diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
index 0fa6e8c407768..aedf26d4c6490 100644
--- a/packages/aws-cdk-lib/aws-kms/lib/alias.ts
+++ b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -69,7 +69,13 @@ abstract class AliasBase extends Resource implements IAlias {
 }
 public get keyRef(): KeyReference {
- return this.aliasTargetKey.keyRef;
+ // Not actually referering to the key: `IKeyRef` here is being used as a
+ // hypothetical `IKeyLikeRef`, and we need to return the Alias values using
+ // the Key interface.
+ return {
+ keyArn: this.aliasArn,
+ keyId: this.keyId,
+ };
 }
 /**
diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts
index 461a309cafe55..01488ca758089 100644
--- a/packages/aws-cdk-lib/aws-kms/lib/key.ts
+++ b/packages/aws-cdk-lib/aws-kms/lib/key.ts
@@ -26,6 +26,9 @@ import * as cxapi from '../../cx-api';
 /**
 * A KMS Key, either managed by this CDK app, or imported.
+ *
+ * This interface does double duty: it represents an actual KMS keys, but it
+ * also represents things that can behave like KMS keys, like a key alias.
 */
 export interface IKey extends IResource, IKeyRef {
 /**
diff --git a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
index 399747167a1f4..2c209274a945e 100644
--- a/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
+++ b/packages/aws-cdk-lib/aws-kms/test/alias.test.ts
@@ -911,6 +911,19 @@ test('aliasArn should be a valid ARN', () => {
 }, stack));
 });
+test('Alias keyRef should reference the Alias, not the underlying key', () => {
+ // GIVEN
+ const app = new App();
+ const stack = new Stack(app, 'Test');
+ const key = new Key(stack, 'Key');
+
+ // WHEN
+ const alias = key.addAlias('alias/foo');
+
+ // THEN
+ expect(alias.keyRef.keyArn).toEqual(alias.aliasArn);
+});
+
 class AliasOutputsConstruct extends Construct {
 constructor(scope: Construct, id: string, key: IKey) {
 super(scope, id);
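Review bot: The new `keyRef` getter in alias.ts hands callers an alias ARN in a field named `keyArn`, and the inline comment explaining this is invisible to anyone who only sees the `KeyReference` type. KMS does not treat an alias ARN in the `Resource` element of an IAM policy statement as identifying a key, so a consumer that builds a grant from `keyRef.keyArn` (none is visible in this diff) would emit a statement that does not authorise the key operations it names. I would turn the comment into TSDoc on the getter, e.g. `/** Returns the alias's ARN and keyId, not the target key's; do not place keyArn in an IAM Resource element. */`, and fix the `referering` typo. The same caveat belongs in the `IKey` doc added in key.ts, where `an actual KMS keys` should read `an actual KMS key`. `AliasBase` starts and ends outside this hunk, so what `this.keyId` returns cannot be confirmed from here.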
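Review bot: The new test in alias.test.ts asserts only that `keyRef.keyArn` equals `alias.aliasArn`, so it pins neither the "not the underlying key" half of its title nor the `keyId` field the getter now returns. Adding `expect(alias.keyRef.keyArn).not.toEqual(key.keyArn);` and `expect(alias.keyRef.keyId).toEqual(alias.keyId);` would catch a regression back to the target key's values. Both sides of the existing assertion are presumably unresolved tokens at this point, so a resolved-template check in the style of the preceding `aliasArn should be a valid ARN` test may be the stronger form.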