aws-sdk-kms 1.0.0.rc1 → 1.0.0.rc2

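--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: b550ddbb43764a42cccda6f4cc81bbd731970cfc
- data.tar.gz: 988e4adcf959f4ec893ffce5261488fc47310271
+ metadata.gz: be4b307da3ae6b5a132ef34883ec9f7fb8050173
+ data.tar.gz: d765f24a443f99852047990e57eaee77f132d09e
  SHA512:
- metadata.gz: 8f305e6cd783332f432ab9e7e38a6a3166ddd9c598879f365c711433e8e8b571d9b94e96d12ba2819793d69ab8c685406a6a01aee6b5c36959978e95b9ce08f4
- data.tar.gz: c59213a82532eb4790a60a7f4955861ad1d16f01e65e2b07ec5d98c17a72ccf5e7ecfda8605566cdc7d22150f9571fa4497eb6f3a93a4ea13b4303c0e0e8edce
+ metadata.gz: c9e1dfb9f0db2c751c7805ee9a5814160df0e8c7138fad582ff93c7a4307f6c4c6920e3b41a9ecb2e837afe1e941f4426ecc73b349479381d47bbb9851165c2a
+ data.tar.gz: 61d34aacbca1ecb33fac73087f977d708e7dc6c9ad58e1a1c0ae88f9294aca3de6a81905503af114d2a094c6b1ce75b3a1c9511b4beb01b11ff1a52cd05aaf12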
data/lib/aws-sdk-kms.rb CHANGED
@@ -1,6 +1,6 @@
1
1
  # WARNING ABOUT GENERATED CODE
2
2
  #
3
- # This file is generated. See the contributing for info on making contributions:
3
+ # This file is generated. See the contributing guide for more information:
4
4
  # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
5
  #
6
6
  # WARNING ABOUT GENERATED CODE
@@ -1,6 +1,6 @@
1
1
  # WARNING ABOUT GENERATED CODE
2
2
  #
3
- # This file is generated. See the contributing for info on making contributions:
3
+ # This file is generated. See the contributing guide for more information:
4
4
  # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
5
  #
6
6
  # WARNING ABOUT GENERATED CODE
@@ -23,1937 +23,2121 @@ require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
23
23
 
24
24
  Aws::Plugins::GlobalConfiguration.add_identifier(:kms)
25
25
 
26
- module Aws
27
- module KMS
28
- class Client < Seahorse::Client::Base
26
+ module Aws::KMS
27
+ class Client < Seahorse::Client::Base
29
28
 
30
- include Aws::ClientStubs
29
+ include Aws::ClientStubs
31
30
 
32
- @identifier = :kms
31
+ @identifier = :kms
33
32
 
34
- set_api(ClientApi::API)
33
+ set_api(ClientApi::API)
35
34
 
36
- add_plugin(Seahorse::Client::Plugins::ContentLength)
37
- add_plugin(Aws::Plugins::CredentialsConfiguration)
38
- add_plugin(Aws::Plugins::Logging)
39
- add_plugin(Aws::Plugins::ParamConverter)
40
- add_plugin(Aws::Plugins::ParamValidator)
41
- add_plugin(Aws::Plugins::UserAgent)
42
- add_plugin(Aws::Plugins::HelpfulSocketErrors)
43
- add_plugin(Aws::Plugins::RetryErrors)
44
- add_plugin(Aws::Plugins::GlobalConfiguration)
45
- add_plugin(Aws::Plugins::RegionalEndpoint)
46
- add_plugin(Aws::Plugins::ResponsePaging)
47
- add_plugin(Aws::Plugins::StubResponses)
48
- add_plugin(Aws::Plugins::IdempotencyToken)
49
- add_plugin(Aws::Plugins::SignatureV4)
50
- add_plugin(Aws::Plugins::Protocols::JsonRpc)
35
+ add_plugin(Seahorse::Client::Plugins::ContentLength)
36
+ add_plugin(Aws::Plugins::CredentialsConfiguration)
37
+ add_plugin(Aws::Plugins::Logging)
38
+ add_plugin(Aws::Plugins::ParamConverter)
39
+ add_plugin(Aws::Plugins::ParamValidator)
40
+ add_plugin(Aws::Plugins::UserAgent)
41
+ add_plugin(Aws::Plugins::HelpfulSocketErrors)
42
+ add_plugin(Aws::Plugins::RetryErrors)
43
+ add_plugin(Aws::Plugins::GlobalConfiguration)
44
+ add_plugin(Aws::Plugins::RegionalEndpoint)
45
+ add_plugin(Aws::Plugins::ResponsePaging)
46
+ add_plugin(Aws::Plugins::StubResponses)
47
+ add_plugin(Aws::Plugins::IdempotencyToken)
48
+ add_plugin(Aws::Plugins::SignatureV4)
49
+ add_plugin(Aws::Plugins::Protocols::JsonRpc)
51
50
 
52
- # @option options [required, Aws::CredentialProvider] :credentials
53
- # Your AWS credentials. This can be an instance of any one of the
54
- # following classes:
55
- #
56
- # * `Aws::Credentials` - Used for configuring static, non-refreshing
57
- # credentials.
58
- #
59
- # * `Aws::InstanceProfileCredentials` - Used for loading credentials
60
- # from an EC2 IMDS on an EC2 instance.
61
- #
62
- # * `Aws::SharedCredentials` - Used for loading credentials from a
63
- # shared file, such as `~/.aws/config`.
64
- #
65
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
66
- #
67
- # When `:credentials` are not configured directly, the following
68
- # locations will be searched for credentials:
69
- #
70
- # * `Aws.config[:credentials]`
71
- # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
72
- # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
73
- # * `~/.aws/credentials`
74
- # * `~/.aws/config`
75
- # * EC2 IMDS instance profile - When used by default, the timeouts are
76
- # very aggressive. Construct and pass an instance of
77
- # `Aws::InstanceProfileCredentails` to enable retries and extended
78
- # timeouts.
79
- # @option options [required, String] :region
80
- # The AWS region to connect to. The configured `:region` is
81
- # used to determine the service `:endpoint`. When not passed,
82
- # a default `:region` is search for in the following locations:
83
- #
84
- # * `Aws.config[:region]`
85
- # * `ENV['AWS_REGION']`
86
- # * `ENV['AMAZON_REGION']`
87
- # * `ENV['AWS_DEFAULT_REGION']`
88
- # * `~/.aws/credentials`
89
- # * `~/.aws/config`
90
- # @option options [String] :access_key_id
91
- # @option options [Boolean] :convert_params (true)
92
- # When `true`, an attempt is made to coerce request parameters into
93
- # the required types.
94
- # @option options [String] :endpoint
95
- # The client endpoint is normally constructed from the `:region`
96
- # option. You should only configure an `:endpoint` when connecting
97
- # to test endpoints. This should be avalid HTTP(S) URI.
98
- # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
99
- # The log formatter.
100
- # @option options [Symbol] :log_level (:info)
101
- # The log level to send messages to the `:logger` at.
102
- # @option options [Logger] :logger
103
- # The Logger instance to send log messages to. If this option
104
- # is not set, logging will be disabled.
105
- # @option options [String] :profile ("default")
106
- # Used when loading credentials from the shared credentials file
107
- # at HOME/.aws/credentials. When not specified, 'default' is used.
108
- # @option options [Integer] :retry_limit (3)
109
- # The maximum number of times to retry failed requests. Only
110
- # ~ 500 level server errors and certain ~ 400 level client errors
111
- # are retried. Generally, these are throttling errors, data
112
- # checksum errors, networking errors, timeout errors and auth
113
- # errors from expired credentials.
114
- # @option options [String] :secret_access_key
115
- # @option options [String] :session_token
116
- # @option options [Boolean] :simple_json (false)
117
- # Disables request parameter conversion, validation, and formatting.
118
- # Also disable response data type conversions. This option is useful
119
- # when you want to ensure the highest level of performance by
120
- # avoiding overhead of walking request parameters and response data
121
- # structures.
122
- #
123
- # When `:simple_json` is enabled, the request parameters hash must
124
- # be formatted exactly as the DynamoDB API expects.
125
- # @option options [Boolean] :stub_responses (false)
126
- # Causes the client to return stubbed responses. By default
127
- # fake responses are generated and returned. You can specify
128
- # the response data to return or errors to raise by calling
129
- # {ClientStubs#stub_responses}. See {ClientStubs} for more information.
130
- #
131
- # ** Please note ** When response stubbing is enabled, no HTTP
132
- # requests are made, and retries are disabled.
133
- # @option options [Boolean] :validate_params (true)
134
- # When `true`, request parameters are validated before
135
- # sending the request.
136
- def initialize(*args)
137
- super
138
- end
51
+ # @option options [required, Aws::CredentialProvider] :credentials
52
+ # Your AWS credentials. This can be an instance of any one of the
53
+ # following classes:
54
+ #
55
+ # * `Aws::Credentials` - Used for configuring static, non-refreshing
56
+ # credentials.
57
+ #
58
+ # * `Aws::InstanceProfileCredentials` - Used for loading credentials
59
+ # from an EC2 IMDS on an EC2 instance.
60
+ #
61
+ # * `Aws::SharedCredentials` - Used for loading credentials from a
62
+ # shared file, such as `~/.aws/config`.
63
+ #
64
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
65
+ #
66
+ # When `:credentials` are not configured directly, the following
67
+ # locations will be searched for credentials:
68
+ #
69
+ # * `Aws.config[:credentials]`
70
+ # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
71
+ # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
72
+ # * `~/.aws/credentials`
73
+ # * `~/.aws/config`
74
+ # * EC2 IMDS instance profile - When used by default, the timeouts are
75
+ # very aggressive. Construct and pass an instance of
76
+ # `Aws::InstanceProfileCredentails` to enable retries and extended
77
+ # timeouts.
78
+ #
79
+ # @option options [required, String] :region
80
+ # The AWS region to connect to. The configured `:region` is
81
+ # used to determine the service `:endpoint`. When not passed,
82
+ # a default `:region` is search for in the following locations:
83
+ #
84
+ # * `Aws.config[:region]`
85
+ # * `ENV['AWS_REGION']`
86
+ # * `ENV['AMAZON_REGION']`
87
+ # * `ENV['AWS_DEFAULT_REGION']`
88
+ # * `~/.aws/credentials`
89
+ # * `~/.aws/config`
90
+ #
91
+ # @option options [String] :access_key_id
92
+ #
93
+ # @option options [Boolean] :convert_params (true)
94
+ # When `true`, an attempt is made to coerce request parameters into
95
+ # the required types.
96
+ #
97
+ # @option options [String] :endpoint
98
+ # The client endpoint is normally constructed from the `:region`
99
+ # option. You should only configure an `:endpoint` when connecting
100
+ # to test endpoints. This should be avalid HTTP(S) URI.
101
+ #
102
+ # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
103
+ # The log formatter.
104
+ #
105
+ # @option options [Symbol] :log_level (:info)
106
+ # The log level to send messages to the `:logger` at.
107
+ #
108
+ # @option options [Logger] :logger
109
+ # The Logger instance to send log messages to. If this option
110
+ # is not set, logging will be disabled.
111
+ #
112
+ # @option options [String] :profile ("default")
113
+ # Used when loading credentials from the shared credentials file
114
+ # at HOME/.aws/credentials. When not specified, 'default' is used.
115
+ #
116
+ # @option options [Integer] :retry_limit (3)
117
+ # The maximum number of times to retry failed requests. Only
118
+ # ~ 500 level server errors and certain ~ 400 level client errors
119
+ # are retried. Generally, these are throttling errors, data
120
+ # checksum errors, networking errors, timeout errors and auth
121
+ # errors from expired credentials.
122
+ #
123
+ # @option options [String] :secret_access_key
124
+ #
125
+ # @option options [String] :session_token
126
+ #
127
+ # @option options [Boolean] :simple_json (false)
128
+ # Disables request parameter conversion, validation, and formatting.
129
+ # Also disable response data type conversions. This option is useful
130
+ # when you want to ensure the highest level of performance by
131
+ # avoiding overhead of walking request parameters and response data
132
+ # structures.
133
+ #
134
+ # When `:simple_json` is enabled, the request parameters hash must
135
+ # be formatted exactly as the DynamoDB API expects.
136
+ #
137
+ # @option options [Boolean] :stub_responses (false)
138
+ # Causes the client to return stubbed responses. By default
139
+ # fake responses are generated and returned. You can specify
140
+ # the response data to return or errors to raise by calling
141
+ # {ClientStubs#stub_responses}. See {ClientStubs} for more information.
142
+ #
143
+ # ** Please note ** When response stubbing is enabled, no HTTP
144
+ # requests are made, and retries are disabled.
145
+ #
146
+ # @option options [Boolean] :validate_params (true)
147
+ # When `true`, request parameters are validated before
148
+ # sending the request.
149
+ #
150
+ def initialize(*args)
151
+ super
152
+ end
139
153
 
140
- # @!group API Operations
154
+ # @!group API Operations
141
155
 
142
- # Cancels the deletion of a customer master key (CMK). When this
143
- # operation is successful, the CMK is set to the `Disabled` state. To
144
- # enable a CMK, use EnableKey.
145
- #
146
- # For more information about scheduling and canceling deletion of a CMK,
147
- # see [Deleting Customer Master Keys][1] in the *AWS Key Management
148
- # Service Developer Guide*.
149
- #
150
- #
151
- #
152
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
153
- # @option params [required, String] :key_id
154
- # The unique identifier for the customer master key (CMK) for which to
155
- # cancel deletion.
156
- #
157
- # To specify this value, use the unique key ID or the Amazon Resource
158
- # Name (ARN) of the CMK. Examples:
159
- #
160
- # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
161
- #
162
- # * Key ARN:
163
- # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
164
- #
165
- # To obtain the unique key ID and key ARN for a given CMK, use ListKeys
166
- # or DescribeKey.
167
- # @return [Types::CancelKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
168
- #
169
- # * {Types::CancelKeyDeletionResponse#key_id #KeyId} => String
170
- #
171
- # @example Request syntax with placeholder values
172
- # resp = client.cancel_key_deletion({
173
- # key_id: "KeyIdType", # required
174
- # })
175
- #
176
- # @example Response structure
177
- # resp.key_id #=> String
178
- # @overload cancel_key_deletion(params = {})
179
- # @param [Hash] params ({})
180
- def cancel_key_deletion(params = {}, options = {})
181
- req = build_request(:cancel_key_deletion, params)
182
- req.send_request(options)
183
- end
184
-
185
- # Creates a display name for a customer master key. An alias can be used
186
- # to identify a key and should be unique. The console enforces a
187
- # one-to-one mapping between the alias and a key. An alias name can
188
- # contain only alphanumeric characters, forward slashes (/), underscores
189
- # (\_), and dashes (-). An alias must start with the word "alias"
190
- # followed by a forward slash (alias/). An alias that begins with
191
- # "aws" after the forward slash (alias/aws...) is reserved by Amazon
192
- # Web Services (AWS).
193
- #
194
- # The alias and the key it is mapped to must be in the same AWS account
195
- # and the same region.
196
- #
197
- # To map an alias to a different key, call UpdateAlias.
198
- # @option params [required, String] :alias_name
199
- # String that contains the display name. The name must start with the
200
- # word "alias" followed by a forward slash (alias/). Aliases that
201
- # begin with "alias/AWS" are reserved.
202
- # @option params [required, String] :target_key_id
203
- # An identifier of the key for which you are creating the alias. This
204
- # value cannot be another alias but can be a globally unique identifier
205
- # or a fully specified ARN to a key.
206
- #
207
- # * Key ARN Example -
208
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
209
- #
210
- # * Globally Unique Key ID Example -
211
- # 12345678-1234-1234-1234-123456789012
212
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
213
- #
214
- # @example Request syntax with placeholder values
215
- # resp = client.create_alias({
216
- # alias_name: "AliasNameType", # required
217
- # target_key_id: "KeyIdType", # required
218
- # })
219
- # @overload create_alias(params = {})
220
- # @param [Hash] params ({})
221
- def create_alias(params = {}, options = {})
222
- req = build_request(:create_alias, params)
223
- req.send_request(options)
224
- end
156
+ # Cancels the deletion of a customer master key (CMK). When this
157
+ # operation is successful, the CMK is set to the `Disabled` state. To
158
+ # enable a CMK, use EnableKey.
159
+ #
160
+ # For more information about scheduling and canceling deletion of a CMK,
161
+ # see [Deleting Customer Master Keys][1] in the *AWS Key Management
162
+ # Service Developer Guide*.
163
+ #
164
+ #
165
+ #
166
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
167
+ #
168
+ # @option params [required, String] :key_id
169
+ # The unique identifier for the customer master key (CMK) for which to
170
+ # cancel deletion.
171
+ #
172
+ # To specify this value, use the unique key ID or the Amazon Resource
173
+ # Name (ARN) of the CMK. Examples:
174
+ #
175
+ # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
176
+ #
177
+ # * Key ARN:
178
+ # arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
179
+ #
180
+ # To obtain the unique key ID and key ARN for a given CMK, use ListKeys
181
+ # or DescribeKey.
182
+ #
183
+ # @return [Types::CancelKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
184
+ #
185
+ # * {Types::CancelKeyDeletionResponse#key_id #key_id} => String
186
+ #
187
+ # @example Request syntax with placeholder values
188
+ #
189
+ # resp = client.cancel_key_deletion({
190
+ # key_id: "KeyIdType", # required
191
+ # })
192
+ #
193
+ # @example Response structure
194
+ #
195
+ # resp.key_id #=> String
196
+ #
197
+ # @overload cancel_key_deletion(params = {})
198
+ # @param [Hash] params ({})
199
+ def cancel_key_deletion(params = {}, options = {})
200
+ req = build_request(:cancel_key_deletion, params)
201
+ req.send_request(options)
202
+ end
225
203
 
226
- # Adds a grant to a key to specify who can use the key and under what
227
- # conditions. Grants are alternate permission mechanisms to key
228
- # policies.
229
- #
230
- # For more information about grants, see [Grants][1] in the *AWS Key
231
- # Management Service Developer Guide*.
232
- #
233
- #
234
- #
235
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/grants.html
236
- # @option params [required, String] :key_id
237
- # The unique identifier for the customer master key (CMK) that the grant
238
- # applies to.
239
- #
240
- # To specify this value, use the globally unique key ID or the Amazon
241
- # Resource Name (ARN) of the key. Examples:
242
- #
243
- # * Globally unique key ID: 12345678-1234-1234-1234-123456789012
244
- #
245
- # * Key ARN:
246
- # arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012
247
- # @option params [required, String] :grantee_principal
248
- # The principal that is given permission to perform the operations that
249
- # the grant permits.
250
- #
251
- # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
252
- # an AWS principal. Valid AWS principals include AWS accounts (root),
253
- # IAM users, federated users, and assumed role users. For examples of
254
- # the ARN syntax to use for specifying a principal, see [AWS Identity
255
- # and Access Management (IAM)][2] in the Example ARNs section of the
256
- # *AWS General Reference*.
257
- #
258
- #
259
- #
260
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
261
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
262
- # @option params [String] :retiring_principal
263
- # The principal that is given permission to retire the grant by using
264
- # RetireGrant operation.
265
- #
266
- # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
267
- # an AWS principal. Valid AWS principals include AWS accounts (root),
268
- # IAM users, federated users, and assumed role users. For examples of
269
- # the ARN syntax to use for specifying a principal, see [AWS Identity
270
- # and Access Management (IAM)][2] in the Example ARNs section of the
271
- # *AWS General Reference*.
272
- #
273
- #
274
- #
275
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
276
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
277
- # @option params [Array<String>] :operations
278
- # A list of operations that the grant permits. The list can contain any
279
- # combination of one or more of the following values:
280
- #
281
- # * Decrypt
282
- #
283
- # * Encrypt
284
- #
285
- # * GenerateDataKey
286
- #
287
- # * GenerateDataKeyWithoutPlaintext
288
- #
289
- # * [ReEncryptFrom][1]
290
- #
291
- # * [ReEncryptTo][1]
292
- #
293
- # * CreateGrant
294
- #
295
- # * RetireGrant
296
- #
297
- # * DescribeKey
298
- #
299
- #
300
- #
301
- # [1]: http://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html
302
- # @option params [Types::GrantConstraints] :constraints
303
- # The conditions under which the operations permitted by the grant are
304
- # allowed.
305
- #
306
- # You can use this value to allow the operations permitted by the grant
307
- # only when a specified encryption context is present. For more
308
- # information, see [Encryption Context][1] in the *AWS Key Management
309
- # Service Developer Guide*.
310
- #
311
- #
312
- #
313
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
314
- # @option params [Array<String>] :grant_tokens
315
- # A list of grant tokens.
316
- #
317
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
318
- # Service Developer Guide*.
319
- #
320
- #
321
- #
322
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
323
- # @option params [String] :name
324
- # A friendly name for identifying the grant. Use this value to prevent
325
- # unintended creation of duplicate grants when retrying this request.
326
- #
327
- # When this value is absent, all `CreateGrant` requests result in a new
328
- # grant with a unique `GrantId` even if all the supplied parameters are
329
- # identical. This can result in unintended duplicates when you retry the
330
- # `CreateGrant` request.
331
- #
332
- # When this value is present, you can retry a `CreateGrant` request with
333
- # identical parameters; if the grant already exists, the original
334
- # `GrantId` is returned without creating a new grant. Note that the
335
- # returned grant token is unique with every `CreateGrant` request, even
336
- # when a duplicate `GrantId` is returned. All grant tokens obtained in
337
- # this way can be used interchangeably.
338
- # @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
339
- #
340
- # * {Types::CreateGrantResponse#grant_token #GrantToken} => String
341
- # * {Types::CreateGrantResponse#grant_id #GrantId} => String
342
- #
343
- # @example Request syntax with placeholder values
344
- # resp = client.create_grant({
345
- # key_id: "KeyIdType", # required
346
- # grantee_principal: "PrincipalIdType", # required
347
- # retiring_principal: "PrincipalIdType",
348
- # operations: ["Decrypt"], # accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
349
- # constraints: {
350
- # encryption_context_subset: {
351
- # "EncryptionContextKey" => "EncryptionContextValue",
352
- # },
353
- # encryption_context_equals: {
354
- # "EncryptionContextKey" => "EncryptionContextValue",
355
- # },
356
- # },
357
- # grant_tokens: ["GrantTokenType"],
358
- # name: "GrantNameType",
359
- # })
360
- #
361
- # @example Response structure
362
- # resp.grant_token #=> String
363
- # resp.grant_id #=> String
364
- # @overload create_grant(params = {})
365
- # @param [Hash] params ({})
366
- def create_grant(params = {}, options = {})
367
- req = build_request(:create_grant, params)
368
- req.send_request(options)
369
- end
204
+ # Creates a display name for a customer master key. An alias can be used
205
+ # to identify a key and should be unique. The console enforces a
206
+ # one-to-one mapping between the alias and a key. An alias name can
207
+ # contain only alphanumeric characters, forward slashes (/), underscores
208
+ # (\_), and dashes (-). An alias must start with the word "alias"
209
+ # followed by a forward slash (alias/). An alias that begins with
210
+ # "aws" after the forward slash (alias/aws...) is reserved by Amazon
211
+ # Web Services (AWS).
212
+ #
213
+ # The alias and the key it is mapped to must be in the same AWS account
214
+ # and the same region.
215
+ #
216
+ # To map an alias to a different key, call UpdateAlias.
217
+ #
218
+ # @option params [required, String] :alias_name
219
+ # String that contains the display name. The name must start with the
220
+ # word "alias" followed by a forward slash (alias/). Aliases that
221
+ # begin with "alias/AWS" are reserved.
222
+ #
223
+ # @option params [required, String] :target_key_id
224
+ # An identifier of the key for which you are creating the alias. This
225
+ # value cannot be another alias but can be a globally unique identifier
226
+ # or a fully specified ARN to a key.
227
+ #
228
+ # * Key ARN Example -
229
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
230
+ #
231
+ # * Globally Unique Key ID Example -
232
+ # 12345678-1234-1234-1234-123456789012
233
+ #
234
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
235
+ #
236
+ # @example Request syntax with placeholder values
237
+ #
238
+ # resp = client.create_alias({
239
+ # alias_name: "AliasNameType", # required
240
+ # target_key_id: "KeyIdType", # required
241
+ # })
242
+ #
243
+ # @overload create_alias(params = {})
244
+ # @param [Hash] params ({})
245
+ def create_alias(params = {}, options = {})
246
+ req = build_request(:create_alias, params)
247
+ req.send_request(options)
248
+ end
370
249
 
371
- # Creates a customer master key (CMK).
372
- #
373
- # You can use a CMK to encrypt small amounts of data (4 KiB or less)
374
- # directly, but CMKs are more commonly used to encrypt data encryption
375
- # keys (DEKs), which are used to encrypt raw data. For more information
376
- # about DEKs and the difference between CMKs and DEKs, see the
377
- # following:
378
- #
379
- # * The GenerateDataKey operation
380
- #
381
- # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
382
- # Service Developer Guide*
383
- #
384
- #
385
- #
386
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
387
- # @option params [String] :policy
388
- # The key policy to attach to the CMK.
389
- #
390
- # If you specify a policy and do not set
391
- # `BypassPolicyLockoutSafetyCheck` to true, the policy must meet the
392
- # following criteria:
393
- #
394
- # * It must allow the principal making the `CreateKey` request to make a
395
- # subsequent PutKeyPolicy request on the CMK. This reduces the
396
- # likelihood that the CMK becomes unmanageable. For more information,
397
- # refer to the scenario in the [Default Key Policy][1] section in the
398
- # *AWS Key Management Service Developer Guide*.
399
- #
400
- # * The principal(s) specified in the key policy must exist and be
401
- # visible to AWS KMS. When you create a new AWS principal (for
402
- # example, an IAM user or role), you might need to enforce a delay
403
- # before specifying the new principal in a key policy because the new
404
- # principal might not immediately be visible to AWS KMS. For more
405
- # information, see [Changes that I make are not always immediately
406
- # visible][2] in the *IAM User Guide*.
407
- #
408
- # If you do not specify a policy, AWS KMS attaches a default key policy
409
- # to the CMK. For more information, see [Default Key Policy][3] in the
410
- # *AWS Key Management Service Developer Guide*.
411
- #
412
- # The policy size limit is 32 KiB (32768 bytes).
413
- #
414
- #
415
- #
416
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
417
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
418
- # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
419
- # @option params [String] :description
420
- # A description of the CMK.
421
- #
422
- # Use a description that helps you decide whether the CMK is appropriate
423
- # for a task.
424
- # @option params [String] :key_usage
425
- # The intended use of the CMK.
426
- #
427
- # You can use CMKs only for symmetric encryption and decryption.
428
- # @option params [String] :origin
429
- # The source of the CMK's key material.
430
- #
431
- # The default is `AWS_KMS`, which means AWS KMS creates the key
432
- # material. When this parameter is set to `EXTERNAL`, the request
433
- # creates a CMK without key material so that you can import key material
434
- # from your existing key management infrastructure. For more information
435
- # about importing key material into AWS KMS, see [Importing Key
436
- # Material][1] in the *AWS Key Management Service Developer Guide*.
437
- #
438
- # The CMK's `Origin` is immutable and is set when the CMK is created.
439
- #
440
- #
441
- #
442
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
443
- # @option params [Boolean] :bypass_policy_lockout_safety_check
444
- # A flag to indicate whether to bypass the key policy lockout safety
445
- # check.
446
- #
447
- # Setting this value to true increases the likelihood that the CMK
448
- # becomes unmanageable. Do not set this value to true indiscriminately.
449
- #
450
- # For more information, refer to the scenario in the [Default Key
451
- # Policy][1] section in the *AWS Key Management Service Developer
452
- # Guide*.
453
- #
454
- # Use this parameter only when you include a policy in the request and
455
- # you intend to prevent the principal making the request from making a
456
- # subsequent PutKeyPolicy request on the CMK.
457
- #
458
- # The default value is false.
459
- #
460
- #
461
- #
462
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
463
- # @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
464
- #
465
- # * {Types::CreateKeyResponse#key_metadata #KeyMetadata} => Types::KeyMetadata
466
- #
467
- # @example Request syntax with placeholder values
468
- # resp = client.create_key({
469
- # policy: "PolicyType",
470
- # description: "DescriptionType",
471
- # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
472
- # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
473
- # bypass_policy_lockout_safety_check: false,
474
- # })
475
- #
476
- # @example Response structure
477
- # resp.key_metadata.aws_account_id #=> String
478
- # resp.key_metadata.key_id #=> String
479
- # resp.key_metadata.arn #=> String
480
- # resp.key_metadata.creation_date #=> Time
481
- # resp.key_metadata.enabled #=> Boolean
482
- # resp.key_metadata.description #=> String
483
- # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
484
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
485
- # resp.key_metadata.deletion_date #=> Time
486
- # resp.key_metadata.valid_to #=> Time
487
- # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
488
- # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
489
- # @overload create_key(params = {})
490
- # @param [Hash] params ({})
491
- def create_key(params = {}, options = {})
492
- req = build_request(:create_key, params)
493
- req.send_request(options)
494
- end
250
+ # Adds a grant to a key to specify who can use the key and under what
251
+ # conditions. Grants are alternate permission mechanisms to key
252
+ # policies.
253
+ #
254
+ # For more information about grants, see [Grants][1] in the *AWS Key
255
+ # Management Service Developer Guide*.
256
+ #
257
+ #
258
+ #
259
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/grants.html
260
+ #
261
+ # @option params [required, String] :key_id
262
+ # The unique identifier for the customer master key (CMK) that the grant
263
+ # applies to.
264
+ #
265
+ # To specify this value, use the globally unique key ID or the Amazon
266
+ # Resource Name (ARN) of the key. Examples:
267
+ #
268
+ # * Globally unique key ID: 12345678-1234-1234-1234-123456789012
269
+ #
270
+ # * Key ARN:
271
+ # arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012
272
+ #
273
+ # @option params [required, String] :grantee_principal
274
+ # The principal that is given permission to perform the operations that
275
+ # the grant permits.
276
+ #
277
+ # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
278
+ # an AWS principal. Valid AWS principals include AWS accounts (root),
279
+ # IAM users, federated users, and assumed role users. For examples of
280
+ # the ARN syntax to use for specifying a principal, see [AWS Identity
281
+ # and Access Management (IAM)][2] in the Example ARNs section of the
282
+ # *AWS General Reference*.
283
+ #
284
+ #
285
+ #
286
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
287
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
288
+ #
289
+ # @option params [String] :retiring_principal
290
+ # The principal that is given permission to retire the grant by using
291
+ # RetireGrant operation.
292
+ #
293
+ # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
294
+ # an AWS principal. Valid AWS principals include AWS accounts (root),
295
+ # IAM users, federated users, and assumed role users. For examples of
296
+ # the ARN syntax to use for specifying a principal, see [AWS Identity
297
+ # and Access Management (IAM)][2] in the Example ARNs section of the
298
+ # *AWS General Reference*.
299
+ #
300
+ #
301
+ #
302
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
303
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
304
+ #
305
+ # @option params [Array<String>] :operations
306
+ # A list of operations that the grant permits.
307
+ #
308
+ # @option params [Types::GrantConstraints] :constraints
309
+ # The conditions under which the operations permitted by the grant are
310
+ # allowed.
311
+ #
312
+ # You can use this value to allow the operations permitted by the grant
313
+ # only when a specified encryption context is present. For more
314
+ # information, see [Encryption Context][1] in the *AWS Key Management
315
+ # Service Developer Guide*.
316
+ #
317
+ #
318
+ #
319
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
320
+ #
321
+ # @option params [Array<String>] :grant_tokens
322
+ # A list of grant tokens.
323
+ #
324
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
325
+ # Service Developer Guide*.
326
+ #
327
+ #
328
+ #
329
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
330
+ #
331
+ # @option params [String] :name
332
+ # A friendly name for identifying the grant. Use this value to prevent
333
+ # unintended creation of duplicate grants when retrying this request.
334
+ #
335
+ # When this value is absent, all `CreateGrant` requests result in a new
336
+ # grant with a unique `GrantId` even if all the supplied parameters are
337
+ # identical. This can result in unintended duplicates when you retry the
338
+ # `CreateGrant` request.
339
+ #
340
+ # When this value is present, you can retry a `CreateGrant` request with
341
+ # identical parameters; if the grant already exists, the original
342
+ # `GrantId` is returned without creating a new grant. Note that the
343
+ # returned grant token is unique with every `CreateGrant` request, even
344
+ # when a duplicate `GrantId` is returned. All grant tokens obtained in
345
+ # this way can be used interchangeably.
346
+ #
347
+ # @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
348
+ #
349
+ # * {Types::CreateGrantResponse#grant_token #grant_token} => String
350
+ # * {Types::CreateGrantResponse#grant_id #grant_id} => String
351
+ #
352
+ # @example Request syntax with placeholder values
353
+ #
354
+ # resp = client.create_grant({
355
+ # key_id: "KeyIdType", # required
356
+ # grantee_principal: "PrincipalIdType", # required
357
+ # retiring_principal: "PrincipalIdType",
358
+ # operations: ["Decrypt"], # accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
359
+ # constraints: {
360
+ # encryption_context_subset: {
361
+ # "EncryptionContextKey" => "EncryptionContextValue",
362
+ # },
363
+ # encryption_context_equals: {
364
+ # "EncryptionContextKey" => "EncryptionContextValue",
365
+ # },
366
+ # },
367
+ # grant_tokens: ["GrantTokenType"],
368
+ # name: "GrantNameType",
369
+ # })
370
+ #
371
+ # @example Response structure
372
+ #
373
+ # resp.grant_token #=> String
374
+ # resp.grant_id #=> String
375
+ #
376
+ # @overload create_grant(params = {})
377
+ # @param [Hash] params ({})
378
+ def create_grant(params = {}, options = {})
379
+ req = build_request(:create_grant, params)
380
+ req.send_request(options)
381
+ end
495
382
 
496
- # Decrypts ciphertext. Ciphertext is plaintext that has been previously
497
- # encrypted by using any of the following functions:
498
- #
499
- # * GenerateDataKey
500
- #
501
- # * GenerateDataKeyWithoutPlaintext
502
- #
503
- # * Encrypt
504
- #
505
- # Note that if a caller has been granted access permissions to all keys
506
- # (through, for example, IAM user policies that grant `Decrypt`
507
- # permission on all resources), then ciphertext encrypted by using keys
508
- # in other accounts where the key grants access to the caller can be
509
- # decrypted. To remedy this, we recommend that you do not grant
510
- # `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
511
- # only in key policies. If you must grant `Decrypt` access in an IAM
512
- # user policy, you should scope the resource to specific keys or to
513
- # specific trusted accounts.
514
- # @option params [required, String, IO] :ciphertext_blob
515
- # Ciphertext to be decrypted. The blob includes metadata.
516
- # @option params [Hash<String,String>] :encryption_context
517
- # The encryption context. If this was specified in the Encrypt function,
518
- # it must be specified here or the decryption operation will fail. For
519
- # more information, see [Encryption Context][1].
520
- #
521
- #
522
- #
523
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
524
- # @option params [Array<String>] :grant_tokens
525
- # A list of grant tokens.
526
- #
527
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
528
- # Service Developer Guide*.
529
- #
530
- #
531
- #
532
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
533
- # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
534
- #
535
- # * {Types::DecryptResponse#key_id #KeyId} => String
536
- # * {Types::DecryptResponse#plaintext #Plaintext} => String
537
- #
538
- # @example Request syntax with placeholder values
539
- # resp = client.decrypt({
540
- # ciphertext_blob: "data", # required
541
- # encryption_context: {
542
- # "EncryptionContextKey" => "EncryptionContextValue",
543
- # },
544
- # grant_tokens: ["GrantTokenType"],
545
- # })
546
- #
547
- # @example Response structure
548
- # resp.key_id #=> String
549
- # resp.plaintext #=> String
550
- # @overload decrypt(params = {})
551
- # @param [Hash] params ({})
552
- def decrypt(params = {}, options = {})
553
- req = build_request(:decrypt, params)
554
- req.send_request(options)
555
- end
383
+ # Creates a customer master key (CMK).
384
+ #
385
+ # You can use a CMK to encrypt small amounts of data (4 KiB or less)
386
+ # directly, but CMKs are more commonly used to encrypt data encryption
387
+ # keys (DEKs), which are used to encrypt raw data. For more information
388
+ # about DEKs and the difference between CMKs and DEKs, see the
389
+ # following:
390
+ #
391
+ # * The GenerateDataKey operation
392
+ #
393
+ # * [AWS Key Management Service Concepts][1] in the *AWS Key Management
394
+ # Service Developer Guide*
395
+ #
396
+ #
397
+ #
398
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
399
+ #
400
+ # @option params [String] :policy
401
+ # The key policy to attach to the CMK.
402
+ #
403
+ # If you specify a policy and do not set
404
+ # `BypassPolicyLockoutSafetyCheck` to true, the policy must meet the
405
+ # following criteria:
406
+ #
407
+ # * It must allow the principal making the `CreateKey` request to make a
408
+ # subsequent PutKeyPolicy request on the CMK. This reduces the
409
+ # likelihood that the CMK becomes unmanageable. For more information,
410
+ # refer to the scenario in the [Default Key Policy][1] section in the
411
+ # *AWS Key Management Service Developer Guide*.
412
+ #
413
+ # * The principal(s) specified in the key policy must exist and be
414
+ # visible to AWS KMS. When you create a new AWS principal (for
415
+ # example, an IAM user or role), you might need to enforce a delay
416
+ # before specifying the new principal in a key policy because the new
417
+ # principal might not immediately be visible to AWS KMS. For more
418
+ # information, see [Changes that I make are not always immediately
419
+ # visible][2] in the *IAM User Guide*.
420
+ #
421
+ # If you do not specify a policy, AWS KMS attaches a default key policy
422
+ # to the CMK. For more information, see [Default Key Policy][3] in the
423
+ # *AWS Key Management Service Developer Guide*.
424
+ #
425
+ # The policy size limit is 32 KiB (32768 bytes).
426
+ #
427
+ #
428
+ #
429
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
430
+ # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
431
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
432
+ #
433
+ # @option params [String] :description
434
+ # A description of the CMK.
435
+ #
436
+ # Use a description that helps you decide whether the CMK is appropriate
437
+ # for a task.
438
+ #
439
+ # @option params [String] :key_usage
440
+ # The intended use of the CMK.
441
+ #
442
+ # You can use CMKs only for symmetric encryption and decryption.
443
+ #
444
+ # @option params [String] :origin
445
+ # The source of the CMK's key material.
446
+ #
447
+ # The default is `AWS_KMS`, which means AWS KMS creates the key
448
+ # material. When this parameter is set to `EXTERNAL`, the request
449
+ # creates a CMK without key material so that you can import key material
450
+ # from your existing key management infrastructure. For more information
451
+ # about importing key material into AWS KMS, see [Importing Key
452
+ # Material][1] in the *AWS Key Management Service Developer Guide*.
453
+ #
454
+ # The CMK's `Origin` is immutable and is set when the CMK is created.
455
+ #
456
+ #
457
+ #
458
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
459
+ #
460
+ # @option params [Boolean] :bypass_policy_lockout_safety_check
461
+ # A flag to indicate whether to bypass the key policy lockout safety
462
+ # check.
463
+ #
464
+ # Setting this value to true increases the likelihood that the CMK
465
+ # becomes unmanageable. Do not set this value to true indiscriminately.
466
+ #
467
+ # For more information, refer to the scenario in the [Default Key
468
+ # Policy][1] section in the *AWS Key Management Service Developer
469
+ # Guide*.
470
+ #
471
+ # Use this parameter only when you include a policy in the request and
472
+ # you intend to prevent the principal making the request from making a
473
+ # subsequent PutKeyPolicy request on the CMK.
474
+ #
475
+ # The default value is false.
476
+ #
477
+ #
478
+ #
479
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
480
+ #
481
+ # @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
482
+ #
483
+ # * {Types::CreateKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
484
+ #
485
+ # @example Request syntax with placeholder values
486
+ #
487
+ # resp = client.create_key({
488
+ # policy: "PolicyType",
489
+ # description: "DescriptionType",
490
+ # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
491
+ # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
492
+ # bypass_policy_lockout_safety_check: false,
493
+ # })
494
+ #
495
+ # @example Response structure
496
+ #
497
+ # resp.key_metadata.aws_account_id #=> String
498
+ # resp.key_metadata.key_id #=> String
499
+ # resp.key_metadata.arn #=> String
500
+ # resp.key_metadata.creation_date #=> Time
501
+ # resp.key_metadata.enabled #=> Boolean
502
+ # resp.key_metadata.description #=> String
503
+ # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
504
+ # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
505
+ # resp.key_metadata.deletion_date #=> Time
506
+ # resp.key_metadata.valid_to #=> Time
507
+ # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
508
+ # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
509
+ #
510
+ # @overload create_key(params = {})
511
+ # @param [Hash] params ({})
512
+ def create_key(params = {}, options = {})
513
+ req = build_request(:create_key, params)
514
+ req.send_request(options)
515
+ end
556
516
 
557
- # Deletes the specified alias. To map an alias to a different key, call
558
- # UpdateAlias.
559
- # @option params [required, String] :alias_name
560
- # The alias to be deleted. The name must start with the word "alias"
561
- # followed by a forward slash (alias/). Aliases that begin with
562
- # "alias/AWS" are reserved.
563
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
564
- #
565
- # @example Request syntax with placeholder values
566
- # resp = client.delete_alias({
567
- # alias_name: "AliasNameType", # required
568
- # })
569
- # @overload delete_alias(params = {})
570
- # @param [Hash] params ({})
571
- def delete_alias(params = {}, options = {})
572
- req = build_request(:delete_alias, params)
573
- req.send_request(options)
574
- end
517
+ # Decrypts ciphertext. Ciphertext is plaintext that has been previously
518
+ # encrypted by using any of the following functions:
519
+ #
520
+ # * GenerateDataKey
521
+ #
522
+ # * GenerateDataKeyWithoutPlaintext
523
+ #
524
+ # * Encrypt
525
+ #
526
+ # Note that if a caller has been granted access permissions to all keys
527
+ # (through, for example, IAM user policies that grant `Decrypt`
528
+ # permission on all resources), then ciphertext encrypted by using keys
529
+ # in other accounts where the key grants access to the caller can be
530
+ # decrypted. To remedy this, we recommend that you do not grant
531
+ # `Decrypt` access in an IAM user policy. Instead grant `Decrypt` access
532
+ # only in key policies. If you must grant `Decrypt` access in an IAM
533
+ # user policy, you should scope the resource to specific keys or to
534
+ # specific trusted accounts.
535
+ #
536
+ # @option params [required, String, IO] :ciphertext_blob
537
+ # Ciphertext to be decrypted. The blob includes metadata.
538
+ #
539
+ # @option params [Hash<String,String>] :encryption_context
540
+ # The encryption context. If this was specified in the Encrypt function,
541
+ # it must be specified here or the decryption operation will fail. For
542
+ # more information, see [Encryption Context][1].
543
+ #
544
+ #
545
+ #
546
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
547
+ #
548
+ # @option params [Array<String>] :grant_tokens
549
+ # A list of grant tokens.
550
+ #
551
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
552
+ # Service Developer Guide*.
553
+ #
554
+ #
555
+ #
556
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
557
+ #
558
+ # @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
559
+ #
560
+ # * {Types::DecryptResponse#key_id #key_id} => String
561
+ # * {Types::DecryptResponse#plaintext #plaintext} => String
562
+ #
563
+ # @example Request syntax with placeholder values
564
+ #
565
+ # resp = client.decrypt({
566
+ # ciphertext_blob: "data", # required
567
+ # encryption_context: {
568
+ # "EncryptionContextKey" => "EncryptionContextValue",
569
+ # },
570
+ # grant_tokens: ["GrantTokenType"],
571
+ # })
572
+ #
573
+ # @example Response structure
574
+ #
575
+ # resp.key_id #=> String
576
+ # resp.plaintext #=> String
577
+ #
578
+ # @overload decrypt(params = {})
579
+ # @param [Hash] params ({})
580
+ def decrypt(params = {}, options = {})
581
+ req = build_request(:decrypt, params)
582
+ req.send_request(options)
583
+ end
575
584
 
576
- # Deletes key material that you previously imported and makes the
577
- # specified customer master key (CMK) unusable. For more information
578
- # about importing key material into AWS KMS, see [Importing Key
579
- # Material][1] in the *AWS Key Management Service Developer Guide*.
580
- #
581
- # When the specified CMK is in the `PendingDeletion` state, this
582
- # operation does not change the CMK's state. Otherwise, it changes the
583
- # CMK's state to `PendingImport`.
584
- #
585
- # After you delete key material, you can use ImportKeyMaterial to
586
- # reimport the same key material into the CMK.
587
- #
588
- #
589
- #
590
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
591
- # @option params [required, String] :key_id
592
- # The identifier of the CMK whose key material to delete. The CMK's
593
- # `Origin` must be `EXTERNAL`.
594
- #
595
- # A valid identifier is the unique key ID or the Amazon Resource Name
596
- # (ARN) of the CMK. Examples:
597
- #
598
- # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
599
- #
600
- # * Key ARN:
601
- # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
602
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
603
- #
604
- # @example Request syntax with placeholder values
605
- # resp = client.delete_imported_key_material({
606
- # key_id: "KeyIdType", # required
607
- # })
608
- # @overload delete_imported_key_material(params = {})
609
- # @param [Hash] params ({})
610
- def delete_imported_key_material(params = {}, options = {})
611
- req = build_request(:delete_imported_key_material, params)
612
- req.send_request(options)
613
- end
585
+ # Deletes the specified alias. To map an alias to a different key, call
586
+ # UpdateAlias.
587
+ #
588
+ # @option params [required, String] :alias_name
589
+ # The alias to be deleted. The name must start with the word "alias"
590
+ # followed by a forward slash (alias/). Aliases that begin with
591
+ # "alias/AWS" are reserved.
592
+ #
593
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
594
+ #
595
+ # @example Request syntax with placeholder values
596
+ #
597
+ # resp = client.delete_alias({
598
+ # alias_name: "AliasNameType", # required
599
+ # })
600
+ #
601
+ # @overload delete_alias(params = {})
602
+ # @param [Hash] params ({})
603
+ def delete_alias(params = {}, options = {})
604
+ req = build_request(:delete_alias, params)
605
+ req.send_request(options)
606
+ end
614
607
 
615
- # Provides detailed information about the specified customer master key.
616
- # @option params [required, String] :key_id
617
- # A unique identifier for the customer master key. This value can be a
618
- # globally unique identifier, a fully specified ARN to either an alias
619
- # or a key, or an alias name prefixed by "alias/".
620
- #
621
- # * Key ARN Example -
622
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
623
- #
624
- # * Alias ARN Example -
625
- # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
626
- #
627
- # * Globally Unique Key ID Example -
628
- # 12345678-1234-1234-1234-123456789012
629
- #
630
- # * Alias Name Example - alias/MyAliasName
631
- # @option params [Array<String>] :grant_tokens
632
- # A list of grant tokens.
633
- #
634
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
635
- # Service Developer Guide*.
636
- #
637
- #
638
- #
639
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
640
- # @return [Types::DescribeKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
641
- #
642
- # * {Types::DescribeKeyResponse#key_metadata #KeyMetadata} => Types::KeyMetadata
643
- #
644
- # @example Request syntax with placeholder values
645
- # resp = client.describe_key({
646
- # key_id: "KeyIdType", # required
647
- # grant_tokens: ["GrantTokenType"],
648
- # })
649
- #
650
- # @example Response structure
651
- # resp.key_metadata.aws_account_id #=> String
652
- # resp.key_metadata.key_id #=> String
653
- # resp.key_metadata.arn #=> String
654
- # resp.key_metadata.creation_date #=> Time
655
- # resp.key_metadata.enabled #=> Boolean
656
- # resp.key_metadata.description #=> String
657
- # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
658
- # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
659
- # resp.key_metadata.deletion_date #=> Time
660
- # resp.key_metadata.valid_to #=> Time
661
- # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
662
- # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
663
- # @overload describe_key(params = {})
664
- # @param [Hash] params ({})
665
- def describe_key(params = {}, options = {})
666
- req = build_request(:describe_key, params)
667
- req.send_request(options)
668
- end
608
+ # Deletes key material that you previously imported and makes the
609
+ # specified customer master key (CMK) unusable. For more information
610
+ # about importing key material into AWS KMS, see [Importing Key
611
+ # Material][1] in the *AWS Key Management Service Developer Guide*.
612
+ #
613
+ # When the specified CMK is in the `PendingDeletion` state, this
614
+ # operation does not change the CMK's state. Otherwise, it changes the
615
+ # CMK's state to `PendingImport`.
616
+ #
617
+ # After you delete key material, you can use ImportKeyMaterial to
618
+ # reimport the same key material into the CMK.
619
+ #
620
+ #
621
+ #
622
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
623
+ #
624
+ # @option params [required, String] :key_id
625
+ # The identifier of the CMK whose key material to delete. The CMK's
626
+ # `Origin` must be `EXTERNAL`.
627
+ #
628
+ # A valid identifier is the unique key ID or the Amazon Resource Name
629
+ # (ARN) of the CMK. Examples:
630
+ #
631
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
632
+ #
633
+ # * Key ARN:
634
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
635
+ #
636
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
637
+ #
638
+ # @example Request syntax with placeholder values
639
+ #
640
+ # resp = client.delete_imported_key_material({
641
+ # key_id: "KeyIdType", # required
642
+ # })
643
+ #
644
+ # @overload delete_imported_key_material(params = {})
645
+ # @param [Hash] params ({})
646
+ def delete_imported_key_material(params = {}, options = {})
647
+ req = build_request(:delete_imported_key_material, params)
648
+ req.send_request(options)
649
+ end
669
650
 
670
- # Sets the state of a customer master key (CMK) to disabled, thereby
671
- # preventing its use for cryptographic operations. For more information
672
- # about how key state affects the use of a CMK, see [How Key State
673
- # Affects the Use of a Customer Master Key][1] in the *AWS Key
674
- # Management Service Developer Guide*.
675
- #
676
- #
677
- #
678
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
679
- # @option params [required, String] :key_id
680
- # A unique identifier for the CMK.
681
- #
682
- # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
683
- # For example:
684
- #
685
- # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
686
- #
687
- # * ARN:
688
- # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
689
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
690
- #
691
- # @example Request syntax with placeholder values
692
- # resp = client.disable_key({
693
- # key_id: "KeyIdType", # required
694
- # })
695
- # @overload disable_key(params = {})
696
- # @param [Hash] params ({})
697
- def disable_key(params = {}, options = {})
698
- req = build_request(:disable_key, params)
699
- req.send_request(options)
700
- end
651
+ # Provides detailed information about the specified customer master key.
652
+ #
653
+ # @option params [required, String] :key_id
654
+ # A unique identifier for the customer master key. This value can be a
655
+ # globally unique identifier, a fully specified ARN to either an alias
656
+ # or a key, or an alias name prefixed by "alias/".
657
+ #
658
+ # * Key ARN Example -
659
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
660
+ #
661
+ # * Alias ARN Example -
662
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
663
+ #
664
+ # * Globally Unique Key ID Example -
665
+ # 12345678-1234-1234-1234-123456789012
666
+ #
667
+ # * Alias Name Example - alias/MyAliasName
668
+ #
669
+ # @option params [Array<String>] :grant_tokens
670
+ # A list of grant tokens.
671
+ #
672
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
673
+ # Service Developer Guide*.
674
+ #
675
+ #
676
+ #
677
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
678
+ #
679
+ # @return [Types::DescribeKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
680
+ #
681
+ # * {Types::DescribeKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
682
+ #
683
+ # @example Request syntax with placeholder values
684
+ #
685
+ # resp = client.describe_key({
686
+ # key_id: "KeyIdType", # required
687
+ # grant_tokens: ["GrantTokenType"],
688
+ # })
689
+ #
690
+ # @example Response structure
691
+ #
692
+ # resp.key_metadata.aws_account_id #=> String
693
+ # resp.key_metadata.key_id #=> String
694
+ # resp.key_metadata.arn #=> String
695
+ # resp.key_metadata.creation_date #=> Time
696
+ # resp.key_metadata.enabled #=> Boolean
697
+ # resp.key_metadata.description #=> String
698
+ # resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
699
+ # resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport"
700
+ # resp.key_metadata.deletion_date #=> Time
701
+ # resp.key_metadata.valid_to #=> Time
702
+ # resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL"
703
+ # resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
704
+ #
705
+ # @overload describe_key(params = {})
706
+ # @param [Hash] params ({})
707
+ def describe_key(params = {}, options = {})
708
+ req = build_request(:describe_key, params)
709
+ req.send_request(options)
710
+ end
701
711
 
702
- # Disables rotation of the specified key.
703
- # @option params [required, String] :key_id
704
- # A unique identifier for the customer master key. This value can be a
705
- # globally unique identifier or the fully specified ARN to a key.
706
- #
707
- # * Key ARN Example -
708
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
709
- #
710
- # * Globally Unique Key ID Example -
711
- # 12345678-1234-1234-1234-123456789012
712
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
713
- #
714
- # @example Request syntax with placeholder values
715
- # resp = client.disable_key_rotation({
716
- # key_id: "KeyIdType", # required
717
- # })
718
- # @overload disable_key_rotation(params = {})
719
- # @param [Hash] params ({})
720
- def disable_key_rotation(params = {}, options = {})
721
- req = build_request(:disable_key_rotation, params)
722
- req.send_request(options)
723
- end
712
+ # Sets the state of a customer master key (CMK) to disabled, thereby
713
+ # preventing its use for cryptographic operations. For more information
714
+ # about how key state affects the use of a CMK, see [How Key State
715
+ # Affects the Use of a Customer Master Key][1] in the *AWS Key
716
+ # Management Service Developer Guide*.
717
+ #
718
+ #
719
+ #
720
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
721
+ #
722
+ # @option params [required, String] :key_id
723
+ # A unique identifier for the CMK.
724
+ #
725
+ # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
726
+ # For example:
727
+ #
728
+ # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
729
+ #
730
+ # * ARN:
731
+ # arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
732
+ #
733
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
734
+ #
735
+ # @example Request syntax with placeholder values
736
+ #
737
+ # resp = client.disable_key({
738
+ # key_id: "KeyIdType", # required
739
+ # })
740
+ #
741
+ # @overload disable_key(params = {})
742
+ # @param [Hash] params ({})
743
+ def disable_key(params = {}, options = {})
744
+ req = build_request(:disable_key, params)
745
+ req.send_request(options)
746
+ end
724
747
 
725
- # Marks a key as enabled, thereby permitting its use.
726
- # @option params [required, String] :key_id
727
- # A unique identifier for the customer master key. This value can be a
728
- # globally unique identifier or the fully specified ARN to a key.
729
- #
730
- # * Key ARN Example -
731
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
732
- #
733
- # * Globally Unique Key ID Example -
734
- # 12345678-1234-1234-1234-123456789012
735
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
736
- #
737
- # @example Request syntax with placeholder values
738
- # resp = client.enable_key({
739
- # key_id: "KeyIdType", # required
740
- # })
741
- # @overload enable_key(params = {})
742
- # @param [Hash] params ({})
743
- def enable_key(params = {}, options = {})
744
- req = build_request(:enable_key, params)
745
- req.send_request(options)
746
- end
748
+ # Disables rotation of the specified key.
749
+ #
750
+ # @option params [required, String] :key_id
751
+ # A unique identifier for the customer master key. This value can be a
752
+ # globally unique identifier or the fully specified ARN to a key.
753
+ #
754
+ # * Key ARN Example -
755
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
756
+ #
757
+ # * Globally Unique Key ID Example -
758
+ # 12345678-1234-1234-1234-123456789012
759
+ #
760
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
761
+ #
762
+ # @example Request syntax with placeholder values
763
+ #
764
+ # resp = client.disable_key_rotation({
765
+ # key_id: "KeyIdType", # required
766
+ # })
767
+ #
768
+ # @overload disable_key_rotation(params = {})
769
+ # @param [Hash] params ({})
770
+ def disable_key_rotation(params = {}, options = {})
771
+ req = build_request(:disable_key_rotation, params)
772
+ req.send_request(options)
773
+ end
747
774
 
748
- # Enables rotation of the specified customer master key.
749
- # @option params [required, String] :key_id
750
- # A unique identifier for the customer master key. This value can be a
751
- # globally unique identifier or the fully specified ARN to a key.
752
- #
753
- # * Key ARN Example -
754
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
755
- #
756
- # * Globally Unique Key ID Example -
757
- # 12345678-1234-1234-1234-123456789012
758
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
759
- #
760
- # @example Request syntax with placeholder values
761
- # resp = client.enable_key_rotation({
762
- # key_id: "KeyIdType", # required
763
- # })
764
- # @overload enable_key_rotation(params = {})
765
- # @param [Hash] params ({})
766
- def enable_key_rotation(params = {}, options = {})
767
- req = build_request(:enable_key_rotation, params)
768
- req.send_request(options)
769
- end
775
+ # Marks a key as enabled, thereby permitting its use.
776
+ #
777
+ # @option params [required, String] :key_id
778
+ # A unique identifier for the customer master key. This value can be a
779
+ # globally unique identifier or the fully specified ARN to a key.
780
+ #
781
+ # * Key ARN Example -
782
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
783
+ #
784
+ # * Globally Unique Key ID Example -
785
+ # 12345678-1234-1234-1234-123456789012
786
+ #
787
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
788
+ #
789
+ # @example Request syntax with placeholder values
790
+ #
791
+ # resp = client.enable_key({
792
+ # key_id: "KeyIdType", # required
793
+ # })
794
+ #
795
+ # @overload enable_key(params = {})
796
+ # @param [Hash] params ({})
797
+ def enable_key(params = {}, options = {})
798
+ req = build_request(:enable_key, params)
799
+ req.send_request(options)
800
+ end
770
801
 
771
- # Encrypts plaintext into ciphertext by using a customer master key. The
772
- # `Encrypt` function has two primary use cases:
773
- #
774
- # * You can encrypt up to 4 KB of arbitrary data such as an RSA key, a
775
- # database password, or other sensitive customer information.
776
- #
777
- # * If you are moving encrypted data from one region to another, you can
778
- # use this API to encrypt in the new region the plaintext data key
779
- # that was used to encrypt the data in the original region. This
780
- # provides you with an encrypted copy of the data key that can be
781
- # decrypted in the new region and used there to decrypt the encrypted
782
- # data.
783
- #
784
- # Unless you are moving encrypted data from one region to another, you
785
- # don't use this function to encrypt a generated data key within a
786
- # region. You retrieve data keys already encrypted by calling the
787
- # GenerateDataKey or GenerateDataKeyWithoutPlaintext function. Data keys
788
- # don't need to be encrypted again by calling `Encrypt`.
789
- #
790
- # If you want to encrypt data locally in your application, you can use
791
- # the `GenerateDataKey` function to return a plaintext data encryption
792
- # key and a copy of the key encrypted under the customer master key
793
- # (CMK) of your choosing.
794
- # @option params [required, String] :key_id
795
- # A unique identifier for the customer master key. This value can be a
796
- # globally unique identifier, a fully specified ARN to either an alias
797
- # or a key, or an alias name prefixed by "alias/".
798
- #
799
- # * Key ARN Example -
800
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
801
- #
802
- # * Alias ARN Example -
803
- # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
804
- #
805
- # * Globally Unique Key ID Example -
806
- # 12345678-1234-1234-1234-123456789012
807
- #
808
- # * Alias Name Example - alias/MyAliasName
809
- # @option params [required, String, IO] :plaintext
810
- # Data to be encrypted.
811
- # @option params [Hash<String,String>] :encryption_context
812
- # Name-value pair that specifies the encryption context to be used for
813
- # authenticated encryption. If used here, the same value must be
814
- # supplied to the `Decrypt` API or decryption will fail. For more
815
- # information, see [Encryption Context][1].
816
- #
817
- #
818
- #
819
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
820
- # @option params [Array<String>] :grant_tokens
821
- # A list of grant tokens.
822
- #
823
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
824
- # Service Developer Guide*.
825
- #
826
- #
827
- #
828
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
829
- # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
830
- #
831
- # * {Types::EncryptResponse#ciphertext_blob #CiphertextBlob} => String
832
- # * {Types::EncryptResponse#key_id #KeyId} => String
833
- #
834
- # @example Request syntax with placeholder values
835
- # resp = client.encrypt({
836
- # key_id: "KeyIdType", # required
837
- # plaintext: "data", # required
838
- # encryption_context: {
839
- # "EncryptionContextKey" => "EncryptionContextValue",
840
- # },
841
- # grant_tokens: ["GrantTokenType"],
842
- # })
843
- #
844
- # @example Response structure
845
- # resp.ciphertext_blob #=> String
846
- # resp.key_id #=> String
847
- # @overload encrypt(params = {})
848
- # @param [Hash] params ({})
849
- def encrypt(params = {}, options = {})
850
- req = build_request(:encrypt, params)
851
- req.send_request(options)
852
- end
802
+ # Enables rotation of the specified customer master key.
803
+ #
804
+ # @option params [required, String] :key_id
805
+ # A unique identifier for the customer master key. This value can be a
806
+ # globally unique identifier or the fully specified ARN to a key.
807
+ #
808
+ # * Key ARN Example -
809
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
810
+ #
811
+ # * Globally Unique Key ID Example -
812
+ # 12345678-1234-1234-1234-123456789012
813
+ #
814
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
815
+ #
816
+ # @example Request syntax with placeholder values
817
+ #
818
+ # resp = client.enable_key_rotation({
819
+ # key_id: "KeyIdType", # required
820
+ # })
821
+ #
822
+ # @overload enable_key_rotation(params = {})
823
+ # @param [Hash] params ({})
824
+ def enable_key_rotation(params = {}, options = {})
825
+ req = build_request(:enable_key_rotation, params)
826
+ req.send_request(options)
827
+ end
853
828
 
854
- # Returns a data encryption key that you can use in your application to
855
- # encrypt data locally.
856
- #
857
- # You must specify the customer master key (CMK) under which to generate
858
- # the data key. You must also specify the length of the data key using
859
- # either the `KeySpec` or `NumberOfBytes` field. You must specify one
860
- # field or the other, but not both. For common key lengths (128-bit and
861
- # 256-bit symmetric keys), we recommend that you use `KeySpec`.
862
- #
863
- # This operation returns a plaintext copy of the data key in the
864
- # `Plaintext` field of the response, and an encrypted copy of the data
865
- # key in the `CiphertextBlob` field. The data key is encrypted under the
866
- # CMK specified in the `KeyId` field of the request.
867
- #
868
- # We recommend that you use the following pattern to encrypt data
869
- # locally in your application:
870
- #
871
- # 1. Use this operation (`GenerateDataKey`) to retrieve a data
872
- # encryption key.
873
- #
874
- # 2. Use the plaintext data encryption key (returned in the `Plaintext`
875
- # field of the response) to encrypt data locally, then erase the
876
- # plaintext data key from memory.
877
- #
878
- # 3. Store the encrypted data key (returned in the `CiphertextBlob`
879
- # field of the response) alongside the locally encrypted data.
880
- #
881
- # To decrypt data locally:
882
- #
883
- # 1. Use the Decrypt operation to decrypt the encrypted data key into a
884
- # plaintext copy of the data key.
885
- #
886
- # 2. Use the plaintext data key to decrypt data locally, then erase the
887
- # plaintext data key from memory.
888
- #
889
- # To return only an encrypted copy of the data key, use
890
- # GenerateDataKeyWithoutPlaintext. To return an arbitrary unpredictable
891
- # byte string, use GenerateRandom.
892
- #
893
- # If you use the optional `EncryptionContext` field, you must store at
894
- # least enough information to be able to reconstruct the full encryption
895
- # context when you later send the ciphertext to the Decrypt operation.
896
- # It is a good practice to choose an encryption context that you can
897
- # reconstruct on the fly to better secure the ciphertext. For more
898
- # information, see [Encryption Context][1] in the *AWS Key Management
899
- # Service Developer Guide*.
900
- #
901
- #
902
- #
903
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
904
- # @option params [required, String] :key_id
905
- # The identifier of the CMK under which to generate and encrypt the data
906
- # encryption key.
907
- #
908
- # A valid identifier is the unique key ID or the Amazon Resource Name
909
- # (ARN) of the CMK, or the alias name or ARN of an alias that points to
910
- # the CMK. Examples:
911
- #
912
- # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
913
- #
914
- # * CMK ARN:
915
- # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
916
- #
917
- # * Alias name: `alias/ExampleAlias`
918
- #
919
- # * Alias ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
920
- # @option params [Hash<String,String>] :encryption_context
921
- # A set of key-value pairs that represents additional authenticated
922
- # data.
923
- #
924
- # For more information, see [Encryption Context][1] in the *AWS Key
925
- # Management Service Developer Guide*.
926
- #
927
- #
928
- #
929
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
930
- # @option params [Integer] :number_of_bytes
931
- # The length of the data encryption key in bytes. For example, use the
932
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
933
- # common key lengths (128-bit and 256-bit symmetric keys), we recommend
934
- # that you use the `KeySpec` field instead of this one.
935
- # @option params [String] :key_spec
936
- # The length of the data encryption key. Use `AES_128` to generate a
937
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
938
- # key.
939
- # @option params [Array<String>] :grant_tokens
940
- # A list of grant tokens.
941
- #
942
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
943
- # Service Developer Guide*.
944
- #
945
- #
946
- #
947
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
948
- # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
949
- #
950
- # * {Types::GenerateDataKeyResponse#ciphertext_blob #CiphertextBlob} => String
951
- # * {Types::GenerateDataKeyResponse#plaintext #Plaintext} => String
952
- # * {Types::GenerateDataKeyResponse#key_id #KeyId} => String
953
- #
954
- # @example Request syntax with placeholder values
955
- # resp = client.generate_data_key({
956
- # key_id: "KeyIdType", # required
957
- # encryption_context: {
958
- # "EncryptionContextKey" => "EncryptionContextValue",
959
- # },
960
- # number_of_bytes: 1,
961
- # key_spec: "AES_256", # accepts AES_256, AES_128
962
- # grant_tokens: ["GrantTokenType"],
963
- # })
964
- #
965
- # @example Response structure
966
- # resp.ciphertext_blob #=> String
967
- # resp.plaintext #=> String
968
- # resp.key_id #=> String
969
- # @overload generate_data_key(params = {})
970
- # @param [Hash] params ({})
971
- def generate_data_key(params = {}, options = {})
972
- req = build_request(:generate_data_key, params)
973
- req.send_request(options)
974
- end
829
+ # Encrypts plaintext into ciphertext by using a customer master key. The
830
+ # `Encrypt` function has two primary use cases:
831
+ #
832
+ # * You can encrypt up to 4 KB of arbitrary data such as an RSA key, a
833
+ # database password, or other sensitive customer information.
834
+ #
835
+ # * If you are moving encrypted data from one region to another, you can
836
+ # use this API to encrypt in the new region the plaintext data key
837
+ # that was used to encrypt the data in the original region. This
838
+ # provides you with an encrypted copy of the data key that can be
839
+ # decrypted in the new region and used there to decrypt the encrypted
840
+ # data.
841
+ #
842
+ # Unless you are moving encrypted data from one region to another, you
843
+ # don't use this function to encrypt a generated data key within a
844
+ # region. You retrieve data keys already encrypted by calling the
845
+ # GenerateDataKey or GenerateDataKeyWithoutPlaintext function. Data keys
846
+ # don't need to be encrypted again by calling `Encrypt`.
847
+ #
848
+ # If you want to encrypt data locally in your application, you can use
849
+ # the `GenerateDataKey` function to return a plaintext data encryption
850
+ # key and a copy of the key encrypted under the customer master key
851
+ # (CMK) of your choosing.
852
+ #
853
+ # @option params [required, String] :key_id
854
+ # A unique identifier for the customer master key. This value can be a
855
+ # globally unique identifier, a fully specified ARN to either an alias
856
+ # or a key, or an alias name prefixed by "alias/".
857
+ #
858
+ # * Key ARN Example -
859
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
860
+ #
861
+ # * Alias ARN Example -
862
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
863
+ #
864
+ # * Globally Unique Key ID Example -
865
+ # 12345678-1234-1234-1234-123456789012
866
+ #
867
+ # * Alias Name Example - alias/MyAliasName
868
+ #
869
+ # @option params [required, String, IO] :plaintext
870
+ # Data to be encrypted.
871
+ #
872
+ # @option params [Hash<String,String>] :encryption_context
873
+ # Name-value pair that specifies the encryption context to be used for
874
+ # authenticated encryption. If used here, the same value must be
875
+ # supplied to the `Decrypt` API or decryption will fail. For more
876
+ # information, see [Encryption Context][1].
877
+ #
878
+ #
879
+ #
880
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
881
+ #
882
+ # @option params [Array<String>] :grant_tokens
883
+ # A list of grant tokens.
884
+ #
885
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
886
+ # Service Developer Guide*.
887
+ #
888
+ #
889
+ #
890
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
891
+ #
892
+ # @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
893
+ #
894
+ # * {Types::EncryptResponse#ciphertext_blob #ciphertext_blob} => String
895
+ # * {Types::EncryptResponse#key_id #key_id} => String
896
+ #
897
+ # @example Request syntax with placeholder values
898
+ #
899
+ # resp = client.encrypt({
900
+ # key_id: "KeyIdType", # required
901
+ # plaintext: "data", # required
902
+ # encryption_context: {
903
+ # "EncryptionContextKey" => "EncryptionContextValue",
904
+ # },
905
+ # grant_tokens: ["GrantTokenType"],
906
+ # })
907
+ #
908
+ # @example Response structure
909
+ #
910
+ # resp.ciphertext_blob #=> String
911
+ # resp.key_id #=> String
912
+ #
913
+ # @overload encrypt(params = {})
914
+ # @param [Hash] params ({})
915
+ def encrypt(params = {}, options = {})
916
+ req = build_request(:encrypt, params)
917
+ req.send_request(options)
918
+ end
975
919
 
976
- # Returns a data encryption key encrypted under a customer master key
977
- # (CMK). This operation is identical to GenerateDataKey but returns only
978
- # the encrypted copy of the data key.
979
- #
980
- # This operation is useful in a system that has multiple components with
981
- # different degrees of trust. For example, consider a system that stores
982
- # encrypted data in containers. Each container stores the encrypted data
983
- # and an encrypted copy of the data key. One component of the system,
984
- # called the *control plane*, creates new containers. When it creates a
985
- # new container, it uses this operation
986
- # (`GenerateDataKeyWithoutPlaintext`) to get an encrypted data key and
987
- # then stores it in the container. Later, a different component of the
988
- # system, called the *data plane*, puts encrypted data into the
989
- # containers. To do this, it passes the encrypted data key to the
990
- # Decrypt operation, then uses the returned plaintext data key to
991
- # encrypt data, and finally stores the encrypted data in the container.
992
- # In this system, the control plane never sees the plaintext data key.
993
- # @option params [required, String] :key_id
994
- # The identifier of the CMK under which to generate and encrypt the data
995
- # encryption key.
996
- #
997
- # A valid identifier is the unique key ID or the Amazon Resource Name
998
- # (ARN) of the CMK, or the alias name or ARN of an alias that points to
999
- # the CMK. Examples:
1000
- #
1001
- # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1002
- #
1003
- # * CMK ARN:
1004
- # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1005
- #
1006
- # * Alias name: `alias/ExampleAlias`
1007
- #
1008
- # * Alias ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
1009
- # @option params [Hash<String,String>] :encryption_context
1010
- # A set of key-value pairs that represents additional authenticated
1011
- # data.
1012
- #
1013
- # For more information, see [Encryption Context][1] in the *AWS Key
1014
- # Management Service Developer Guide*.
1015
- #
1016
- #
1017
- #
1018
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1019
- # @option params [String] :key_spec
1020
- # The length of the data encryption key. Use `AES_128` to generate a
1021
- # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1022
- # key.
1023
- # @option params [Integer] :number_of_bytes
1024
- # The length of the data encryption key in bytes. For example, use the
1025
- # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1026
- # common key lengths (128-bit and 256-bit symmetric keys), we recommend
1027
- # that you use the `KeySpec` field instead of this one.
1028
- # @option params [Array<String>] :grant_tokens
1029
- # A list of grant tokens.
1030
- #
1031
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
1032
- # Service Developer Guide*.
1033
- #
1034
- #
1035
- #
1036
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1037
- # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1038
- #
1039
- # * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #CiphertextBlob} => String
1040
- # * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #KeyId} => String
1041
- #
1042
- # @example Request syntax with placeholder values
1043
- # resp = client.generate_data_key_without_plaintext({
1044
- # key_id: "KeyIdType", # required
1045
- # encryption_context: {
1046
- # "EncryptionContextKey" => "EncryptionContextValue",
1047
- # },
1048
- # key_spec: "AES_256", # accepts AES_256, AES_128
1049
- # number_of_bytes: 1,
1050
- # grant_tokens: ["GrantTokenType"],
1051
- # })
1052
- #
1053
- # @example Response structure
1054
- # resp.ciphertext_blob #=> String
1055
- # resp.key_id #=> String
1056
- # @overload generate_data_key_without_plaintext(params = {})
1057
- # @param [Hash] params ({})
1058
- def generate_data_key_without_plaintext(params = {}, options = {})
1059
- req = build_request(:generate_data_key_without_plaintext, params)
1060
- req.send_request(options)
1061
- end
920
+ # Returns a data encryption key that you can use in your application to
921
+ # encrypt data locally.
922
+ #
923
+ # You must specify the customer master key (CMK) under which to generate
924
+ # the data key. You must also specify the length of the data key using
925
+ # either the `KeySpec` or `NumberOfBytes` field. You must specify one
926
+ # field or the other, but not both. For common key lengths (128-bit and
927
+ # 256-bit symmetric keys), we recommend that you use `KeySpec`.
928
+ #
929
+ # This operation returns a plaintext copy of the data key in the
930
+ # `Plaintext` field of the response, and an encrypted copy of the data
931
+ # key in the `CiphertextBlob` field. The data key is encrypted under the
932
+ # CMK specified in the `KeyId` field of the request.
933
+ #
934
+ # We recommend that you use the following pattern to encrypt data
935
+ # locally in your application:
936
+ #
937
+ # 1. Use this operation (`GenerateDataKey`) to retrieve a data
938
+ # encryption key.
939
+ #
940
+ # 2. Use the plaintext data encryption key (returned in the `Plaintext`
941
+ # field of the response) to encrypt data locally, then erase the
942
+ # plaintext data key from memory.
943
+ #
944
+ # 3. Store the encrypted data key (returned in the `CiphertextBlob`
945
+ # field of the response) alongside the locally encrypted data.
946
+ #
947
+ # To decrypt data locally:
948
+ #
949
+ # 1. Use the Decrypt operation to decrypt the encrypted data key into a
950
+ # plaintext copy of the data key.
951
+ #
952
+ # 2. Use the plaintext data key to decrypt data locally, then erase the
953
+ # plaintext data key from memory.
954
+ #
955
+ # To return only an encrypted copy of the data key, use
956
+ # GenerateDataKeyWithoutPlaintext. To return an arbitrary unpredictable
957
+ # byte string, use GenerateRandom.
958
+ #
959
+ # If you use the optional `EncryptionContext` field, you must store at
960
+ # least enough information to be able to reconstruct the full encryption
961
+ # context when you later send the ciphertext to the Decrypt operation.
962
+ # It is a good practice to choose an encryption context that you can
963
+ # reconstruct on the fly to better secure the ciphertext. For more
964
+ # information, see [Encryption Context][1] in the *AWS Key Management
965
+ # Service Developer Guide*.
966
+ #
967
+ #
968
+ #
969
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
970
+ #
971
+ # @option params [required, String] :key_id
972
+ # The identifier of the CMK under which to generate and encrypt the data
973
+ # encryption key.
974
+ #
975
+ # A valid identifier is the unique key ID or the Amazon Resource Name
976
+ # (ARN) of the CMK, or the alias name or ARN of an alias that refers to
977
+ # the CMK. Examples:
978
+ #
979
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
980
+ #
981
+ # * CMK ARN:
982
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
983
+ #
984
+ # * Alias name: `alias/ExampleAlias`
985
+ #
986
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
987
+ #
988
+ # @option params [Hash<String,String>] :encryption_context
989
+ # A set of key-value pairs that represents additional authenticated
990
+ # data.
991
+ #
992
+ # For more information, see [Encryption Context][1] in the *AWS Key
993
+ # Management Service Developer Guide*.
994
+ #
995
+ #
996
+ #
997
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
998
+ #
999
+ # @option params [Integer] :number_of_bytes
1000
+ # The length of the data encryption key in bytes. For example, use the
1001
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1002
+ # common key lengths (128-bit and 256-bit symmetric keys), we recommend
1003
+ # that you use the `KeySpec` field instead of this one.
1004
+ #
1005
+ # @option params [String] :key_spec
1006
+ # The length of the data encryption key. Use `AES_128` to generate a
1007
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1008
+ # key.
1009
+ #
1010
+ # @option params [Array<String>] :grant_tokens
1011
+ # A list of grant tokens.
1012
+ #
1013
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
1014
+ # Service Developer Guide*.
1015
+ #
1016
+ #
1017
+ #
1018
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1019
+ #
1020
+ # @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1021
+ #
1022
+ # * {Types::GenerateDataKeyResponse#ciphertext_blob #ciphertext_blob} => String
1023
+ # * {Types::GenerateDataKeyResponse#plaintext #plaintext} => String
1024
+ # * {Types::GenerateDataKeyResponse#key_id #key_id} => String
1025
+ #
1026
+ # @example Request syntax with placeholder values
1027
+ #
1028
+ # resp = client.generate_data_key({
1029
+ # key_id: "KeyIdType", # required
1030
+ # encryption_context: {
1031
+ # "EncryptionContextKey" => "EncryptionContextValue",
1032
+ # },
1033
+ # number_of_bytes: 1,
1034
+ # key_spec: "AES_256", # accepts AES_256, AES_128
1035
+ # grant_tokens: ["GrantTokenType"],
1036
+ # })
1037
+ #
1038
+ # @example Response structure
1039
+ #
1040
+ # resp.ciphertext_blob #=> String
1041
+ # resp.plaintext #=> String
1042
+ # resp.key_id #=> String
1043
+ #
1044
+ # @overload generate_data_key(params = {})
1045
+ # @param [Hash] params ({})
1046
+ def generate_data_key(params = {}, options = {})
1047
+ req = build_request(:generate_data_key, params)
1048
+ req.send_request(options)
1049
+ end
1062
1050
 
1063
- # Generates an unpredictable byte string.
1064
- # @option params [Integer] :number_of_bytes
1065
- # The length of the byte string.
1066
- # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1067
- #
1068
- # * {Types::GenerateRandomResponse#plaintext #Plaintext} => String
1069
- #
1070
- # @example Request syntax with placeholder values
1071
- # resp = client.generate_random({
1072
- # number_of_bytes: 1,
1073
- # })
1074
- #
1075
- # @example Response structure
1076
- # resp.plaintext #=> String
1077
- # @overload generate_random(params = {})
1078
- # @param [Hash] params ({})
1079
- def generate_random(params = {}, options = {})
1080
- req = build_request(:generate_random, params)
1081
- req.send_request(options)
1082
- end
1051
+ # Returns a data encryption key encrypted under a customer master key
1052
+ # (CMK). This operation is identical to GenerateDataKey but returns only
1053
+ # the encrypted copy of the data key.
1054
+ #
1055
+ # This operation is useful in a system that has multiple components with
1056
+ # different degrees of trust. For example, consider a system that stores
1057
+ # encrypted data in containers. Each container stores the encrypted data
1058
+ # and an encrypted copy of the data key. One component of the system,
1059
+ # called the *control plane*, creates new containers. When it creates a
1060
+ # new container, it uses this operation
1061
+ # (`GenerateDataKeyWithoutPlaintext`) to get an encrypted data key and
1062
+ # then stores it in the container. Later, a different component of the
1063
+ # system, called the *data plane*, puts encrypted data into the
1064
+ # containers. To do this, it passes the encrypted data key to the
1065
+ # Decrypt operation, then uses the returned plaintext data key to
1066
+ # encrypt data, and finally stores the encrypted data in the container.
1067
+ # In this system, the control plane never sees the plaintext data key.
1068
+ #
1069
+ # @option params [required, String] :key_id
1070
+ # The identifier of the CMK under which to generate and encrypt the data
1071
+ # encryption key.
1072
+ #
1073
+ # A valid identifier is the unique key ID or the Amazon Resource Name
1074
+ # (ARN) of the CMK, or the alias name or ARN of an alias that refers to
1075
+ # the CMK. Examples:
1076
+ #
1077
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1078
+ #
1079
+ # * CMK ARN:
1080
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1081
+ #
1082
+ # * Alias name: `alias/ExampleAlias`
1083
+ #
1084
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1085
+ #
1086
+ # @option params [Hash<String,String>] :encryption_context
1087
+ # A set of key-value pairs that represents additional authenticated
1088
+ # data.
1089
+ #
1090
+ # For more information, see [Encryption Context][1] in the *AWS Key
1091
+ # Management Service Developer Guide*.
1092
+ #
1093
+ #
1094
+ #
1095
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1096
+ #
1097
+ # @option params [String] :key_spec
1098
+ # The length of the data encryption key. Use `AES_128` to generate a
1099
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
1100
+ # key.
1101
+ #
1102
+ # @option params [Integer] :number_of_bytes
1103
+ # The length of the data encryption key in bytes. For example, use the
1104
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
1105
+ # common key lengths (128-bit and 256-bit symmetric keys), we recommend
1106
+ # that you use the `KeySpec` field instead of this one.
1107
+ #
1108
+ # @option params [Array<String>] :grant_tokens
1109
+ # A list of grant tokens.
1110
+ #
1111
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
1112
+ # Service Developer Guide*.
1113
+ #
1114
+ #
1115
+ #
1116
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1117
+ #
1118
+ # @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1119
+ #
1120
+ # * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
1121
+ # * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #key_id} => String
1122
+ #
1123
+ # @example Request syntax with placeholder values
1124
+ #
1125
+ # resp = client.generate_data_key_without_plaintext({
1126
+ # key_id: "KeyIdType", # required
1127
+ # encryption_context: {
1128
+ # "EncryptionContextKey" => "EncryptionContextValue",
1129
+ # },
1130
+ # key_spec: "AES_256", # accepts AES_256, AES_128
1131
+ # number_of_bytes: 1,
1132
+ # grant_tokens: ["GrantTokenType"],
1133
+ # })
1134
+ #
1135
+ # @example Response structure
1136
+ #
1137
+ # resp.ciphertext_blob #=> String
1138
+ # resp.key_id #=> String
1139
+ #
1140
+ # @overload generate_data_key_without_plaintext(params = {})
1141
+ # @param [Hash] params ({})
1142
+ def generate_data_key_without_plaintext(params = {}, options = {})
1143
+ req = build_request(:generate_data_key_without_plaintext, params)
1144
+ req.send_request(options)
1145
+ end
1083
1146
 
1084
- # Retrieves a policy attached to the specified key.
1085
- # @option params [required, String] :key_id
1086
- # A unique identifier for the customer master key. This value can be a
1087
- # globally unique identifier or the fully specified ARN to a key.
1088
- #
1089
- # * Key ARN Example -
1090
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1091
- #
1092
- # * Globally Unique Key ID Example -
1093
- # 12345678-1234-1234-1234-123456789012
1094
- # @option params [required, String] :policy_name
1095
- # String that contains the name of the policy. Currently, this must be
1096
- # "default". Policy names can be discovered by calling
1097
- # ListKeyPolicies.
1098
- # @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1099
- #
1100
- # * {Types::GetKeyPolicyResponse#policy #Policy} => String
1101
- #
1102
- # @example Request syntax with placeholder values
1103
- # resp = client.get_key_policy({
1104
- # key_id: "KeyIdType", # required
1105
- # policy_name: "PolicyNameType", # required
1106
- # })
1107
- #
1108
- # @example Response structure
1109
- # resp.policy #=> String
1110
- # @overload get_key_policy(params = {})
1111
- # @param [Hash] params ({})
1112
- def get_key_policy(params = {}, options = {})
1113
- req = build_request(:get_key_policy, params)
1114
- req.send_request(options)
1115
- end
1147
+ # Generates an unpredictable byte string.
1148
+ #
1149
+ # @option params [Integer] :number_of_bytes
1150
+ # The length of the byte string.
1151
+ #
1152
+ # @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1153
+ #
1154
+ # * {Types::GenerateRandomResponse#plaintext #plaintext} => String
1155
+ #
1156
+ # @example Request syntax with placeholder values
1157
+ #
1158
+ # resp = client.generate_random({
1159
+ # number_of_bytes: 1,
1160
+ # })
1161
+ #
1162
+ # @example Response structure
1163
+ #
1164
+ # resp.plaintext #=> String
1165
+ #
1166
+ # @overload generate_random(params = {})
1167
+ # @param [Hash] params ({})
1168
+ def generate_random(params = {}, options = {})
1169
+ req = build_request(:generate_random, params)
1170
+ req.send_request(options)
1171
+ end
1116
1172
 
1117
- # Retrieves a Boolean value that indicates whether key rotation is
1118
- # enabled for the specified key.
1119
- # @option params [required, String] :key_id
1120
- # A unique identifier for the customer master key. This value can be a
1121
- # globally unique identifier or the fully specified ARN to a key.
1122
- #
1123
- # * Key ARN Example -
1124
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1125
- #
1126
- # * Globally Unique Key ID Example -
1127
- # 12345678-1234-1234-1234-123456789012
1128
- # @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1129
- #
1130
- # * {Types::GetKeyRotationStatusResponse#key_rotation_enabled #KeyRotationEnabled} => Boolean
1131
- #
1132
- # @example Request syntax with placeholder values
1133
- # resp = client.get_key_rotation_status({
1134
- # key_id: "KeyIdType", # required
1135
- # })
1136
- #
1137
- # @example Response structure
1138
- # resp.key_rotation_enabled #=> Boolean
1139
- # @overload get_key_rotation_status(params = {})
1140
- # @param [Hash] params ({})
1141
- def get_key_rotation_status(params = {}, options = {})
1142
- req = build_request(:get_key_rotation_status, params)
1143
- req.send_request(options)
1144
- end
1173
+ # Retrieves a policy attached to the specified key.
1174
+ #
1175
+ # @option params [required, String] :key_id
1176
+ # A unique identifier for the customer master key. This value can be a
1177
+ # globally unique identifier or the fully specified ARN to a key.
1178
+ #
1179
+ # * Key ARN Example -
1180
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1181
+ #
1182
+ # * Globally Unique Key ID Example -
1183
+ # 12345678-1234-1234-1234-123456789012
1184
+ #
1185
+ # @option params [required, String] :policy_name
1186
+ # String that contains the name of the policy. Currently, this must be
1187
+ # "default". Policy names can be discovered by calling
1188
+ # ListKeyPolicies.
1189
+ #
1190
+ # @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1191
+ #
1192
+ # * {Types::GetKeyPolicyResponse#policy #policy} => String
1193
+ #
1194
+ # @example Request syntax with placeholder values
1195
+ #
1196
+ # resp = client.get_key_policy({
1197
+ # key_id: "KeyIdType", # required
1198
+ # policy_name: "PolicyNameType", # required
1199
+ # })
1200
+ #
1201
+ # @example Response structure
1202
+ #
1203
+ # resp.policy #=> String
1204
+ #
1205
+ # @overload get_key_policy(params = {})
1206
+ # @param [Hash] params ({})
1207
+ def get_key_policy(params = {}, options = {})
1208
+ req = build_request(:get_key_policy, params)
1209
+ req.send_request(options)
1210
+ end
1145
1211
 
1146
- # Returns the items you need in order to import key material into AWS
1147
- # KMS from your existing key management infrastructure. For more
1148
- # information about importing key material into AWS KMS, see [Importing
1149
- # Key Material][1] in the *AWS Key Management Service Developer Guide*.
1150
- #
1151
- # You must specify the key ID of the customer master key (CMK) into
1152
- # which you will import key material. This CMK's `Origin` must be
1153
- # `EXTERNAL`. You must also specify the wrapping algorithm and type of
1154
- # wrapping key (public key) that you will use to encrypt the key
1155
- # material.
1156
- #
1157
- # This operation returns a public key and an import token. Use the
1158
- # public key to encrypt the key material. Store the import token to send
1159
- # with a subsequent ImportKeyMaterial request. The public key and import
1160
- # token from the same response must be used together. These items are
1161
- # valid for 24 hours, after which they cannot be used for a subsequent
1162
- # ImportKeyMaterial request. To retrieve new ones, send another
1163
- # `GetParametersForImport` request.
1164
- #
1165
- #
1166
- #
1167
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1168
- # @option params [required, String] :key_id
1169
- # The identifier of the CMK into which you will import key material. The
1170
- # CMK's `Origin` must be `EXTERNAL`.
1171
- #
1172
- # A valid identifier is the unique key ID or the Amazon Resource Name
1173
- # (ARN) of the CMK. Examples:
1174
- #
1175
- # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1176
- #
1177
- # * Key ARN:
1178
- # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1179
- # @option params [required, String] :wrapping_algorithm
1180
- # The algorithm you will use to encrypt the key material before
1181
- # importing it with ImportKeyMaterial. For more information, see
1182
- # [Encrypt the Key Material][1] in the *AWS Key Management Service
1183
- # Developer Guide*.
1184
- #
1185
- #
1186
- #
1187
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1188
- # @option params [required, String] :wrapping_key_spec
1189
- # The type of wrapping key (public key) to return in the response. Only
1190
- # 2048-bit RSA public keys are supported.
1191
- # @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1192
- #
1193
- # * {Types::GetParametersForImportResponse#key_id #KeyId} => String
1194
- # * {Types::GetParametersForImportResponse#import_token #ImportToken} => String
1195
- # * {Types::GetParametersForImportResponse#public_key #PublicKey} => String
1196
- # * {Types::GetParametersForImportResponse#parameters_valid_to #ParametersValidTo} => Time
1197
- #
1198
- # @example Request syntax with placeholder values
1199
- # resp = client.get_parameters_for_import({
1200
- # key_id: "KeyIdType", # required
1201
- # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1202
- # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
1203
- # })
1204
- #
1205
- # @example Response structure
1206
- # resp.key_id #=> String
1207
- # resp.import_token #=> String
1208
- # resp.public_key #=> String
1209
- # resp.parameters_valid_to #=> Time
1210
- # @overload get_parameters_for_import(params = {})
1211
- # @param [Hash] params ({})
1212
- def get_parameters_for_import(params = {}, options = {})
1213
- req = build_request(:get_parameters_for_import, params)
1214
- req.send_request(options)
1215
- end
1212
+ # Retrieves a Boolean value that indicates whether key rotation is
1213
+ # enabled for the specified key.
1214
+ #
1215
+ # @option params [required, String] :key_id
1216
+ # A unique identifier for the customer master key. This value can be a
1217
+ # globally unique identifier or the fully specified ARN to a key.
1218
+ #
1219
+ # * Key ARN Example -
1220
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1221
+ #
1222
+ # * Globally Unique Key ID Example -
1223
+ # 12345678-1234-1234-1234-123456789012
1224
+ #
1225
+ # @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1226
+ #
1227
+ # * {Types::GetKeyRotationStatusResponse#key_rotation_enabled #key_rotation_enabled} => Boolean
1228
+ #
1229
+ # @example Request syntax with placeholder values
1230
+ #
1231
+ # resp = client.get_key_rotation_status({
1232
+ # key_id: "KeyIdType", # required
1233
+ # })
1234
+ #
1235
+ # @example Response structure
1236
+ #
1237
+ # resp.key_rotation_enabled #=> Boolean
1238
+ #
1239
+ # @overload get_key_rotation_status(params = {})
1240
+ # @param [Hash] params ({})
1241
+ def get_key_rotation_status(params = {}, options = {})
1242
+ req = build_request(:get_key_rotation_status, params)
1243
+ req.send_request(options)
1244
+ end
1216
1245
 
1217
- # Imports key material into an AWS KMS customer master key (CMK) from
1218
- # your existing key management infrastructure. For more information
1219
- # about importing key material into AWS KMS, see [Importing Key
1220
- # Material][1] in the *AWS Key Management Service Developer Guide*.
1221
- #
1222
- # You must specify the key ID of the CMK to import the key material
1223
- # into. This CMK's `Origin` must be `EXTERNAL`. You must also send an
1224
- # import token and the encrypted key material. Send the import token
1225
- # that you received in the same GetParametersForImport response that
1226
- # contained the public key that you used to encrypt the key material.
1227
- # You must also specify whether the key material expires and if so,
1228
- # when. When the key material expires, AWS KMS deletes the key material
1229
- # and the CMK becomes unusable. To use the CMK again, you can reimport
1230
- # the same key material. If you set an expiration date, you can change
1231
- # it only by reimporting the same key material and specifying a new
1232
- # expiration date.
1233
- #
1234
- # When this operation is successful, the specified CMK's key state
1235
- # changes to `Enabled`, and you can use the CMK.
1236
- #
1237
- # After you successfully import key material into a CMK, you can
1238
- # reimport the same key material into that CMK, but you cannot import
1239
- # different key material.
1240
- #
1241
- #
1242
- #
1243
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1244
- # @option params [required, String] :key_id
1245
- # The identifier of the CMK to import the key material into. The CMK's
1246
- # `Origin` must be `EXTERNAL`.
1247
- #
1248
- # A valid identifier is the unique key ID or the Amazon Resource Name
1249
- # (ARN) of the CMK. Examples:
1250
- #
1251
- # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1252
- #
1253
- # * Key ARN:
1254
- # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1255
- # @option params [required, String, IO] :import_token
1256
- # The import token that you received in the response to a previous
1257
- # GetParametersForImport request. It must be from the same response that
1258
- # contained the public key that you used to encrypt the key material.
1259
- # @option params [required, String, IO] :encrypted_key_material
1260
- # The encrypted key material to import. It must be encrypted with the
1261
- # public key that you received in the response to a previous
1262
- # GetParametersForImport request, using the wrapping algorithm that you
1263
- # specified in that request.
1264
- # @option params [Time,DateTime,Date,Integer,String] :valid_to
1265
- # The time at which the imported key material expires. When the key
1266
- # material expires, AWS KMS deletes the key material and the CMK becomes
1267
- # unusable. You must omit this parameter when the `ExpirationModel`
1268
- # parameter is set to `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is
1269
- # required.
1270
- # @option params [String] :expiration_model
1271
- # Specifies whether the key material expires. The default is
1272
- # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
1273
- # parameter. When this parameter is set to
1274
- # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo` parameter.
1275
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1276
- #
1277
- # @example Request syntax with placeholder values
1278
- # resp = client.import_key_material({
1279
- # key_id: "KeyIdType", # required
1280
- # import_token: "data", # required
1281
- # encrypted_key_material: "data", # required
1282
- # valid_to: Time.now,
1283
- # expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
1284
- # })
1285
- # @overload import_key_material(params = {})
1286
- # @param [Hash] params ({})
1287
- def import_key_material(params = {}, options = {})
1288
- req = build_request(:import_key_material, params)
1289
- req.send_request(options)
1290
- end
1246
+ # Returns the items you need in order to import key material into AWS
1247
+ # KMS from your existing key management infrastructure. For more
1248
+ # information about importing key material into AWS KMS, see [Importing
1249
+ # Key Material][1] in the *AWS Key Management Service Developer Guide*.
1250
+ #
1251
+ # You must specify the key ID of the customer master key (CMK) into
1252
+ # which you will import key material. This CMK's `Origin` must be
1253
+ # `EXTERNAL`. You must also specify the wrapping algorithm and type of
1254
+ # wrapping key (public key) that you will use to encrypt the key
1255
+ # material.
1256
+ #
1257
+ # This operation returns a public key and an import token. Use the
1258
+ # public key to encrypt the key material. Store the import token to send
1259
+ # with a subsequent ImportKeyMaterial request. The public key and import
1260
+ # token from the same response must be used together. These items are
1261
+ # valid for 24 hours, after which they cannot be used for a subsequent
1262
+ # ImportKeyMaterial request. To retrieve new ones, send another
1263
+ # `GetParametersForImport` request.
1264
+ #
1265
+ #
1266
+ #
1267
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1268
+ #
1269
+ # @option params [required, String] :key_id
1270
+ # The identifier of the CMK into which you will import key material. The
1271
+ # CMK's `Origin` must be `EXTERNAL`.
1272
+ #
1273
+ # A valid identifier is the unique key ID or the Amazon Resource Name
1274
+ # (ARN) of the CMK. Examples:
1275
+ #
1276
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1277
+ #
1278
+ # * Key ARN:
1279
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1280
+ #
1281
+ # @option params [required, String] :wrapping_algorithm
1282
+ # The algorithm you will use to encrypt the key material before
1283
+ # importing it with ImportKeyMaterial. For more information, see
1284
+ # [Encrypt the Key Material][1] in the *AWS Key Management Service
1285
+ # Developer Guide*.
1286
+ #
1287
+ #
1288
+ #
1289
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
1290
+ #
1291
+ # @option params [required, String] :wrapping_key_spec
1292
+ # The type of wrapping key (public key) to return in the response. Only
1293
+ # 2048-bit RSA public keys are supported.
1294
+ #
1295
+ # @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1296
+ #
1297
+ # * {Types::GetParametersForImportResponse#key_id #key_id} => String
1298
+ # * {Types::GetParametersForImportResponse#import_token #import_token} => String
1299
+ # * {Types::GetParametersForImportResponse#public_key #public_key} => String
1300
+ # * {Types::GetParametersForImportResponse#parameters_valid_to #parameters_valid_to} => Time
1301
+ #
1302
+ # @example Request syntax with placeholder values
1303
+ #
1304
+ # resp = client.get_parameters_for_import({
1305
+ # key_id: "KeyIdType", # required
1306
+ # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
1307
+ # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
1308
+ # })
1309
+ #
1310
+ # @example Response structure
1311
+ #
1312
+ # resp.key_id #=> String
1313
+ # resp.import_token #=> String
1314
+ # resp.public_key #=> String
1315
+ # resp.parameters_valid_to #=> Time
1316
+ #
1317
+ # @overload get_parameters_for_import(params = {})
1318
+ # @param [Hash] params ({})
1319
+ def get_parameters_for_import(params = {}, options = {})
1320
+ req = build_request(:get_parameters_for_import, params)
1321
+ req.send_request(options)
1322
+ end
1291
1323
 
1292
- # Lists all of the key aliases in the account.
1293
- # @option params [Integer] :limit
1294
- # When paginating results, specify the maximum number of items to return
1295
- # in the response. If additional items exist beyond the number you
1296
- # specify, the `Truncated` element in the response is set to true.
1297
- #
1298
- # This value is optional. If you include a value, it must be between 1
1299
- # and 100, inclusive. If you do not include a value, it defaults to 50.
1300
- # @option params [String] :marker
1301
- # Use this parameter only when paginating results and only in a
1302
- # subsequent request after you receive a response with truncated
1303
- # results. Set it to the value of `NextMarker` from the response you
1304
- # just received.
1305
- # @return [Types::ListAliasesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1306
- #
1307
- # * {Types::ListAliasesResponse#aliases #Aliases} => Array&lt;Types::AliasListEntry&gt;
1308
- # * {Types::ListAliasesResponse#next_marker #NextMarker} => String
1309
- # * {Types::ListAliasesResponse#truncated #Truncated} => Boolean
1310
- #
1311
- # @example Request syntax with placeholder values
1312
- # resp = client.list_aliases({
1313
- # limit: 1,
1314
- # marker: "MarkerType",
1315
- # })
1316
- #
1317
- # @example Response structure
1318
- # resp.aliases #=> Array
1319
- # resp.aliases[0].alias_name #=> String
1320
- # resp.aliases[0].alias_arn #=> String
1321
- # resp.aliases[0].target_key_id #=> String
1322
- # resp.next_marker #=> String
1323
- # resp.truncated #=> Boolean
1324
- # @overload list_aliases(params = {})
1325
- # @param [Hash] params ({})
1326
- def list_aliases(params = {}, options = {})
1327
- req = build_request(:list_aliases, params)
1328
- req.send_request(options)
1329
- end
1324
+ # Imports key material into an AWS KMS customer master key (CMK) from
1325
+ # your existing key management infrastructure. For more information
1326
+ # about importing key material into AWS KMS, see [Importing Key
1327
+ # Material][1] in the *AWS Key Management Service Developer Guide*.
1328
+ #
1329
+ # You must specify the key ID of the CMK to import the key material
1330
+ # into. This CMK's `Origin` must be `EXTERNAL`. You must also send an
1331
+ # import token and the encrypted key material. Send the import token
1332
+ # that you received in the same GetParametersForImport response that
1333
+ # contained the public key that you used to encrypt the key material.
1334
+ # You must also specify whether the key material expires and if so,
1335
+ # when. When the key material expires, AWS KMS deletes the key material
1336
+ # and the CMK becomes unusable. To use the CMK again, you can reimport
1337
+ # the same key material. If you set an expiration date, you can change
1338
+ # it only by reimporting the same key material and specifying a new
1339
+ # expiration date.
1340
+ #
1341
+ # When this operation is successful, the specified CMK's key state
1342
+ # changes to `Enabled`, and you can use the CMK.
1343
+ #
1344
+ # After you successfully import key material into a CMK, you can
1345
+ # reimport the same key material into that CMK, but you cannot import
1346
+ # different key material.
1347
+ #
1348
+ #
1349
+ #
1350
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
1351
+ #
1352
+ # @option params [required, String] :key_id
1353
+ # The identifier of the CMK to import the key material into. The CMK's
1354
+ # `Origin` must be `EXTERNAL`.
1355
+ #
1356
+ # A valid identifier is the unique key ID or the Amazon Resource Name
1357
+ # (ARN) of the CMK. Examples:
1358
+ #
1359
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1360
+ #
1361
+ # * Key ARN:
1362
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1363
+ #
1364
+ # @option params [required, String, IO] :import_token
1365
+ # The import token that you received in the response to a previous
1366
+ # GetParametersForImport request. It must be from the same response that
1367
+ # contained the public key that you used to encrypt the key material.
1368
+ #
1369
+ # @option params [required, String, IO] :encrypted_key_material
1370
+ # The encrypted key material to import. It must be encrypted with the
1371
+ # public key that you received in the response to a previous
1372
+ # GetParametersForImport request, using the wrapping algorithm that you
1373
+ # specified in that request.
1374
+ #
1375
+ # @option params [Time,DateTime,Date,Integer,String] :valid_to
1376
+ # The time at which the imported key material expires. When the key
1377
+ # material expires, AWS KMS deletes the key material and the CMK becomes
1378
+ # unusable. You must omit this parameter when the `ExpirationModel`
1379
+ # parameter is set to `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is
1380
+ # required.
1381
+ #
1382
+ # @option params [String] :expiration_model
1383
+ # Specifies whether the key material expires. The default is
1384
+ # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
1385
+ # parameter. When this parameter is set to
1386
+ # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo` parameter.
1387
+ #
1388
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1389
+ #
1390
+ # @example Request syntax with placeholder values
1391
+ #
1392
+ # resp = client.import_key_material({
1393
+ # key_id: "KeyIdType", # required
1394
+ # import_token: "data", # required
1395
+ # encrypted_key_material: "data", # required
1396
+ # valid_to: Time.now,
1397
+ # expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
1398
+ # })
1399
+ #
1400
+ # @overload import_key_material(params = {})
1401
+ # @param [Hash] params ({})
1402
+ def import_key_material(params = {}, options = {})
1403
+ req = build_request(:import_key_material, params)
1404
+ req.send_request(options)
1405
+ end
1330
1406
 
1331
- # List the grants for a specified key.
1332
- # @option params [Integer] :limit
1333
- # When paginating results, specify the maximum number of items to return
1334
- # in the response. If additional items exist beyond the number you
1335
- # specify, the `Truncated` element in the response is set to true.
1336
- #
1337
- # This value is optional. If you include a value, it must be between 1
1338
- # and 100, inclusive. If you do not include a value, it defaults to 50.
1339
- # @option params [String] :marker
1340
- # Use this parameter only when paginating results and only in a
1341
- # subsequent request after you receive a response with truncated
1342
- # results. Set it to the value of `NextMarker` from the response you
1343
- # just received.
1344
- # @option params [required, String] :key_id
1345
- # A unique identifier for the customer master key. This value can be a
1346
- # globally unique identifier or the fully specified ARN to a key.
1347
- #
1348
- # * Key ARN Example -
1349
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1350
- #
1351
- # * Globally Unique Key ID Example -
1352
- # 12345678-1234-1234-1234-123456789012
1353
- # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1354
- #
1355
- # * {Types::ListGrantsResponse#grants #Grants} => Array&lt;Types::GrantListEntry&gt;
1356
- # * {Types::ListGrantsResponse#next_marker #NextMarker} => String
1357
- # * {Types::ListGrantsResponse#truncated #Truncated} => Boolean
1358
- #
1359
- # @example Request syntax with placeholder values
1360
- # resp = client.list_grants({
1361
- # limit: 1,
1362
- # marker: "MarkerType",
1363
- # key_id: "KeyIdType", # required
1364
- # })
1365
- #
1366
- # @example Response structure
1367
- # resp.grants #=> Array
1368
- # resp.grants[0].key_id #=> String
1369
- # resp.grants[0].grant_id #=> String
1370
- # resp.grants[0].name #=> String
1371
- # resp.grants[0].creation_date #=> Time
1372
- # resp.grants[0].grantee_principal #=> String
1373
- # resp.grants[0].retiring_principal #=> String
1374
- # resp.grants[0].issuing_account #=> String
1375
- # resp.grants[0].operations #=> Array
1376
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
1377
- # resp.grants[0].constraints.encryption_context_subset #=> Hash
1378
- # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
1379
- # resp.grants[0].constraints.encryption_context_equals #=> Hash
1380
- # resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
1381
- # resp.next_marker #=> String
1382
- # resp.truncated #=> Boolean
1383
- # @overload list_grants(params = {})
1384
- # @param [Hash] params ({})
1385
- def list_grants(params = {}, options = {})
1386
- req = build_request(:list_grants, params)
1387
- req.send_request(options)
1388
- end
1407
+ # Lists all of the key aliases in the account.
1408
+ #
1409
+ # @option params [Integer] :limit
1410
+ # When paginating results, specify the maximum number of items to return
1411
+ # in the response. If additional items exist beyond the number you
1412
+ # specify, the `Truncated` element in the response is set to true.
1413
+ #
1414
+ # This value is optional. If you include a value, it must be between 1
1415
+ # and 100, inclusive. If you do not include a value, it defaults to 50.
1416
+ #
1417
+ # @option params [String] :marker
1418
+ # Use this parameter only when paginating results and only in a
1419
+ # subsequent request after you receive a response with truncated
1420
+ # results. Set it to the value of `NextMarker` from the response you
1421
+ # just received.
1422
+ #
1423
+ # @return [Types::ListAliasesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1424
+ #
1425
+ # * {Types::ListAliasesResponse#aliases #aliases} => Array&lt;Types::AliasListEntry&gt;
1426
+ # * {Types::ListAliasesResponse#next_marker #next_marker} => String
1427
+ # * {Types::ListAliasesResponse#truncated #truncated} => Boolean
1428
+ #
1429
+ # @example Request syntax with placeholder values
1430
+ #
1431
+ # resp = client.list_aliases({
1432
+ # limit: 1,
1433
+ # marker: "MarkerType",
1434
+ # })
1435
+ #
1436
+ # @example Response structure
1437
+ #
1438
+ # resp.aliases #=> Array
1439
+ # resp.aliases[0].alias_name #=> String
1440
+ # resp.aliases[0].alias_arn #=> String
1441
+ # resp.aliases[0].target_key_id #=> String
1442
+ # resp.next_marker #=> String
1443
+ # resp.truncated #=> Boolean
1444
+ #
1445
+ # @overload list_aliases(params = {})
1446
+ # @param [Hash] params ({})
1447
+ def list_aliases(params = {}, options = {})
1448
+ req = build_request(:list_aliases, params)
1449
+ req.send_request(options)
1450
+ end
1389
1451
 
1390
- # Retrieves a list of policies attached to a key.
1391
- # @option params [required, String] :key_id
1392
- # A unique identifier for the customer master key. This value can be a
1393
- # globally unique identifier, a fully specified ARN to either an alias
1394
- # or a key, or an alias name prefixed by "alias/".
1395
- #
1396
- # * Key ARN Example -
1397
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1398
- #
1399
- # * Alias ARN Example -
1400
- # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
1401
- #
1402
- # * Globally Unique Key ID Example -
1403
- # 12345678-1234-1234-1234-123456789012
1404
- #
1405
- # * Alias Name Example - alias/MyAliasName
1406
- # @option params [Integer] :limit
1407
- # When paginating results, specify the maximum number of items to return
1408
- # in the response. If additional items exist beyond the number you
1409
- # specify, the `Truncated` element in the response is set to true.
1410
- #
1411
- # This value is optional. If you include a value, it must be between 1
1412
- # and 1000, inclusive. If you do not include a value, it defaults to
1413
- # 100.
1414
- #
1415
- # Currently only 1 policy can be attached to a key.
1416
- # @option params [String] :marker
1417
- # Use this parameter only when paginating results and only in a
1418
- # subsequent request after you receive a response with truncated
1419
- # results. Set it to the value of `NextMarker` from the response you
1420
- # just received.
1421
- # @return [Types::ListKeyPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1422
- #
1423
- # * {Types::ListKeyPoliciesResponse#policy_names #PolicyNames} => Array&lt;String&gt;
1424
- # * {Types::ListKeyPoliciesResponse#next_marker #NextMarker} => String
1425
- # * {Types::ListKeyPoliciesResponse#truncated #Truncated} => Boolean
1426
- #
1427
- # @example Request syntax with placeholder values
1428
- # resp = client.list_key_policies({
1429
- # key_id: "KeyIdType", # required
1430
- # limit: 1,
1431
- # marker: "MarkerType",
1432
- # })
1433
- #
1434
- # @example Response structure
1435
- # resp.policy_names #=> Array
1436
- # resp.policy_names[0] #=> String
1437
- # resp.next_marker #=> String
1438
- # resp.truncated #=> Boolean
1439
- # @overload list_key_policies(params = {})
1440
- # @param [Hash] params ({})
1441
- def list_key_policies(params = {}, options = {})
1442
- req = build_request(:list_key_policies, params)
1443
- req.send_request(options)
1444
- end
1452
+ # List the grants for a specified key.
1453
+ #
1454
+ # @option params [Integer] :limit
1455
+ # When paginating results, specify the maximum number of items to return
1456
+ # in the response. If additional items exist beyond the number you
1457
+ # specify, the `Truncated` element in the response is set to true.
1458
+ #
1459
+ # This value is optional. If you include a value, it must be between 1
1460
+ # and 100, inclusive. If you do not include a value, it defaults to 50.
1461
+ #
1462
+ # @option params [String] :marker
1463
+ # Use this parameter only when paginating results and only in a
1464
+ # subsequent request after you receive a response with truncated
1465
+ # results. Set it to the value of `NextMarker` from the response you
1466
+ # just received.
1467
+ #
1468
+ # @option params [required, String] :key_id
1469
+ # A unique identifier for the customer master key. This value can be a
1470
+ # globally unique identifier or the fully specified ARN to a key.
1471
+ #
1472
+ # * Key ARN Example -
1473
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1474
+ #
1475
+ # * Globally Unique Key ID Example -
1476
+ # 12345678-1234-1234-1234-123456789012
1477
+ #
1478
+ # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1479
+ #
1480
+ # * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
1481
+ # * {Types::ListGrantsResponse#next_marker #next_marker} => String
1482
+ # * {Types::ListGrantsResponse#truncated #truncated} => Boolean
1483
+ #
1484
+ # @example Request syntax with placeholder values
1485
+ #
1486
+ # resp = client.list_grants({
1487
+ # limit: 1,
1488
+ # marker: "MarkerType",
1489
+ # key_id: "KeyIdType", # required
1490
+ # })
1491
+ #
1492
+ # @example Response structure
1493
+ #
1494
+ # resp.grants #=> Array
1495
+ # resp.grants[0].key_id #=> String
1496
+ # resp.grants[0].grant_id #=> String
1497
+ # resp.grants[0].name #=> String
1498
+ # resp.grants[0].creation_date #=> Time
1499
+ # resp.grants[0].grantee_principal #=> String
1500
+ # resp.grants[0].retiring_principal #=> String
1501
+ # resp.grants[0].issuing_account #=> String
1502
+ # resp.grants[0].operations #=> Array
1503
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
1504
+ # resp.grants[0].constraints.encryption_context_subset #=> Hash
1505
+ # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
1506
+ # resp.grants[0].constraints.encryption_context_equals #=> Hash
1507
+ # resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
1508
+ # resp.next_marker #=> String
1509
+ # resp.truncated #=> Boolean
1510
+ #
1511
+ # @overload list_grants(params = {})
1512
+ # @param [Hash] params ({})
1513
+ def list_grants(params = {}, options = {})
1514
+ req = build_request(:list_grants, params)
1515
+ req.send_request(options)
1516
+ end
1445
1517
 
1446
- # Lists the customer master keys.
1447
- # @option params [Integer] :limit
1448
- # When paginating results, specify the maximum number of items to return
1449
- # in the response. If additional items exist beyond the number you
1450
- # specify, the `Truncated` element in the response is set to true.
1451
- #
1452
- # This value is optional. If you include a value, it must be between 1
1453
- # and 1000, inclusive. If you do not include a value, it defaults to
1454
- # 100.
1455
- # @option params [String] :marker
1456
- # Use this parameter only when paginating results and only in a
1457
- # subsequent request after you receive a response with truncated
1458
- # results. Set it to the value of `NextMarker` from the response you
1459
- # just received.
1460
- # @return [Types::ListKeysResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1461
- #
1462
- # * {Types::ListKeysResponse#keys #Keys} => Array&lt;Types::KeyListEntry&gt;
1463
- # * {Types::ListKeysResponse#next_marker #NextMarker} => String
1464
- # * {Types::ListKeysResponse#truncated #Truncated} => Boolean
1465
- #
1466
- # @example Request syntax with placeholder values
1467
- # resp = client.list_keys({
1468
- # limit: 1,
1469
- # marker: "MarkerType",
1470
- # })
1471
- #
1472
- # @example Response structure
1473
- # resp.keys #=> Array
1474
- # resp.keys[0].key_id #=> String
1475
- # resp.keys[0].key_arn #=> String
1476
- # resp.next_marker #=> String
1477
- # resp.truncated #=> Boolean
1478
- # @overload list_keys(params = {})
1479
- # @param [Hash] params ({})
1480
- def list_keys(params = {}, options = {})
1481
- req = build_request(:list_keys, params)
1482
- req.send_request(options)
1483
- end
1518
+ # Retrieves a list of policies attached to a key.
1519
+ #
1520
+ # @option params [required, String] :key_id
1521
+ # A unique identifier for the customer master key (CMK). You can use the
1522
+ # unique key ID or the Amazon Resource Name (ARN) of the CMK. Examples:
1523
+ #
1524
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1525
+ #
1526
+ # * Key ARN:
1527
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1528
+ #
1529
+ # @option params [Integer] :limit
1530
+ # When paginating results, specify the maximum number of items to return
1531
+ # in the response. If additional items exist beyond the number you
1532
+ # specify, the `Truncated` element in the response is set to true.
1533
+ #
1534
+ # This value is optional. If you include a value, it must be between 1
1535
+ # and 1000, inclusive. If you do not include a value, it defaults to
1536
+ # 100.
1537
+ #
1538
+ # Currently only 1 policy can be attached to a key.
1539
+ #
1540
+ # @option params [String] :marker
1541
+ # Use this parameter only when paginating results and only in a
1542
+ # subsequent request after you receive a response with truncated
1543
+ # results. Set it to the value of `NextMarker` from the response you
1544
+ # just received.
1545
+ #
1546
+ # @return [Types::ListKeyPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1547
+ #
1548
+ # * {Types::ListKeyPoliciesResponse#policy_names #policy_names} => Array&lt;String&gt;
1549
+ # * {Types::ListKeyPoliciesResponse#next_marker #next_marker} => String
1550
+ # * {Types::ListKeyPoliciesResponse#truncated #truncated} => Boolean
1551
+ #
1552
+ # @example Request syntax with placeholder values
1553
+ #
1554
+ # resp = client.list_key_policies({
1555
+ # key_id: "KeyIdType", # required
1556
+ # limit: 1,
1557
+ # marker: "MarkerType",
1558
+ # })
1559
+ #
1560
+ # @example Response structure
1561
+ #
1562
+ # resp.policy_names #=> Array
1563
+ # resp.policy_names[0] #=> String
1564
+ # resp.next_marker #=> String
1565
+ # resp.truncated #=> Boolean
1566
+ #
1567
+ # @overload list_key_policies(params = {})
1568
+ # @param [Hash] params ({})
1569
+ def list_key_policies(params = {}, options = {})
1570
+ req = build_request(:list_key_policies, params)
1571
+ req.send_request(options)
1572
+ end
1484
1573
 
1485
- # Returns a list of all grants for which the grant's
1486
- # `RetiringPrincipal` matches the one specified.
1487
- #
1488
- # A typical use is to list all grants that you are able to retire. To
1489
- # retire a grant, use RetireGrant.
1490
- # @option params [Integer] :limit
1491
- # When paginating results, specify the maximum number of items to return
1492
- # in the response. If additional items exist beyond the number you
1493
- # specify, the `Truncated` element in the response is set to true.
1494
- #
1495
- # This value is optional. If you include a value, it must be between 1
1496
- # and 100, inclusive. If you do not include a value, it defaults to 50.
1497
- # @option params [String] :marker
1498
- # Use this parameter only when paginating results and only in a
1499
- # subsequent request after you receive a response with truncated
1500
- # results. Set it to the value of `NextMarker` from the response you
1501
- # just received.
1502
- # @option params [required, String] :retiring_principal
1503
- # The retiring principal for which to list grants.
1504
- #
1505
- # To specify the retiring principal, use the [Amazon Resource Name
1506
- # (ARN)][1] of an AWS principal. Valid AWS principals include AWS
1507
- # accounts (root), IAM users, federated users, and assumed role users.
1508
- # For examples of the ARN syntax for specifying a principal, see [AWS
1509
- # Identity and Access Management (IAM)][2] in the Example ARNs section
1510
- # of the *Amazon Web Services General Reference*.
1511
- #
1512
- #
1513
- #
1514
- # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
1515
- # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
1516
- # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1517
- #
1518
- # * {Types::ListGrantsResponse#grants #Grants} => Array&lt;Types::GrantListEntry&gt;
1519
- # * {Types::ListGrantsResponse#next_marker #NextMarker} => String
1520
- # * {Types::ListGrantsResponse#truncated #Truncated} => Boolean
1521
- #
1522
- # @example Request syntax with placeholder values
1523
- # resp = client.list_retirable_grants({
1524
- # limit: 1,
1525
- # marker: "MarkerType",
1526
- # retiring_principal: "PrincipalIdType", # required
1527
- # })
1528
- #
1529
- # @example Response structure
1530
- # resp.grants #=> Array
1531
- # resp.grants[0].key_id #=> String
1532
- # resp.grants[0].grant_id #=> String
1533
- # resp.grants[0].name #=> String
1534
- # resp.grants[0].creation_date #=> Time
1535
- # resp.grants[0].grantee_principal #=> String
1536
- # resp.grants[0].retiring_principal #=> String
1537
- # resp.grants[0].issuing_account #=> String
1538
- # resp.grants[0].operations #=> Array
1539
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
1540
- # resp.grants[0].constraints.encryption_context_subset #=> Hash
1541
- # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
1542
- # resp.grants[0].constraints.encryption_context_equals #=> Hash
1543
- # resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
1544
- # resp.next_marker #=> String
1545
- # resp.truncated #=> Boolean
1546
- # @overload list_retirable_grants(params = {})
1547
- # @param [Hash] params ({})
1548
- def list_retirable_grants(params = {}, options = {})
1549
- req = build_request(:list_retirable_grants, params)
1550
- req.send_request(options)
1551
- end
1574
+ # Lists the customer master keys.
1575
+ #
1576
+ # @option params [Integer] :limit
1577
+ # When paginating results, specify the maximum number of items to return
1578
+ # in the response. If additional items exist beyond the number you
1579
+ # specify, the `Truncated` element in the response is set to true.
1580
+ #
1581
+ # This value is optional. If you include a value, it must be between 1
1582
+ # and 1000, inclusive. If you do not include a value, it defaults to
1583
+ # 100.
1584
+ #
1585
+ # @option params [String] :marker
1586
+ # Use this parameter only when paginating results and only in a
1587
+ # subsequent request after you receive a response with truncated
1588
+ # results. Set it to the value of `NextMarker` from the response you
1589
+ # just received.
1590
+ #
1591
+ # @return [Types::ListKeysResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1592
+ #
1593
+ # * {Types::ListKeysResponse#keys #keys} => Array&lt;Types::KeyListEntry&gt;
1594
+ # * {Types::ListKeysResponse#next_marker #next_marker} => String
1595
+ # * {Types::ListKeysResponse#truncated #truncated} => Boolean
1596
+ #
1597
+ # @example Request syntax with placeholder values
1598
+ #
1599
+ # resp = client.list_keys({
1600
+ # limit: 1,
1601
+ # marker: "MarkerType",
1602
+ # })
1603
+ #
1604
+ # @example Response structure
1605
+ #
1606
+ # resp.keys #=> Array
1607
+ # resp.keys[0].key_id #=> String
1608
+ # resp.keys[0].key_arn #=> String
1609
+ # resp.next_marker #=> String
1610
+ # resp.truncated #=> Boolean
1611
+ #
1612
+ # @overload list_keys(params = {})
1613
+ # @param [Hash] params ({})
1614
+ def list_keys(params = {}, options = {})
1615
+ req = build_request(:list_keys, params)
1616
+ req.send_request(options)
1617
+ end
1552
1618
 
1553
- # Attaches a key policy to the specified customer master key (CMK).
1554
- #
1555
- # For more information about key policies, see [Key Policies][1] in the
1556
- # *AWS Key Management Service Developer Guide*.
1557
- #
1558
- #
1559
- #
1560
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
1561
- # @option params [required, String] :key_id
1562
- # A unique identifier for the CMK.
1563
- #
1564
- # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
1565
- # For example:
1566
- #
1567
- # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1568
- #
1569
- # * ARN:
1570
- # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1571
- # @option params [required, String] :policy_name
1572
- # The name of the key policy.
1573
- #
1574
- # This value must be `default`.
1575
- # @option params [required, String] :policy
1576
- # The key policy to attach to the CMK.
1577
- #
1578
- # If you do not set `BypassPolicyLockoutSafetyCheck` to true, the policy
1579
- # must meet the following criteria:
1580
- #
1581
- # * It must allow the principal making the `PutKeyPolicy` request to
1582
- # make a subsequent `PutKeyPolicy` request on the CMK. This reduces
1583
- # the likelihood that the CMK becomes unmanageable. For more
1584
- # information, refer to the scenario in the [Default Key Policy][1]
1585
- # section in the *AWS Key Management Service Developer Guide*.
1586
- #
1587
- # * The principal(s) specified in the key policy must exist and be
1588
- # visible to AWS KMS. When you create a new AWS principal (for
1589
- # example, an IAM user or role), you might need to enforce a delay
1590
- # before specifying the new principal in a key policy because the new
1591
- # principal might not immediately be visible to AWS KMS. For more
1592
- # information, see [Changes that I make are not always immediately
1593
- # visible][2] in the *IAM User Guide*.
1594
- #
1595
- # The policy size limit is 32 KiB (32768 bytes).
1596
- #
1597
- #
1598
- #
1599
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1600
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
1601
- # @option params [Boolean] :bypass_policy_lockout_safety_check
1602
- # A flag to indicate whether to bypass the key policy lockout safety
1603
- # check.
1604
- #
1605
- # Setting this value to true increases the likelihood that the CMK
1606
- # becomes unmanageable. Do not set this value to true indiscriminately.
1607
- #
1608
- # For more information, refer to the scenario in the [Default Key
1609
- # Policy][1] section in the *AWS Key Management Service Developer
1610
- # Guide*.
1611
- #
1612
- # Use this parameter only when you intend to prevent the principal
1613
- # making the request from making a subsequent `PutKeyPolicy` request on
1614
- # the CMK.
1615
- #
1616
- # The default value is false.
1617
- #
1618
- #
1619
- #
1620
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1621
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1622
- #
1623
- # @example Request syntax with placeholder values
1624
- # resp = client.put_key_policy({
1625
- # key_id: "KeyIdType", # required
1626
- # policy_name: "PolicyNameType", # required
1627
- # policy: "PolicyType", # required
1628
- # bypass_policy_lockout_safety_check: false,
1629
- # })
1630
- # @overload put_key_policy(params = {})
1631
- # @param [Hash] params ({})
1632
- def put_key_policy(params = {}, options = {})
1633
- req = build_request(:put_key_policy, params)
1634
- req.send_request(options)
1635
- end
1619
+ # Returns a list of all grants for which the grant's
1620
+ # `RetiringPrincipal` matches the one specified.
1621
+ #
1622
+ # A typical use is to list all grants that you are able to retire. To
1623
+ # retire a grant, use RetireGrant.
1624
+ #
1625
+ # @option params [Integer] :limit
1626
+ # When paginating results, specify the maximum number of items to return
1627
+ # in the response. If additional items exist beyond the number you
1628
+ # specify, the `Truncated` element in the response is set to true.
1629
+ #
1630
+ # This value is optional. If you include a value, it must be between 1
1631
+ # and 100, inclusive. If you do not include a value, it defaults to 50.
1632
+ #
1633
+ # @option params [String] :marker
1634
+ # Use this parameter only when paginating results and only in a
1635
+ # subsequent request after you receive a response with truncated
1636
+ # results. Set it to the value of `NextMarker` from the response you
1637
+ # just received.
1638
+ #
1639
+ # @option params [required, String] :retiring_principal
1640
+ # The retiring principal for which to list grants.
1641
+ #
1642
+ # To specify the retiring principal, use the [Amazon Resource Name
1643
+ # (ARN)][1] of an AWS principal. Valid AWS principals include AWS
1644
+ # accounts (root), IAM users, federated users, and assumed role users.
1645
+ # For examples of the ARN syntax for specifying a principal, see [AWS
1646
+ # Identity and Access Management (IAM)][2] in the Example ARNs section
1647
+ # of the *Amazon Web Services General Reference*.
1648
+ #
1649
+ #
1650
+ #
1651
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
1652
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
1653
+ #
1654
+ # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1655
+ #
1656
+ # * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
1657
+ # * {Types::ListGrantsResponse#next_marker #next_marker} => String
1658
+ # * {Types::ListGrantsResponse#truncated #truncated} => Boolean
1659
+ #
1660
+ # @example Request syntax with placeholder values
1661
+ #
1662
+ # resp = client.list_retirable_grants({
1663
+ # limit: 1,
1664
+ # marker: "MarkerType",
1665
+ # retiring_principal: "PrincipalIdType", # required
1666
+ # })
1667
+ #
1668
+ # @example Response structure
1669
+ #
1670
+ # resp.grants #=> Array
1671
+ # resp.grants[0].key_id #=> String
1672
+ # resp.grants[0].grant_id #=> String
1673
+ # resp.grants[0].name #=> String
1674
+ # resp.grants[0].creation_date #=> Time
1675
+ # resp.grants[0].grantee_principal #=> String
1676
+ # resp.grants[0].retiring_principal #=> String
1677
+ # resp.grants[0].issuing_account #=> String
1678
+ # resp.grants[0].operations #=> Array
1679
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
1680
+ # resp.grants[0].constraints.encryption_context_subset #=> Hash
1681
+ # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
1682
+ # resp.grants[0].constraints.encryption_context_equals #=> Hash
1683
+ # resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
1684
+ # resp.next_marker #=> String
1685
+ # resp.truncated #=> Boolean
1686
+ #
1687
+ # @overload list_retirable_grants(params = {})
1688
+ # @param [Hash] params ({})
1689
+ def list_retirable_grants(params = {}, options = {})
1690
+ req = build_request(:list_retirable_grants, params)
1691
+ req.send_request(options)
1692
+ end
1636
1693
 
1637
- # Encrypts data on the server side with a new customer master key
1638
- # without exposing the plaintext of the data on the client side. The
1639
- # data is first decrypted and then encrypted. This operation can also be
1640
- # used to change the encryption context of a ciphertext.
1641
- #
1642
- # Unlike other actions, `ReEncrypt` is authorized twice - once as
1643
- # `ReEncryptFrom` on the source key and once as `ReEncryptTo` on the
1644
- # destination key. We therefore recommend that you include the
1645
- # `"action":"kms:ReEncrypt*"` statement in your key policies to permit
1646
- # re-encryption from or to the key. The statement is included
1647
- # automatically when you authorize use of the key through the console
1648
- # but must be included manually when you set a policy by using the
1649
- # PutKeyPolicy function.
1650
- # @option params [required, String, IO] :ciphertext_blob
1651
- # Ciphertext of the data to re-encrypt.
1652
- # @option params [Hash<String,String>] :source_encryption_context
1653
- # Encryption context used to encrypt and decrypt the data specified in
1654
- # the `CiphertextBlob` parameter.
1655
- # @option params [required, String] :destination_key_id
1656
- # A unique identifier for the customer master key used to re-encrypt the
1657
- # data. This value can be a globally unique identifier, a fully
1658
- # specified ARN to either an alias or a key, or an alias name prefixed
1659
- # by "alias/".
1660
- #
1661
- # * Key ARN Example -
1662
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1663
- #
1664
- # * Alias ARN Example -
1665
- # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
1666
- #
1667
- # * Globally Unique Key ID Example -
1668
- # 12345678-1234-1234-1234-123456789012
1669
- #
1670
- # * Alias Name Example - alias/MyAliasName
1671
- # @option params [Hash<String,String>] :destination_encryption_context
1672
- # Encryption context to be used when the data is re-encrypted.
1673
- # @option params [Array<String>] :grant_tokens
1674
- # A list of grant tokens.
1675
- #
1676
- # For more information, see [Grant Tokens][1] in the *AWS Key Management
1677
- # Service Developer Guide*.
1678
- #
1679
- #
1680
- #
1681
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1682
- # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1683
- #
1684
- # * {Types::ReEncryptResponse#ciphertext_blob #CiphertextBlob} => String
1685
- # * {Types::ReEncryptResponse#source_key_id #SourceKeyId} => String
1686
- # * {Types::ReEncryptResponse#key_id #KeyId} => String
1687
- #
1688
- # @example Request syntax with placeholder values
1689
- # resp = client.re_encrypt({
1690
- # ciphertext_blob: "data", # required
1691
- # source_encryption_context: {
1692
- # "EncryptionContextKey" => "EncryptionContextValue",
1693
- # },
1694
- # destination_key_id: "KeyIdType", # required
1695
- # destination_encryption_context: {
1696
- # "EncryptionContextKey" => "EncryptionContextValue",
1697
- # },
1698
- # grant_tokens: ["GrantTokenType"],
1699
- # })
1700
- #
1701
- # @example Response structure
1702
- # resp.ciphertext_blob #=> String
1703
- # resp.source_key_id #=> String
1704
- # resp.key_id #=> String
1705
- # @overload re_encrypt(params = {})
1706
- # @param [Hash] params ({})
1707
- def re_encrypt(params = {}, options = {})
1708
- req = build_request(:re_encrypt, params)
1709
- req.send_request(options)
1710
- end
1694
+ # Attaches a key policy to the specified customer master key (CMK).
1695
+ #
1696
+ # For more information about key policies, see [Key Policies][1] in the
1697
+ # *AWS Key Management Service Developer Guide*.
1698
+ #
1699
+ #
1700
+ #
1701
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
1702
+ #
1703
+ # @option params [required, String] :key_id
1704
+ # A unique identifier for the CMK.
1705
+ #
1706
+ # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
1707
+ # For example:
1708
+ #
1709
+ # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1710
+ #
1711
+ # * ARN:
1712
+ # arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1713
+ #
1714
+ # @option params [required, String] :policy_name
1715
+ # The name of the key policy.
1716
+ #
1717
+ # This value must be `default`.
1718
+ #
1719
+ # @option params [required, String] :policy
1720
+ # The key policy to attach to the CMK.
1721
+ #
1722
+ # If you do not set `BypassPolicyLockoutSafetyCheck` to true, the policy
1723
+ # must meet the following criteria:
1724
+ #
1725
+ # * It must allow the principal making the `PutKeyPolicy` request to
1726
+ # make a subsequent `PutKeyPolicy` request on the CMK. This reduces
1727
+ # the likelihood that the CMK becomes unmanageable. For more
1728
+ # information, refer to the scenario in the [Default Key Policy][1]
1729
+ # section in the *AWS Key Management Service Developer Guide*.
1730
+ #
1731
+ # * The principal(s) specified in the key policy must exist and be
1732
+ # visible to AWS KMS. When you create a new AWS principal (for
1733
+ # example, an IAM user or role), you might need to enforce a delay
1734
+ # before specifying the new principal in a key policy because the new
1735
+ # principal might not immediately be visible to AWS KMS. For more
1736
+ # information, see [Changes that I make are not always immediately
1737
+ # visible][2] in the *IAM User Guide*.
1738
+ #
1739
+ # The policy size limit is 32 KiB (32768 bytes).
1740
+ #
1741
+ #
1742
+ #
1743
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1744
+ # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
1745
+ #
1746
+ # @option params [Boolean] :bypass_policy_lockout_safety_check
1747
+ # A flag to indicate whether to bypass the key policy lockout safety
1748
+ # check.
1749
+ #
1750
+ # Setting this value to true increases the likelihood that the CMK
1751
+ # becomes unmanageable. Do not set this value to true indiscriminately.
1752
+ #
1753
+ # For more information, refer to the scenario in the [Default Key
1754
+ # Policy][1] section in the *AWS Key Management Service Developer
1755
+ # Guide*.
1756
+ #
1757
+ # Use this parameter only when you intend to prevent the principal
1758
+ # making the request from making a subsequent `PutKeyPolicy` request on
1759
+ # the CMK.
1760
+ #
1761
+ # The default value is false.
1762
+ #
1763
+ #
1764
+ #
1765
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1766
+ #
1767
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1768
+ #
1769
+ # @example Request syntax with placeholder values
1770
+ #
1771
+ # resp = client.put_key_policy({
1772
+ # key_id: "KeyIdType", # required
1773
+ # policy_name: "PolicyNameType", # required
1774
+ # policy: "PolicyType", # required
1775
+ # bypass_policy_lockout_safety_check: false,
1776
+ # })
1777
+ #
1778
+ # @overload put_key_policy(params = {})
1779
+ # @param [Hash] params ({})
1780
+ def put_key_policy(params = {}, options = {})
1781
+ req = build_request(:put_key_policy, params)
1782
+ req.send_request(options)
1783
+ end
1711
1784
 
1712
- # Retires a grant. You can retire a grant when you're done using it to
1713
- # clean up. You should revoke a grant when you intend to actively deny
1714
- # operations that depend on it. The following are permitted to call this
1715
- # API:
1716
- #
1717
- # * The account that created the grant
1718
- #
1719
- # * The `RetiringPrincipal`, if present
1720
- #
1721
- # * The `GranteePrincipal`, if `RetireGrant` is a grantee operation
1722
- #
1723
- # The grant to retire must be identified by its grant token or by a
1724
- # combination of the key ARN and the grant ID. A grant token is a unique
1725
- # variable-length base64-encoded string. A grant ID is a 64 character
1726
- # unique identifier of a grant. Both are returned by the `CreateGrant`
1727
- # function.
1728
- # @option params [String] :grant_token
1729
- # Token that identifies the grant to be retired.
1730
- # @option params [String] :key_id
1731
- # A unique identifier for the customer master key associated with the
1732
- # grant. This value can be a globally unique identifier or a fully
1733
- # specified ARN of the key.
1734
- #
1735
- # * Key ARN Example -
1736
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1737
- #
1738
- # * Globally Unique Key ID Example -
1739
- # 12345678-1234-1234-1234-123456789012
1740
- # @option params [String] :grant_id
1741
- # Unique identifier of the grant to be retired. The grant ID is returned
1742
- # by the `CreateGrant` function.
1743
- #
1744
- # * Grant ID Example -
1745
- # 0123456789012345678901234567890123456789012345678901234567890123
1746
- #
1747
- # ^
1748
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1749
- #
1750
- # @example Request syntax with placeholder values
1751
- # resp = client.retire_grant({
1752
- # grant_token: "GrantTokenType",
1753
- # key_id: "KeyIdType",
1754
- # grant_id: "GrantIdType",
1755
- # })
1756
- # @overload retire_grant(params = {})
1757
- # @param [Hash] params ({})
1758
- def retire_grant(params = {}, options = {})
1759
- req = build_request(:retire_grant, params)
1760
- req.send_request(options)
1761
- end
1785
+ # Encrypts data on the server side with a new customer master key (CMK)
1786
+ # without exposing the plaintext of the data on the client side. The
1787
+ # data is first decrypted and then reencrypted. You can also use this
1788
+ # operation to change the encryption context of a ciphertext.
1789
+ #
1790
+ # Unlike other operations, `ReEncrypt` is authorized twice, once as
1791
+ # `ReEncryptFrom` on the source CMK and once as `ReEncryptTo` on the
1792
+ # destination CMK. We recommend that you include the `"kms:ReEncrypt*"`
1793
+ # permission in your [key policies][1] to permit reencryption from or to
1794
+ # the CMK. This permission is automatically included in the key policy
1795
+ # when you create a CMK through the console, but you must include it
1796
+ # manually when you create a CMK programmatically or when you set a key
1797
+ # policy with the PutKeyPolicy operation.
1798
+ #
1799
+ #
1800
+ #
1801
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
1802
+ #
1803
+ # @option params [required, String, IO] :ciphertext_blob
1804
+ # Ciphertext of the data to reencrypt.
1805
+ #
1806
+ # @option params [Hash<String,String>] :source_encryption_context
1807
+ # Encryption context used to encrypt and decrypt the data specified in
1808
+ # the `CiphertextBlob` parameter.
1809
+ #
1810
+ # @option params [required, String] :destination_key_id
1811
+ # A unique identifier for the CMK to use to reencrypt the data. This
1812
+ # value can be a globally unique identifier, a fully specified ARN to
1813
+ # either an alias or a key, or an alias name prefixed by "alias/".
1814
+ #
1815
+ # * Key ARN Example -
1816
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1817
+ #
1818
+ # * Alias ARN Example -
1819
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
1820
+ #
1821
+ # * Globally Unique Key ID Example -
1822
+ # 12345678-1234-1234-1234-123456789012
1823
+ #
1824
+ # * Alias Name Example - alias/MyAliasName
1825
+ #
1826
+ # @option params [Hash<String,String>] :destination_encryption_context
1827
+ # Encryption context to use when the data is reencrypted.
1828
+ #
1829
+ # @option params [Array<String>] :grant_tokens
1830
+ # A list of grant tokens.
1831
+ #
1832
+ # For more information, see [Grant Tokens][1] in the *AWS Key Management
1833
+ # Service Developer Guide*.
1834
+ #
1835
+ #
1836
+ #
1837
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1838
+ #
1839
+ # @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1840
+ #
1841
+ # * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
1842
+ # * {Types::ReEncryptResponse#source_key_id #source_key_id} => String
1843
+ # * {Types::ReEncryptResponse#key_id #key_id} => String
1844
+ #
1845
+ # @example Request syntax with placeholder values
1846
+ #
1847
+ # resp = client.re_encrypt({
1848
+ # ciphertext_blob: "data", # required
1849
+ # source_encryption_context: {
1850
+ # "EncryptionContextKey" => "EncryptionContextValue",
1851
+ # },
1852
+ # destination_key_id: "KeyIdType", # required
1853
+ # destination_encryption_context: {
1854
+ # "EncryptionContextKey" => "EncryptionContextValue",
1855
+ # },
1856
+ # grant_tokens: ["GrantTokenType"],
1857
+ # })
1858
+ #
1859
+ # @example Response structure
1860
+ #
1861
+ # resp.ciphertext_blob #=> String
1862
+ # resp.source_key_id #=> String
1863
+ # resp.key_id #=> String
1864
+ #
1865
+ # @overload re_encrypt(params = {})
1866
+ # @param [Hash] params ({})
1867
+ def re_encrypt(params = {}, options = {})
1868
+ req = build_request(:re_encrypt, params)
1869
+ req.send_request(options)
1870
+ end
1762
1871
 
1763
- # Revokes a grant. You can revoke a grant to actively deny operations
1764
- # that depend on it.
1765
- # @option params [required, String] :key_id
1766
- # A unique identifier for the customer master key associated with the
1767
- # grant. This value can be a globally unique identifier or the fully
1768
- # specified ARN to a key.
1769
- #
1770
- # * Key ARN Example -
1771
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1772
- #
1773
- # * Globally Unique Key ID Example -
1774
- # 12345678-1234-1234-1234-123456789012
1775
- # @option params [required, String] :grant_id
1776
- # Identifier of the grant to be revoked.
1777
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1778
- #
1779
- # @example Request syntax with placeholder values
1780
- # resp = client.revoke_grant({
1781
- # key_id: "KeyIdType", # required
1782
- # grant_id: "GrantIdType", # required
1783
- # })
1784
- # @overload revoke_grant(params = {})
1785
- # @param [Hash] params ({})
1786
- def revoke_grant(params = {}, options = {})
1787
- req = build_request(:revoke_grant, params)
1788
- req.send_request(options)
1789
- end
1872
+ # Retires a grant. To clean up, you can retire a grant when you're done
1873
+ # using it. You should revoke a grant when you intend to actively deny
1874
+ # operations that depend on it. The following are permitted to call this
1875
+ # API:
1876
+ #
1877
+ # * The AWS account (root user) under which the grant was created
1878
+ #
1879
+ # * The `RetiringPrincipal`, if present in the grant
1880
+ #
1881
+ # * The `GranteePrincipal`, if `RetireGrant` is an operation specified
1882
+ # in the grant
1883
+ #
1884
+ # You must identify the grant to retire by its grant token or by a
1885
+ # combination of the grant ID and the Amazon Resource Name (ARN) of the
1886
+ # customer master key (CMK). A grant token is a unique variable-length
1887
+ # base64-encoded string. A grant ID is a 64 character unique identifier
1888
+ # of a grant. The CreateGrant operation returns both.
1889
+ #
1890
+ # @option params [String] :grant_token
1891
+ # Token that identifies the grant to be retired.
1892
+ #
1893
+ # @option params [String] :key_id
1894
+ # The Amazon Resource Name of the CMK associated with the grant.
1895
+ # Example:
1896
+ #
1897
+ # * arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
1898
+ #
1899
+ # ^
1900
+ #
1901
+ # @option params [String] :grant_id
1902
+ # Unique identifier of the grant to retire. The grant ID is returned in
1903
+ # the response to a `CreateGrant` operation.
1904
+ #
1905
+ # * Grant ID Example -
1906
+ # 0123456789012345678901234567890123456789012345678901234567890123
1907
+ #
1908
+ # ^
1909
+ #
1910
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1911
+ #
1912
+ # @example Request syntax with placeholder values
1913
+ #
1914
+ # resp = client.retire_grant({
1915
+ # grant_token: "GrantTokenType",
1916
+ # key_id: "KeyIdType",
1917
+ # grant_id: "GrantIdType",
1918
+ # })
1919
+ #
1920
+ # @overload retire_grant(params = {})
1921
+ # @param [Hash] params ({})
1922
+ def retire_grant(params = {}, options = {})
1923
+ req = build_request(:retire_grant, params)
1924
+ req.send_request(options)
1925
+ end
1790
1926
 
1791
- # Schedules the deletion of a customer master key (CMK). You may provide
1792
- # a waiting period, specified in days, before deletion occurs. If you do
1793
- # not provide a waiting period, the default period of 30 days is used.
1794
- # When this operation is successful, the state of the CMK changes to
1795
- # `PendingDeletion`. Before the waiting period ends, you can use
1796
- # CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
1797
- # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
1798
- # with it, including all aliases that point to it.
1799
- #
1800
- # Deleting a CMK is a destructive and potentially dangerous operation.
1801
- # When a CMK is deleted, all data that was encrypted under the CMK is
1802
- # rendered unrecoverable. To restrict the use of a CMK without deleting
1803
- # it, use DisableKey.
1804
- #
1805
- # For more information about scheduling a CMK for deletion, see
1806
- # [Deleting Customer Master Keys][1] in the *AWS Key Management Service
1807
- # Developer Guide*.
1808
- #
1809
- #
1810
- #
1811
- # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
1812
- # @option params [required, String] :key_id
1813
- # The unique identifier for the customer master key (CMK) to delete.
1814
- #
1815
- # To specify this value, use the unique key ID or the Amazon Resource
1816
- # Name (ARN) of the CMK. Examples:
1817
- #
1818
- # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1819
- #
1820
- # * Key ARN:
1821
- # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1822
- #
1823
- # To obtain the unique key ID and key ARN for a given CMK, use ListKeys
1824
- # or DescribeKey.
1825
- # @option params [Integer] :pending_window_in_days
1826
- # The waiting period, specified in number of days. After the waiting
1827
- # period ends, AWS KMS deletes the customer master key (CMK).
1828
- #
1829
- # This value is optional. If you include a value, it must be between 7
1830
- # and 30, inclusive. If you do not include a value, it defaults to 30.
1831
- # @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1832
- #
1833
- # * {Types::ScheduleKeyDeletionResponse#key_id #KeyId} => String
1834
- # * {Types::ScheduleKeyDeletionResponse#deletion_date #DeletionDate} => Time
1835
- #
1836
- # @example Request syntax with placeholder values
1837
- # resp = client.schedule_key_deletion({
1838
- # key_id: "KeyIdType", # required
1839
- # pending_window_in_days: 1,
1840
- # })
1841
- #
1842
- # @example Response structure
1843
- # resp.key_id #=> String
1844
- # resp.deletion_date #=> Time
1845
- # @overload schedule_key_deletion(params = {})
1846
- # @param [Hash] params ({})
1847
- def schedule_key_deletion(params = {}, options = {})
1848
- req = build_request(:schedule_key_deletion, params)
1849
- req.send_request(options)
1850
- end
1927
+ # Revokes a grant. You can revoke a grant to actively deny operations
1928
+ # that depend on it.
1929
+ #
1930
+ # @option params [required, String] :key_id
1931
+ # A unique identifier for the customer master key associated with the
1932
+ # grant. This value can be a globally unique identifier or the fully
1933
+ # specified ARN to a key.
1934
+ #
1935
+ # * Key ARN Example -
1936
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1937
+ #
1938
+ # * Globally Unique Key ID Example -
1939
+ # 12345678-1234-1234-1234-123456789012
1940
+ #
1941
+ # @option params [required, String] :grant_id
1942
+ # Identifier of the grant to be revoked.
1943
+ #
1944
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1945
+ #
1946
+ # @example Request syntax with placeholder values
1947
+ #
1948
+ # resp = client.revoke_grant({
1949
+ # key_id: "KeyIdType", # required
1950
+ # grant_id: "GrantIdType", # required
1951
+ # })
1952
+ #
1953
+ # @overload revoke_grant(params = {})
1954
+ # @param [Hash] params ({})
1955
+ def revoke_grant(params = {}, options = {})
1956
+ req = build_request(:revoke_grant, params)
1957
+ req.send_request(options)
1958
+ end
1851
1959
 
1852
- # Updates an alias to map it to a different key.
1853
- #
1854
- # An alias is not a property of a key. Therefore, an alias can be mapped
1855
- # to and unmapped from an existing key without changing the properties
1856
- # of the key.
1857
- #
1858
- # An alias name can contain only alphanumeric characters, forward
1859
- # slashes (/), underscores (\_), and dashes (-). An alias must start
1860
- # with the word "alias" followed by a forward slash (alias/). An alias
1861
- # that begins with "aws" after the forward slash (alias/aws...) is
1862
- # reserved by Amazon Web Services (AWS).
1863
- #
1864
- # The alias and the key it is mapped to must be in the same AWS account
1865
- # and the same region.
1866
- # @option params [required, String] :alias_name
1867
- # String that contains the name of the alias to be modified. The name
1868
- # must start with the word "alias" followed by a forward slash
1869
- # (alias/). Aliases that begin with "alias/aws" are reserved.
1870
- # @option params [required, String] :target_key_id
1871
- # Unique identifier of the customer master key to be mapped to the
1872
- # alias. This value can be a globally unique identifier or the fully
1873
- # specified ARN of a key.
1874
- #
1875
- # * Key ARN Example -
1876
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1877
- #
1878
- # * Globally Unique Key ID Example -
1879
- # 12345678-1234-1234-1234-123456789012
1880
- #
1881
- # You can call ListAliases to verify that the alias is mapped to the
1882
- # correct `TargetKeyId`.
1883
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1884
- #
1885
- # @example Request syntax with placeholder values
1886
- # resp = client.update_alias({
1887
- # alias_name: "AliasNameType", # required
1888
- # target_key_id: "KeyIdType", # required
1889
- # })
1890
- # @overload update_alias(params = {})
1891
- # @param [Hash] params ({})
1892
- def update_alias(params = {}, options = {})
1893
- req = build_request(:update_alias, params)
1894
- req.send_request(options)
1895
- end
1960
+ # Schedules the deletion of a customer master key (CMK). You may provide
1961
+ # a waiting period, specified in days, before deletion occurs. If you do
1962
+ # not provide a waiting period, the default period of 30 days is used.
1963
+ # When this operation is successful, the state of the CMK changes to
1964
+ # `PendingDeletion`. Before the waiting period ends, you can use
1965
+ # CancelKeyDeletion to cancel the deletion of the CMK. After the waiting
1966
+ # period ends, AWS KMS deletes the CMK and all AWS KMS data associated
1967
+ # with it, including all aliases that refer to it.
1968
+ #
1969
+ # Deleting a CMK is a destructive and potentially dangerous operation.
1970
+ # When a CMK is deleted, all data that was encrypted under the CMK is
1971
+ # rendered unrecoverable. To restrict the use of a CMK without deleting
1972
+ # it, use DisableKey.
1973
+ #
1974
+ # For more information about scheduling a CMK for deletion, see
1975
+ # [Deleting Customer Master Keys][1] in the *AWS Key Management Service
1976
+ # Developer Guide*.
1977
+ #
1978
+ #
1979
+ #
1980
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
1981
+ #
1982
+ # @option params [required, String] :key_id
1983
+ # The unique identifier for the customer master key (CMK) to delete.
1984
+ #
1985
+ # To specify this value, use the unique key ID or the Amazon Resource
1986
+ # Name (ARN) of the CMK. Examples:
1987
+ #
1988
+ # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1989
+ #
1990
+ # * Key ARN:
1991
+ # arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1992
+ #
1993
+ # To obtain the unique key ID and key ARN for a given CMK, use ListKeys
1994
+ # or DescribeKey.
1995
+ #
1996
+ # @option params [Integer] :pending_window_in_days
1997
+ # The waiting period, specified in number of days. After the waiting
1998
+ # period ends, AWS KMS deletes the customer master key (CMK).
1999
+ #
2000
+ # This value is optional. If you include a value, it must be between 7
2001
+ # and 30, inclusive. If you do not include a value, it defaults to 30.
2002
+ #
2003
+ # @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2004
+ #
2005
+ # * {Types::ScheduleKeyDeletionResponse#key_id #key_id} => String
2006
+ # * {Types::ScheduleKeyDeletionResponse#deletion_date #deletion_date} => Time
2007
+ #
2008
+ # @example Request syntax with placeholder values
2009
+ #
2010
+ # resp = client.schedule_key_deletion({
2011
+ # key_id: "KeyIdType", # required
2012
+ # pending_window_in_days: 1,
2013
+ # })
2014
+ #
2015
+ # @example Response structure
2016
+ #
2017
+ # resp.key_id #=> String
2018
+ # resp.deletion_date #=> Time
2019
+ #
2020
+ # @overload schedule_key_deletion(params = {})
2021
+ # @param [Hash] params ({})
2022
+ def schedule_key_deletion(params = {}, options = {})
2023
+ req = build_request(:schedule_key_deletion, params)
2024
+ req.send_request(options)
2025
+ end
1896
2026
 
1897
- # Updates the description of a key.
1898
- # @option params [required, String] :key_id
1899
- # A unique identifier for the customer master key. This value can be a
1900
- # globally unique identifier or the fully specified ARN to a key.
1901
- #
1902
- # * Key ARN Example -
1903
- # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1904
- #
1905
- # * Globally Unique Key ID Example -
1906
- # 12345678-1234-1234-1234-123456789012
1907
- # @option params [required, String] :description
1908
- # New description for the key.
1909
- # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1910
- #
1911
- # @example Request syntax with placeholder values
1912
- # resp = client.update_key_description({
1913
- # key_id: "KeyIdType", # required
1914
- # description: "DescriptionType", # required
1915
- # })
1916
- # @overload update_key_description(params = {})
1917
- # @param [Hash] params ({})
1918
- def update_key_description(params = {}, options = {})
1919
- req = build_request(:update_key_description, params)
1920
- req.send_request(options)
1921
- end
2027
+ # Updates an alias to map it to a different key.
2028
+ #
2029
+ # An alias is not a property of a key. Therefore, an alias can be mapped
2030
+ # to and unmapped from an existing key without changing the properties
2031
+ # of the key.
2032
+ #
2033
+ # An alias name can contain only alphanumeric characters, forward
2034
+ # slashes (/), underscores (\_), and dashes (-). An alias must start
2035
+ # with the word "alias" followed by a forward slash (alias/). An alias
2036
+ # that begins with "aws" after the forward slash (alias/aws...) is
2037
+ # reserved by Amazon Web Services (AWS).
2038
+ #
2039
+ # The alias and the key it is mapped to must be in the same AWS account
2040
+ # and the same region.
2041
+ #
2042
+ # @option params [required, String] :alias_name
2043
+ # String that contains the name of the alias to be modified. The name
2044
+ # must start with the word "alias" followed by a forward slash
2045
+ # (alias/). Aliases that begin with "alias/aws" are reserved.
2046
+ #
2047
+ # @option params [required, String] :target_key_id
2048
+ # Unique identifier of the customer master key to be mapped to the
2049
+ # alias. This value can be a globally unique identifier or the fully
2050
+ # specified ARN of a key.
2051
+ #
2052
+ # * Key ARN Example -
2053
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
2054
+ #
2055
+ # * Globally Unique Key ID Example -
2056
+ # 12345678-1234-1234-1234-123456789012
2057
+ #
2058
+ # You can call ListAliases to verify that the alias is mapped to the
2059
+ # correct `TargetKeyId`.
2060
+ #
2061
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
2062
+ #
2063
+ # @example Request syntax with placeholder values
2064
+ #
2065
+ # resp = client.update_alias({
2066
+ # alias_name: "AliasNameType", # required
2067
+ # target_key_id: "KeyIdType", # required
2068
+ # })
2069
+ #
2070
+ # @overload update_alias(params = {})
2071
+ # @param [Hash] params ({})
2072
+ def update_alias(params = {}, options = {})
2073
+ req = build_request(:update_alias, params)
2074
+ req.send_request(options)
2075
+ end
1922
2076
 
1923
- # @!endgroup
2077
+ # Updates the description of a customer master key (CMK).
2078
+ #
2079
+ # @option params [required, String] :key_id
2080
+ # A unique identifier for the CMK. This value can be a globally unique
2081
+ # identifier or the fully specified ARN to a key.
2082
+ #
2083
+ # * Key ARN Example -
2084
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
2085
+ #
2086
+ # * Globally Unique Key ID Example -
2087
+ # 12345678-1234-1234-1234-123456789012
2088
+ #
2089
+ # @option params [required, String] :description
2090
+ # New description for the CMK.
2091
+ #
2092
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
2093
+ #
2094
+ # @example Request syntax with placeholder values
2095
+ #
2096
+ # resp = client.update_key_description({
2097
+ # key_id: "KeyIdType", # required
2098
+ # description: "DescriptionType", # required
2099
+ # })
2100
+ #
2101
+ # @overload update_key_description(params = {})
2102
+ # @param [Hash] params ({})
2103
+ def update_key_description(params = {}, options = {})
2104
+ req = build_request(:update_key_description, params)
2105
+ req.send_request(options)
2106
+ end
1924
2107
 
1925
- # @param params ({})
1926
- # @api private
1927
- def build_request(operation_name, params = {})
1928
- handlers = @handlers.for(operation_name)
1929
- context = Seahorse::Client::RequestContext.new(
1930
- operation_name: operation_name,
1931
- operation: config.api.operation(operation_name),
1932
- client: self,
1933
- params: params,
1934
- config: config)
1935
- context[:gem_name] = 'aws-sdk-kms'
1936
- context[:gem_version] = '1.0.0.rc1'
1937
- Seahorse::Client::Request.new(handlers, context)
1938
- end
2108
+ # @!endgroup
1939
2109
 
1940
- # @api private
1941
- # @deprecated
1942
- def waiter_names
1943
- []
1944
- end
2110
+ # @param params ({})
2111
+ # @api private
2112
+ def build_request(operation_name, params = {})
2113
+ handlers = @handlers.for(operation_name)
2114
+ context = Seahorse::Client::RequestContext.new(
2115
+ operation_name: operation_name,
2116
+ operation: config.api.operation(operation_name),
2117
+ client: self,
2118
+ params: params,
2119
+ config: config)
2120
+ context[:gem_name] = 'aws-sdk-kms'
2121
+ context[:gem_version] = '1.0.0.rc1'
2122
+ Seahorse::Client::Request.new(handlers, context)
2123
+ end
1945
2124
 
1946
- class << self
2125
+ # @api private
2126
+ # @deprecated
2127
+ def waiter_names
2128
+ []
2129
+ end
1947
2130
 
1948
- # @api private
1949
- attr_reader :identifier
2131
+ class << self
1950
2132
 
1951
- # @api private
1952
- def errors_module
1953
- Errors
1954
- end
2133
+ # @api private
2134
+ attr_reader :identifier
1955
2135
 
2136
+ # @api private
2137
+ def errors_module
2138
+ Errors
1956
2139
  end
2140
+
1957
2141
  end
1958
2142
  end
1959
2143
  end