None,
                  pending_window_in_days: Optional[pulumi.Input[int]] = None,
+                 policy: Optional[pulumi.Input[str]] = None,
                  primary_key_version: Optional[pulumi.Input[str]] = None,
                  protection_level: Optional[pulumi.Input[str]] = None,
                  rotation_interval: Optional[pulumi.Input[str]] = None,
@@ -346,56 +325,38 @@ class _KeyState:
                  tags: Optional[pulumi.Input[Mapping[str, Any]]] = None):
         """
         Input properties used for looking up and filtering Key resources.
-        :param pulumi.Input[str] arn: The Alicloud Resource Name (ARN) of the key.
-        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-               - `Enabled`
-               - `Disabled`
-               **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
-        :param pulumi.Input[str] creation_date: The date and time when the CMK was created. The time is displayed in UTC.
+        :param pulumi.Input[str] arn: The ARN of the key.
+        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
+        :param pulumi.Input[str] creation_date: The time when the CMK was created.
         :param pulumi.Input[str] creator: The creator of the CMK.
-        :param pulumi.Input[str] delete_date: The scheduled date to delete CMK. The time is displayed in UTC. This value is returned only when the KeyState value is PendingDeletion.
+        :param pulumi.Input[str] delete_date: The time at which the CMK is scheduled for deletion.
         :param pulumi.Input[int] deletion_window_in_days: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
-        :param pulumi.Input[str] description: The description of the CMK. The description can be 0 to 8,192 characters in length.
-        :param pulumi.Input[str] dkms_instance_id: The instance ID of the exclusive KMS instance.
+        :param pulumi.Input[str] description: The description of the key.
+        :param pulumi.Input[str] dkms_instance_id: The ID of the KMS instance.
         :param pulumi.Input[bool] is_enabled: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
-        :param pulumi.Input[str] key_spec: The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-               `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-               Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+               
+               > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+               
+               > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+               
+               > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
+        :param pulumi.Input[str] key_spec: The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
         :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
-        :param pulumi.Input[str] key_usage: The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-               - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-               - `SIGN/VERIFY`: generates or verifies a digital signature.
-        :param pulumi.Input[str] last_rotation_date: The date and time the last rotation was performed. The time is displayed in UTC.
-        :param pulumi.Input[str] material_expire_time: The time and date the key material for the CMK expires. The time is displayed in UTC. If the value is empty, the key material for the CMK does not expire.
-        :param pulumi.Input[str] next_rotation_date: The time the next rotation is scheduled for execution.
-        :param pulumi.Input[str] origin: The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-               - `Aliyun_KMS`
-               - `EXTERNAL`
-               **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-               you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-               For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
-        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. 
-               During this period, the CMK is in the PendingDeletion state.
-               After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
+        :param pulumi.Input[str] key_usage: The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+               - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+               - `SIGN/VERIFY`: Generates or verifies a digital signature.
+        :param pulumi.Input[str] last_rotation_date: The time when the last rotation was performed.
+        :param pulumi.Input[str] material_expire_time: The time when the key material expires.
+        :param pulumi.Input[str] next_rotation_date: The time when the next rotation will be performed.
+        :param pulumi.Input[str] origin: The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
+        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
                **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
+        :param pulumi.Input[str] policy: The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
         :param pulumi.Input[str] primary_key_version: The ID of the current primary key version of the symmetric CMK.
-        :param pulumi.Input[str] protection_level: The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-               - `SOFTWARE`
-               - `HSM`
-               **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-               If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-               If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
-        :param pulumi.Input[str] rotation_interval: The interval for automatic key rotation. Specify the value in the integer[unit] format.
-               The following units are supported: d (day), h (hour), m (minute), and s (second).
-               For example, you can use either 7d or 604800s to specify a seven-day interval.
-               The interval can range from 7 days to 730 days.
-               **NOTE**: It is Required when `automatic_rotation = "Enabled"`
-               
-               > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
-        :param pulumi.Input[str] status: The status of CMK. Default value: `Enabled`. Valid Values: 
-               - `Disabled`
-               - `Enabled`
-               - `PendingDeletion`
+        :param pulumi.Input[str] protection_level: The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
+        :param pulumi.Input[str] rotation_interval: The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+               **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
+        :param pulumi.Input[str] status: The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         :param pulumi.Input[Mapping[str, Any]] tags: A mapping of tags to assign to the resource.
         """
         if arn is not None:
@@ -409,8 +370,8 @@ class _KeyState:
         if delete_date is not None:
             pulumi.set(__self__, "delete_date", delete_date)
         if deletion_window_in_days is not None:
-            warnings.warn("""Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""", DeprecationWarning)
-            pulumi.log.warn("""deletion_window_in_days is deprecated: Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""")
+            warnings.warn("""Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""", DeprecationWarning)
+            pulumi.log.warn("""deletion_window_in_days is deprecated: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""")
         if deletion_window_in_days is not None:
             pulumi.set(__self__, "deletion_window_in_days", deletion_window_in_days)
         if description is not None:
@@ -418,15 +379,15 @@ class _KeyState:
         if dkms_instance_id is not None:
             pulumi.set(__self__, "dkms_instance_id", dkms_instance_id)
         if is_enabled is not None:
-            warnings.warn("""Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""", DeprecationWarning)
-            pulumi.log.warn("""is_enabled is deprecated: Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""")
+            warnings.warn("""Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""", DeprecationWarning)
+            pulumi.log.warn("""is_enabled is deprecated: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""")
         if is_enabled is not None:
             pulumi.set(__self__, "is_enabled", is_enabled)
         if key_spec is not None:
             pulumi.set(__self__, "key_spec", key_spec)
         if key_state is not None:
-            warnings.warn("""Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""", DeprecationWarning)
-            pulumi.log.warn("""key_state is deprecated: Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""")
+            warnings.warn("""Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""", DeprecationWarning)
+            pulumi.log.warn("""key_state is deprecated: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""")
         if key_state is not None:
             pulumi.set(__self__, "key_state", key_state)
         if key_usage is not None:
@@ -441,6 +402,8 @@ class _KeyState:
             pulumi.set(__self__, "origin", origin)
         if pending_window_in_days is not None:
             pulumi.set(__self__, "pending_window_in_days", pending_window_in_days)
+        if policy is not None:
+            pulumi.set(__self__, "policy", policy)
         if primary_key_version is not None:
             pulumi.set(__self__, "primary_key_version", primary_key_version)
         if protection_level is not None:
@@ -456,7 +419,7 @@ class _KeyState:
     @pulumi.getter
     def arn(self) -> Optional[pulumi.Input[str]]:
         """
-        The Alicloud Resource Name (ARN) of the key.
+        The ARN of the key.
         """
         return pulumi.get(self, "arn")
 
@@ -468,10 +431,7 @@ class _KeyState:
     @pulumi.getter(name="automaticRotation")
     def automatic_rotation(self) -> Optional[pulumi.Input[str]]:
         """
-        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-        - `Enabled`
-        - `Disabled`
-        **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
         """
         return pulumi.get(self, "automatic_rotation")
 
@@ -483,7 +443,7 @@ class _KeyState:
     @pulumi.getter(name="creationDate")
     def creation_date(self) -> Optional[pulumi.Input[str]]:
         """
-        The date and time when the CMK was created. The time is displayed in UTC.
+        The time when the CMK was created.
         """
         return pulumi.get(self, "creation_date")
 
@@ -507,7 +467,7 @@ class _KeyState:
     @pulumi.getter(name="deleteDate")
     def delete_date(self) -> Optional[pulumi.Input[str]]:
         """
-        The scheduled date to delete CMK. The time is displayed in UTC. This value is returned only when the KeyState value is PendingDeletion.
+        The time at which the CMK is scheduled for deletion.
         """
         return pulumi.get(self, "delete_date")
 
@@ -521,8 +481,8 @@ class _KeyState:
         """
         Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
         """
-        warnings.warn("""Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""", DeprecationWarning)
-        pulumi.log.warn("""deletion_window_in_days is deprecated: Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""")
+        warnings.warn("""Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""", DeprecationWarning)
+        pulumi.log.warn("""deletion_window_in_days is deprecated: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""")
 
         return pulumi.get(self, "deletion_window_in_days")
 
@@ -534,7 +494,7 @@ class _KeyState:
     @pulumi.getter
     def description(self) -> Optional[pulumi.Input[str]]:
         """
-        The description of the CMK. The description can be 0 to 8,192 characters in length.
+        The description of the key.
         """
         return pulumi.get(self, "description")
 
@@ -546,7 +506,7 @@ class _KeyState:
     @pulumi.getter(name="dkmsInstanceId")
     def dkms_instance_id(self) -> Optional[pulumi.Input[str]]:
         """
-        The instance ID of the exclusive KMS instance.
+        The ID of the KMS instance.
         """
         return pulumi.get(self, "dkms_instance_id")
 
@@ -559,9 +519,15 @@ class _KeyState:
     def is_enabled(self) -> Optional[pulumi.Input[bool]]:
         """
         Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
+
+        > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+
+        > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+
+        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
         """
-        warnings.warn("""Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""", DeprecationWarning)
-        pulumi.log.warn("""is_enabled is deprecated: Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""")
+        warnings.warn("""Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""", DeprecationWarning)
+        pulumi.log.warn("""is_enabled is deprecated: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""")
 
         return pulumi.get(self, "is_enabled")
 
@@ -573,9 +539,7 @@ class _KeyState:
     @pulumi.getter(name="keySpec")
     def key_spec(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-        `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-        Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+        The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
         """
         return pulumi.get(self, "key_spec")
 
@@ -589,8 +553,8 @@ class _KeyState:
         """
         Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
         """
-        warnings.warn("""Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""", DeprecationWarning)
-        pulumi.log.warn("""key_state is deprecated: Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""")
+        warnings.warn("""Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""", DeprecationWarning)
+        pulumi.log.warn("""key_state is deprecated: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""")
 
         return pulumi.get(self, "key_state")
 
@@ -602,9 +566,9 @@ class _KeyState:
     @pulumi.getter(name="keyUsage")
     def key_usage(self) -> Optional[pulumi.Input[str]]:
         """
-        The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-        - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-        - `SIGN/VERIFY`: generates or verifies a digital signature.
+        The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+        - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+        - `SIGN/VERIFY`: Generates or verifies a digital signature.
         """
         return pulumi.get(self, "key_usage")
 
@@ -616,7 +580,7 @@ class _KeyState:
     @pulumi.getter(name="lastRotationDate")
     def last_rotation_date(self) -> Optional[pulumi.Input[str]]:
         """
-        The date and time the last rotation was performed. The time is displayed in UTC.
+        The time when the last rotation was performed.
         """
         return pulumi.get(self, "last_rotation_date")
 
@@ -628,7 +592,7 @@ class _KeyState:
     @pulumi.getter(name="materialExpireTime")
     def material_expire_time(self) -> Optional[pulumi.Input[str]]:
         """
-        The time and date the key material for the CMK expires. The time is displayed in UTC. If the value is empty, the key material for the CMK does not expire.
+        The time when the key material expires.
         """
         return pulumi.get(self, "material_expire_time")
 
@@ -640,7 +604,7 @@ class _KeyState:
     @pulumi.getter(name="nextRotationDate")
     def next_rotation_date(self) -> Optional[pulumi.Input[str]]:
         """
-        The time the next rotation is scheduled for execution.
+        The time when the next rotation will be performed.
         """
         return pulumi.get(self, "next_rotation_date")
 
@@ -652,12 +616,7 @@ class _KeyState:
     @pulumi.getter
     def origin(self) -> Optional[pulumi.Input[str]]:
         """
-        The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-        - `Aliyun_KMS`
-        - `EXTERNAL`
-        **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-        you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-        For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
+        The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
         """
         return pulumi.get(self, "origin")
 
@@ -669,9 +628,7 @@ class _KeyState:
     @pulumi.getter(name="pendingWindowInDays")
     def pending_window_in_days(self) -> Optional[pulumi.Input[int]]:
         """
-        The number of days before the CMK is deleted. 
-        During this period, the CMK is in the PendingDeletion state.
-        After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
+        The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
         **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
         """
         return pulumi.get(self, "pending_window_in_days")
@@ -680,6 +637,18 @@ class _KeyState:
     def pending_window_in_days(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "pending_window_in_days", value)
 
+    @property
+    @pulumi.getter
+    def policy(self) -> Optional[pulumi.Input[str]]:
+        """
+        The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
+        """
+        return pulumi.get(self, "policy")
+
+    @policy.setter
+    def policy(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "policy", value)
+
     @property
     @pulumi.getter(name="primaryKeyVersion")
     def primary_key_version(self) -> Optional[pulumi.Input[str]]:
@@ -696,12 +665,7 @@ class _KeyState:
     @pulumi.getter(name="protectionLevel")
     def protection_level(self) -> Optional[pulumi.Input[str]]:
         """
-        The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-        - `SOFTWARE`
-        - `HSM`
-        **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-        If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-        If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
+        The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
         """
         return pulumi.get(self, "protection_level")
 
@@ -713,13 +677,8 @@ class _KeyState:
     @pulumi.getter(name="rotationInterval")
     def rotation_interval(self) -> Optional[pulumi.Input[str]]:
         """
-        The interval for automatic key rotation. Specify the value in the integer[unit] format.
-        The following units are supported: d (day), h (hour), m (minute), and s (second).
-        For example, you can use either 7d or 604800s to specify a seven-day interval.
-        The interval can range from 7 days to 730 days.
-        **NOTE**: It is Required when `automatic_rotation = "Enabled"`
-
-        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
+        The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+        **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
         """
         return pulumi.get(self, "rotation_interval")
 
@@ -731,10 +690,7 @@ class _KeyState:
     @pulumi.getter
     def status(self) -> Optional[pulumi.Input[str]]:
         """
-        The status of CMK. Default value: `Enabled`. Valid Values: 
-        - `Disabled`
-        - `Enabled`
-        - `PendingDeletion`
+        The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         """
         return pulumi.get(self, "status")
 
@@ -770,13 +726,16 @@ class Key(pulumi.CustomResource):
                  key_usage: Optional[pulumi.Input[str]] = None,
                  origin: Optional[pulumi.Input[str]] = None,
                  pending_window_in_days: Optional[pulumi.Input[int]] = None,
+                 policy: Optional[pulumi.Input[str]] = None,
                  protection_level: Optional[pulumi.Input[str]] = None,
                  rotation_interval: Optional[pulumi.Input[str]] = None,
                  status: Optional[pulumi.Input[str]] = None,
                  tags: Optional[pulumi.Input[Mapping[str, Any]]] = None,
                  __props__=None):
         """
-        A kms key can help user to protect data security in the transmission process. For information about Alikms Key and how to use it, see [What is Resource Alikms Key](https://www.alibabacloud.com/help/doc-detail/28947.htm).
+        Provides a KMS Key resource.
+
+        For information about KMS Key and how to use it, see [What is Key](https://www.alibabacloud.com/help/en/kms/developer-reference/api-createkey).
 
         > **NOTE:** Available since v1.85.0.
 
@@ -788,15 +747,15 @@ class Key(pulumi.CustomResource):
         import pulumi
         import pulumi_alicloud as alicloud
 
-        key = alicloud.kms.Key("key",
+        default = alicloud.kms.Key("default",
             description="Hello KMS",
-            pending_window_in_days=7,
-            status="Enabled")
+            status="Enabled",
+            pending_window_in_days=7)
         ```
 
         ## Import
 
-        Alikms key can be imported using the id, e.g.
+        KMS Key can be imported using the id, e.g.
 
         ```sh
         $ pulumi import alicloud:kms/key:Key example <id>
@@ -804,48 +763,30 @@ class Key(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-               - `Enabled`
-               - `Disabled`
-               **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
         :param pulumi.Input[int] deletion_window_in_days: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
-        :param pulumi.Input[str] description: The description of the CMK. The description can be 0 to 8,192 characters in length.
-        :param pulumi.Input[str] dkms_instance_id: The instance ID of the exclusive KMS instance.
+        :param pulumi.Input[str] description: The description of the key.
+        :param pulumi.Input[str] dkms_instance_id: The ID of the KMS instance.
         :param pulumi.Input[bool] is_enabled: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
-        :param pulumi.Input[str] key_spec: The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-               `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-               Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
-        :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
-        :param pulumi.Input[str] key_usage: The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-               - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-               - `SIGN/VERIFY`: generates or verifies a digital signature.
-        :param pulumi.Input[str] origin: The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-               - `Aliyun_KMS`
-               - `EXTERNAL`
-               **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-               you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-               For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
-        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. 
-               During this period, the CMK is in the PendingDeletion state.
-               After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
-               **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
-        :param pulumi.Input[str] protection_level: The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-               - `SOFTWARE`
-               - `HSM`
-               **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-               If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-               If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
-        :param pulumi.Input[str] rotation_interval: The interval for automatic key rotation. Specify the value in the integer[unit] format.
-               The following units are supported: d (day), h (hour), m (minute), and s (second).
-               For example, you can use either 7d or 604800s to specify a seven-day interval.
-               The interval can range from 7 days to 730 days.
-               **NOTE**: It is Required when `automatic_rotation = "Enabled"`
+               
+               > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+               
+               > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
                
                > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
-        :param pulumi.Input[str] status: The status of CMK. Default value: `Enabled`. Valid Values: 
-               - `Disabled`
-               - `Enabled`
-               - `PendingDeletion`
+        :param pulumi.Input[str] key_spec: The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
+        :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
+        :param pulumi.Input[str] key_usage: The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+               - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+               - `SIGN/VERIFY`: Generates or verifies a digital signature.
+        :param pulumi.Input[str] origin: The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
+        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
+               **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
+        :param pulumi.Input[str] policy: The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
+        :param pulumi.Input[str] protection_level: The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
+        :param pulumi.Input[str] rotation_interval: The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+               **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
+        :param pulumi.Input[str] status: The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         :param pulumi.Input[Mapping[str, Any]] tags: A mapping of tags to assign to the resource.
         """
         ...
@@ -855,7 +796,9 @@ class Key(pulumi.CustomResource):
                  args: Optional[KeyArgs] = None,
                  opts: Optional[pulumi.ResourceOptions] = None):
         """
-        A kms key can help user to protect data security in the transmission process. For information about Alikms Key and how to use it, see [What is Resource Alikms Key](https://www.alibabacloud.com/help/doc-detail/28947.htm).
+        Provides a KMS Key resource.
+
+        For information about KMS Key and how to use it, see [What is Key](https://www.alibabacloud.com/help/en/kms/developer-reference/api-createkey).
 
         > **NOTE:** Available since v1.85.0.
 
@@ -867,15 +810,15 @@ class Key(pulumi.CustomResource):
         import pulumi
         import pulumi_alicloud as alicloud
 
-        key = alicloud.kms.Key("key",
+        default = alicloud.kms.Key("default",
             description="Hello KMS",
-            pending_window_in_days=7,
-            status="Enabled")
+            status="Enabled",
+            pending_window_in_days=7)
         ```
 
         ## Import
 
-        Alikms key can be imported using the id, e.g.
+        KMS Key can be imported using the id, e.g.
 
         ```sh
         $ pulumi import alicloud:kms/key:Key example <id>
@@ -906,6 +849,7 @@ class Key(pulumi.CustomResource):
                  key_usage: Optional[pulumi.Input[str]] = None,
                  origin: Optional[pulumi.Input[str]] = None,
                  pending_window_in_days: Optional[pulumi.Input[int]] = None,
+                 policy: Optional[pulumi.Input[str]] = None,
                  protection_level: Optional[pulumi.Input[str]] = None,
                  rotation_interval: Optional[pulumi.Input[str]] = None,
                  status: Optional[pulumi.Input[str]] = None,
@@ -929,6 +873,7 @@ class Key(pulumi.CustomResource):
             __props__.__dict__["key_usage"] = key_usage
             __props__.__dict__["origin"] = origin
             __props__.__dict__["pending_window_in_days"] = pending_window_in_days
+            __props__.__dict__["policy"] = policy
             __props__.__dict__["protection_level"] = protection_level
             __props__.__dict__["rotation_interval"] = rotation_interval
             __props__.__dict__["status"] = status
@@ -968,6 +913,7 @@ class Key(pulumi.CustomResource):
             next_rotation_date: Optional[pulumi.Input[str]] = None,
             origin: Optional[pulumi.Input[str]] = None,
             pending_window_in_days: Optional[pulumi.Input[int]] = None,
+            policy: Optional[pulumi.Input[str]] = None,
             primary_key_version: Optional[pulumi.Input[str]] = None,
             protection_level: Optional[pulumi.Input[str]] = None,
             rotation_interval: Optional[pulumi.Input[str]] = None,
@@ -980,56 +926,38 @@ class Key(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] arn: The Alicloud Resource Name (ARN) of the key.
-        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-               - `Enabled`
-               - `Disabled`
-               **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
-        :param pulumi.Input[str] creation_date: The date and time when the CMK was created. The time is displayed in UTC.
+        :param pulumi.Input[str] arn: The ARN of the key.
+        :param pulumi.Input[str] automatic_rotation: Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
+        :param pulumi.Input[str] creation_date: The time when the CMK was created.
         :param pulumi.Input[str] creator: The creator of the CMK.
-        :param pulumi.Input[str] delete_date: The scheduled date to delete CMK. The time is displayed in UTC. This value is returned only when the KeyState value is PendingDeletion.
+        :param pulumi.Input[str] delete_date: The time at which the CMK is scheduled for deletion.
         :param pulumi.Input[int] deletion_window_in_days: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
-        :param pulumi.Input[str] description: The description of the CMK. The description can be 0 to 8,192 characters in length.
-        :param pulumi.Input[str] dkms_instance_id: The instance ID of the exclusive KMS instance.
+        :param pulumi.Input[str] description: The description of the key.
+        :param pulumi.Input[str] dkms_instance_id: The ID of the KMS instance.
         :param pulumi.Input[bool] is_enabled: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
-        :param pulumi.Input[str] key_spec: The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-               `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-               Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+               
+               > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+               
+               > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+               
+               > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
+        :param pulumi.Input[str] key_spec: The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
         :param pulumi.Input[str] key_state: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
-        :param pulumi.Input[str] key_usage: The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-               - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-               - `SIGN/VERIFY`: generates or verifies a digital signature.
-        :param pulumi.Input[str] last_rotation_date: The date and time the last rotation was performed. The time is displayed in UTC.
-        :param pulumi.Input[str] material_expire_time: The time and date the key material for the CMK expires. The time is displayed in UTC. If the value is empty, the key material for the CMK does not expire.
-        :param pulumi.Input[str] next_rotation_date: The time the next rotation is scheduled for execution.
-        :param pulumi.Input[str] origin: The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-               - `Aliyun_KMS`
-               - `EXTERNAL`
-               **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-               you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-               For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
-        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. 
-               During this period, the CMK is in the PendingDeletion state.
-               After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
+        :param pulumi.Input[str] key_usage: The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+               - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+               - `SIGN/VERIFY`: Generates or verifies a digital signature.
+        :param pulumi.Input[str] last_rotation_date: The time when the last rotation was performed.
+        :param pulumi.Input[str] material_expire_time: The time when the key material expires.
+        :param pulumi.Input[str] next_rotation_date: The time when the next rotation will be performed.
+        :param pulumi.Input[str] origin: The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
+        :param pulumi.Input[int] pending_window_in_days: The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
                **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
+        :param pulumi.Input[str] policy: The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
         :param pulumi.Input[str] primary_key_version: The ID of the current primary key version of the symmetric CMK.
-        :param pulumi.Input[str] protection_level: The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-               - `SOFTWARE`
-               - `HSM`
-               **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-               If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-               If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
-        :param pulumi.Input[str] rotation_interval: The interval for automatic key rotation. Specify the value in the integer[unit] format.
-               The following units are supported: d (day), h (hour), m (minute), and s (second).
-               For example, you can use either 7d or 604800s to specify a seven-day interval.
-               The interval can range from 7 days to 730 days.
-               **NOTE**: It is Required when `automatic_rotation = "Enabled"`
-               
-               > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
-        :param pulumi.Input[str] status: The status of CMK. Default value: `Enabled`. Valid Values: 
-               - `Disabled`
-               - `Enabled`
-               - `PendingDeletion`
+        :param pulumi.Input[str] protection_level: The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
+        :param pulumi.Input[str] rotation_interval: The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+               **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
+        :param pulumi.Input[str] status: The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         :param pulumi.Input[Mapping[str, Any]] tags: A mapping of tags to assign to the resource.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -1053,6 +981,7 @@ class Key(pulumi.CustomResource):
         __props__.__dict__["next_rotation_date"] = next_rotation_date
         __props__.__dict__["origin"] = origin
         __props__.__dict__["pending_window_in_days"] = pending_window_in_days
+        __props__.__dict__["policy"] = policy
         __props__.__dict__["primary_key_version"] = primary_key_version
         __props__.__dict__["protection_level"] = protection_level
         __props__.__dict__["rotation_interval"] = rotation_interval
@@ -1064,7 +993,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter
     def arn(self) -> pulumi.Output[str]:
         """
-        The Alicloud Resource Name (ARN) of the key.
+        The ARN of the key.
         """
         return pulumi.get(self, "arn")
 
@@ -1072,10 +1001,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="automaticRotation")
     def automatic_rotation(self) -> pulumi.Output[str]:
         """
-        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: 
-        - `Enabled`
-        - `Disabled`
-        **NOTE**: If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+        Specifies whether to enable automatic key rotation. Default value: `Disabled`. Valid values: `Enabled`, `Disabled`.
         """
         return pulumi.get(self, "automatic_rotation")
 
@@ -1083,7 +1009,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="creationDate")
     def creation_date(self) -> pulumi.Output[str]:
         """
-        The date and time when the CMK was created. The time is displayed in UTC.
+        The time when the CMK was created.
         """
         return pulumi.get(self, "creation_date")
 
@@ -1099,18 +1025,18 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="deleteDate")
     def delete_date(self) -> pulumi.Output[str]:
         """
-        The scheduled date to delete CMK. The time is displayed in UTC. This value is returned only when the KeyState value is PendingDeletion.
+        The time at which the CMK is scheduled for deletion.
         """
         return pulumi.get(self, "delete_date")
 
     @property
     @pulumi.getter(name="deletionWindowInDays")
-    def deletion_window_in_days(self) -> pulumi.Output[int]:
+    def deletion_window_in_days(self) -> pulumi.Output[Optional[int]]:
         """
         Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.
         """
-        warnings.warn("""Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""", DeprecationWarning)
-        pulumi.log.warn("""deletion_window_in_days is deprecated: Field 'deletion_window_in_days' has been deprecated from provider version 1.85.0. New field 'pending_window_in_days' instead.""")
+        warnings.warn("""Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""", DeprecationWarning)
+        pulumi.log.warn("""deletion_window_in_days is deprecated: Field `deletion_window_in_days` has been deprecated from provider version 1.85.0. New field `pending_window_in_days` instead.""")
 
         return pulumi.get(self, "deletion_window_in_days")
 
@@ -1118,7 +1044,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter
     def description(self) -> pulumi.Output[Optional[str]]:
         """
-        The description of the CMK. The description can be 0 to 8,192 characters in length.
+        The description of the key.
         """
         return pulumi.get(self, "description")
 
@@ -1126,18 +1052,24 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="dkmsInstanceId")
     def dkms_instance_id(self) -> pulumi.Output[Optional[str]]:
         """
-        The instance ID of the exclusive KMS instance.
+        The ID of the KMS instance.
         """
         return pulumi.get(self, "dkms_instance_id")
 
     @property
     @pulumi.getter(name="isEnabled")
-    def is_enabled(self) -> pulumi.Output[Optional[bool]]:
+    def is_enabled(self) -> pulumi.Output[bool]:
         """
         Field `is_enabled` has been deprecated from provider version 1.85.0. New field `status` instead.
+
+        > **NOTE:** If you set the origin parameter to EXTERNAL or the key_spec parameter to an asymmetric CMK type, automatic key rotation is unavailable.
+
+        > **NOTE:** The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+
+        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
         """
-        warnings.warn("""Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""", DeprecationWarning)
-        pulumi.log.warn("""is_enabled is deprecated: Field 'is_enabled' has been deprecated from provider version 1.85.0. New field 'key_state' instead.""")
+        warnings.warn("""Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""", DeprecationWarning)
+        pulumi.log.warn("""is_enabled is deprecated: Field `is_enabled` has been deprecated from provider version 1.85.0. New field `key_state` instead.""")
 
         return pulumi.get(self, "is_enabled")
 
@@ -1145,9 +1077,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="keySpec")
     def key_spec(self) -> pulumi.Output[str]:
         """
-        The type of the CMK. Default value: `Aliyun_AES_256`. Valid values: 
-        `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
-        Note: The default type of the CMK is `Aliyun_AES_256`. Only Dedicated KMS supports `Aliyun_AES_128` and `Aliyun_AES_192`.
+        The specification of the key. Default value: `Aliyun_AES_256`. Valid values: `Aliyun_AES_256`, `Aliyun_AES_128`, `Aliyun_AES_192`, `Aliyun_SM4`, `RSA_2048`, `RSA_3072`, `EC_P256`, `EC_P256K`, `EC_SM2`.
         """
         return pulumi.get(self, "key_spec")
 
@@ -1157,8 +1087,8 @@ class Key(pulumi.CustomResource):
         """
         Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.
         """
-        warnings.warn("""Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""", DeprecationWarning)
-        pulumi.log.warn("""key_state is deprecated: Field 'key_state' has been deprecated from provider version 1.123.1. New field 'status' instead.""")
+        warnings.warn("""Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""", DeprecationWarning)
+        pulumi.log.warn("""key_state is deprecated: Field `key_state` has been deprecated from provider version 1.123.1. New field `status` instead.""")
 
         return pulumi.get(self, "key_state")
 
@@ -1166,9 +1096,9 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="keyUsage")
     def key_usage(self) -> pulumi.Output[str]:
         """
-        The usage of the CMK. Default value: `ENCRYPT/DECRYPT`. Valid values:
-        - `ENCRYPT/DECRYPT`: encrypts or decrypts data.
-        - `SIGN/VERIFY`: generates or verifies a digital signature.
+        The usage of the key. Default value: `ENCRYPT/DECRYPT`. Valid values:
+        - `ENCRYPT/DECRYPT`: Encrypts or decrypts data.
+        - `SIGN/VERIFY`: Generates or verifies a digital signature.
         """
         return pulumi.get(self, "key_usage")
 
@@ -1176,7 +1106,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="lastRotationDate")
     def last_rotation_date(self) -> pulumi.Output[str]:
         """
-        The date and time the last rotation was performed. The time is displayed in UTC.
+        The time when the last rotation was performed.
         """
         return pulumi.get(self, "last_rotation_date")
 
@@ -1184,7 +1114,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="materialExpireTime")
     def material_expire_time(self) -> pulumi.Output[str]:
         """
-        The time and date the key material for the CMK expires. The time is displayed in UTC. If the value is empty, the key material for the CMK does not expire.
+        The time when the key material expires.
         """
         return pulumi.get(self, "material_expire_time")
 
@@ -1192,7 +1122,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="nextRotationDate")
     def next_rotation_date(self) -> pulumi.Output[str]:
         """
-        The time the next rotation is scheduled for execution.
+        The time when the next rotation will be performed.
         """
         return pulumi.get(self, "next_rotation_date")
 
@@ -1200,26 +1130,27 @@ class Key(pulumi.CustomResource):
     @pulumi.getter
     def origin(self) -> pulumi.Output[str]:
         """
-        The source of key material. Default value: `Aliyun_KMS`. Valid values: 
-        - `Aliyun_KMS`
-        - `EXTERNAL`
-        **NOTE**: The value of this parameter is case-sensitive. If you set the `key_spec` to an asymmetric CMK type,
-        you are not allowed to set the `origin` to EXTERNAL. If you set the `origin` to EXTERNAL, you must import key material.
-        For more information, see [import key material](https://www.alibabacloud.com/help/en/doc-detail/68523.htm).
+        The key material origin. Default value: `Aliyun_KMS`. Valid values: `Aliyun_KMS`, `EXTERNAL`.
         """
         return pulumi.get(self, "origin")
 
     @property
     @pulumi.getter(name="pendingWindowInDays")
-    def pending_window_in_days(self) -> pulumi.Output[int]:
+    def pending_window_in_days(self) -> pulumi.Output[Optional[int]]:
         """
-        The number of days before the CMK is deleted. 
-        During this period, the CMK is in the PendingDeletion state.
-        After this period ends, you cannot cancel the deletion. Valid values: 7 to 366. Unit: days.
+        The number of days before the CMK is deleted. During this period, the CMK is in the PendingDeletion state. After this period ends, you cannot cancel the deletion. Unit: days. Valid values: `7` to `366`.
         **NOTE:** From version 1.184.0, `pending_window_in_days` can be set to `366`.
         """
         return pulumi.get(self, "pending_window_in_days")
 
+    @property
+    @pulumi.getter
+    def policy(self) -> pulumi.Output[str]:
+        """
+        The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information, see [How to use it](https://www.alibabacloud.com/help/en/kms/developer-reference/api-setkeypolicy).
+        """
+        return pulumi.get(self, "policy")
+
     @property
     @pulumi.getter(name="primaryKeyVersion")
     def primary_key_version(self) -> pulumi.Output[str]:
@@ -1232,12 +1163,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="protectionLevel")
     def protection_level(self) -> pulumi.Output[Optional[str]]:
         """
-        The protection level of the CMK. Default value: `SOFTWARE`. Valid values:
-        - `SOFTWARE`
-        - `HSM`
-        **NOTE**: The value of this parameter is case-sensitive. Assume that you set this parameter to HSM.
-        If you set the origin parameter to Aliyun_KMS, the CMK is created in a managed hardware security module (HSM).
-        If you set the origin parameter to EXTERNA, you can import an external key to the managed HSM.
+        The protection level of the key. Default value: `SOFTWARE`. Valid values: `SOFTWARE`, `HSM`.
         """
         return pulumi.get(self, "protection_level")
 
@@ -1245,13 +1171,8 @@ class Key(pulumi.CustomResource):
     @pulumi.getter(name="rotationInterval")
     def rotation_interval(self) -> pulumi.Output[Optional[str]]:
         """
-        The interval for automatic key rotation. Specify the value in the integer[unit] format.
-        The following units are supported: d (day), h (hour), m (minute), and s (second).
-        For example, you can use either 7d or 604800s to specify a seven-day interval.
-        The interval can range from 7 days to 730 days.
-        **NOTE**: It is Required when `automatic_rotation = "Enabled"`
-
-        > **NOTE:** When the pre-deletion days elapses, the key is permanently deleted and cannot be recovered.
+        The period of automatic key rotation. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day interval.
+        **NOTE**: If `automatic_rotation` is set to `Enabled`, `rotation_interval` is required.
         """
         return pulumi.get(self, "rotation_interval")
 
@@ -1259,10 +1180,7 @@ class Key(pulumi.CustomResource):
     @pulumi.getter
     def status(self) -> pulumi.Output[str]:
         """
-        The status of CMK. Default value: `Enabled`. Valid Values: 
-        - `Disabled`
-        - `Enabled`
-        - `PendingDeletion`
+        The status of key. Default value: `Enabled`. Valid values: `Enabled`, `Disabled`, `PendingDeletion`.
         """
         return pulumi.get(self, "status")