aws-sdk-kms 1.0.0.rc1

@@ -0,0 +1,7 @@
1
+ # WARNING ABOUT GENERATED CODE
2
+ #
3
+ # This file is generated. See the contributing for info on making contributions:
4
+ # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ #
6
+ # WARNING ABOUT GENERATED CODE
7
+
@@ -0,0 +1,23 @@
1
+ # WARNING ABOUT GENERATED CODE
2
+ #
3
+ # This file is generated. See the contributing for info on making contributions:
4
+ # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ #
6
+ # WARNING ABOUT GENERATED CODE
7
+
8
+ module Aws
9
+ module KMS
10
+ module Errors
11
+
12
+ extend Aws::Errors::DynamicErrors
13
+
14
+ # Raised when calling #load or #data on a resource class that can not be
15
+ # loaded. This can happen when:
16
+ #
17
+ # * A resource class has identifiers, but no data attributes.
18
+ # * Resource data is only available when making an API call that
19
+ # enumerates all resources of that type.
20
+ class ResourceNotLoadable < RuntimeError; end
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,25 @@
1
+ # WARNING ABOUT GENERATED CODE
2
+ #
3
+ # This file is generated. See the contributing for info on making contributions:
4
+ # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ #
6
+ # WARNING ABOUT GENERATED CODE
7
+
8
+ module Aws
9
+ module KMS
10
+ class Resource
11
+
12
+ # @param options ({})
13
+ # @option options [Client] :client
14
+ def initialize(options = {})
15
+ @client = options[:client] || Client.new(options)
16
+ end
17
+
18
+ # @return [Client]
19
+ def client
20
+ @client
21
+ end
22
+
23
+ end
24
+ end
25
+ end
@@ -0,0 +1,1930 @@
1
+ # WARNING ABOUT GENERATED CODE
2
+ #
3
+ # This file is generated. See the contributing for info on making contributions:
4
+ # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
5
+ #
6
+ # WARNING ABOUT GENERATED CODE
7
+
8
+ module Aws
9
+ module KMS
10
+ module Types
11
+
12
+ # Contains information about an alias.
13
+ # @!attribute [rw] alias_name
14
+ # String that contains the alias.
15
+ # @return [String]
16
+ #
17
+ # @!attribute [rw] alias_arn
18
+ # String that contains the key ARN.
19
+ # @return [String]
20
+ #
21
+ # @!attribute [rw] target_key_id
22
+ # String that contains the key identifier pointed to by the alias.
23
+ # @return [String]
24
+ class AliasListEntry < Struct.new(
25
+ :alias_name,
26
+ :alias_arn,
27
+ :target_key_id)
28
+ include Aws::Structure
29
+ end
30
+
31
+ # @note When making an API call, pass CancelKeyDeletionRequest
32
+ # data as a hash:
33
+ #
34
+ # {
35
+ # key_id: "KeyIdType", # required
36
+ # }
37
+ # @!attribute [rw] key_id
38
+ # The unique identifier for the customer master key (CMK) for which to
39
+ # cancel deletion.
40
+ #
41
+ # To specify this value, use the unique key ID or the Amazon Resource
42
+ # Name (ARN) of the CMK. Examples:
43
+ #
44
+ # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
45
+ #
46
+ # * Key ARN:
47
+ # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
48
+ #
49
+ # To obtain the unique key ID and key ARN for a given CMK, use
50
+ # ListKeys or DescribeKey.
51
+ # @return [String]
52
+ class CancelKeyDeletionRequest < Struct.new(
53
+ :key_id)
54
+ include Aws::Structure
55
+ end
56
+
57
+ # @!attribute [rw] key_id
58
+ # The unique identifier of the master key for which deletion is
59
+ # canceled.
60
+ # @return [String]
61
+ class CancelKeyDeletionResponse < Struct.new(
62
+ :key_id)
63
+ include Aws::Structure
64
+ end
65
+
66
+ # @note When making an API call, pass CreateAliasRequest
67
+ # data as a hash:
68
+ #
69
+ # {
70
+ # alias_name: "AliasNameType", # required
71
+ # target_key_id: "KeyIdType", # required
72
+ # }
73
+ # @!attribute [rw] alias_name
74
+ # String that contains the display name. The name must start with the
75
+ # word "alias" followed by a forward slash (alias/). Aliases that
76
+ # begin with "alias/AWS" are reserved.
77
+ # @return [String]
78
+ #
79
+ # @!attribute [rw] target_key_id
80
+ # An identifier of the key for which you are creating the alias. This
81
+ # value cannot be another alias but can be a globally unique
82
+ # identifier or a fully specified ARN to a key.
83
+ #
84
+ # * Key ARN Example -
85
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
86
+ #
87
+ # * Globally Unique Key ID Example -
88
+ # 12345678-1234-1234-1234-123456789012
89
+ # @return [String]
90
+ class CreateAliasRequest < Struct.new(
91
+ :alias_name,
92
+ :target_key_id)
93
+ include Aws::Structure
94
+ end
95
+
96
+ # @note When making an API call, pass CreateGrantRequest
97
+ # data as a hash:
98
+ #
99
+ # {
100
+ # key_id: "KeyIdType", # required
101
+ # grantee_principal: "PrincipalIdType", # required
102
+ # retiring_principal: "PrincipalIdType",
103
+ # operations: ["Decrypt"], # accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
104
+ # constraints: {
105
+ # encryption_context_subset: {
106
+ # "EncryptionContextKey" => "EncryptionContextValue",
107
+ # },
108
+ # encryption_context_equals: {
109
+ # "EncryptionContextKey" => "EncryptionContextValue",
110
+ # },
111
+ # },
112
+ # grant_tokens: ["GrantTokenType"],
113
+ # name: "GrantNameType",
114
+ # }
115
+ # @!attribute [rw] key_id
116
+ # The unique identifier for the customer master key (CMK) that the
117
+ # grant applies to.
118
+ #
119
+ # To specify this value, use the globally unique key ID or the Amazon
120
+ # Resource Name (ARN) of the key. Examples:
121
+ #
122
+ # * Globally unique key ID: 12345678-1234-1234-1234-123456789012
123
+ #
124
+ # * Key ARN:
125
+ # arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012
126
+ # @return [String]
127
+ #
128
+ # @!attribute [rw] grantee_principal
129
+ # The principal that is given permission to perform the operations
130
+ # that the grant permits.
131
+ #
132
+ # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
133
+ # an AWS principal. Valid AWS principals include AWS accounts (root),
134
+ # IAM users, federated users, and assumed role users. For examples of
135
+ # the ARN syntax to use for specifying a principal, see [AWS Identity
136
+ # and Access Management (IAM)][2] in the Example ARNs section of the
137
+ # *AWS General Reference*.
138
+ #
139
+ #
140
+ #
141
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
142
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
143
+ # @return [String]
144
+ #
145
+ # @!attribute [rw] retiring_principal
146
+ # The principal that is given permission to retire the grant by using
147
+ # RetireGrant operation.
148
+ #
149
+ # To specify the principal, use the [Amazon Resource Name (ARN)][1] of
150
+ # an AWS principal. Valid AWS principals include AWS accounts (root),
151
+ # IAM users, federated users, and assumed role users. For examples of
152
+ # the ARN syntax to use for specifying a principal, see [AWS Identity
153
+ # and Access Management (IAM)][2] in the Example ARNs section of the
154
+ # *AWS General Reference*.
155
+ #
156
+ #
157
+ #
158
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
159
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
160
+ # @return [String]
161
+ #
162
+ # @!attribute [rw] operations
163
+ # A list of operations that the grant permits. The list can contain
164
+ # any combination of one or more of the following values:
165
+ #
166
+ # * Decrypt
167
+ #
168
+ # * Encrypt
169
+ #
170
+ # * GenerateDataKey
171
+ #
172
+ # * GenerateDataKeyWithoutPlaintext
173
+ #
174
+ # * [ReEncryptFrom][1]
175
+ #
176
+ # * [ReEncryptTo][1]
177
+ #
178
+ # * CreateGrant
179
+ #
180
+ # * RetireGrant
181
+ #
182
+ # * DescribeKey
183
+ #
184
+ #
185
+ #
186
+ # [1]: http://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html
187
+ # @return [Array<String>]
188
+ #
189
+ # @!attribute [rw] constraints
190
+ # The conditions under which the operations permitted by the grant are
191
+ # allowed.
192
+ #
193
+ # You can use this value to allow the operations permitted by the
194
+ # grant only when a specified encryption context is present. For more
195
+ # information, see [Encryption Context][1] in the *AWS Key Management
196
+ # Service Developer Guide*.
197
+ #
198
+ #
199
+ #
200
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
201
+ # @return [Types::GrantConstraints]
202
+ #
203
+ # @!attribute [rw] grant_tokens
204
+ # A list of grant tokens.
205
+ #
206
+ # For more information, see [Grant Tokens][1] in the *AWS Key
207
+ # Management Service Developer Guide*.
208
+ #
209
+ #
210
+ #
211
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
212
+ # @return [Array<String>]
213
+ #
214
+ # @!attribute [rw] name
215
+ # A friendly name for identifying the grant. Use this value to prevent
216
+ # unintended creation of duplicate grants when retrying this request.
217
+ #
218
+ # When this value is absent, all `CreateGrant` requests result in a
219
+ # new grant with a unique `GrantId` even if all the supplied
220
+ # parameters are identical. This can result in unintended duplicates
221
+ # when you retry the `CreateGrant` request.
222
+ #
223
+ # When this value is present, you can retry a `CreateGrant` request
224
+ # with identical parameters; if the grant already exists, the original
225
+ # `GrantId` is returned without creating a new grant. Note that the
226
+ # returned grant token is unique with every `CreateGrant` request,
227
+ # even when a duplicate `GrantId` is returned. All grant tokens
228
+ # obtained in this way can be used interchangeably.
229
+ # @return [String]
230
+ class CreateGrantRequest < Struct.new(
231
+ :key_id,
232
+ :grantee_principal,
233
+ :retiring_principal,
234
+ :operations,
235
+ :constraints,
236
+ :grant_tokens,
237
+ :name)
238
+ include Aws::Structure
239
+ end
240
+
241
+ # @!attribute [rw] grant_token
242
+ # The grant token.
243
+ #
244
+ # For more information, see [Grant Tokens][1] in the *AWS Key
245
+ # Management Service Developer Guide*.
246
+ #
247
+ #
248
+ #
249
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
250
+ # @return [String]
251
+ #
252
+ # @!attribute [rw] grant_id
253
+ # The unique identifier for the grant.
254
+ #
255
+ # You can use the `GrantId` in a subsequent RetireGrant or RevokeGrant
256
+ # operation.
257
+ # @return [String]
258
+ class CreateGrantResponse < Struct.new(
259
+ :grant_token,
260
+ :grant_id)
261
+ include Aws::Structure
262
+ end
263
+
264
+ # @note When making an API call, pass CreateKeyRequest
265
+ # data as a hash:
266
+ #
267
+ # {
268
+ # policy: "PolicyType",
269
+ # description: "DescriptionType",
270
+ # key_usage: "ENCRYPT_DECRYPT", # accepts ENCRYPT_DECRYPT
271
+ # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL
272
+ # bypass_policy_lockout_safety_check: false,
273
+ # }
274
+ # @!attribute [rw] policy
275
+ # The key policy to attach to the CMK.
276
+ #
277
+ # If you specify a policy and do not set
278
+ # `BypassPolicyLockoutSafetyCheck` to true, the policy must meet the
279
+ # following criteria:
280
+ #
281
+ # * It must allow the principal making the `CreateKey` request to make
282
+ # a subsequent PutKeyPolicy request on the CMK. This reduces the
283
+ # likelihood that the CMK becomes unmanageable. For more
284
+ # information, refer to the scenario in the [Default Key Policy][1]
285
+ # section in the *AWS Key Management Service Developer Guide*.
286
+ #
287
+ # * The principal(s) specified in the key policy must exist and be
288
+ # visible to AWS KMS. When you create a new AWS principal (for
289
+ # example, an IAM user or role), you might need to enforce a delay
290
+ # before specifying the new principal in a key policy because the
291
+ # new principal might not immediately be visible to AWS KMS. For
292
+ # more information, see [Changes that I make are not always
293
+ # immediately visible][2] in the *IAM User Guide*.
294
+ #
295
+ # If you do not specify a policy, AWS KMS attaches a default key
296
+ # policy to the CMK. For more information, see [Default Key Policy][3]
297
+ # in the *AWS Key Management Service Developer Guide*.
298
+ #
299
+ # The policy size limit is 32 KiB (32768 bytes).
300
+ #
301
+ #
302
+ #
303
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
304
+ # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
305
+ # [3]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
306
+ # @return [String]
307
+ #
308
+ # @!attribute [rw] description
309
+ # A description of the CMK.
310
+ #
311
+ # Use a description that helps you decide whether the CMK is
312
+ # appropriate for a task.
313
+ # @return [String]
314
+ #
315
+ # @!attribute [rw] key_usage
316
+ # The intended use of the CMK.
317
+ #
318
+ # You can use CMKs only for symmetric encryption and decryption.
319
+ # @return [String]
320
+ #
321
+ # @!attribute [rw] origin
322
+ # The source of the CMK's key material.
323
+ #
324
+ # The default is `AWS_KMS`, which means AWS KMS creates the key
325
+ # material. When this parameter is set to `EXTERNAL`, the request
326
+ # creates a CMK without key material so that you can import key
327
+ # material from your existing key management infrastructure. For more
328
+ # information about importing key material into AWS KMS, see
329
+ # [Importing Key Material][1] in the *AWS Key Management Service
330
+ # Developer Guide*.
331
+ #
332
+ # The CMK's `Origin` is immutable and is set when the CMK is created.
333
+ #
334
+ #
335
+ #
336
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
337
+ # @return [String]
338
+ #
339
+ # @!attribute [rw] bypass_policy_lockout_safety_check
340
+ # A flag to indicate whether to bypass the key policy lockout safety
341
+ # check.
342
+ #
343
+ # Setting this value to true increases the likelihood that the CMK
344
+ # becomes unmanageable. Do not set this value to true
345
+ # indiscriminately.
346
+ #
347
+ # For more information, refer to the scenario in the [Default Key
348
+ # Policy][1] section in the *AWS Key Management Service Developer
349
+ # Guide*.
350
+ #
351
+ # Use this parameter only when you include a policy in the request and
352
+ # you intend to prevent the principal making the request from making a
353
+ # subsequent PutKeyPolicy request on the CMK.
354
+ #
355
+ # The default value is false.
356
+ #
357
+ #
358
+ #
359
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
360
+ # @return [Boolean]
361
+ class CreateKeyRequest < Struct.new(
362
+ :policy,
363
+ :description,
364
+ :key_usage,
365
+ :origin,
366
+ :bypass_policy_lockout_safety_check)
367
+ include Aws::Structure
368
+ end
369
+
370
+ # @!attribute [rw] key_metadata
371
+ # Metadata associated with the CMK.
372
+ # @return [Types::KeyMetadata]
373
+ class CreateKeyResponse < Struct.new(
374
+ :key_metadata)
375
+ include Aws::Structure
376
+ end
377
+
378
+ # @note When making an API call, pass DecryptRequest
379
+ # data as a hash:
380
+ #
381
+ # {
382
+ # ciphertext_blob: "data", # required
383
+ # encryption_context: {
384
+ # "EncryptionContextKey" => "EncryptionContextValue",
385
+ # },
386
+ # grant_tokens: ["GrantTokenType"],
387
+ # }
388
+ # @!attribute [rw] ciphertext_blob
389
+ # Ciphertext to be decrypted. The blob includes metadata.
390
+ # @return [String]
391
+ #
392
+ # @!attribute [rw] encryption_context
393
+ # The encryption context. If this was specified in the Encrypt
394
+ # function, it must be specified here or the decryption operation will
395
+ # fail. For more information, see [Encryption Context][1].
396
+ #
397
+ #
398
+ #
399
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
400
+ # @return [Hash<String,String>]
401
+ #
402
+ # @!attribute [rw] grant_tokens
403
+ # A list of grant tokens.
404
+ #
405
+ # For more information, see [Grant Tokens][1] in the *AWS Key
406
+ # Management Service Developer Guide*.
407
+ #
408
+ #
409
+ #
410
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
411
+ # @return [Array<String>]
412
+ class DecryptRequest < Struct.new(
413
+ :ciphertext_blob,
414
+ :encryption_context,
415
+ :grant_tokens)
416
+ include Aws::Structure
417
+ end
418
+
419
+ # @!attribute [rw] key_id
420
+ # ARN of the key used to perform the decryption. This value is
421
+ # returned if no errors are encountered during the operation.
422
+ # @return [String]
423
+ #
424
+ # @!attribute [rw] plaintext
425
+ # Decrypted plaintext data. This value may not be returned if the
426
+ # customer master key is not available or if you didn't have
427
+ # permission to use it.
428
+ # @return [String]
429
+ class DecryptResponse < Struct.new(
430
+ :key_id,
431
+ :plaintext)
432
+ include Aws::Structure
433
+ end
434
+
435
+ # @note When making an API call, pass DeleteAliasRequest
436
+ # data as a hash:
437
+ #
438
+ # {
439
+ # alias_name: "AliasNameType", # required
440
+ # }
441
+ # @!attribute [rw] alias_name
442
+ # The alias to be deleted. The name must start with the word "alias"
443
+ # followed by a forward slash (alias/). Aliases that begin with
444
+ # "alias/AWS" are reserved.
445
+ # @return [String]
446
+ class DeleteAliasRequest < Struct.new(
447
+ :alias_name)
448
+ include Aws::Structure
449
+ end
450
+
451
+ # @note When making an API call, pass DeleteImportedKeyMaterialRequest
452
+ # data as a hash:
453
+ #
454
+ # {
455
+ # key_id: "KeyIdType", # required
456
+ # }
457
+ # @!attribute [rw] key_id
458
+ # The identifier of the CMK whose key material to delete. The CMK's
459
+ # `Origin` must be `EXTERNAL`.
460
+ #
461
+ # A valid identifier is the unique key ID or the Amazon Resource Name
462
+ # (ARN) of the CMK. Examples:
463
+ #
464
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
465
+ #
466
+ # * Key ARN:
467
+ # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
468
+ # @return [String]
469
+ class DeleteImportedKeyMaterialRequest < Struct.new(
470
+ :key_id)
471
+ include Aws::Structure
472
+ end
473
+
474
+ # @note When making an API call, pass DescribeKeyRequest
475
+ # data as a hash:
476
+ #
477
+ # {
478
+ # key_id: "KeyIdType", # required
479
+ # grant_tokens: ["GrantTokenType"],
480
+ # }
481
+ # @!attribute [rw] key_id
482
+ # A unique identifier for the customer master key. This value can be a
483
+ # globally unique identifier, a fully specified ARN to either an alias
484
+ # or a key, or an alias name prefixed by "alias/".
485
+ #
486
+ # * Key ARN Example -
487
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
488
+ #
489
+ # * Alias ARN Example -
490
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
491
+ #
492
+ # * Globally Unique Key ID Example -
493
+ # 12345678-1234-1234-1234-123456789012
494
+ #
495
+ # * Alias Name Example - alias/MyAliasName
496
+ # @return [String]
497
+ #
498
+ # @!attribute [rw] grant_tokens
499
+ # A list of grant tokens.
500
+ #
501
+ # For more information, see [Grant Tokens][1] in the *AWS Key
502
+ # Management Service Developer Guide*.
503
+ #
504
+ #
505
+ #
506
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
507
+ # @return [Array<String>]
508
+ class DescribeKeyRequest < Struct.new(
509
+ :key_id,
510
+ :grant_tokens)
511
+ include Aws::Structure
512
+ end
513
+
514
+ # @!attribute [rw] key_metadata
515
+ # Metadata associated with the key.
516
+ # @return [Types::KeyMetadata]
517
+ class DescribeKeyResponse < Struct.new(
518
+ :key_metadata)
519
+ include Aws::Structure
520
+ end
521
+
522
+ # @note When making an API call, pass DisableKeyRequest
523
+ # data as a hash:
524
+ #
525
+ # {
526
+ # key_id: "KeyIdType", # required
527
+ # }
528
+ # @!attribute [rw] key_id
529
+ # A unique identifier for the CMK.
530
+ #
531
+ # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
532
+ # For example:
533
+ #
534
+ # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
535
+ #
536
+ # * ARN:
537
+ # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
538
+ # @return [String]
539
+ class DisableKeyRequest < Struct.new(
540
+ :key_id)
541
+ include Aws::Structure
542
+ end
543
+
544
+ # @note When making an API call, pass DisableKeyRotationRequest
545
+ # data as a hash:
546
+ #
547
+ # {
548
+ # key_id: "KeyIdType", # required
549
+ # }
550
+ # @!attribute [rw] key_id
551
+ # A unique identifier for the customer master key. This value can be a
552
+ # globally unique identifier or the fully specified ARN to a key.
553
+ #
554
+ # * Key ARN Example -
555
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
556
+ #
557
+ # * Globally Unique Key ID Example -
558
+ # 12345678-1234-1234-1234-123456789012
559
+ # @return [String]
560
+ class DisableKeyRotationRequest < Struct.new(
561
+ :key_id)
562
+ include Aws::Structure
563
+ end
564
+
565
+ # @note When making an API call, pass EnableKeyRequest
566
+ # data as a hash:
567
+ #
568
+ # {
569
+ # key_id: "KeyIdType", # required
570
+ # }
571
+ # @!attribute [rw] key_id
572
+ # A unique identifier for the customer master key. This value can be a
573
+ # globally unique identifier or the fully specified ARN to a key.
574
+ #
575
+ # * Key ARN Example -
576
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
577
+ #
578
+ # * Globally Unique Key ID Example -
579
+ # 12345678-1234-1234-1234-123456789012
580
+ # @return [String]
581
+ class EnableKeyRequest < Struct.new(
582
+ :key_id)
583
+ include Aws::Structure
584
+ end
585
+
586
+ # @note When making an API call, pass EnableKeyRotationRequest
587
+ # data as a hash:
588
+ #
589
+ # {
590
+ # key_id: "KeyIdType", # required
591
+ # }
592
+ # @!attribute [rw] key_id
593
+ # A unique identifier for the customer master key. This value can be a
594
+ # globally unique identifier or the fully specified ARN to a key.
595
+ #
596
+ # * Key ARN Example -
597
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
598
+ #
599
+ # * Globally Unique Key ID Example -
600
+ # 12345678-1234-1234-1234-123456789012
601
+ # @return [String]
602
+ class EnableKeyRotationRequest < Struct.new(
603
+ :key_id)
604
+ include Aws::Structure
605
+ end
606
+
607
+ # @note When making an API call, pass EncryptRequest
608
+ # data as a hash:
609
+ #
610
+ # {
611
+ # key_id: "KeyIdType", # required
612
+ # plaintext: "data", # required
613
+ # encryption_context: {
614
+ # "EncryptionContextKey" => "EncryptionContextValue",
615
+ # },
616
+ # grant_tokens: ["GrantTokenType"],
617
+ # }
618
+ # @!attribute [rw] key_id
619
+ # A unique identifier for the customer master key. This value can be a
620
+ # globally unique identifier, a fully specified ARN to either an alias
621
+ # or a key, or an alias name prefixed by "alias/".
622
+ #
623
+ # * Key ARN Example -
624
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
625
+ #
626
+ # * Alias ARN Example -
627
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
628
+ #
629
+ # * Globally Unique Key ID Example -
630
+ # 12345678-1234-1234-1234-123456789012
631
+ #
632
+ # * Alias Name Example - alias/MyAliasName
633
+ # @return [String]
634
+ #
635
+ # @!attribute [rw] plaintext
636
+ # Data to be encrypted.
637
+ # @return [String]
638
+ #
639
+ # @!attribute [rw] encryption_context
640
+ # Name-value pair that specifies the encryption context to be used for
641
+ # authenticated encryption. If used here, the same value must be
642
+ # supplied to the `Decrypt` API or decryption will fail. For more
643
+ # information, see [Encryption Context][1].
644
+ #
645
+ #
646
+ #
647
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
648
+ # @return [Hash<String,String>]
649
+ #
650
+ # @!attribute [rw] grant_tokens
651
+ # A list of grant tokens.
652
+ #
653
+ # For more information, see [Grant Tokens][1] in the *AWS Key
654
+ # Management Service Developer Guide*.
655
+ #
656
+ #
657
+ #
658
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
659
+ # @return [Array<String>]
660
+ class EncryptRequest < Struct.new(
661
+ :key_id,
662
+ :plaintext,
663
+ :encryption_context,
664
+ :grant_tokens)
665
+ include Aws::Structure
666
+ end
667
+
668
+ # @!attribute [rw] ciphertext_blob
669
+ # The encrypted plaintext. If you are using the CLI, the value is
670
+ # Base64 encoded. Otherwise, it is not encoded.
671
+ # @return [String]
672
+ #
673
+ # @!attribute [rw] key_id
674
+ # The ID of the key used during encryption.
675
+ # @return [String]
676
+ class EncryptResponse < Struct.new(
677
+ :ciphertext_blob,
678
+ :key_id)
679
+ include Aws::Structure
680
+ end
681
+
682
+ # @note When making an API call, pass GenerateDataKeyRequest
683
+ # data as a hash:
684
+ #
685
+ # {
686
+ # key_id: "KeyIdType", # required
687
+ # encryption_context: {
688
+ # "EncryptionContextKey" => "EncryptionContextValue",
689
+ # },
690
+ # number_of_bytes: 1,
691
+ # key_spec: "AES_256", # accepts AES_256, AES_128
692
+ # grant_tokens: ["GrantTokenType"],
693
+ # }
694
+ # @!attribute [rw] key_id
695
+ # The identifier of the CMK under which to generate and encrypt the
696
+ # data encryption key.
697
+ #
698
+ # A valid identifier is the unique key ID or the Amazon Resource Name
699
+ # (ARN) of the CMK, or the alias name or ARN of an alias that points
700
+ # to the CMK. Examples:
701
+ #
702
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
703
+ #
704
+ # * CMK ARN:
705
+ # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
706
+ #
707
+ # * Alias name: `alias/ExampleAlias`
708
+ #
709
+ # * Alias ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
710
+ # @return [String]
711
+ #
712
+ # @!attribute [rw] encryption_context
713
+ # A set of key-value pairs that represents additional authenticated
714
+ # data.
715
+ #
716
+ # For more information, see [Encryption Context][1] in the *AWS Key
717
+ # Management Service Developer Guide*.
718
+ #
719
+ #
720
+ #
721
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
722
+ # @return [Hash<String,String>]
723
+ #
724
+ # @!attribute [rw] number_of_bytes
725
+ # The length of the data encryption key in bytes. For example, use the
726
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
727
+ # common key lengths (128-bit and 256-bit symmetric keys), we
728
+ # recommend that you use the `KeySpec` field instead of this one.
729
+ # @return [Integer]
730
+ #
731
+ # @!attribute [rw] key_spec
732
+ # The length of the data encryption key. Use `AES_128` to generate a
733
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
734
+ # key.
735
+ # @return [String]
736
+ #
737
+ # @!attribute [rw] grant_tokens
738
+ # A list of grant tokens.
739
+ #
740
+ # For more information, see [Grant Tokens][1] in the *AWS Key
741
+ # Management Service Developer Guide*.
742
+ #
743
+ #
744
+ #
745
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
746
+ # @return [Array<String>]
747
+ class GenerateDataKeyRequest < Struct.new(
748
+ :key_id,
749
+ :encryption_context,
750
+ :number_of_bytes,
751
+ :key_spec,
752
+ :grant_tokens)
753
+ include Aws::Structure
754
+ end
755
+
756
+ # @!attribute [rw] ciphertext_blob
757
+ # The encrypted data encryption key.
758
+ # @return [String]
759
+ #
760
+ # @!attribute [rw] plaintext
761
+ # The data encryption key. Use this data key for local encryption and
762
+ # decryption, then remove it from memory as soon as possible.
763
+ # @return [String]
764
+ #
765
+ # @!attribute [rw] key_id
766
+ # The identifier of the CMK under which the data encryption key was
767
+ # generated and encrypted.
768
+ # @return [String]
769
+ class GenerateDataKeyResponse < Struct.new(
770
+ :ciphertext_blob,
771
+ :plaintext,
772
+ :key_id)
773
+ include Aws::Structure
774
+ end
775
+
776
+ # @note When making an API call, pass GenerateDataKeyWithoutPlaintextRequest
777
+ # data as a hash:
778
+ #
779
+ # {
780
+ # key_id: "KeyIdType", # required
781
+ # encryption_context: {
782
+ # "EncryptionContextKey" => "EncryptionContextValue",
783
+ # },
784
+ # key_spec: "AES_256", # accepts AES_256, AES_128
785
+ # number_of_bytes: 1,
786
+ # grant_tokens: ["GrantTokenType"],
787
+ # }
788
+ # @!attribute [rw] key_id
789
+ # The identifier of the CMK under which to generate and encrypt the
790
+ # data encryption key.
791
+ #
792
+ # A valid identifier is the unique key ID or the Amazon Resource Name
793
+ # (ARN) of the CMK, or the alias name or ARN of an alias that points
794
+ # to the CMK. Examples:
795
+ #
796
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
797
+ #
798
+ # * CMK ARN:
799
+ # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
800
+ #
801
+ # * Alias name: `alias/ExampleAlias`
802
+ #
803
+ # * Alias ARN: `arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias`
804
+ # @return [String]
805
+ #
806
+ # @!attribute [rw] encryption_context
807
+ # A set of key-value pairs that represents additional authenticated
808
+ # data.
809
+ #
810
+ # For more information, see [Encryption Context][1] in the *AWS Key
811
+ # Management Service Developer Guide*.
812
+ #
813
+ #
814
+ #
815
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
816
+ # @return [Hash<String,String>]
817
+ #
818
+ # @!attribute [rw] key_spec
819
+ # The length of the data encryption key. Use `AES_128` to generate a
820
+ # 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
821
+ # key.
822
+ # @return [String]
823
+ #
824
+ # @!attribute [rw] number_of_bytes
825
+ # The length of the data encryption key in bytes. For example, use the
826
+ # value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
827
+ # common key lengths (128-bit and 256-bit symmetric keys), we
828
+ # recommend that you use the `KeySpec` field instead of this one.
829
+ # @return [Integer]
830
+ #
831
+ # @!attribute [rw] grant_tokens
832
+ # A list of grant tokens.
833
+ #
834
+ # For more information, see [Grant Tokens][1] in the *AWS Key
835
+ # Management Service Developer Guide*.
836
+ #
837
+ #
838
+ #
839
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
840
+ # @return [Array<String>]
841
+ class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
842
+ :key_id,
843
+ :encryption_context,
844
+ :key_spec,
845
+ :number_of_bytes,
846
+ :grant_tokens)
847
+ include Aws::Structure
848
+ end
849
+
850
+ # @!attribute [rw] ciphertext_blob
851
+ # The encrypted data encryption key.
852
+ # @return [String]
853
+ #
854
+ # @!attribute [rw] key_id
855
+ # The identifier of the CMK under which the data encryption key was
856
+ # generated and encrypted.
857
+ # @return [String]
858
+ class GenerateDataKeyWithoutPlaintextResponse < Struct.new(
859
+ :ciphertext_blob,
860
+ :key_id)
861
+ include Aws::Structure
862
+ end
863
+
864
+ # @note When making an API call, pass GenerateRandomRequest
865
+ # data as a hash:
866
+ #
867
+ # {
868
+ # number_of_bytes: 1,
869
+ # }
870
+ # @!attribute [rw] number_of_bytes
871
+ # The length of the byte string.
872
+ # @return [Integer]
873
+ class GenerateRandomRequest < Struct.new(
874
+ :number_of_bytes)
875
+ include Aws::Structure
876
+ end
877
+
878
+ # @!attribute [rw] plaintext
879
+ # The unpredictable byte string.
880
+ # @return [String]
881
+ class GenerateRandomResponse < Struct.new(
882
+ :plaintext)
883
+ include Aws::Structure
884
+ end
885
+
886
+ # @note When making an API call, pass GetKeyPolicyRequest
887
+ # data as a hash:
888
+ #
889
+ # {
890
+ # key_id: "KeyIdType", # required
891
+ # policy_name: "PolicyNameType", # required
892
+ # }
893
+ # @!attribute [rw] key_id
894
+ # A unique identifier for the customer master key. This value can be a
895
+ # globally unique identifier or the fully specified ARN to a key.
896
+ #
897
+ # * Key ARN Example -
898
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
899
+ #
900
+ # * Globally Unique Key ID Example -
901
+ # 12345678-1234-1234-1234-123456789012
902
+ # @return [String]
903
+ #
904
+ # @!attribute [rw] policy_name
905
+ # String that contains the name of the policy. Currently, this must be
906
+ # "default". Policy names can be discovered by calling
907
+ # ListKeyPolicies.
908
+ # @return [String]
909
+ class GetKeyPolicyRequest < Struct.new(
910
+ :key_id,
911
+ :policy_name)
912
+ include Aws::Structure
913
+ end
914
+
915
+ # @!attribute [rw] policy
916
+ # A policy document in JSON format.
917
+ # @return [String]
918
+ class GetKeyPolicyResponse < Struct.new(
919
+ :policy)
920
+ include Aws::Structure
921
+ end
922
+
923
+ # @note When making an API call, pass GetKeyRotationStatusRequest
924
+ # data as a hash:
925
+ #
926
+ # {
927
+ # key_id: "KeyIdType", # required
928
+ # }
929
+ # @!attribute [rw] key_id
930
+ # A unique identifier for the customer master key. This value can be a
931
+ # globally unique identifier or the fully specified ARN to a key.
932
+ #
933
+ # * Key ARN Example -
934
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
935
+ #
936
+ # * Globally Unique Key ID Example -
937
+ # 12345678-1234-1234-1234-123456789012
938
+ # @return [String]
939
+ class GetKeyRotationStatusRequest < Struct.new(
940
+ :key_id)
941
+ include Aws::Structure
942
+ end
943
+
944
+ # @!attribute [rw] key_rotation_enabled
945
+ # A Boolean value that specifies whether key rotation is enabled.
946
+ # @return [Boolean]
947
+ class GetKeyRotationStatusResponse < Struct.new(
948
+ :key_rotation_enabled)
949
+ include Aws::Structure
950
+ end
951
+
952
+ # @note When making an API call, pass GetParametersForImportRequest
953
+ # data as a hash:
954
+ #
955
+ # {
956
+ # key_id: "KeyIdType", # required
957
+ # wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
958
+ # wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
959
+ # }
960
+ # @!attribute [rw] key_id
961
+ # The identifier of the CMK into which you will import key material.
962
+ # The CMK's `Origin` must be `EXTERNAL`.
963
+ #
964
+ # A valid identifier is the unique key ID or the Amazon Resource Name
965
+ # (ARN) of the CMK. Examples:
966
+ #
967
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
968
+ #
969
+ # * Key ARN:
970
+ # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
971
+ # @return [String]
972
+ #
973
+ # @!attribute [rw] wrapping_algorithm
974
+ # The algorithm you will use to encrypt the key material before
975
+ # importing it with ImportKeyMaterial. For more information, see
976
+ # [Encrypt the Key Material][1] in the *AWS Key Management Service
977
+ # Developer Guide*.
978
+ #
979
+ #
980
+ #
981
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
982
+ # @return [String]
983
+ #
984
+ # @!attribute [rw] wrapping_key_spec
985
+ # The type of wrapping key (public key) to return in the response.
986
+ # Only 2048-bit RSA public keys are supported.
987
+ # @return [String]
988
+ class GetParametersForImportRequest < Struct.new(
989
+ :key_id,
990
+ :wrapping_algorithm,
991
+ :wrapping_key_spec)
992
+ include Aws::Structure
993
+ end
994
+
995
+ # @!attribute [rw] key_id
996
+ # The identifier of the CMK to use in a subsequent ImportKeyMaterial
997
+ # request. This is the same CMK specified in the
998
+ # `GetParametersForImport` request.
999
+ # @return [String]
1000
+ #
1001
+ # @!attribute [rw] import_token
1002
+ # The import token to send in a subsequent ImportKeyMaterial request.
1003
+ # @return [String]
1004
+ #
1005
+ # @!attribute [rw] public_key
1006
+ # The public key to use to encrypt the key material before importing
1007
+ # it with ImportKeyMaterial.
1008
+ # @return [String]
1009
+ #
1010
+ # @!attribute [rw] parameters_valid_to
1011
+ # The time at which the import token and public key are no longer
1012
+ # valid. After this time, you cannot use them to make an
1013
+ # ImportKeyMaterial request and you must send another
1014
+ # `GetParametersForImport` request to retrieve new ones.
1015
+ # @return [Time]
1016
+ class GetParametersForImportResponse < Struct.new(
1017
+ :key_id,
1018
+ :import_token,
1019
+ :public_key,
1020
+ :parameters_valid_to)
1021
+ include Aws::Structure
1022
+ end
1023
+
1024
+ # A structure for specifying the conditions under which the operations
1025
+ # permitted by the grant are allowed.
1026
+ #
1027
+ # You can use this structure to allow the operations permitted by the
1028
+ # grant only when a specified encryption context is present. For more
1029
+ # information about encryption context, see [Encryption Context][1] in
1030
+ # the *AWS Key Management Service Developer Guide*.
1031
+ #
1032
+ #
1033
+ #
1034
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
1035
+ # @note When making an API call, pass GrantConstraints
1036
+ # data as a hash:
1037
+ #
1038
+ # {
1039
+ # encryption_context_subset: {
1040
+ # "EncryptionContextKey" => "EncryptionContextValue",
1041
+ # },
1042
+ # encryption_context_equals: {
1043
+ # "EncryptionContextKey" => "EncryptionContextValue",
1044
+ # },
1045
+ # }
1046
+ # @!attribute [rw] encryption_context_subset
1047
+ # Contains a list of key-value pairs, a subset of which must be
1048
+ # present in the encryption context of a subsequent operation
1049
+ # permitted by the grant. When a subsequent operation permitted by the
1050
+ # grant includes an encryption context that matches this list or is a
1051
+ # subset of this list, the grant allows the operation. Otherwise, the
1052
+ # operation is not allowed.
1053
+ # @return [Hash<String,String>]
1054
+ #
1055
+ # @!attribute [rw] encryption_context_equals
1056
+ # Contains a list of key-value pairs that must be present in the
1057
+ # encryption context of a subsequent operation permitted by the grant.
1058
+ # When a subsequent operation permitted by the grant includes an
1059
+ # encryption context that matches this list, the grant allows the
1060
+ # operation. Otherwise, the operation is not allowed.
1061
+ # @return [Hash<String,String>]
1062
+ class GrantConstraints < Struct.new(
1063
+ :encryption_context_subset,
1064
+ :encryption_context_equals)
1065
+ include Aws::Structure
1066
+ end
1067
+
1068
+ # Contains information about an entry in a list of grants.
1069
+ # @!attribute [rw] key_id
1070
+ # The unique identifier for the customer master key (CMK) to which the
1071
+ # grant applies.
1072
+ # @return [String]
1073
+ #
1074
+ # @!attribute [rw] grant_id
1075
+ # The unique identifier for the grant.
1076
+ # @return [String]
1077
+ #
1078
+ # @!attribute [rw] name
1079
+ # The friendly name that identifies the grant. If a name was provided
1080
+ # in the CreateGrant request, that name is returned. Otherwise this
1081
+ # value is null.
1082
+ # @return [String]
1083
+ #
1084
+ # @!attribute [rw] creation_date
1085
+ # The date and time when the grant was created.
1086
+ # @return [Time]
1087
+ #
1088
+ # @!attribute [rw] grantee_principal
1089
+ # The principal that receives the grant's permissions.
1090
+ # @return [String]
1091
+ #
1092
+ # @!attribute [rw] retiring_principal
1093
+ # The principal that can retire the grant.
1094
+ # @return [String]
1095
+ #
1096
+ # @!attribute [rw] issuing_account
1097
+ # The AWS account under which the grant was issued.
1098
+ # @return [String]
1099
+ #
1100
+ # @!attribute [rw] operations
1101
+ # The list of operations permitted by the grant.
1102
+ # @return [Array<String>]
1103
+ #
1104
+ # @!attribute [rw] constraints
1105
+ # The conditions under which the grant's operations are allowed.
1106
+ # @return [Types::GrantConstraints]
1107
+ class GrantListEntry < Struct.new(
1108
+ :key_id,
1109
+ :grant_id,
1110
+ :name,
1111
+ :creation_date,
1112
+ :grantee_principal,
1113
+ :retiring_principal,
1114
+ :issuing_account,
1115
+ :operations,
1116
+ :constraints)
1117
+ include Aws::Structure
1118
+ end
1119
+
1120
+ # @note When making an API call, pass ImportKeyMaterialRequest
1121
+ # data as a hash:
1122
+ #
1123
+ # {
1124
+ # key_id: "KeyIdType", # required
1125
+ # import_token: "data", # required
1126
+ # encrypted_key_material: "data", # required
1127
+ # valid_to: Time.now,
1128
+ # expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
1129
+ # }
1130
+ # @!attribute [rw] key_id
1131
+ # The identifier of the CMK to import the key material into. The
1132
+ # CMK's `Origin` must be `EXTERNAL`.
1133
+ #
1134
+ # A valid identifier is the unique key ID or the Amazon Resource Name
1135
+ # (ARN) of the CMK. Examples:
1136
+ #
1137
+ # * Unique key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1138
+ #
1139
+ # * Key ARN:
1140
+ # `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1141
+ # @return [String]
1142
+ #
1143
+ # @!attribute [rw] import_token
1144
+ # The import token that you received in the response to a previous
1145
+ # GetParametersForImport request. It must be from the same response
1146
+ # that contained the public key that you used to encrypt the key
1147
+ # material.
1148
+ # @return [String]
1149
+ #
1150
+ # @!attribute [rw] encrypted_key_material
1151
+ # The encrypted key material to import. It must be encrypted with the
1152
+ # public key that you received in the response to a previous
1153
+ # GetParametersForImport request, using the wrapping algorithm that
1154
+ # you specified in that request.
1155
+ # @return [String]
1156
+ #
1157
+ # @!attribute [rw] valid_to
1158
+ # The time at which the imported key material expires. When the key
1159
+ # material expires, AWS KMS deletes the key material and the CMK
1160
+ # becomes unusable. You must omit this parameter when the
1161
+ # `ExpirationModel` parameter is set to
1162
+ # `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
1163
+ # @return [Time]
1164
+ #
1165
+ # @!attribute [rw] expiration_model
1166
+ # Specifies whether the key material expires. The default is
1167
+ # `KEY_MATERIAL_EXPIRES`, in which case you must include the `ValidTo`
1168
+ # parameter. When this parameter is set to
1169
+ # `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
1170
+ # parameter.
1171
+ # @return [String]
1172
+ class ImportKeyMaterialRequest < Struct.new(
1173
+ :key_id,
1174
+ :import_token,
1175
+ :encrypted_key_material,
1176
+ :valid_to,
1177
+ :expiration_model)
1178
+ include Aws::Structure
1179
+ end
1180
+
1181
+ class ImportKeyMaterialResponse < Aws::EmptyStructure; end
1182
+
1183
+ # Contains information about each entry in the key list.
1184
+ # @!attribute [rw] key_id
1185
+ # Unique identifier of the key.
1186
+ # @return [String]
1187
+ #
1188
+ # @!attribute [rw] key_arn
1189
+ # ARN of the key.
1190
+ # @return [String]
1191
+ class KeyListEntry < Struct.new(
1192
+ :key_id,
1193
+ :key_arn)
1194
+ include Aws::Structure
1195
+ end
1196
+
1197
+ # Contains metadata about a customer master key (CMK).
1198
+ #
1199
+ # This data type is used as a response element for the CreateKey and
1200
+ # DescribeKey operations.
1201
+ # @!attribute [rw] aws_account_id
1202
+ # The twelve-digit account ID of the AWS account that owns the CMK.
1203
+ # @return [String]
1204
+ #
1205
+ # @!attribute [rw] key_id
1206
+ # The globally unique identifier for the CMK.
1207
+ # @return [String]
1208
+ #
1209
+ # @!attribute [rw] arn
1210
+ # The Amazon Resource Name (ARN) of the CMK. For examples, see [AWS
1211
+ # Key Management Service (AWS KMS)][1] in the Example ARNs section of
1212
+ # the *AWS General Reference*.
1213
+ #
1214
+ #
1215
+ #
1216
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
1217
+ # @return [String]
1218
+ #
1219
+ # @!attribute [rw] creation_date
1220
+ # The date and time when the CMK was created.
1221
+ # @return [Time]
1222
+ #
1223
+ # @!attribute [rw] enabled
1224
+ # Specifies whether the CMK is enabled. When `KeyState` is `Enabled`
1225
+ # this value is true, otherwise it is false.
1226
+ # @return [Boolean]
1227
+ #
1228
+ # @!attribute [rw] description
1229
+ # The description of the CMK.
1230
+ # @return [String]
1231
+ #
1232
+ # @!attribute [rw] key_usage
1233
+ # The cryptographic operations for which you can use the CMK.
1234
+ # Currently the only allowed value is `ENCRYPT_DECRYPT`, which means
1235
+ # you can use the CMK for the Encrypt and Decrypt operations.
1236
+ # @return [String]
1237
+ #
1238
+ # @!attribute [rw] key_state
1239
+ # The state of the CMK.
1240
+ #
1241
+ # For more information about how key state affects the use of a CMK,
1242
+ # see [How Key State Affects the Use of a Customer Master Key][1] in
1243
+ # the *AWS Key Management Service Developer Guide*.
1244
+ #
1245
+ #
1246
+ #
1247
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
1248
+ # @return [String]
1249
+ #
1250
+ # @!attribute [rw] deletion_date
1251
+ # The date and time after which AWS KMS deletes the CMK. This value is
1252
+ # present only when `KeyState` is `PendingDeletion`, otherwise this
1253
+ # value is omitted.
1254
+ # @return [Time]
1255
+ #
1256
+ # @!attribute [rw] valid_to
1257
+ # The time at which the imported key material expires. When the key
1258
+ # material expires, AWS KMS deletes the key material and the CMK
1259
+ # becomes unusable. This value is present only for CMKs whose `Origin`
1260
+ # is `EXTERNAL` and whose `ExpirationModel` is `KEY_MATERIAL_EXPIRES`,
1261
+ # otherwise this value is omitted.
1262
+ # @return [Time]
1263
+ #
1264
+ # @!attribute [rw] origin
1265
+ # The source of the CMK's key material. When this value is `AWS_KMS`,
1266
+ # AWS KMS created the key material. When this value is `EXTERNAL`, the
1267
+ # key material was imported from your existing key management
1268
+ # infrastructure or the CMK lacks key material.
1269
+ # @return [String]
1270
+ #
1271
+ # @!attribute [rw] expiration_model
1272
+ # Specifies whether the CMK's key material expires. This value is
1273
+ # present only when `Origin` is `EXTERNAL`, otherwise this value is
1274
+ # omitted.
1275
+ # @return [String]
1276
+ class KeyMetadata < Struct.new(
1277
+ :aws_account_id,
1278
+ :key_id,
1279
+ :arn,
1280
+ :creation_date,
1281
+ :enabled,
1282
+ :description,
1283
+ :key_usage,
1284
+ :key_state,
1285
+ :deletion_date,
1286
+ :valid_to,
1287
+ :origin,
1288
+ :expiration_model)
1289
+ include Aws::Structure
1290
+ end
1291
+
1292
+ # @note When making an API call, pass ListAliasesRequest
1293
+ # data as a hash:
1294
+ #
1295
+ # {
1296
+ # limit: 1,
1297
+ # marker: "MarkerType",
1298
+ # }
1299
+ # @!attribute [rw] limit
1300
+ # When paginating results, specify the maximum number of items to
1301
+ # return in the response. If additional items exist beyond the number
1302
+ # you specify, the `Truncated` element in the response is set to true.
1303
+ #
1304
+ # This value is optional. If you include a value, it must be between 1
1305
+ # and 100, inclusive. If you do not include a value, it defaults to
1306
+ # 50.
1307
+ # @return [Integer]
1308
+ #
1309
+ # @!attribute [rw] marker
1310
+ # Use this parameter only when paginating results and only in a
1311
+ # subsequent request after you receive a response with truncated
1312
+ # results. Set it to the value of `NextMarker` from the response you
1313
+ # just received.
1314
+ # @return [String]
1315
+ class ListAliasesRequest < Struct.new(
1316
+ :limit,
1317
+ :marker)
1318
+ include Aws::Structure
1319
+ end
1320
+
1321
+ # @!attribute [rw] aliases
1322
+ # A list of key aliases in the user's account.
1323
+ # @return [Array<Types::AliasListEntry>]
1324
+ #
1325
+ # @!attribute [rw] next_marker
1326
+ # When `Truncated` is true, this value is present and contains the
1327
+ # value to use for the `Marker` parameter in a subsequent pagination
1328
+ # request.
1329
+ # @return [String]
1330
+ #
1331
+ # @!attribute [rw] truncated
1332
+ # A flag that indicates whether there are more items in the list. If
1333
+ # your results were truncated, you can use the `Marker` parameter to
1334
+ # make a subsequent pagination request to retrieve more items in the
1335
+ # list.
1336
+ # @return [Boolean]
1337
+ class ListAliasesResponse < Struct.new(
1338
+ :aliases,
1339
+ :next_marker,
1340
+ :truncated)
1341
+ include Aws::Structure
1342
+ end
1343
+
1344
+ # @note When making an API call, pass ListGrantsRequest
1345
+ # data as a hash:
1346
+ #
1347
+ # {
1348
+ # limit: 1,
1349
+ # marker: "MarkerType",
1350
+ # key_id: "KeyIdType", # required
1351
+ # }
1352
+ # @!attribute [rw] limit
1353
+ # When paginating results, specify the maximum number of items to
1354
+ # return in the response. If additional items exist beyond the number
1355
+ # you specify, the `Truncated` element in the response is set to true.
1356
+ #
1357
+ # This value is optional. If you include a value, it must be between 1
1358
+ # and 100, inclusive. If you do not include a value, it defaults to
1359
+ # 50.
1360
+ # @return [Integer]
1361
+ #
1362
+ # @!attribute [rw] marker
1363
+ # Use this parameter only when paginating results and only in a
1364
+ # subsequent request after you receive a response with truncated
1365
+ # results. Set it to the value of `NextMarker` from the response you
1366
+ # just received.
1367
+ # @return [String]
1368
+ #
1369
+ # @!attribute [rw] key_id
1370
+ # A unique identifier for the customer master key. This value can be a
1371
+ # globally unique identifier or the fully specified ARN to a key.
1372
+ #
1373
+ # * Key ARN Example -
1374
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1375
+ #
1376
+ # * Globally Unique Key ID Example -
1377
+ # 12345678-1234-1234-1234-123456789012
1378
+ # @return [String]
1379
+ class ListGrantsRequest < Struct.new(
1380
+ :limit,
1381
+ :marker,
1382
+ :key_id)
1383
+ include Aws::Structure
1384
+ end
1385
+
1386
+ # @!attribute [rw] grants
1387
+ # A list of grants.
1388
+ # @return [Array<Types::GrantListEntry>]
1389
+ #
1390
+ # @!attribute [rw] next_marker
1391
+ # When `Truncated` is true, this value is present and contains the
1392
+ # value to use for the `Marker` parameter in a subsequent pagination
1393
+ # request.
1394
+ # @return [String]
1395
+ #
1396
+ # @!attribute [rw] truncated
1397
+ # A flag that indicates whether there are more items in the list. If
1398
+ # your results were truncated, you can use the `Marker` parameter to
1399
+ # make a subsequent pagination request to retrieve more items in the
1400
+ # list.
1401
+ # @return [Boolean]
1402
+ class ListGrantsResponse < Struct.new(
1403
+ :grants,
1404
+ :next_marker,
1405
+ :truncated)
1406
+ include Aws::Structure
1407
+ end
1408
+
1409
+ # @note When making an API call, pass ListKeyPoliciesRequest
1410
+ # data as a hash:
1411
+ #
1412
+ # {
1413
+ # key_id: "KeyIdType", # required
1414
+ # limit: 1,
1415
+ # marker: "MarkerType",
1416
+ # }
1417
+ # @!attribute [rw] key_id
1418
+ # A unique identifier for the customer master key. This value can be a
1419
+ # globally unique identifier, a fully specified ARN to either an alias
1420
+ # or a key, or an alias name prefixed by "alias/".
1421
+ #
1422
+ # * Key ARN Example -
1423
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1424
+ #
1425
+ # * Alias ARN Example -
1426
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
1427
+ #
1428
+ # * Globally Unique Key ID Example -
1429
+ # 12345678-1234-1234-1234-123456789012
1430
+ #
1431
+ # * Alias Name Example - alias/MyAliasName
1432
+ # @return [String]
1433
+ #
1434
+ # @!attribute [rw] limit
1435
+ # When paginating results, specify the maximum number of items to
1436
+ # return in the response. If additional items exist beyond the number
1437
+ # you specify, the `Truncated` element in the response is set to true.
1438
+ #
1439
+ # This value is optional. If you include a value, it must be between 1
1440
+ # and 1000, inclusive. If you do not include a value, it defaults to
1441
+ # 100.
1442
+ #
1443
+ # Currently only 1 policy can be attached to a key.
1444
+ # @return [Integer]
1445
+ #
1446
+ # @!attribute [rw] marker
1447
+ # Use this parameter only when paginating results and only in a
1448
+ # subsequent request after you receive a response with truncated
1449
+ # results. Set it to the value of `NextMarker` from the response you
1450
+ # just received.
1451
+ # @return [String]
1452
+ class ListKeyPoliciesRequest < Struct.new(
1453
+ :key_id,
1454
+ :limit,
1455
+ :marker)
1456
+ include Aws::Structure
1457
+ end
1458
+
1459
+ # @!attribute [rw] policy_names
1460
+ # A list of policy names. Currently, there is only one policy and it
1461
+ # is named "Default".
1462
+ # @return [Array<String>]
1463
+ #
1464
+ # @!attribute [rw] next_marker
1465
+ # When `Truncated` is true, this value is present and contains the
1466
+ # value to use for the `Marker` parameter in a subsequent pagination
1467
+ # request.
1468
+ # @return [String]
1469
+ #
1470
+ # @!attribute [rw] truncated
1471
+ # A flag that indicates whether there are more items in the list. If
1472
+ # your results were truncated, you can use the `Marker` parameter to
1473
+ # make a subsequent pagination request to retrieve more items in the
1474
+ # list.
1475
+ # @return [Boolean]
1476
+ class ListKeyPoliciesResponse < Struct.new(
1477
+ :policy_names,
1478
+ :next_marker,
1479
+ :truncated)
1480
+ include Aws::Structure
1481
+ end
1482
+
1483
+ # @note When making an API call, pass ListKeysRequest
1484
+ # data as a hash:
1485
+ #
1486
+ # {
1487
+ # limit: 1,
1488
+ # marker: "MarkerType",
1489
+ # }
1490
+ # @!attribute [rw] limit
1491
+ # When paginating results, specify the maximum number of items to
1492
+ # return in the response. If additional items exist beyond the number
1493
+ # you specify, the `Truncated` element in the response is set to true.
1494
+ #
1495
+ # This value is optional. If you include a value, it must be between 1
1496
+ # and 1000, inclusive. If you do not include a value, it defaults to
1497
+ # 100.
1498
+ # @return [Integer]
1499
+ #
1500
+ # @!attribute [rw] marker
1501
+ # Use this parameter only when paginating results and only in a
1502
+ # subsequent request after you receive a response with truncated
1503
+ # results. Set it to the value of `NextMarker` from the response you
1504
+ # just received.
1505
+ # @return [String]
1506
+ class ListKeysRequest < Struct.new(
1507
+ :limit,
1508
+ :marker)
1509
+ include Aws::Structure
1510
+ end
1511
+
1512
+ # @!attribute [rw] keys
1513
+ # A list of keys.
1514
+ # @return [Array<Types::KeyListEntry>]
1515
+ #
1516
+ # @!attribute [rw] next_marker
1517
+ # When `Truncated` is true, this value is present and contains the
1518
+ # value to use for the `Marker` parameter in a subsequent pagination
1519
+ # request.
1520
+ # @return [String]
1521
+ #
1522
+ # @!attribute [rw] truncated
1523
+ # A flag that indicates whether there are more items in the list. If
1524
+ # your results were truncated, you can use the `Marker` parameter to
1525
+ # make a subsequent pagination request to retrieve more items in the
1526
+ # list.
1527
+ # @return [Boolean]
1528
+ class ListKeysResponse < Struct.new(
1529
+ :keys,
1530
+ :next_marker,
1531
+ :truncated)
1532
+ include Aws::Structure
1533
+ end
1534
+
1535
+ # @note When making an API call, pass ListRetirableGrantsRequest
1536
+ # data as a hash:
1537
+ #
1538
+ # {
1539
+ # limit: 1,
1540
+ # marker: "MarkerType",
1541
+ # retiring_principal: "PrincipalIdType", # required
1542
+ # }
1543
+ # @!attribute [rw] limit
1544
+ # When paginating results, specify the maximum number of items to
1545
+ # return in the response. If additional items exist beyond the number
1546
+ # you specify, the `Truncated` element in the response is set to true.
1547
+ #
1548
+ # This value is optional. If you include a value, it must be between 1
1549
+ # and 100, inclusive. If you do not include a value, it defaults to
1550
+ # 50.
1551
+ # @return [Integer]
1552
+ #
1553
+ # @!attribute [rw] marker
1554
+ # Use this parameter only when paginating results and only in a
1555
+ # subsequent request after you receive a response with truncated
1556
+ # results. Set it to the value of `NextMarker` from the response you
1557
+ # just received.
1558
+ # @return [String]
1559
+ #
1560
+ # @!attribute [rw] retiring_principal
1561
+ # The retiring principal for which to list grants.
1562
+ #
1563
+ # To specify the retiring principal, use the [Amazon Resource Name
1564
+ # (ARN)][1] of an AWS principal. Valid AWS principals include AWS
1565
+ # accounts (root), IAM users, federated users, and assumed role users.
1566
+ # For examples of the ARN syntax for specifying a principal, see [AWS
1567
+ # Identity and Access Management (IAM)][2] in the Example ARNs section
1568
+ # of the *Amazon Web Services General Reference*.
1569
+ #
1570
+ #
1571
+ #
1572
+ # [1]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
1573
+ # [2]: http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
1574
+ # @return [String]
1575
+ class ListRetirableGrantsRequest < Struct.new(
1576
+ :limit,
1577
+ :marker,
1578
+ :retiring_principal)
1579
+ include Aws::Structure
1580
+ end
1581
+
1582
+ # @note When making an API call, pass PutKeyPolicyRequest
1583
+ # data as a hash:
1584
+ #
1585
+ # {
1586
+ # key_id: "KeyIdType", # required
1587
+ # policy_name: "PolicyNameType", # required
1588
+ # policy: "PolicyType", # required
1589
+ # bypass_policy_lockout_safety_check: false,
1590
+ # }
1591
+ # @!attribute [rw] key_id
1592
+ # A unique identifier for the CMK.
1593
+ #
1594
+ # Use the CMK's unique identifier or its Amazon Resource Name (ARN).
1595
+ # For example:
1596
+ #
1597
+ # * Unique ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1598
+ #
1599
+ # * ARN:
1600
+ # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1601
+ # @return [String]
1602
+ #
1603
+ # @!attribute [rw] policy_name
1604
+ # The name of the key policy.
1605
+ #
1606
+ # This value must be `default`.
1607
+ # @return [String]
1608
+ #
1609
+ # @!attribute [rw] policy
1610
+ # The key policy to attach to the CMK.
1611
+ #
1612
+ # If you do not set `BypassPolicyLockoutSafetyCheck` to true, the
1613
+ # policy must meet the following criteria:
1614
+ #
1615
+ # * It must allow the principal making the `PutKeyPolicy` request to
1616
+ # make a subsequent `PutKeyPolicy` request on the CMK. This reduces
1617
+ # the likelihood that the CMK becomes unmanageable. For more
1618
+ # information, refer to the scenario in the [Default Key Policy][1]
1619
+ # section in the *AWS Key Management Service Developer Guide*.
1620
+ #
1621
+ # * The principal(s) specified in the key policy must exist and be
1622
+ # visible to AWS KMS. When you create a new AWS principal (for
1623
+ # example, an IAM user or role), you might need to enforce a delay
1624
+ # before specifying the new principal in a key policy because the
1625
+ # new principal might not immediately be visible to AWS KMS. For
1626
+ # more information, see [Changes that I make are not always
1627
+ # immediately visible][2] in the *IAM User Guide*.
1628
+ #
1629
+ # The policy size limit is 32 KiB (32768 bytes).
1630
+ #
1631
+ #
1632
+ #
1633
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1634
+ # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
1635
+ # @return [String]
1636
+ #
1637
+ # @!attribute [rw] bypass_policy_lockout_safety_check
1638
+ # A flag to indicate whether to bypass the key policy lockout safety
1639
+ # check.
1640
+ #
1641
+ # Setting this value to true increases the likelihood that the CMK
1642
+ # becomes unmanageable. Do not set this value to true
1643
+ # indiscriminately.
1644
+ #
1645
+ # For more information, refer to the scenario in the [Default Key
1646
+ # Policy][1] section in the *AWS Key Management Service Developer
1647
+ # Guide*.
1648
+ #
1649
+ # Use this parameter only when you intend to prevent the principal
1650
+ # making the request from making a subsequent `PutKeyPolicy` request
1651
+ # on the CMK.
1652
+ #
1653
+ # The default value is false.
1654
+ #
1655
+ #
1656
+ #
1657
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
1658
+ # @return [Boolean]
1659
+ class PutKeyPolicyRequest < Struct.new(
1660
+ :key_id,
1661
+ :policy_name,
1662
+ :policy,
1663
+ :bypass_policy_lockout_safety_check)
1664
+ include Aws::Structure
1665
+ end
1666
+
1667
+ # @note When making an API call, pass ReEncryptRequest
1668
+ # data as a hash:
1669
+ #
1670
+ # {
1671
+ # ciphertext_blob: "data", # required
1672
+ # source_encryption_context: {
1673
+ # "EncryptionContextKey" => "EncryptionContextValue",
1674
+ # },
1675
+ # destination_key_id: "KeyIdType", # required
1676
+ # destination_encryption_context: {
1677
+ # "EncryptionContextKey" => "EncryptionContextValue",
1678
+ # },
1679
+ # grant_tokens: ["GrantTokenType"],
1680
+ # }
1681
+ # @!attribute [rw] ciphertext_blob
1682
+ # Ciphertext of the data to re-encrypt.
1683
+ # @return [String]
1684
+ #
1685
+ # @!attribute [rw] source_encryption_context
1686
+ # Encryption context used to encrypt and decrypt the data specified in
1687
+ # the `CiphertextBlob` parameter.
1688
+ # @return [Hash<String,String>]
1689
+ #
1690
+ # @!attribute [rw] destination_key_id
1691
+ # A unique identifier for the customer master key used to re-encrypt
1692
+ # the data. This value can be a globally unique identifier, a fully
1693
+ # specified ARN to either an alias or a key, or an alias name prefixed
1694
+ # by "alias/".
1695
+ #
1696
+ # * Key ARN Example -
1697
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1698
+ #
1699
+ # * Alias ARN Example -
1700
+ # arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
1701
+ #
1702
+ # * Globally Unique Key ID Example -
1703
+ # 12345678-1234-1234-1234-123456789012
1704
+ #
1705
+ # * Alias Name Example - alias/MyAliasName
1706
+ # @return [String]
1707
+ #
1708
+ # @!attribute [rw] destination_encryption_context
1709
+ # Encryption context to be used when the data is re-encrypted.
1710
+ # @return [Hash<String,String>]
1711
+ #
1712
+ # @!attribute [rw] grant_tokens
1713
+ # A list of grant tokens.
1714
+ #
1715
+ # For more information, see [Grant Tokens][1] in the *AWS Key
1716
+ # Management Service Developer Guide*.
1717
+ #
1718
+ #
1719
+ #
1720
+ # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
1721
+ # @return [Array<String>]
1722
+ class ReEncryptRequest < Struct.new(
1723
+ :ciphertext_blob,
1724
+ :source_encryption_context,
1725
+ :destination_key_id,
1726
+ :destination_encryption_context,
1727
+ :grant_tokens)
1728
+ include Aws::Structure
1729
+ end
1730
+
1731
+ # @!attribute [rw] ciphertext_blob
1732
+ # The re-encrypted data. If you are using the CLI, the value is Base64
1733
+ # encoded. Otherwise, it is not encoded.
1734
+ # @return [String]
1735
+ #
1736
+ # @!attribute [rw] source_key_id
1737
+ # Unique identifier of the key used to originally encrypt the data.
1738
+ # @return [String]
1739
+ #
1740
+ # @!attribute [rw] key_id
1741
+ # Unique identifier of the key used to re-encrypt the data.
1742
+ # @return [String]
1743
+ class ReEncryptResponse < Struct.new(
1744
+ :ciphertext_blob,
1745
+ :source_key_id,
1746
+ :key_id)
1747
+ include Aws::Structure
1748
+ end
1749
+
1750
+ # @note When making an API call, pass RetireGrantRequest
1751
+ # data as a hash:
1752
+ #
1753
+ # {
1754
+ # grant_token: "GrantTokenType",
1755
+ # key_id: "KeyIdType",
1756
+ # grant_id: "GrantIdType",
1757
+ # }
1758
+ # @!attribute [rw] grant_token
1759
+ # Token that identifies the grant to be retired.
1760
+ # @return [String]
1761
+ #
1762
+ # @!attribute [rw] key_id
1763
+ # A unique identifier for the customer master key associated with the
1764
+ # grant. This value can be a globally unique identifier or a fully
1765
+ # specified ARN of the key.
1766
+ #
1767
+ # * Key ARN Example -
1768
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1769
+ #
1770
+ # * Globally Unique Key ID Example -
1771
+ # 12345678-1234-1234-1234-123456789012
1772
+ # @return [String]
1773
+ #
1774
+ # @!attribute [rw] grant_id
1775
+ # Unique identifier of the grant to be retired. The grant ID is
1776
+ # returned by the `CreateGrant` function.
1777
+ #
1778
+ # * Grant ID Example -
1779
+ # 0123456789012345678901234567890123456789012345678901234567890123
1780
+ #
1781
+ # ^
1782
+ # @return [String]
1783
+ class RetireGrantRequest < Struct.new(
1784
+ :grant_token,
1785
+ :key_id,
1786
+ :grant_id)
1787
+ include Aws::Structure
1788
+ end
1789
+
1790
+ # @note When making an API call, pass RevokeGrantRequest
1791
+ # data as a hash:
1792
+ #
1793
+ # {
1794
+ # key_id: "KeyIdType", # required
1795
+ # grant_id: "GrantIdType", # required
1796
+ # }
1797
+ # @!attribute [rw] key_id
1798
+ # A unique identifier for the customer master key associated with the
1799
+ # grant. This value can be a globally unique identifier or the fully
1800
+ # specified ARN to a key.
1801
+ #
1802
+ # * Key ARN Example -
1803
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1804
+ #
1805
+ # * Globally Unique Key ID Example -
1806
+ # 12345678-1234-1234-1234-123456789012
1807
+ # @return [String]
1808
+ #
1809
+ # @!attribute [rw] grant_id
1810
+ # Identifier of the grant to be revoked.
1811
+ # @return [String]
1812
+ class RevokeGrantRequest < Struct.new(
1813
+ :key_id,
1814
+ :grant_id)
1815
+ include Aws::Structure
1816
+ end
1817
+
1818
+ # @note When making an API call, pass ScheduleKeyDeletionRequest
1819
+ # data as a hash:
1820
+ #
1821
+ # {
1822
+ # key_id: "KeyIdType", # required
1823
+ # pending_window_in_days: 1,
1824
+ # }
1825
+ # @!attribute [rw] key_id
1826
+ # The unique identifier for the customer master key (CMK) to delete.
1827
+ #
1828
+ # To specify this value, use the unique key ID or the Amazon Resource
1829
+ # Name (ARN) of the CMK. Examples:
1830
+ #
1831
+ # * Unique key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
1832
+ #
1833
+ # * Key ARN:
1834
+ # arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
1835
+ #
1836
+ # To obtain the unique key ID and key ARN for a given CMK, use
1837
+ # ListKeys or DescribeKey.
1838
+ # @return [String]
1839
+ #
1840
+ # @!attribute [rw] pending_window_in_days
1841
+ # The waiting period, specified in number of days. After the waiting
1842
+ # period ends, AWS KMS deletes the customer master key (CMK).
1843
+ #
1844
+ # This value is optional. If you include a value, it must be between 7
1845
+ # and 30, inclusive. If you do not include a value, it defaults to 30.
1846
+ # @return [Integer]
1847
+ class ScheduleKeyDeletionRequest < Struct.new(
1848
+ :key_id,
1849
+ :pending_window_in_days)
1850
+ include Aws::Structure
1851
+ end
1852
+
1853
+ # @!attribute [rw] key_id
1854
+ # The unique identifier of the customer master key (CMK) for which
1855
+ # deletion is scheduled.
1856
+ # @return [String]
1857
+ #
1858
+ # @!attribute [rw] deletion_date
1859
+ # The date and time after which AWS KMS deletes the customer master
1860
+ # key (CMK).
1861
+ # @return [Time]
1862
+ class ScheduleKeyDeletionResponse < Struct.new(
1863
+ :key_id,
1864
+ :deletion_date)
1865
+ include Aws::Structure
1866
+ end
1867
+
1868
+ # @note When making an API call, pass UpdateAliasRequest
1869
+ # data as a hash:
1870
+ #
1871
+ # {
1872
+ # alias_name: "AliasNameType", # required
1873
+ # target_key_id: "KeyIdType", # required
1874
+ # }
1875
+ # @!attribute [rw] alias_name
1876
+ # String that contains the name of the alias to be modified. The name
1877
+ # must start with the word "alias" followed by a forward slash
1878
+ # (alias/). Aliases that begin with "alias/aws" are reserved.
1879
+ # @return [String]
1880
+ #
1881
+ # @!attribute [rw] target_key_id
1882
+ # Unique identifier of the customer master key to be mapped to the
1883
+ # alias. This value can be a globally unique identifier or the fully
1884
+ # specified ARN of a key.
1885
+ #
1886
+ # * Key ARN Example -
1887
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1888
+ #
1889
+ # * Globally Unique Key ID Example -
1890
+ # 12345678-1234-1234-1234-123456789012
1891
+ #
1892
+ # You can call ListAliases to verify that the alias is mapped to the
1893
+ # correct `TargetKeyId`.
1894
+ # @return [String]
1895
+ class UpdateAliasRequest < Struct.new(
1896
+ :alias_name,
1897
+ :target_key_id)
1898
+ include Aws::Structure
1899
+ end
1900
+
1901
+ # @note When making an API call, pass UpdateKeyDescriptionRequest
1902
+ # data as a hash:
1903
+ #
1904
+ # {
1905
+ # key_id: "KeyIdType", # required
1906
+ # description: "DescriptionType", # required
1907
+ # }
1908
+ # @!attribute [rw] key_id
1909
+ # A unique identifier for the customer master key. This value can be a
1910
+ # globally unique identifier or the fully specified ARN to a key.
1911
+ #
1912
+ # * Key ARN Example -
1913
+ # arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
1914
+ #
1915
+ # * Globally Unique Key ID Example -
1916
+ # 12345678-1234-1234-1234-123456789012
1917
+ # @return [String]
1918
+ #
1919
+ # @!attribute [rw] description
1920
+ # New description for the key.
1921
+ # @return [String]
1922
+ class UpdateKeyDescriptionRequest < Struct.new(
1923
+ :key_id,
1924
+ :description)
1925
+ include Aws::Structure
1926
+ end
1927
+
1928
+ end
1929
+ end
1930
+ end