2020/03/05 - Amazon Elastic Kubernetes Service - 3 updated api methods
Changes Amazon EKS now supports adding a KMS key to your cluster for envelope encryption of Kubernetes secrets.
{'encryptionConfig': [{'provider': {'keyArn': 'string'},
'resources': ['string']}]}
Response {'cluster': {'encryptionConfig': [{'provider': {'keyArn': 'string'},
'resources': ['string']}]}}
Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single-tenant and unique and runs on its own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the worker nodes (for example, to support kubectl exec , logs , and proxy data flows).
Amazon EKS worker nodes run in your AWS account and connect to your cluster's control plane via the Kubernetes API server endpoint and a certificate file that is created for your cluster.
You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see Amazon CloudWatch Pricing.
Cluster creation typically takes between 10 and 15 minutes. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch worker nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS Worker Nodes in the Amazon EKS User Guide .
See also: AWS API Documentation
Request Syntax
client.create_cluster(
name='string',
version='string',
roleArn='string',
resourcesVpcConfig={
'subnetIds': [
'string',
],
'securityGroupIds': [
'string',
],
'endpointPublicAccess': True|False,
'endpointPrivateAccess': True|False,
'publicAccessCidrs': [
'string',
]
},
logging={
'clusterLogging': [
{
'types': [
'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
],
'enabled': True|False
},
]
},
clientRequestToken='string',
tags={
'string': 'string'
},
encryptionConfig=[
{
'resources': [
'string',
],
'provider': {
'keyArn': 'string'
}
},
]
)
string
[REQUIRED]
The unique name to give to your cluster.
string
The desired Kubernetes version for your cluster. If you don't specify a value here, the latest version available in Amazon EKS is used.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that provides permissions for Amazon EKS to make calls to other AWS API operations on your behalf. For more information, see Amazon EKS Service IAM Role in the Amazon EKS User Guide .
dict
[REQUIRED]
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide . You must specify at least two subnets. You can specify up to five security groups, but we recommend that you use a dedicated security group for your cluster control plane.
subnetIds (list) --
Specify subnets for your Amazon EKS worker nodes. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
(string) --
securityGroupIds (list) --
Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use to allow communication between your worker nodes and the Kubernetes control plane. If you don't specify a security group, the default security group for your VPC is used.
(string) --
endpointPublicAccess (boolean) --
Set this value to false to disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. The default value for this parameter is true , which enables public access for your Kubernetes API server. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
endpointPrivateAccess (boolean) --
Set this value to true to enable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. The default value for this parameter is false , which disables private access for your Kubernetes API server. If you disable private access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that you specify the necessary CIDR blocks. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
(string) --
dict
Enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .
Note
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see Amazon CloudWatch Pricing.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
string
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
The metadata to apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define.
(string) --
(string) --
list
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is "secrets".
(string) --
provider (dict) --
AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .
dict
Response Syntax
{
'cluster': {
'name': 'string',
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'version': 'string',
'endpoint': 'string',
'roleArn': 'string',
'resourcesVpcConfig': {
'subnetIds': [
'string',
],
'securityGroupIds': [
'string',
],
'clusterSecurityGroupId': 'string',
'vpcId': 'string',
'endpointPublicAccess': True|False,
'endpointPrivateAccess': True|False,
'publicAccessCidrs': [
'string',
]
},
'logging': {
'clusterLogging': [
{
'types': [
'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
],
'enabled': True|False
},
]
},
'identity': {
'oidc': {
'issuer': 'string'
}
},
'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING',
'certificateAuthority': {
'data': 'string'
},
'clientRequestToken': 'string',
'platformVersion': 'string',
'tags': {
'string': 'string'
},
'encryptionConfig': [
{
'resources': [
'string',
],
'provider': {
'keyArn': 'string'
}
},
]
}
}
Response Structure
(dict) --
cluster (dict) --
The full description of your new cluster.
name (string) --
The name of the cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp in seconds for when the cluster was created.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
This parameter indicates whether the Amazon EKS public API server endpoint is enabled. If the Amazon EKS public API server endpoint is disabled, your cluster's Kubernetes API server can only receive requests that originate from within the cluster VPC.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the listed CIDR blocks is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that the necessary CIDR blocks are listed. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
(string) --
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
The OpenID Connect identity provider information for the cluster.
issuer (string) --
The issuer URL for the OpenID Connect identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information, see Platform Versions in the Amazon EKS User Guide .
tags (dict) --
The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags do not propagate to any other resources associated with the cluster.
(string) --
(string) --
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is "secrets".
(string) --
provider (dict) --
AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .
{'cluster': {'encryptionConfig': [{'provider': {'keyArn': 'string'},
'resources': ['string']}]}}
Deletes the Amazon EKS cluster control plane.
If you have active services in your cluster that are associated with a load balancer, you must delete those services before deleting the cluster so that the load balancers are deleted properly. Otherwise, you can have orphaned resources in your VPC that prevent you from being able to delete the VPC. For more information, see Deleting a Cluster in the Amazon EKS User Guide .
If you have managed node groups or Fargate profiles attached to the cluster, you must delete them first. For more information, see DeleteNodegroup and DeleteFargateProfile.
See also: AWS API Documentation
Request Syntax
client.delete_cluster(
name='string'
)
string
[REQUIRED]
The name of the cluster to delete.
dict
Response Syntax
{
'cluster': {
'name': 'string',
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'version': 'string',
'endpoint': 'string',
'roleArn': 'string',
'resourcesVpcConfig': {
'subnetIds': [
'string',
],
'securityGroupIds': [
'string',
],
'clusterSecurityGroupId': 'string',
'vpcId': 'string',
'endpointPublicAccess': True|False,
'endpointPrivateAccess': True|False,
'publicAccessCidrs': [
'string',
]
},
'logging': {
'clusterLogging': [
{
'types': [
'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
],
'enabled': True|False
},
]
},
'identity': {
'oidc': {
'issuer': 'string'
}
},
'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING',
'certificateAuthority': {
'data': 'string'
},
'clientRequestToken': 'string',
'platformVersion': 'string',
'tags': {
'string': 'string'
},
'encryptionConfig': [
{
'resources': [
'string',
],
'provider': {
'keyArn': 'string'
}
},
]
}
}
Response Structure
(dict) --
cluster (dict) --
The full description of the cluster to delete.
name (string) --
The name of the cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp in seconds for when the cluster was created.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
This parameter indicates whether the Amazon EKS public API server endpoint is enabled. If the Amazon EKS public API server endpoint is disabled, your cluster's Kubernetes API server can only receive requests that originate from within the cluster VPC.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the listed CIDR blocks is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that the necessary CIDR blocks are listed. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
(string) --
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
The OpenID Connect identity provider information for the cluster.
issuer (string) --
The issuer URL for the OpenID Connect identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information, see Platform Versions in the Amazon EKS User Guide .
tags (dict) --
The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags do not propagate to any other resources associated with the cluster.
(string) --
(string) --
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is "secrets".
(string) --
provider (dict) --
AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .
{'cluster': {'encryptionConfig': [{'provider': {'keyArn': 'string'},
'resources': ['string']}]}}
Returns descriptive information about an Amazon EKS cluster.
The API server endpoint and certificate authority data returned by this operation are required for kubelet and kubectl to communicate with your Kubernetes API server. For more information, see Create a kubeconfig for Amazon EKS.
Note
The API server endpoint and certificate authority data aren't available until the cluster reaches the ACTIVE state.
See also: AWS API Documentation
Request Syntax
client.describe_cluster(
name='string'
)
string
[REQUIRED]
The name of the cluster to describe.
dict
Response Syntax
{
'cluster': {
'name': 'string',
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'version': 'string',
'endpoint': 'string',
'roleArn': 'string',
'resourcesVpcConfig': {
'subnetIds': [
'string',
],
'securityGroupIds': [
'string',
],
'clusterSecurityGroupId': 'string',
'vpcId': 'string',
'endpointPublicAccess': True|False,
'endpointPrivateAccess': True|False,
'publicAccessCidrs': [
'string',
]
},
'logging': {
'clusterLogging': [
{
'types': [
'api'|'audit'|'authenticator'|'controllerManager'|'scheduler',
],
'enabled': True|False
},
]
},
'identity': {
'oidc': {
'issuer': 'string'
}
},
'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING',
'certificateAuthority': {
'data': 'string'
},
'clientRequestToken': 'string',
'platformVersion': 'string',
'tags': {
'string': 'string'
},
'encryptionConfig': [
{
'resources': [
'string',
],
'provider': {
'keyArn': 'string'
}
},
]
}
}
Response Structure
(dict) --
cluster (dict) --
The full description of your specified cluster.
name (string) --
The name of the cluster.
arn (string) --
The Amazon Resource Name (ARN) of the cluster.
createdAt (datetime) --
The Unix epoch timestamp in seconds for when the cluster was created.
version (string) --
The Kubernetes server version for the cluster.
endpoint (string) --
The endpoint for your Kubernetes API server.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
resourcesVpcConfig (dict) --
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide .
subnetIds (list) --
The subnets associated with your cluster.
(string) --
securityGroupIds (list) --
The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane.
(string) --
clusterSecurityGroupId (string) --
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
vpcId (string) --
The VPC associated with your cluster.
endpointPublicAccess (boolean) --
This parameter indicates whether the Amazon EKS public API server endpoint is enabled. If the Amazon EKS public API server endpoint is disabled, your cluster's Kubernetes API server can only receive requests that originate from within the cluster VPC.
endpointPrivateAccess (boolean) --
This parameter indicates whether the Amazon EKS private API server endpoint is enabled. If the Amazon EKS private API server endpoint is enabled, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint instead of traversing the internet. If this value is disabled and you have worker nodes or AWS Fargate pods in the cluster, then ensure that publicAccessCidrs includes the necessary CIDR blocks for communication with the worker nodes or Fargate pods. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
publicAccessCidrs (list) --
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the listed CIDR blocks is denied. The default value is 0.0.0.0/0 . If you've disabled private endpoint access and you have worker nodes or AWS Fargate pods in the cluster, then ensure that the necessary CIDR blocks are listed. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
(string) --
logging (dict) --
The logging configuration for your cluster.
clusterLogging (list) --
The cluster control plane logging configuration for your cluster.
(dict) --
An object representing the enabled or disabled Kubernetes control plane logs for your cluster.
types (list) --
The available cluster control plane log types.
(string) --
enabled (boolean) --
If a log type is enabled, that log type exports its control plane logs to CloudWatch Logs. If a log type isn't enabled, that log type doesn't export its control plane logs. Each individual log type can be enabled or disabled independently.
identity (dict) --
The identity provider information for the cluster.
oidc (dict) --
The OpenID Connect identity provider information for the cluster.
issuer (string) --
The issuer URL for the OpenID Connect identity provider.
status (string) --
The current status of the cluster.
certificateAuthority (dict) --
The certificate-authority-data for your cluster.
data (string) --
The Base64-encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster.
clientRequestToken (string) --
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
platformVersion (string) --
The platform version of your Amazon EKS cluster. For more information, see Platform Versions in the Amazon EKS User Guide .
tags (dict) --
The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags do not propagate to any other resources associated with the cluster.
(string) --
(string) --
encryptionConfig (list) --
The encryption configuration for the cluster.
(dict) --
The encryption configuration for the cluster.
resources (list) --
Specifies the resources to be encrypted. The only supported value is "secrets".
(string) --
provider (dict) --
AWS Key Management Service (AWS KMS) customer master key (CMK). Either the ARN or the alias can be used.
keyArn (string) --
Amazon Resource Name (ARN) or alias of the customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide .