Get a key URI

Once you create a key, your KMS gives you an ID that uniquely identifies that key. From this ID, you can form a key Uniform Resource Identifier (URI) by adding an appropriate prefix for your KMS. This key URI helps Tink identify your key.

The following table shows the format of supported key URIs. Note that Tink supports all options, but Tinkey (Tink’s command line utility) only supports AWS KMS and Google Cloud KMS.

KMS KMS identifier prefix Key URI format
AWS KMS aws-kms:// aws-kms://arn:aws:kms:<region>:<account-id>:key/<key-id>
GCP KMS gcp-kms:// gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*
HashiCorp Vault hcvault:// hcvault://<key-id>