Get a key URI

External KMSs assign a unique identifier to each key when it is created. You can use this identifier to form a Uniform Resource Identifier (URI) by adding an appropriate KMS-specific prefix. Tink uses URIs to work with KMS keys.

The following table shows the format of supported key URIs:

KMS KMS identifier prefix Key URI format
AWS KMS aws-kms:// aws-kms://arn:aws:kms:<region>:<account-id>:key/<key-id>
GCP KMS gcp-kms:// gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*
HashiCorp Vault hcvault:// hcvault://<key-id>