Get a key URI


Once you create a key, your KMS gives you an ID that uniquely identifies that key. From this ID, you can form a key Uniform Resource Identifier (URI) by adding an appropriate prefix for your KMS. This key URI helps Tink identify your key.

The following table shows the format of supported key URIs. Note that HashiCorp Vault is currently supported only in Golang. All other implementations and Tinkey (Tink's command-line utility) support only AWS KMS and Google Cloud KMS.

| KMS | KMS identifier prefix | Key URI format |
| --- | --- | --- |
| AWS KMS | `aws-kms://` | `aws-kms://arn:aws:kms:<region>:<account-id>:key/<key-id>` |
| GCP KMS | `gcp-kms://` | `gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*` |
| HashiCorp Vault | `hcvault://` | `hcvault://<key-id>` |

NOTE: HashiCorp Vault integration is currently only available in Golang
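
As an added example (not part of the Tink documentation or Tink's own code), the following Python code forms a key URI from a KMS-issued ID and checks it against the formats in the table, so that a wrong prefix or a truncated ID is rejected before the URI is handed to Tink. The function names, the regular expressions and the sample IDs are assumptions constructed for illustration.

```python
import re

# Prefixes and formats come from the table above. The regexes are this
# example's reading of those formats, not Tink's own validation logic.
FORMATS = {
    # AWS account IDs are 12 digits; region and key ID are kept permissive.
    "aws-kms://": re.compile(
        r"arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account_id>\d{12})"
        r":key/(?P<key_id>[A-Za-z0-9-]+)"
    ),
    "gcp-kms://": re.compile(
        r"projects/(?P<project>[^/\s]+)/locations/(?P<location>[^/\s]+)"
        r"/keyRings/(?P<key_ring>[^/\s]+)/cryptoKeys/(?P<crypto_key>[^/\s]+)"
    ),
    "hcvault://": re.compile(r"(?P<key_id>\S+)"),
}

# Constructed sample IDs, not real keys.
SAMPLE_AWS_ID = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_GCP_ID = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key"


def parse_key_uri(uri):
    """Return (prefix, fields) for a well-formed key URI, else raise ValueError."""
    for prefix, pattern in FORMATS.items():
        if uri.startswith(prefix):
            match = pattern.fullmatch(uri[len(prefix):])
            if match is None:
                raise ValueError(f"malformed key ID for {prefix!r}")
            return prefix, match.groupdict()
    raise ValueError("unsupported KMS identifier prefix")


def to_key_uri(prefix, kms_id):
    """Form a key URI by adding the KMS prefix to the ID issued by the KMS."""
    uri = prefix + kms_id
    parse_key_uri(uri)  # fail closed on a wrong prefix or truncated ID
    return uri


if __name__ == "__main__":
    print(parse_key_uri(to_key_uri("aws-kms://", SAMPLE_AWS_ID)))
    print(parse_key_uri(to_key_uri("gcp-kms://", SAMPLE_GCP_ID)))
```
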
