aws-sdk-kms 1.21.0 → 1.26.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +1667 -364
- data/lib/aws-sdk-kms/client_api.rb +186 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +1068 -112
- metadata +4 -4
|
@@ -47,6 +47,8 @@ module Aws::KMS
|
|
|
47
47
|
CustomKeyStoreNotFoundException = Shapes::StructureShape.new(name: 'CustomKeyStoreNotFoundException')
|
|
48
48
|
CustomKeyStoresList = Shapes::ListShape.new(name: 'CustomKeyStoresList')
|
|
49
49
|
CustomKeyStoresListEntry = Shapes::StructureShape.new(name: 'CustomKeyStoresListEntry')
|
|
50
|
+
CustomerMasterKeySpec = Shapes::StringShape.new(name: 'CustomerMasterKeySpec')
|
|
51
|
+
DataKeyPairSpec = Shapes::StringShape.new(name: 'DataKeyPairSpec')
|
|
50
52
|
DataKeySpec = Shapes::StringShape.new(name: 'DataKeySpec')
|
|
51
53
|
DateType = Shapes::TimestampShape.new(name: 'DateType')
|
|
52
54
|
DecryptRequest = Shapes::StructureShape.new(name: 'DecryptRequest')
|
|
@@ -70,12 +72,18 @@ module Aws::KMS
|
|
|
70
72
|
EnableKeyRotationRequest = Shapes::StructureShape.new(name: 'EnableKeyRotationRequest')
|
|
71
73
|
EncryptRequest = Shapes::StructureShape.new(name: 'EncryptRequest')
|
|
72
74
|
EncryptResponse = Shapes::StructureShape.new(name: 'EncryptResponse')
|
|
75
|
+
EncryptionAlgorithmSpec = Shapes::StringShape.new(name: 'EncryptionAlgorithmSpec')
|
|
76
|
+
EncryptionAlgorithmSpecList = Shapes::ListShape.new(name: 'EncryptionAlgorithmSpecList')
|
|
73
77
|
EncryptionContextKey = Shapes::StringShape.new(name: 'EncryptionContextKey')
|
|
74
78
|
EncryptionContextType = Shapes::MapShape.new(name: 'EncryptionContextType')
|
|
75
79
|
EncryptionContextValue = Shapes::StringShape.new(name: 'EncryptionContextValue')
|
|
76
80
|
ErrorMessageType = Shapes::StringShape.new(name: 'ErrorMessageType')
|
|
77
81
|
ExpirationModelType = Shapes::StringShape.new(name: 'ExpirationModelType')
|
|
78
82
|
ExpiredImportTokenException = Shapes::StructureShape.new(name: 'ExpiredImportTokenException')
|
|
83
|
+
GenerateDataKeyPairRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairRequest')
|
|
84
|
+
GenerateDataKeyPairResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairResponse')
|
|
85
|
+
GenerateDataKeyPairWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextRequest')
|
|
86
|
+
GenerateDataKeyPairWithoutPlaintextResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyPairWithoutPlaintextResponse')
|
|
79
87
|
GenerateDataKeyRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyRequest')
|
|
80
88
|
GenerateDataKeyResponse = Shapes::StructureShape.new(name: 'GenerateDataKeyResponse')
|
|
81
89
|
GenerateDataKeyWithoutPlaintextRequest = Shapes::StructureShape.new(name: 'GenerateDataKeyWithoutPlaintextRequest')
|
|
@@ -88,6 +96,8 @@ module Aws::KMS
|
|
|
88
96
|
GetKeyRotationStatusResponse = Shapes::StructureShape.new(name: 'GetKeyRotationStatusResponse')
|
|
89
97
|
GetParametersForImportRequest = Shapes::StructureShape.new(name: 'GetParametersForImportRequest')
|
|
90
98
|
GetParametersForImportResponse = Shapes::StructureShape.new(name: 'GetParametersForImportResponse')
|
|
99
|
+
GetPublicKeyRequest = Shapes::StructureShape.new(name: 'GetPublicKeyRequest')
|
|
100
|
+
GetPublicKeyResponse = Shapes::StructureShape.new(name: 'GetPublicKeyResponse')
|
|
91
101
|
GrantConstraints = Shapes::StructureShape.new(name: 'GrantConstraints')
|
|
92
102
|
GrantIdType = Shapes::StringShape.new(name: 'GrantIdType')
|
|
93
103
|
GrantList = Shapes::ListShape.new(name: 'GrantList')
|
|
@@ -99,6 +109,7 @@ module Aws::KMS
|
|
|
99
109
|
GrantTokenType = Shapes::StringShape.new(name: 'GrantTokenType')
|
|
100
110
|
ImportKeyMaterialRequest = Shapes::StructureShape.new(name: 'ImportKeyMaterialRequest')
|
|
101
111
|
ImportKeyMaterialResponse = Shapes::StructureShape.new(name: 'ImportKeyMaterialResponse')
|
|
112
|
+
IncorrectKeyException = Shapes::StructureShape.new(name: 'IncorrectKeyException')
|
|
102
113
|
IncorrectKeyMaterialException = Shapes::StructureShape.new(name: 'IncorrectKeyMaterialException')
|
|
103
114
|
IncorrectTrustAnchorException = Shapes::StructureShape.new(name: 'IncorrectTrustAnchorException')
|
|
104
115
|
InvalidAliasNameException = Shapes::StructureShape.new(name: 'InvalidAliasNameException')
|
|
@@ -135,6 +146,7 @@ module Aws::KMS
|
|
|
135
146
|
ListRetirableGrantsRequest = Shapes::StructureShape.new(name: 'ListRetirableGrantsRequest')
|
|
136
147
|
MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
|
|
137
148
|
MarkerType = Shapes::StringShape.new(name: 'MarkerType')
|
|
149
|
+
MessageType = Shapes::StringShape.new(name: 'MessageType')
|
|
138
150
|
NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
|
|
139
151
|
NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
|
|
140
152
|
OriginType = Shapes::StringShape.new(name: 'OriginType')
|
|
@@ -144,6 +156,7 @@ module Aws::KMS
|
|
|
144
156
|
PolicyNameType = Shapes::StringShape.new(name: 'PolicyNameType')
|
|
145
157
|
PolicyType = Shapes::StringShape.new(name: 'PolicyType')
|
|
146
158
|
PrincipalIdType = Shapes::StringShape.new(name: 'PrincipalIdType')
|
|
159
|
+
PublicKeyType = Shapes::BlobShape.new(name: 'PublicKeyType')
|
|
147
160
|
PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
|
|
148
161
|
ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
|
|
149
162
|
ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
|
|
@@ -151,6 +164,10 @@ module Aws::KMS
|
|
|
151
164
|
RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
|
|
152
165
|
ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
|
|
153
166
|
ScheduleKeyDeletionResponse = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionResponse')
|
|
167
|
+
SignRequest = Shapes::StructureShape.new(name: 'SignRequest')
|
|
168
|
+
SignResponse = Shapes::StructureShape.new(name: 'SignResponse')
|
|
169
|
+
SigningAlgorithmSpec = Shapes::StringShape.new(name: 'SigningAlgorithmSpec')
|
|
170
|
+
SigningAlgorithmSpecList = Shapes::ListShape.new(name: 'SigningAlgorithmSpecList')
|
|
154
171
|
Tag = Shapes::StructureShape.new(name: 'Tag')
|
|
155
172
|
TagException = Shapes::StructureShape.new(name: 'TagException')
|
|
156
173
|
TagKeyList = Shapes::ListShape.new(name: 'TagKeyList')
|
|
@@ -165,6 +182,8 @@ module Aws::KMS
|
|
|
165
182
|
UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
|
|
166
183
|
UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
|
|
167
184
|
UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
|
|
185
|
+
VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
|
|
186
|
+
VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
|
|
168
187
|
WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
|
|
169
188
|
|
|
170
189
|
AliasList.member = Shapes::ShapeRef.new(shape: AliasListEntry)
|
|
@@ -232,6 +251,7 @@ module Aws::KMS
|
|
|
232
251
|
CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
|
|
233
252
|
CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
|
|
234
253
|
CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
|
254
|
+
CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
|
235
255
|
CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
|
|
236
256
|
CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
|
|
237
257
|
CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
|
|
@@ -267,10 +287,13 @@ module Aws::KMS
|
|
|
267
287
|
DecryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
|
|
268
288
|
DecryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
|
|
269
289
|
DecryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
290
|
+
DecryptRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
291
|
+
DecryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
|
|
270
292
|
DecryptRequest.struct_class = Types::DecryptRequest
|
|
271
293
|
|
|
272
294
|
DecryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
273
295
|
DecryptResponse.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "Plaintext"))
|
|
296
|
+
DecryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
|
|
274
297
|
DecryptResponse.struct_class = Types::DecryptResponse
|
|
275
298
|
|
|
276
299
|
DeleteAliasRequest.add_member(:alias_name, Shapes::ShapeRef.new(shape: AliasNameType, required: true, location_name: "AliasName"))
|
|
@@ -329,18 +352,47 @@ module Aws::KMS
|
|
|
329
352
|
EncryptRequest.add_member(:plaintext, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Plaintext"))
|
|
330
353
|
EncryptRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
|
|
331
354
|
EncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
355
|
+
EncryptRequest.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
|
|
332
356
|
EncryptRequest.struct_class = Types::EncryptRequest
|
|
333
357
|
|
|
334
358
|
EncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
|
|
335
359
|
EncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
360
|
+
EncryptResponse.add_member(:encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "EncryptionAlgorithm"))
|
|
336
361
|
EncryptResponse.struct_class = Types::EncryptResponse
|
|
337
362
|
|
|
363
|
+
EncryptionAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec)
|
|
364
|
+
|
|
338
365
|
EncryptionContextType.key = Shapes::ShapeRef.new(shape: EncryptionContextKey)
|
|
339
366
|
EncryptionContextType.value = Shapes::ShapeRef.new(shape: EncryptionContextValue)
|
|
340
367
|
|
|
341
368
|
ExpiredImportTokenException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
|
342
369
|
ExpiredImportTokenException.struct_class = Types::ExpiredImportTokenException
|
|
343
370
|
|
|
371
|
+
GenerateDataKeyPairRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
|
|
372
|
+
GenerateDataKeyPairRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
373
|
+
GenerateDataKeyPairRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
|
|
374
|
+
GenerateDataKeyPairRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
375
|
+
GenerateDataKeyPairRequest.struct_class = Types::GenerateDataKeyPairRequest
|
|
376
|
+
|
|
377
|
+
GenerateDataKeyPairResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
|
|
378
|
+
GenerateDataKeyPairResponse.add_member(:private_key_plaintext, Shapes::ShapeRef.new(shape: PlaintextType, location_name: "PrivateKeyPlaintext"))
|
|
379
|
+
GenerateDataKeyPairResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
|
|
380
|
+
GenerateDataKeyPairResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
381
|
+
GenerateDataKeyPairResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
|
|
382
|
+
GenerateDataKeyPairResponse.struct_class = Types::GenerateDataKeyPairResponse
|
|
383
|
+
|
|
384
|
+
GenerateDataKeyPairWithoutPlaintextRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
|
|
385
|
+
GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
386
|
+
GenerateDataKeyPairWithoutPlaintextRequest.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, required: true, location_name: "KeyPairSpec"))
|
|
387
|
+
GenerateDataKeyPairWithoutPlaintextRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
388
|
+
GenerateDataKeyPairWithoutPlaintextRequest.struct_class = Types::GenerateDataKeyPairWithoutPlaintextRequest
|
|
389
|
+
|
|
390
|
+
GenerateDataKeyPairWithoutPlaintextResponse.add_member(:private_key_ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "PrivateKeyCiphertextBlob"))
|
|
391
|
+
GenerateDataKeyPairWithoutPlaintextResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
|
|
392
|
+
GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
393
|
+
GenerateDataKeyPairWithoutPlaintextResponse.add_member(:key_pair_spec, Shapes::ShapeRef.new(shape: DataKeyPairSpec, location_name: "KeyPairSpec"))
|
|
394
|
+
GenerateDataKeyPairWithoutPlaintextResponse.struct_class = Types::GenerateDataKeyPairWithoutPlaintextResponse
|
|
395
|
+
|
|
344
396
|
GenerateDataKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
345
397
|
GenerateDataKeyRequest.add_member(:encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContext"))
|
|
346
398
|
GenerateDataKeyRequest.add_member(:number_of_bytes, Shapes::ShapeRef.new(shape: NumberOfBytesType, location_name: "NumberOfBytes"))
|
|
@@ -395,6 +447,18 @@ module Aws::KMS
|
|
|
395
447
|
GetParametersForImportResponse.add_member(:parameters_valid_to, Shapes::ShapeRef.new(shape: DateType, location_name: "ParametersValidTo"))
|
|
396
448
|
GetParametersForImportResponse.struct_class = Types::GetParametersForImportResponse
|
|
397
449
|
|
|
450
|
+
GetPublicKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
451
|
+
GetPublicKeyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
452
|
+
GetPublicKeyRequest.struct_class = Types::GetPublicKeyRequest
|
|
453
|
+
|
|
454
|
+
GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
455
|
+
GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
|
|
456
|
+
GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
|
457
|
+
GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
|
458
|
+
GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
|
459
|
+
GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
|
460
|
+
GetPublicKeyResponse.struct_class = Types::GetPublicKeyResponse
|
|
461
|
+
|
|
398
462
|
GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
|
|
399
463
|
GrantConstraints.add_member(:encryption_context_equals, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextEquals"))
|
|
400
464
|
GrantConstraints.struct_class = Types::GrantConstraints
|
|
@@ -425,6 +489,9 @@ module Aws::KMS
|
|
|
425
489
|
|
|
426
490
|
ImportKeyMaterialResponse.struct_class = Types::ImportKeyMaterialResponse
|
|
427
491
|
|
|
492
|
+
IncorrectKeyException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
|
493
|
+
IncorrectKeyException.struct_class = Types::IncorrectKeyException
|
|
494
|
+
|
|
428
495
|
IncorrectKeyMaterialException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
|
429
496
|
IncorrectKeyMaterialException.struct_class = Types::IncorrectKeyMaterialException
|
|
430
497
|
|
|
@@ -482,6 +549,9 @@ module Aws::KMS
|
|
|
482
549
|
KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
|
|
483
550
|
KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
|
|
484
551
|
KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
|
|
552
|
+
KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
|
553
|
+
KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
|
554
|
+
KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
|
485
555
|
KeyMetadata.struct_class = Types::KeyMetadata
|
|
486
556
|
|
|
487
557
|
KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
|
@@ -560,14 +630,19 @@ module Aws::KMS
|
|
|
560
630
|
|
|
561
631
|
ReEncryptRequest.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "CiphertextBlob"))
|
|
562
632
|
ReEncryptRequest.add_member(:source_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "SourceEncryptionContext"))
|
|
633
|
+
ReEncryptRequest.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
|
|
563
634
|
ReEncryptRequest.add_member(:destination_key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "DestinationKeyId"))
|
|
564
635
|
ReEncryptRequest.add_member(:destination_encryption_context, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "DestinationEncryptionContext"))
|
|
636
|
+
ReEncryptRequest.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
|
|
637
|
+
ReEncryptRequest.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
|
|
565
638
|
ReEncryptRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
566
639
|
ReEncryptRequest.struct_class = Types::ReEncryptRequest
|
|
567
640
|
|
|
568
641
|
ReEncryptResponse.add_member(:ciphertext_blob, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "CiphertextBlob"))
|
|
569
642
|
ReEncryptResponse.add_member(:source_key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "SourceKeyId"))
|
|
570
643
|
ReEncryptResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
644
|
+
ReEncryptResponse.add_member(:source_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "SourceEncryptionAlgorithm"))
|
|
645
|
+
ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
|
|
571
646
|
ReEncryptResponse.struct_class = Types::ReEncryptResponse
|
|
572
647
|
|
|
573
648
|
RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
|
|
@@ -587,6 +662,20 @@ module Aws::KMS
|
|
|
587
662
|
ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
|
|
588
663
|
ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
|
|
589
664
|
|
|
665
|
+
SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
666
|
+
SignRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
|
|
667
|
+
SignRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
|
|
668
|
+
SignRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
669
|
+
SignRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
|
|
670
|
+
SignRequest.struct_class = Types::SignRequest
|
|
671
|
+
|
|
672
|
+
SignResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
673
|
+
SignResponse.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, location_name: "Signature"))
|
|
674
|
+
SignResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
|
|
675
|
+
SignResponse.struct_class = Types::SignResponse
|
|
676
|
+
|
|
677
|
+
SigningAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: SigningAlgorithmSpec)
|
|
678
|
+
|
|
590
679
|
Tag.add_member(:tag_key, Shapes::ShapeRef.new(shape: TagKeyType, required: true, location_name: "TagKey"))
|
|
591
680
|
Tag.add_member(:tag_value, Shapes::ShapeRef.new(shape: TagValueType, required: true, location_name: "TagValue"))
|
|
592
681
|
Tag.struct_class = Types::Tag
|
|
@@ -625,6 +714,19 @@ module Aws::KMS
|
|
|
625
714
|
UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
|
|
626
715
|
UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
|
|
627
716
|
|
|
717
|
+
VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
|
718
|
+
VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
|
|
719
|
+
VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
|
|
720
|
+
VerifyRequest.add_member(:signature, Shapes::ShapeRef.new(shape: CiphertextType, required: true, location_name: "Signature"))
|
|
721
|
+
VerifyRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, required: true, location_name: "SigningAlgorithm"))
|
|
722
|
+
VerifyRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
|
|
723
|
+
VerifyRequest.struct_class = Types::VerifyRequest
|
|
724
|
+
|
|
725
|
+
VerifyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
|
726
|
+
VerifyResponse.add_member(:signature_valid, Shapes::ShapeRef.new(shape: BooleanType, location_name: "SignatureValid"))
|
|
727
|
+
VerifyResponse.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: SigningAlgorithmSpec, location_name: "SigningAlgorithm"))
|
|
728
|
+
VerifyResponse.struct_class = Types::VerifyResponse
|
|
729
|
+
|
|
628
730
|
|
|
629
731
|
# @api private
|
|
630
732
|
API = Seahorse::Model::Api.new.tap do |api|
|
|
@@ -744,6 +846,8 @@ module Aws::KMS
|
|
|
744
846
|
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
745
847
|
o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
|
|
746
848
|
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
849
|
+
o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
|
|
850
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
747
851
|
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
748
852
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
749
853
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
@@ -910,6 +1014,38 @@ module Aws::KMS
|
|
|
910
1014
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
911
1015
|
end)
|
|
912
1016
|
|
|
1017
|
+
api.add_operation(:generate_data_key_pair, Seahorse::Model::Operation.new.tap do |o|
|
|
1018
|
+
o.name = "GenerateDataKeyPair"
|
|
1019
|
+
o.http_method = "POST"
|
|
1020
|
+
o.http_request_uri = "/"
|
|
1021
|
+
o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairRequest)
|
|
1022
|
+
o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairResponse)
|
|
1023
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
|
1024
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1025
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1026
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1027
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1028
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
1029
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1030
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
1031
|
+
end)
|
|
1032
|
+
|
|
1033
|
+
api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
|
1034
|
+
o.name = "GenerateDataKeyPairWithoutPlaintext"
|
|
1035
|
+
o.http_method = "POST"
|
|
1036
|
+
o.http_request_uri = "/"
|
|
1037
|
+
o.input = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextRequest)
|
|
1038
|
+
o.output = Shapes::ShapeRef.new(shape: GenerateDataKeyPairWithoutPlaintextResponse)
|
|
1039
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
|
1040
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1041
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1042
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1043
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1044
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
1045
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1046
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
1047
|
+
end)
|
|
1048
|
+
|
|
913
1049
|
api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
|
914
1050
|
o.name = "GenerateDataKeyWithoutPlaintext"
|
|
915
1051
|
o.http_method = "POST"
|
|
@@ -979,6 +1115,24 @@ module Aws::KMS
|
|
|
979
1115
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
980
1116
|
end)
|
|
981
1117
|
|
|
1118
|
+
api.add_operation(:get_public_key, Seahorse::Model::Operation.new.tap do |o|
|
|
1119
|
+
o.name = "GetPublicKey"
|
|
1120
|
+
o.http_method = "POST"
|
|
1121
|
+
o.http_request_uri = "/"
|
|
1122
|
+
o.input = Shapes::ShapeRef.new(shape: GetPublicKeyRequest)
|
|
1123
|
+
o.output = Shapes::ShapeRef.new(shape: GetPublicKeyResponse)
|
|
1124
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
|
1125
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1126
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1127
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1128
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
|
1129
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
|
|
1130
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
1131
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1132
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1133
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
1134
|
+
end)
|
|
1135
|
+
|
|
982
1136
|
api.add_operation(:import_key_material, Seahorse::Model::Operation.new.tap do |o|
|
|
983
1137
|
o.name = "ImportKeyMaterial"
|
|
984
1138
|
o.http_method = "POST"
|
|
@@ -1127,6 +1281,7 @@ module Aws::KMS
|
|
|
1127
1281
|
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1128
1282
|
o.errors << Shapes::ShapeRef.new(shape: InvalidCiphertextException)
|
|
1129
1283
|
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1284
|
+
o.errors << Shapes::ShapeRef.new(shape: IncorrectKeyException)
|
|
1130
1285
|
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1131
1286
|
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1132
1287
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
@@ -1176,6 +1331,21 @@ module Aws::KMS
|
|
|
1176
1331
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
1177
1332
|
end)
|
|
1178
1333
|
|
|
1334
|
+
api.add_operation(:sign, Seahorse::Model::Operation.new.tap do |o|
|
|
1335
|
+
o.name = "Sign"
|
|
1336
|
+
o.http_method = "POST"
|
|
1337
|
+
o.http_request_uri = "/"
|
|
1338
|
+
o.input = Shapes::ShapeRef.new(shape: SignRequest)
|
|
1339
|
+
o.output = Shapes::ShapeRef.new(shape: SignResponse)
|
|
1340
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
|
1341
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1342
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1343
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1344
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1345
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
1346
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1347
|
+
end)
|
|
1348
|
+
|
|
1179
1349
|
api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
|
|
1180
1350
|
o.name = "TagResource"
|
|
1181
1351
|
o.http_method = "POST"
|
|
@@ -1222,6 +1392,7 @@ module Aws::KMS
|
|
|
1222
1392
|
o.input = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreRequest)
|
|
1223
1393
|
o.output = Shapes::ShapeRef.new(shape: UpdateCustomKeyStoreResponse)
|
|
1224
1394
|
o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
|
|
1395
|
+
o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNameInUseException)
|
|
1225
1396
|
o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotFoundException)
|
|
1226
1397
|
o.errors << Shapes::ShapeRef.new(shape: CloudHsmClusterNotRelatedException)
|
|
1227
1398
|
o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreInvalidStateException)
|
|
@@ -1242,6 +1413,21 @@ module Aws::KMS
|
|
|
1242
1413
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1243
1414
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
|
1244
1415
|
end)
|
|
1416
|
+
|
|
1417
|
+
api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
|
|
1418
|
+
o.name = "Verify"
|
|
1419
|
+
o.http_method = "POST"
|
|
1420
|
+
o.http_request_uri = "/"
|
|
1421
|
+
o.input = Shapes::ShapeRef.new(shape: VerifyRequest)
|
|
1422
|
+
o.output = Shapes::ShapeRef.new(shape: VerifyResponse)
|
|
1423
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
|
1424
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
|
1425
|
+
o.errors << Shapes::ShapeRef.new(shape: KeyUnavailableException)
|
|
1426
|
+
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
|
1427
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidKeyUsageException)
|
|
1428
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
|
1429
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
|
1430
|
+
end)
|
|
1245
1431
|
end
|
|
1246
1432
|
|
|
1247
1433
|
end
|
data/lib/aws-sdk-kms/errors.rb
CHANGED
|
@@ -218,6 +218,22 @@ module Aws::KMS
|
|
|
218
218
|
|
|
219
219
|
end
|
|
220
220
|
|
|
221
|
+
class IncorrectKeyException < ServiceError
|
|
222
|
+
|
|
223
|
+
# @param [Seahorse::Client::RequestContext] context
|
|
224
|
+
# @param [String] message
|
|
225
|
+
# @param [Aws::KMS::Types::IncorrectKeyException] data
|
|
226
|
+
def initialize(context, message, data = Aws::EmptyStructure.new)
|
|
227
|
+
super(context, message, data)
|
|
228
|
+
end
|
|
229
|
+
|
|
230
|
+
# @return [String]
|
|
231
|
+
def message
|
|
232
|
+
@message || @data[:message]
|
|
233
|
+
end
|
|
234
|
+
|
|
235
|
+
end
|
|
236
|
+
|
|
221
237
|
class IncorrectKeyMaterialException < ServiceError
|
|
222
238
|
|
|
223
239
|
# @param [Seahorse::Client::RequestContext] context
|
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -360,7 +360,7 @@ module Aws::KMS
|
|
|
360
360
|
# key_id: "KeyIdType", # required
|
|
361
361
|
# grantee_principal: "PrincipalIdType", # required
|
|
362
362
|
# retiring_principal: "PrincipalIdType",
|
|
363
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
|
|
363
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
364
364
|
# constraints: {
|
|
365
365
|
# encryption_context_subset: {
|
|
366
366
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -515,7 +515,8 @@ module Aws::KMS
|
|
|
515
515
|
# {
|
|
516
516
|
# policy: "PolicyType",
|
|
517
517
|
# description: "DescriptionType",
|
|
518
|
-
# key_usage: "
|
|
518
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
519
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
519
520
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
520
521
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
521
522
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -571,28 +572,91 @@ module Aws::KMS
|
|
|
571
572
|
# @return [String]
|
|
572
573
|
#
|
|
573
574
|
# @!attribute [rw] key_usage
|
|
574
|
-
#
|
|
575
|
-
#
|
|
576
|
-
#
|
|
575
|
+
# Determines the cryptographic operations for which you can use the
|
|
576
|
+
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
|
577
|
+
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
|
578
|
+
# value after the CMK is created.
|
|
579
|
+
#
|
|
580
|
+
# Select only one valid value.
|
|
581
|
+
#
|
|
582
|
+
# * For symmetric CMKs, omit the parameter or specify
|
|
583
|
+
# `ENCRYPT_DECRYPT`.
|
|
584
|
+
#
|
|
585
|
+
# * For asymmetric CMKs with RSA key material, specify
|
|
586
|
+
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
587
|
+
#
|
|
588
|
+
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
|
589
|
+
# @return [String]
|
|
590
|
+
#
|
|
591
|
+
# @!attribute [rw] customer_master_key_spec
|
|
592
|
+
# Specifies the type of CMK to create. The `CustomerMasterKeySpec`
|
|
593
|
+
# determines whether the CMK contains a symmetric key or an asymmetric
|
|
594
|
+
# key pair. It also determines the encryption algorithms or signing
|
|
595
|
+
# algorithms that the CMK supports. You can't change the
|
|
596
|
+
# `CustomerMasterKeySpec` after the CMK is created. To further
|
|
597
|
+
# restrict the algorithms that can be used with the CMK, use its key
|
|
598
|
+
# policy or IAM policy.
|
|
599
|
+
#
|
|
600
|
+
# For help with choosing a key spec for your CMK, see [Selecting a
|
|
601
|
+
# Customer Master Key Spec][1] in the *AWS Key Management Service
|
|
602
|
+
# Developer Guide*.
|
|
603
|
+
#
|
|
604
|
+
# The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
|
|
605
|
+
# symmetric key.
|
|
606
|
+
#
|
|
607
|
+
# AWS KMS supports the following key specs for CMKs:
|
|
608
|
+
#
|
|
609
|
+
# * Symmetric key (default)
|
|
610
|
+
#
|
|
611
|
+
# * `SYMMETRIC_DEFAULT` (AES-256-GCM)
|
|
612
|
+
#
|
|
613
|
+
# ^
|
|
614
|
+
#
|
|
615
|
+
# * Asymmetric RSA key pairs
|
|
616
|
+
#
|
|
617
|
+
# * `RSA_2048`
|
|
618
|
+
#
|
|
619
|
+
# * `RSA_3072`
|
|
620
|
+
#
|
|
621
|
+
# * `RSA_4096`
|
|
622
|
+
#
|
|
623
|
+
# * Asymmetric NIST-recommended elliptic curve key pairs
|
|
624
|
+
#
|
|
625
|
+
# * `ECC_NIST_P256` (secp256r1)
|
|
626
|
+
#
|
|
627
|
+
# * `ECC_NIST_P384` (secp384r1)
|
|
628
|
+
#
|
|
629
|
+
# * `ECC_NIST_P521` (secp521r1)
|
|
630
|
+
#
|
|
631
|
+
# * Other asymmetric elliptic curve key pairs
|
|
632
|
+
#
|
|
633
|
+
# * `ECC_SECG_P256K1` (secp256k1), commonly used for
|
|
634
|
+
# cryptocurrencies.
|
|
635
|
+
#
|
|
636
|
+
# ^
|
|
637
|
+
#
|
|
638
|
+
#
|
|
639
|
+
#
|
|
640
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
|
|
577
641
|
# @return [String]
|
|
578
642
|
#
|
|
579
643
|
# @!attribute [rw] origin
|
|
580
644
|
# The source of the key material for the CMK. You cannot change the
|
|
581
|
-
# origin after you create the CMK.
|
|
582
|
-
#
|
|
583
|
-
# The default is `AWS_KMS`, which means AWS KMS creates the key
|
|
584
|
-
# material in its own key store.
|
|
645
|
+
# origin after you create the CMK. The default is `AWS_KMS`, which
|
|
646
|
+
# means AWS KMS creates the key material.
|
|
585
647
|
#
|
|
586
648
|
# When the parameter value is `EXTERNAL`, AWS KMS creates a CMK
|
|
587
649
|
# without key material so that you can import key material from your
|
|
588
650
|
# existing key management infrastructure. For more information about
|
|
589
651
|
# importing key material into AWS KMS, see [Importing Key Material][1]
|
|
590
|
-
# in the *AWS Key Management Service Developer Guide*.
|
|
652
|
+
# in the *AWS Key Management Service Developer Guide*. This value is
|
|
653
|
+
# valid only for symmetric CMKs.
|
|
591
654
|
#
|
|
592
655
|
# When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK
|
|
593
656
|
# in an AWS KMS [custom key store][2] and creates its key material in
|
|
594
657
|
# the associated AWS CloudHSM cluster. You must also use the
|
|
595
|
-
# `CustomKeyStoreId` parameter to identify the custom key store.
|
|
658
|
+
# `CustomKeyStoreId` parameter to identify the custom key store. This
|
|
659
|
+
# value is valid only for symmetric CMKs.
|
|
596
660
|
#
|
|
597
661
|
#
|
|
598
662
|
#
|
|
@@ -608,6 +672,9 @@ module Aws::KMS
|
|
|
608
672
|
# associated with the custom key store must have at least two active
|
|
609
673
|
# HSMs, each in a different Availability Zone in the Region.
|
|
610
674
|
#
|
|
675
|
+
# This parameter is valid only for symmetric CMKs. You cannot create
|
|
676
|
+
# an asymmetric CMK in a custom key store.
|
|
677
|
+
#
|
|
611
678
|
# To find the ID of a custom key store, use the
|
|
612
679
|
# DescribeCustomKeyStores operation.
|
|
613
680
|
#
|
|
@@ -648,12 +715,20 @@ module Aws::KMS
|
|
|
648
715
|
#
|
|
649
716
|
# @!attribute [rw] tags
|
|
650
717
|
# One or more tags. Each tag consists of a tag key and a tag value.
|
|
651
|
-
#
|
|
652
|
-
# empty (null)
|
|
718
|
+
# Both the tag key and the tag value are required, but the tag value
|
|
719
|
+
# can be an empty (null) string.
|
|
720
|
+
#
|
|
721
|
+
# When you add tags to an AWS resource, AWS generates a cost
|
|
722
|
+
# allocation report with usage and costs aggregated by tags. For
|
|
723
|
+
# information about adding, changing, deleting and listing tags for
|
|
724
|
+
# CMKs, see [Tagging Keys][1].
|
|
725
|
+
#
|
|
726
|
+
# Use this parameter to tag the CMK when it is created. To add tags to
|
|
727
|
+
# an existing CMK, use the TagResource operation.
|
|
728
|
+
#
|
|
729
|
+
#
|
|
653
730
|
#
|
|
654
|
-
#
|
|
655
|
-
# you can omit this parameter and instead tag the CMK after it is
|
|
656
|
-
# created using TagResource.
|
|
731
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
|
657
732
|
# @return [Array<Types::Tag>]
|
|
658
733
|
#
|
|
659
734
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
|
@@ -662,6 +737,7 @@ module Aws::KMS
|
|
|
662
737
|
:policy,
|
|
663
738
|
:description,
|
|
664
739
|
:key_usage,
|
|
740
|
+
:customer_master_key_spec,
|
|
665
741
|
:origin,
|
|
666
742
|
:custom_key_store_id,
|
|
667
743
|
:bypass_policy_lockout_safety_check,
|
|
@@ -862,6 +938,8 @@ module Aws::KMS
|
|
|
862
938
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
863
939
|
# },
|
|
864
940
|
# grant_tokens: ["GrantTokenType"],
|
|
941
|
+
# key_id: "KeyIdType",
|
|
942
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
865
943
|
# }
|
|
866
944
|
#
|
|
867
945
|
# @!attribute [rw] ciphertext_blob
|
|
@@ -869,9 +947,20 @@ module Aws::KMS
|
|
|
869
947
|
# @return [String]
|
|
870
948
|
#
|
|
871
949
|
# @!attribute [rw] encryption_context
|
|
872
|
-
#
|
|
873
|
-
#
|
|
874
|
-
#
|
|
950
|
+
# Specifies the encryption context to use when decrypting the data. An
|
|
951
|
+
# encryption context is valid only for cryptographic operations with a
|
|
952
|
+
# symmetric CMK. The standard asymmetric encryption algorithms that
|
|
953
|
+
# AWS KMS uses do not support an encryption context.
|
|
954
|
+
#
|
|
955
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
956
|
+
# pairs that represents additional authenticated data. When you use an
|
|
957
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
958
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
959
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
960
|
+
# CMK, but it is highly recommended.
|
|
961
|
+
#
|
|
962
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
963
|
+
# Management Service Developer Guide*.
|
|
875
964
|
#
|
|
876
965
|
#
|
|
877
966
|
#
|
|
@@ -889,30 +978,83 @@ module Aws::KMS
|
|
|
889
978
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
890
979
|
# @return [Array<String>]
|
|
891
980
|
#
|
|
981
|
+
# @!attribute [rw] key_id
|
|
982
|
+
# Specifies the customer master key (CMK) that AWS KMS will use to
|
|
983
|
+
# decrypt the ciphertext. Enter a key ID of the CMK that was used to
|
|
984
|
+
# encrypt the ciphertext.
|
|
985
|
+
#
|
|
986
|
+
# If you specify a `KeyId` value, the `Decrypt` operation succeeds
|
|
987
|
+
# only if the specified CMK was used to encrypt the ciphertext.
|
|
988
|
+
#
|
|
989
|
+
# This parameter is required only when the ciphertext was encrypted
|
|
990
|
+
# under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
|
|
991
|
+
# it adds to the ciphertext blob to determine which CMK was used to
|
|
992
|
+
# encrypt the ciphertext. However, you can use this parameter to
|
|
993
|
+
# ensure that a particular CMK (of any kind) is used to decrypt the
|
|
994
|
+
# ciphertext.
|
|
995
|
+
#
|
|
996
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
997
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
998
|
+
# `"alias/"`.
|
|
999
|
+
#
|
|
1000
|
+
# For example:
|
|
1001
|
+
#
|
|
1002
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1003
|
+
#
|
|
1004
|
+
# * Key ARN:
|
|
1005
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1006
|
+
#
|
|
1007
|
+
# * Alias name: `alias/ExampleAlias`
|
|
1008
|
+
#
|
|
1009
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
1010
|
+
#
|
|
1011
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1012
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
1013
|
+
# @return [String]
|
|
1014
|
+
#
|
|
1015
|
+
# @!attribute [rw] encryption_algorithm
|
|
1016
|
+
# Specifies the encryption algorithm that will be used to decrypt the
|
|
1017
|
+
# ciphertext. Specify the same algorithm that was used to encrypt the
|
|
1018
|
+
# data. If you specify a different algorithm, the `Decrypt` operation
|
|
1019
|
+
# fails.
|
|
1020
|
+
#
|
|
1021
|
+
# This parameter is required only when the ciphertext was encrypted
|
|
1022
|
+
# under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
|
|
1023
|
+
# represents the only supported algorithm that is valid for symmetric
|
|
1024
|
+
# CMKs.
|
|
1025
|
+
# @return [String]
|
|
1026
|
+
#
|
|
892
1027
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
893
1028
|
#
|
|
894
1029
|
class DecryptRequest < Struct.new(
|
|
895
1030
|
:ciphertext_blob,
|
|
896
1031
|
:encryption_context,
|
|
897
|
-
:grant_tokens
|
|
1032
|
+
:grant_tokens,
|
|
1033
|
+
:key_id,
|
|
1034
|
+
:encryption_algorithm)
|
|
898
1035
|
include Aws::Structure
|
|
899
1036
|
end
|
|
900
1037
|
|
|
901
1038
|
# @!attribute [rw] key_id
|
|
902
|
-
# ARN of the key used to perform the
|
|
903
|
-
#
|
|
1039
|
+
# The ARN of the customer master key that was used to perform the
|
|
1040
|
+
# decryption.
|
|
904
1041
|
# @return [String]
|
|
905
1042
|
#
|
|
906
1043
|
# @!attribute [rw] plaintext
|
|
907
1044
|
# Decrypted plaintext data. When you use the HTTP API or the AWS CLI,
|
|
908
|
-
# the value is Base64-encoded. Otherwise, it is not encoded.
|
|
1045
|
+
# the value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
1046
|
+
# @return [String]
|
|
1047
|
+
#
|
|
1048
|
+
# @!attribute [rw] encryption_algorithm
|
|
1049
|
+
# The encryption algorithm that was used to decrypt the ciphertext.
|
|
909
1050
|
# @return [String]
|
|
910
1051
|
#
|
|
911
1052
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
|
|
912
1053
|
#
|
|
913
1054
|
class DecryptResponse < Struct.new(
|
|
914
1055
|
:key_id,
|
|
915
|
-
:plaintext
|
|
1056
|
+
:plaintext,
|
|
1057
|
+
:encryption_algorithm)
|
|
916
1058
|
include Aws::Structure
|
|
917
1059
|
end
|
|
918
1060
|
|
|
@@ -1186,7 +1328,9 @@ module Aws::KMS
|
|
|
1186
1328
|
# }
|
|
1187
1329
|
#
|
|
1188
1330
|
# @!attribute [rw] key_id
|
|
1189
|
-
#
|
|
1331
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable
|
|
1332
|
+
# automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
|
|
1333
|
+
# material][2], or CMKs in a [custom key store][3].
|
|
1190
1334
|
#
|
|
1191
1335
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
|
1192
1336
|
#
|
|
@@ -1199,6 +1343,12 @@ module Aws::KMS
|
|
|
1199
1343
|
#
|
|
1200
1344
|
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1201
1345
|
# DescribeKey.
|
|
1346
|
+
#
|
|
1347
|
+
#
|
|
1348
|
+
#
|
|
1349
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1350
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1351
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1202
1352
|
# @return [String]
|
|
1203
1353
|
#
|
|
1204
1354
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1282,7 +1432,9 @@ module Aws::KMS
|
|
|
1282
1432
|
# }
|
|
1283
1433
|
#
|
|
1284
1434
|
# @!attribute [rw] key_id
|
|
1285
|
-
#
|
|
1435
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable
|
|
1436
|
+
# automatic rotation of asymmetric CMKs, CMKs with imported key
|
|
1437
|
+
# material, or CMKs in a [custom key store][1].
|
|
1286
1438
|
#
|
|
1287
1439
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
|
1288
1440
|
#
|
|
@@ -1295,6 +1447,10 @@ module Aws::KMS
|
|
|
1295
1447
|
#
|
|
1296
1448
|
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1297
1449
|
# DescribeKey.
|
|
1450
|
+
#
|
|
1451
|
+
#
|
|
1452
|
+
#
|
|
1453
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1298
1454
|
# @return [String]
|
|
1299
1455
|
#
|
|
1300
1456
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1314,6 +1470,7 @@ module Aws::KMS
|
|
|
1314
1470
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1315
1471
|
# },
|
|
1316
1472
|
# grant_tokens: ["GrantTokenType"],
|
|
1473
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
1317
1474
|
# }
|
|
1318
1475
|
#
|
|
1319
1476
|
# @!attribute [rw] key_id
|
|
@@ -1344,10 +1501,20 @@ module Aws::KMS
|
|
|
1344
1501
|
# @return [String]
|
|
1345
1502
|
#
|
|
1346
1503
|
# @!attribute [rw] encryption_context
|
|
1347
|
-
#
|
|
1348
|
-
#
|
|
1349
|
-
#
|
|
1350
|
-
#
|
|
1504
|
+
# Specifies the encryption context that will be used to encrypt the
|
|
1505
|
+
# data. An encryption context is valid only for cryptographic
|
|
1506
|
+
# operations with a symmetric CMK. The standard asymmetric encryption
|
|
1507
|
+
# algorithms that AWS KMS uses do not support an encryption context.
|
|
1508
|
+
#
|
|
1509
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
1510
|
+
# pairs that represents additional authenticated data. When you use an
|
|
1511
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
1512
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1513
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
1514
|
+
# CMK, but it is highly recommended.
|
|
1515
|
+
#
|
|
1516
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
1517
|
+
# Management Service Developer Guide*.
|
|
1351
1518
|
#
|
|
1352
1519
|
#
|
|
1353
1520
|
#
|
|
@@ -1365,37 +1532,54 @@ module Aws::KMS
|
|
|
1365
1532
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
1366
1533
|
# @return [Array<String>]
|
|
1367
1534
|
#
|
|
1535
|
+
# @!attribute [rw] encryption_algorithm
|
|
1536
|
+
# Specifies the encryption algorithm that AWS KMS will use to encrypt
|
|
1537
|
+
# the plaintext message. The algorithm must be compatible with the CMK
|
|
1538
|
+
# that you specify.
|
|
1539
|
+
#
|
|
1540
|
+
# This parameter is required only for asymmetric CMKs. The default
|
|
1541
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1542
|
+
# CMKs. If you are using an asymmetric CMK, we recommend
|
|
1543
|
+
# RSAES\_OAEP\_SHA\_256.
|
|
1544
|
+
# @return [String]
|
|
1545
|
+
#
|
|
1368
1546
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
1369
1547
|
#
|
|
1370
1548
|
class EncryptRequest < Struct.new(
|
|
1371
1549
|
:key_id,
|
|
1372
1550
|
:plaintext,
|
|
1373
1551
|
:encryption_context,
|
|
1374
|
-
:grant_tokens
|
|
1552
|
+
:grant_tokens,
|
|
1553
|
+
:encryption_algorithm)
|
|
1375
1554
|
include Aws::Structure
|
|
1376
1555
|
end
|
|
1377
1556
|
|
|
1378
1557
|
# @!attribute [rw] ciphertext_blob
|
|
1379
1558
|
# The encrypted plaintext. When you use the HTTP API or the AWS CLI,
|
|
1380
|
-
# the value is Base64-encoded. Otherwise, it is not encoded.
|
|
1559
|
+
# the value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
1381
1560
|
# @return [String]
|
|
1382
1561
|
#
|
|
1383
1562
|
# @!attribute [rw] key_id
|
|
1384
1563
|
# The ID of the key used during encryption.
|
|
1385
1564
|
# @return [String]
|
|
1386
1565
|
#
|
|
1566
|
+
# @!attribute [rw] encryption_algorithm
|
|
1567
|
+
# The encryption algorithm that was used to encrypt the plaintext.
|
|
1568
|
+
# @return [String]
|
|
1569
|
+
#
|
|
1387
1570
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptResponse AWS API Documentation
|
|
1388
1571
|
#
|
|
1389
1572
|
class EncryptResponse < Struct.new(
|
|
1390
1573
|
:ciphertext_blob,
|
|
1391
|
-
:key_id
|
|
1574
|
+
:key_id,
|
|
1575
|
+
:encryption_algorithm)
|
|
1392
1576
|
include Aws::Structure
|
|
1393
1577
|
end
|
|
1394
1578
|
|
|
1395
|
-
# The request was rejected because the
|
|
1396
|
-
# Use GetParametersForImport to get a new import token and
|
|
1397
|
-
# use the new public key to encrypt the key material, and
|
|
1398
|
-
# request again.
|
|
1579
|
+
# The request was rejected because the specified import token is
|
|
1580
|
+
# expired. Use GetParametersForImport to get a new import token and
|
|
1581
|
+
# public key, use the new public key to encrypt the key material, and
|
|
1582
|
+
# then try the request again.
|
|
1399
1583
|
#
|
|
1400
1584
|
# @!attribute [rw] message
|
|
1401
1585
|
# @return [String]
|
|
@@ -1407,6 +1591,259 @@ module Aws::KMS
|
|
|
1407
1591
|
include Aws::Structure
|
|
1408
1592
|
end
|
|
1409
1593
|
|
|
1594
|
+
# @note When making an API call, you may pass GenerateDataKeyPairRequest
|
|
1595
|
+
# data as a hash:
|
|
1596
|
+
#
|
|
1597
|
+
# {
|
|
1598
|
+
# encryption_context: {
|
|
1599
|
+
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1600
|
+
# },
|
|
1601
|
+
# key_id: "KeyIdType", # required
|
|
1602
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
1603
|
+
# grant_tokens: ["GrantTokenType"],
|
|
1604
|
+
# }
|
|
1605
|
+
#
|
|
1606
|
+
# @!attribute [rw] encryption_context
|
|
1607
|
+
# Specifies the encryption context that will be used when encrypting
|
|
1608
|
+
# the private key in the data key pair.
|
|
1609
|
+
#
|
|
1610
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
1611
|
+
# pairs that represents additional authenticated data. When you use an
|
|
1612
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
1613
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1614
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
1615
|
+
# CMK, but it is highly recommended.
|
|
1616
|
+
#
|
|
1617
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
1618
|
+
# Management Service Developer Guide*.
|
|
1619
|
+
#
|
|
1620
|
+
#
|
|
1621
|
+
#
|
|
1622
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
1623
|
+
# @return [Hash<String,String>]
|
|
1624
|
+
#
|
|
1625
|
+
# @!attribute [rw] key_id
|
|
1626
|
+
# Specifies the symmetric CMK that encrypts the private key in the
|
|
1627
|
+
# data key pair. You cannot specify an asymmetric CMKs.
|
|
1628
|
+
#
|
|
1629
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
1630
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
1631
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must
|
|
1632
|
+
# use the key ARN or alias ARN.
|
|
1633
|
+
#
|
|
1634
|
+
# For example:
|
|
1635
|
+
#
|
|
1636
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1637
|
+
#
|
|
1638
|
+
# * Key ARN:
|
|
1639
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1640
|
+
#
|
|
1641
|
+
# * Alias name: `alias/ExampleAlias`
|
|
1642
|
+
#
|
|
1643
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
1644
|
+
#
|
|
1645
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1646
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
1647
|
+
# @return [String]
|
|
1648
|
+
#
|
|
1649
|
+
# @!attribute [rw] key_pair_spec
|
|
1650
|
+
# Determines the type of data key pair that is generated.
|
|
1651
|
+
#
|
|
1652
|
+
# The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
|
|
1653
|
+
# encrypt and decrypt or to sign and verify (but not both), and the
|
|
1654
|
+
# rule that permits you to use ECC CMKs only to sign and verify, are
|
|
1655
|
+
# not effective outside of AWS KMS.
|
|
1656
|
+
# @return [String]
|
|
1657
|
+
#
|
|
1658
|
+
# @!attribute [rw] grant_tokens
|
|
1659
|
+
# A list of grant tokens.
|
|
1660
|
+
#
|
|
1661
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key
|
|
1662
|
+
# Management Service Developer Guide*.
|
|
1663
|
+
#
|
|
1664
|
+
#
|
|
1665
|
+
#
|
|
1666
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
1667
|
+
# @return [Array<String>]
|
|
1668
|
+
#
|
|
1669
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
|
1670
|
+
#
|
|
1671
|
+
class GenerateDataKeyPairRequest < Struct.new(
|
|
1672
|
+
:encryption_context,
|
|
1673
|
+
:key_id,
|
|
1674
|
+
:key_pair_spec,
|
|
1675
|
+
:grant_tokens)
|
|
1676
|
+
include Aws::Structure
|
|
1677
|
+
end
|
|
1678
|
+
|
|
1679
|
+
# @!attribute [rw] private_key_ciphertext_blob
|
|
1680
|
+
# The encrypted copy of the private key. When you use the HTTP API or
|
|
1681
|
+
# the AWS CLI, the value is Base64-encoded. Otherwise, it is not
|
|
1682
|
+
# Base64-encoded.
|
|
1683
|
+
# @return [String]
|
|
1684
|
+
#
|
|
1685
|
+
# @!attribute [rw] private_key_plaintext
|
|
1686
|
+
# The plaintext copy of the private key. When you use the HTTP API or
|
|
1687
|
+
# the AWS CLI, the value is Base64-encoded. Otherwise, it is not
|
|
1688
|
+
# Base64-encoded.
|
|
1689
|
+
# @return [String]
|
|
1690
|
+
#
|
|
1691
|
+
# @!attribute [rw] public_key
|
|
1692
|
+
# The public key (in plaintext).
|
|
1693
|
+
# @return [String]
|
|
1694
|
+
#
|
|
1695
|
+
# @!attribute [rw] key_id
|
|
1696
|
+
# The identifier of the CMK that encrypted the private key.
|
|
1697
|
+
# @return [String]
|
|
1698
|
+
#
|
|
1699
|
+
# @!attribute [rw] key_pair_spec
|
|
1700
|
+
# The type of data key pair that was generated.
|
|
1701
|
+
# @return [String]
|
|
1702
|
+
#
|
|
1703
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
|
|
1704
|
+
#
|
|
1705
|
+
class GenerateDataKeyPairResponse < Struct.new(
|
|
1706
|
+
:private_key_ciphertext_blob,
|
|
1707
|
+
:private_key_plaintext,
|
|
1708
|
+
:public_key,
|
|
1709
|
+
:key_id,
|
|
1710
|
+
:key_pair_spec)
|
|
1711
|
+
include Aws::Structure
|
|
1712
|
+
end
|
|
1713
|
+
|
|
1714
|
+
# @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
|
|
1715
|
+
# data as a hash:
|
|
1716
|
+
#
|
|
1717
|
+
# {
|
|
1718
|
+
# encryption_context: {
|
|
1719
|
+
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1720
|
+
# },
|
|
1721
|
+
# key_id: "KeyIdType", # required
|
|
1722
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
1723
|
+
# grant_tokens: ["GrantTokenType"],
|
|
1724
|
+
# }
|
|
1725
|
+
#
|
|
1726
|
+
# @!attribute [rw] encryption_context
|
|
1727
|
+
# Specifies the encryption context that will be used when encrypting
|
|
1728
|
+
# the private key in the data key pair.
|
|
1729
|
+
#
|
|
1730
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
1731
|
+
# pairs that represents additional authenticated data. When you use an
|
|
1732
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
1733
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1734
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
1735
|
+
# CMK, but it is highly recommended.
|
|
1736
|
+
#
|
|
1737
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
1738
|
+
# Management Service Developer Guide*.
|
|
1739
|
+
#
|
|
1740
|
+
#
|
|
1741
|
+
#
|
|
1742
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
1743
|
+
# @return [Hash<String,String>]
|
|
1744
|
+
#
|
|
1745
|
+
# @!attribute [rw] key_id
|
|
1746
|
+
# Specifies the CMK that encrypts the private key in the data key
|
|
1747
|
+
# pair. You must specify a symmetric CMK. You cannot use an asymmetric
|
|
1748
|
+
# CMK.
|
|
1749
|
+
#
|
|
1750
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
1751
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
1752
|
+
# `"alias/"`.
|
|
1753
|
+
#
|
|
1754
|
+
# For example:
|
|
1755
|
+
#
|
|
1756
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1757
|
+
#
|
|
1758
|
+
# * Key ARN:
|
|
1759
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1760
|
+
#
|
|
1761
|
+
# * Alias name: `alias/ExampleAlias`
|
|
1762
|
+
#
|
|
1763
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
1764
|
+
#
|
|
1765
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1766
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
1767
|
+
# @return [String]
|
|
1768
|
+
#
|
|
1769
|
+
# @!attribute [rw] key_pair_spec
|
|
1770
|
+
# Determines the type of data key pair that is generated.
|
|
1771
|
+
#
|
|
1772
|
+
# The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
|
|
1773
|
+
# encrypt and decrypt or to sign and verify (but not both), and the
|
|
1774
|
+
# rule that permits you to use ECC CMKs only to sign and verify, are
|
|
1775
|
+
# not effective outside of AWS KMS.
|
|
1776
|
+
# @return [String]
|
|
1777
|
+
#
|
|
1778
|
+
# @!attribute [rw] grant_tokens
|
|
1779
|
+
# A list of grant tokens.
|
|
1780
|
+
#
|
|
1781
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key
|
|
1782
|
+
# Management Service Developer Guide*.
|
|
1783
|
+
#
|
|
1784
|
+
#
|
|
1785
|
+
#
|
|
1786
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
1787
|
+
# @return [Array<String>]
|
|
1788
|
+
#
|
|
1789
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
|
1790
|
+
#
|
|
1791
|
+
class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
|
|
1792
|
+
:encryption_context,
|
|
1793
|
+
:key_id,
|
|
1794
|
+
:key_pair_spec,
|
|
1795
|
+
:grant_tokens)
|
|
1796
|
+
include Aws::Structure
|
|
1797
|
+
end
|
|
1798
|
+
|
|
1799
|
+
# @!attribute [rw] private_key_ciphertext_blob
|
|
1800
|
+
# The encrypted copy of the private key. When you use the HTTP API or
|
|
1801
|
+
# the AWS CLI, the value is Base64-encoded. Otherwise, it is not
|
|
1802
|
+
# Base64-encoded.
|
|
1803
|
+
# @return [String]
|
|
1804
|
+
#
|
|
1805
|
+
# @!attribute [rw] public_key
|
|
1806
|
+
# The public key (in plaintext).
|
|
1807
|
+
# @return [String]
|
|
1808
|
+
#
|
|
1809
|
+
# @!attribute [rw] key_id
|
|
1810
|
+
# Specifies the CMK that encrypted the private key in the data key
|
|
1811
|
+
# pair. You must specify a symmetric CMK. You cannot use an asymmetric
|
|
1812
|
+
# CMK.
|
|
1813
|
+
#
|
|
1814
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
1815
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
1816
|
+
# `"alias/"`.
|
|
1817
|
+
#
|
|
1818
|
+
# For example:
|
|
1819
|
+
#
|
|
1820
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1821
|
+
#
|
|
1822
|
+
# * Key ARN:
|
|
1823
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
1824
|
+
#
|
|
1825
|
+
# * Alias name: `alias/ExampleAlias`
|
|
1826
|
+
#
|
|
1827
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
1828
|
+
#
|
|
1829
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
1830
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
1831
|
+
# @return [String]
|
|
1832
|
+
#
|
|
1833
|
+
# @!attribute [rw] key_pair_spec
|
|
1834
|
+
# The type of data key pair that was generated.
|
|
1835
|
+
# @return [String]
|
|
1836
|
+
#
|
|
1837
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextResponse AWS API Documentation
|
|
1838
|
+
#
|
|
1839
|
+
class GenerateDataKeyPairWithoutPlaintextResponse < Struct.new(
|
|
1840
|
+
:private_key_ciphertext_blob,
|
|
1841
|
+
:public_key,
|
|
1842
|
+
:key_id,
|
|
1843
|
+
:key_pair_spec)
|
|
1844
|
+
include Aws::Structure
|
|
1845
|
+
end
|
|
1846
|
+
|
|
1410
1847
|
# @note When making an API call, you may pass GenerateDataKeyRequest
|
|
1411
1848
|
# data as a hash:
|
|
1412
1849
|
#
|
|
@@ -1421,7 +1858,7 @@ module Aws::KMS
|
|
|
1421
1858
|
# }
|
|
1422
1859
|
#
|
|
1423
1860
|
# @!attribute [rw] key_id
|
|
1424
|
-
#
|
|
1861
|
+
# Identifies the symmetric CMK that encrypts the data key.
|
|
1425
1862
|
#
|
|
1426
1863
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
1427
1864
|
# name, or alias ARN. When using an alias name, prefix it with
|
|
@@ -1444,8 +1881,15 @@ module Aws::KMS
|
|
|
1444
1881
|
# @return [String]
|
|
1445
1882
|
#
|
|
1446
1883
|
# @!attribute [rw] encryption_context
|
|
1447
|
-
#
|
|
1448
|
-
# data.
|
|
1884
|
+
# Specifies the encryption context that will be used when encrypting
|
|
1885
|
+
# the data key.
|
|
1886
|
+
#
|
|
1887
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
1888
|
+
# pairs that represents additional authenticated data. When you use an
|
|
1889
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
1890
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1891
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
1892
|
+
# CMK, but it is highly recommended.
|
|
1449
1893
|
#
|
|
1450
1894
|
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
1451
1895
|
# Management Service Developer Guide*.
|
|
@@ -1456,15 +1900,22 @@ module Aws::KMS
|
|
|
1456
1900
|
# @return [Hash<String,String>]
|
|
1457
1901
|
#
|
|
1458
1902
|
# @!attribute [rw] number_of_bytes
|
|
1459
|
-
#
|
|
1460
|
-
# to generate a 512-bit data key (64 bytes is 512 bits). For
|
|
1461
|
-
#
|
|
1462
|
-
#
|
|
1903
|
+
# Specifies the length of the data key in bytes. For example, use the
|
|
1904
|
+
# value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
|
|
1905
|
+
# 128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
|
|
1906
|
+
# parameter.
|
|
1907
|
+
#
|
|
1908
|
+
# You must specify either the `KeySpec` or the `NumberOfBytes`
|
|
1909
|
+
# parameter (but not both) in every `GenerateDataKey` request.
|
|
1463
1910
|
# @return [Integer]
|
|
1464
1911
|
#
|
|
1465
1912
|
# @!attribute [rw] key_spec
|
|
1466
|
-
#
|
|
1467
|
-
# symmetric key, or `AES_256` to generate a 256-bit symmetric
|
|
1913
|
+
# Specifies the length of the data key. Use `AES_128` to generate a
|
|
1914
|
+
# 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
|
|
1915
|
+
# key.
|
|
1916
|
+
#
|
|
1917
|
+
# You must specify either the `KeySpec` or the `NumberOfBytes`
|
|
1918
|
+
# parameter (but not both) in every `GenerateDataKey` request.
|
|
1468
1919
|
# @return [String]
|
|
1469
1920
|
#
|
|
1470
1921
|
# @!attribute [rw] grant_tokens
|
|
@@ -1491,14 +1942,15 @@ module Aws::KMS
|
|
|
1491
1942
|
|
|
1492
1943
|
# @!attribute [rw] ciphertext_blob
|
|
1493
1944
|
# The encrypted copy of the data key. When you use the HTTP API or the
|
|
1494
|
-
# AWS CLI, the value is Base64-encoded. Otherwise, it is not
|
|
1945
|
+
# AWS CLI, the value is Base64-encoded. Otherwise, it is not
|
|
1946
|
+
# Base64-encoded.
|
|
1495
1947
|
# @return [String]
|
|
1496
1948
|
#
|
|
1497
1949
|
# @!attribute [rw] plaintext
|
|
1498
1950
|
# The plaintext data key. When you use the HTTP API or the AWS CLI,
|
|
1499
|
-
# the value is Base64-encoded. Otherwise, it is not encoded.
|
|
1500
|
-
# data key to encrypt your data outside of KMS. Then, remove
|
|
1501
|
-
# memory as soon as possible.
|
|
1951
|
+
# the value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
1952
|
+
# Use this data key to encrypt your data outside of KMS. Then, remove
|
|
1953
|
+
# it from memory as soon as possible.
|
|
1502
1954
|
# @return [String]
|
|
1503
1955
|
#
|
|
1504
1956
|
# @!attribute [rw] key_id
|
|
@@ -1528,8 +1980,8 @@ module Aws::KMS
|
|
|
1528
1980
|
# }
|
|
1529
1981
|
#
|
|
1530
1982
|
# @!attribute [rw] key_id
|
|
1531
|
-
# The identifier of the customer master key (CMK) that
|
|
1532
|
-
# data key.
|
|
1983
|
+
# The identifier of the symmetric customer master key (CMK) that
|
|
1984
|
+
# encrypts the data key.
|
|
1533
1985
|
#
|
|
1534
1986
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
1535
1987
|
# name, or alias ARN. When using an alias name, prefix it with
|
|
@@ -1552,8 +2004,15 @@ module Aws::KMS
|
|
|
1552
2004
|
# @return [String]
|
|
1553
2005
|
#
|
|
1554
2006
|
# @!attribute [rw] encryption_context
|
|
1555
|
-
#
|
|
1556
|
-
# data.
|
|
2007
|
+
# Specifies the encryption context that will be used when encrypting
|
|
2008
|
+
# the data key.
|
|
2009
|
+
#
|
|
2010
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
2011
|
+
# pairs that represents additional authenticated data. When you use an
|
|
2012
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
2013
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2014
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
2015
|
+
# CMK, but it is highly recommended.
|
|
1557
2016
|
#
|
|
1558
2017
|
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
1559
2018
|
# Management Service Developer Guide*.
|
|
@@ -1599,7 +2058,7 @@ module Aws::KMS
|
|
|
1599
2058
|
|
|
1600
2059
|
# @!attribute [rw] ciphertext_blob
|
|
1601
2060
|
# The encrypted data key. When you use the HTTP API or the AWS CLI,
|
|
1602
|
-
# the value is Base64-encoded. Otherwise, it is not encoded.
|
|
2061
|
+
# the value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
1603
2062
|
# @return [String]
|
|
1604
2063
|
#
|
|
1605
2064
|
# @!attribute [rw] key_id
|
|
@@ -1646,7 +2105,7 @@ module Aws::KMS
|
|
|
1646
2105
|
|
|
1647
2106
|
# @!attribute [rw] plaintext
|
|
1648
2107
|
# The random byte string. When you use the HTTP API or the AWS CLI,
|
|
1649
|
-
# the value is Base64-encoded. Otherwise, it is not encoded.
|
|
2108
|
+
# the value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
1650
2109
|
# @return [String]
|
|
1651
2110
|
#
|
|
1652
2111
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
|
@@ -1756,8 +2215,8 @@ module Aws::KMS
|
|
|
1756
2215
|
# }
|
|
1757
2216
|
#
|
|
1758
2217
|
# @!attribute [rw] key_id
|
|
1759
|
-
# The identifier of the CMK into which you will import key
|
|
1760
|
-
# The
|
|
2218
|
+
# The identifier of the symmetric CMK into which you will import key
|
|
2219
|
+
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
|
1761
2220
|
#
|
|
1762
2221
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
|
1763
2222
|
#
|
|
@@ -1788,44 +2247,155 @@ module Aws::KMS
|
|
|
1788
2247
|
# Only 2048-bit RSA public keys are supported.
|
|
1789
2248
|
# @return [String]
|
|
1790
2249
|
#
|
|
1791
|
-
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
|
2250
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
|
2251
|
+
#
|
|
2252
|
+
class GetParametersForImportRequest < Struct.new(
|
|
2253
|
+
:key_id,
|
|
2254
|
+
:wrapping_algorithm,
|
|
2255
|
+
:wrapping_key_spec)
|
|
2256
|
+
include Aws::Structure
|
|
2257
|
+
end
|
|
2258
|
+
|
|
2259
|
+
# @!attribute [rw] key_id
|
|
2260
|
+
# The identifier of the CMK to use in a subsequent ImportKeyMaterial
|
|
2261
|
+
# request. This is the same CMK specified in the
|
|
2262
|
+
# `GetParametersForImport` request.
|
|
2263
|
+
# @return [String]
|
|
2264
|
+
#
|
|
2265
|
+
# @!attribute [rw] import_token
|
|
2266
|
+
# The import token to send in a subsequent ImportKeyMaterial request.
|
|
2267
|
+
# @return [String]
|
|
2268
|
+
#
|
|
2269
|
+
# @!attribute [rw] public_key
|
|
2270
|
+
# The public key to use to encrypt the key material before importing
|
|
2271
|
+
# it with ImportKeyMaterial.
|
|
2272
|
+
# @return [String]
|
|
2273
|
+
#
|
|
2274
|
+
# @!attribute [rw] parameters_valid_to
|
|
2275
|
+
# The time at which the import token and public key are no longer
|
|
2276
|
+
# valid. After this time, you cannot use them to make an
|
|
2277
|
+
# ImportKeyMaterial request and you must send another
|
|
2278
|
+
# `GetParametersForImport` request to get new ones.
|
|
2279
|
+
# @return [Time]
|
|
2280
|
+
#
|
|
2281
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportResponse AWS API Documentation
|
|
2282
|
+
#
|
|
2283
|
+
class GetParametersForImportResponse < Struct.new(
|
|
2284
|
+
:key_id,
|
|
2285
|
+
:import_token,
|
|
2286
|
+
:public_key,
|
|
2287
|
+
:parameters_valid_to)
|
|
2288
|
+
include Aws::Structure
|
|
2289
|
+
end
|
|
2290
|
+
|
|
2291
|
+
# @note When making an API call, you may pass GetPublicKeyRequest
|
|
2292
|
+
# data as a hash:
|
|
2293
|
+
#
|
|
2294
|
+
# {
|
|
2295
|
+
# key_id: "KeyIdType", # required
|
|
2296
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2297
|
+
# }
|
|
2298
|
+
#
|
|
2299
|
+
# @!attribute [rw] key_id
|
|
2300
|
+
# Identifies the asymmetric CMK that includes the public key.
|
|
2301
|
+
#
|
|
2302
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
2303
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
2304
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must
|
|
2305
|
+
# use the key ARN or alias ARN.
|
|
2306
|
+
#
|
|
2307
|
+
# For example:
|
|
2308
|
+
#
|
|
2309
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
2310
|
+
#
|
|
2311
|
+
# * Key ARN:
|
|
2312
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
2313
|
+
#
|
|
2314
|
+
# * Alias name: `alias/ExampleAlias`
|
|
2315
|
+
#
|
|
2316
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
2317
|
+
#
|
|
2318
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
2319
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
2320
|
+
# @return [String]
|
|
2321
|
+
#
|
|
2322
|
+
# @!attribute [rw] grant_tokens
|
|
2323
|
+
# A list of grant tokens.
|
|
2324
|
+
#
|
|
2325
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key
|
|
2326
|
+
# Management Service Developer Guide*.
|
|
2327
|
+
#
|
|
2328
|
+
#
|
|
2329
|
+
#
|
|
2330
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
2331
|
+
# @return [Array<String>]
|
|
1792
2332
|
#
|
|
1793
|
-
|
|
2333
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
|
|
2334
|
+
#
|
|
2335
|
+
class GetPublicKeyRequest < Struct.new(
|
|
1794
2336
|
:key_id,
|
|
1795
|
-
:
|
|
1796
|
-
:wrapping_key_spec)
|
|
2337
|
+
:grant_tokens)
|
|
1797
2338
|
include Aws::Structure
|
|
1798
2339
|
end
|
|
1799
2340
|
|
|
1800
2341
|
# @!attribute [rw] key_id
|
|
1801
|
-
# The identifier of the CMK
|
|
1802
|
-
#
|
|
1803
|
-
# `GetParametersForImport` request.
|
|
2342
|
+
# The identifier of the asymmetric CMK from which the public key was
|
|
2343
|
+
# downloaded.
|
|
1804
2344
|
# @return [String]
|
|
1805
2345
|
#
|
|
1806
|
-
# @!attribute [rw]
|
|
1807
|
-
# The
|
|
2346
|
+
# @!attribute [rw] public_key
|
|
2347
|
+
# The exported public key.
|
|
2348
|
+
#
|
|
2349
|
+
# This value is returned as a binary [Distinguished Encoding Rules][1]
|
|
2350
|
+
# (DER)-encoded object. To decode it, use an ASN.1 parsing tool, such
|
|
2351
|
+
# as [OpenSSL asn1parse][2].
|
|
2352
|
+
#
|
|
2353
|
+
#
|
|
2354
|
+
#
|
|
2355
|
+
# [1]: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
|
2356
|
+
# [2]: https://www.openssl.org/docs/man1.0.2/man1/asn1parse.html
|
|
1808
2357
|
# @return [String]
|
|
1809
2358
|
#
|
|
1810
|
-
# @!attribute [rw]
|
|
1811
|
-
# The
|
|
1812
|
-
# it with ImportKeyMaterial.
|
|
2359
|
+
# @!attribute [rw] customer_master_key_spec
|
|
2360
|
+
# The type of the of the public key that was downloaded.
|
|
1813
2361
|
# @return [String]
|
|
1814
2362
|
#
|
|
1815
|
-
# @!attribute [rw]
|
|
1816
|
-
# The
|
|
1817
|
-
#
|
|
1818
|
-
# ImportKeyMaterial request and you must send another
|
|
1819
|
-
# `GetParametersForImport` request to get new ones.
|
|
1820
|
-
# @return [Time]
|
|
2363
|
+
# @!attribute [rw] key_usage
|
|
2364
|
+
# The permitted use of the public key. Valid values are
|
|
2365
|
+
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
1821
2366
|
#
|
|
1822
|
-
#
|
|
2367
|
+
# This information is critical. If a public key with `SIGN_VERIFY` key
|
|
2368
|
+
# usage encrypts data outside of AWS KMS, the ciphertext cannot be
|
|
2369
|
+
# decrypted.
|
|
2370
|
+
# @return [String]
|
|
1823
2371
|
#
|
|
1824
|
-
|
|
2372
|
+
# @!attribute [rw] encryption_algorithms
|
|
2373
|
+
# The encryption algorithms that AWS KMS supports for this key.
|
|
2374
|
+
#
|
|
2375
|
+
# This information is critical. If a public key encrypts data outside
|
|
2376
|
+
# of AWS KMS by using an unsupported encryption algorithm, the
|
|
2377
|
+
# ciphertext cannot be decrypted.
|
|
2378
|
+
#
|
|
2379
|
+
# This field appears in the response only when the `KeyUsage` of the
|
|
2380
|
+
# public key is `ENCRYPT_DECRYPT`.
|
|
2381
|
+
# @return [Array<String>]
|
|
2382
|
+
#
|
|
2383
|
+
# @!attribute [rw] signing_algorithms
|
|
2384
|
+
# The signing algorithms that AWS KMS supports for this key.
|
|
2385
|
+
#
|
|
2386
|
+
# This field appears in the response only when the `KeyUsage` of the
|
|
2387
|
+
# public key is `SIGN_VERIFY`.
|
|
2388
|
+
# @return [Array<String>]
|
|
2389
|
+
#
|
|
2390
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
|
|
2391
|
+
#
|
|
2392
|
+
class GetPublicKeyResponse < Struct.new(
|
|
1825
2393
|
:key_id,
|
|
1826
|
-
:import_token,
|
|
1827
2394
|
:public_key,
|
|
1828
|
-
:
|
|
2395
|
+
:customer_master_key_spec,
|
|
2396
|
+
:key_usage,
|
|
2397
|
+
:encryption_algorithms,
|
|
2398
|
+
:signing_algorithms)
|
|
1829
2399
|
include Aws::Structure
|
|
1830
2400
|
end
|
|
1831
2401
|
|
|
@@ -1974,8 +2544,10 @@ module Aws::KMS
|
|
|
1974
2544
|
# }
|
|
1975
2545
|
#
|
|
1976
2546
|
# @!attribute [rw] key_id
|
|
1977
|
-
# The identifier of the CMK
|
|
1978
|
-
# CMK's `Origin` must be `EXTERNAL`.
|
|
2547
|
+
# The identifier of the symmetric CMK that receives the imported key
|
|
2548
|
+
# material. The CMK's `Origin` must be `EXTERNAL`. This must be the
|
|
2549
|
+
# same CMK specified in the `KeyID` parameter of the corresponding
|
|
2550
|
+
# GetParametersForImport request.
|
|
1979
2551
|
#
|
|
1980
2552
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
|
1981
2553
|
#
|
|
@@ -1998,10 +2570,10 @@ module Aws::KMS
|
|
|
1998
2570
|
# @return [String]
|
|
1999
2571
|
#
|
|
2000
2572
|
# @!attribute [rw] encrypted_key_material
|
|
2001
|
-
# The encrypted key material to import.
|
|
2002
|
-
#
|
|
2003
|
-
#
|
|
2004
|
-
#
|
|
2573
|
+
# The encrypted key material to import. The key material must be
|
|
2574
|
+
# encrypted with the public wrapping key that GetParametersForImport
|
|
2575
|
+
# returned, using the wrapping algorithm that you specified in the
|
|
2576
|
+
# same `GetParametersForImport` request.
|
|
2005
2577
|
# @return [String]
|
|
2006
2578
|
#
|
|
2007
2579
|
# @!attribute [rw] valid_to
|
|
@@ -2035,9 +2607,24 @@ module Aws::KMS
|
|
|
2035
2607
|
#
|
|
2036
2608
|
class ImportKeyMaterialResponse < Aws::EmptyStructure; end
|
|
2037
2609
|
|
|
2038
|
-
# The request was rejected because the
|
|
2039
|
-
#
|
|
2040
|
-
#
|
|
2610
|
+
# The request was rejected because the specified CMK cannot decrypt the
|
|
2611
|
+
# data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
|
2612
|
+
# ReEncrypt request must identify the same CMK that was used to encrypt
|
|
2613
|
+
# the ciphertext.
|
|
2614
|
+
#
|
|
2615
|
+
# @!attribute [rw] message
|
|
2616
|
+
# @return [String]
|
|
2617
|
+
#
|
|
2618
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/IncorrectKeyException AWS API Documentation
|
|
2619
|
+
#
|
|
2620
|
+
class IncorrectKeyException < Struct.new(
|
|
2621
|
+
:message)
|
|
2622
|
+
include Aws::Structure
|
|
2623
|
+
end
|
|
2624
|
+
|
|
2625
|
+
# The request was rejected because the key material in the request is,
|
|
2626
|
+
# expired, invalid, or is not the same key material that was previously
|
|
2627
|
+
# imported into this customer master key (CMK).
|
|
2041
2628
|
#
|
|
2042
2629
|
# @!attribute [rw] message
|
|
2043
2630
|
# @return [String]
|
|
@@ -2096,10 +2683,13 @@ module Aws::KMS
|
|
|
2096
2683
|
include Aws::Structure
|
|
2097
2684
|
end
|
|
2098
2685
|
|
|
2099
|
-
#
|
|
2100
|
-
#
|
|
2101
|
-
# as the encryption context, is
|
|
2102
|
-
# invalid.
|
|
2686
|
+
# From the Decrypt or ReEncrypt operation, the request was rejected
|
|
2687
|
+
# because the specified ciphertext, or additional authenticated data
|
|
2688
|
+
# incorporated into the ciphertext, such as the encryption context, is
|
|
2689
|
+
# corrupted, missing, or otherwise invalid.
|
|
2690
|
+
#
|
|
2691
|
+
# From the ImportKeyMaterial operation, the request was rejected because
|
|
2692
|
+
# AWS KMS could not decrypt the encrypted (wrapped) key material.
|
|
2103
2693
|
#
|
|
2104
2694
|
# @!attribute [rw] message
|
|
2105
2695
|
# @return [String]
|
|
@@ -2149,8 +2739,22 @@ module Aws::KMS
|
|
|
2149
2739
|
include Aws::Structure
|
|
2150
2740
|
end
|
|
2151
2741
|
|
|
2152
|
-
# The request was rejected
|
|
2153
|
-
#
|
|
2742
|
+
# The request was rejected for one of the following reasons:
|
|
2743
|
+
#
|
|
2744
|
+
# * The `KeyUsage` value of the CMK is incompatible with the API
|
|
2745
|
+
# operation.
|
|
2746
|
+
#
|
|
2747
|
+
# * The encryption algorithm or signing algorithm specified for the
|
|
2748
|
+
# operation is incompatible with the type of key material in the CMK
|
|
2749
|
+
# `(CustomerMasterKeySpec`).
|
|
2750
|
+
#
|
|
2751
|
+
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
2752
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
|
|
2753
|
+
# the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK,
|
|
2754
|
+
# use the DescribeKey operation.
|
|
2755
|
+
#
|
|
2756
|
+
# To find the encryption or signing algorithms supported for a
|
|
2757
|
+
# particular CMK, use the DescribeKey operation.
|
|
2154
2758
|
#
|
|
2155
2759
|
# @!attribute [rw] message
|
|
2156
2760
|
# @return [String]
|
|
@@ -2192,8 +2796,8 @@ module Aws::KMS
|
|
|
2192
2796
|
# is not valid for this request.
|
|
2193
2797
|
#
|
|
2194
2798
|
# For more information about how key state affects the use of a CMK, see
|
|
2195
|
-
# [How Key State Affects Use of a Customer Master Key][1] in the
|
|
2196
|
-
# Key Management Service Developer Guide
|
|
2799
|
+
# [How Key State Affects Use of a Customer Master Key][1] in the <i>
|
|
2800
|
+
# <i>AWS Key Management Service Developer Guide</i> </i>.
|
|
2197
2801
|
#
|
|
2198
2802
|
#
|
|
2199
2803
|
#
|
|
@@ -2264,9 +2868,7 @@ module Aws::KMS
|
|
|
2264
2868
|
# @return [String]
|
|
2265
2869
|
#
|
|
2266
2870
|
# @!attribute [rw] key_usage
|
|
2267
|
-
# The cryptographic operations for which you can use the CMK.
|
|
2268
|
-
# valid value is `ENCRYPT_DECRYPT`, which means you can use the CMK to
|
|
2269
|
-
# encrypt and decrypt data.
|
|
2871
|
+
# The cryptographic operations for which you can use the CMK.
|
|
2270
2872
|
# @return [String]
|
|
2271
2873
|
#
|
|
2272
2874
|
# @!attribute [rw] key_state
|
|
@@ -2342,6 +2944,26 @@ module Aws::KMS
|
|
|
2342
2944
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
|
2343
2945
|
# @return [String]
|
|
2344
2946
|
#
|
|
2947
|
+
# @!attribute [rw] customer_master_key_spec
|
|
2948
|
+
# Describes the type of key material in the CMK.
|
|
2949
|
+
# @return [String]
|
|
2950
|
+
#
|
|
2951
|
+
# @!attribute [rw] encryption_algorithms
|
|
2952
|
+
# A list of encryption algorithms that the CMK supports. You cannot
|
|
2953
|
+
# use the CMK with other encryption algorithms within AWS KMS.
|
|
2954
|
+
#
|
|
2955
|
+
# This field appears only when the `KeyUsage` of the CMK is
|
|
2956
|
+
# `ENCRYPT_DECRYPT`.
|
|
2957
|
+
# @return [Array<String>]
|
|
2958
|
+
#
|
|
2959
|
+
# @!attribute [rw] signing_algorithms
|
|
2960
|
+
# A list of signing algorithms that the CMK supports. You cannot use
|
|
2961
|
+
# the CMK with other signing algorithms within AWS KMS.
|
|
2962
|
+
#
|
|
2963
|
+
# This field appears only when the `KeyUsage` of the CMK is
|
|
2964
|
+
# `SIGN_VERIFY`.
|
|
2965
|
+
# @return [Array<String>]
|
|
2966
|
+
#
|
|
2345
2967
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
2346
2968
|
#
|
|
2347
2969
|
class KeyMetadata < Struct.new(
|
|
@@ -2359,12 +2981,15 @@ module Aws::KMS
|
|
|
2359
2981
|
:custom_key_store_id,
|
|
2360
2982
|
:cloud_hsm_cluster_id,
|
|
2361
2983
|
:expiration_model,
|
|
2362
|
-
:key_manager
|
|
2984
|
+
:key_manager,
|
|
2985
|
+
:customer_master_key_spec,
|
|
2986
|
+
:encryption_algorithms,
|
|
2987
|
+
:signing_algorithms)
|
|
2363
2988
|
include Aws::Structure
|
|
2364
2989
|
end
|
|
2365
2990
|
|
|
2366
2991
|
# The request was rejected because the specified CMK was not available.
|
|
2367
|
-
#
|
|
2992
|
+
# You can retry the request.
|
|
2368
2993
|
#
|
|
2369
2994
|
# @!attribute [rw] message
|
|
2370
2995
|
# @return [String]
|
|
@@ -2929,10 +3554,13 @@ module Aws::KMS
|
|
|
2929
3554
|
# source_encryption_context: {
|
|
2930
3555
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2931
3556
|
# },
|
|
3557
|
+
# source_key_id: "KeyIdType",
|
|
2932
3558
|
# destination_key_id: "KeyIdType", # required
|
|
2933
3559
|
# destination_encryption_context: {
|
|
2934
3560
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2935
3561
|
# },
|
|
3562
|
+
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
3563
|
+
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
2936
3564
|
# grant_tokens: ["GrantTokenType"],
|
|
2937
3565
|
# }
|
|
2938
3566
|
#
|
|
@@ -2941,12 +3569,64 @@ module Aws::KMS
|
|
|
2941
3569
|
# @return [String]
|
|
2942
3570
|
#
|
|
2943
3571
|
# @!attribute [rw] source_encryption_context
|
|
2944
|
-
#
|
|
2945
|
-
# the
|
|
3572
|
+
# Specifies the encryption context to use to decrypt the ciphertext.
|
|
3573
|
+
# Enter the same encryption context that was used to encrypt the
|
|
3574
|
+
# ciphertext.
|
|
3575
|
+
#
|
|
3576
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
3577
|
+
# pairs that represents additional authenticated data. When you use an
|
|
3578
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
3579
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
3580
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
3581
|
+
# CMK, but it is highly recommended.
|
|
3582
|
+
#
|
|
3583
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
3584
|
+
# Management Service Developer Guide*.
|
|
3585
|
+
#
|
|
3586
|
+
#
|
|
3587
|
+
#
|
|
3588
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
2946
3589
|
# @return [Hash<String,String>]
|
|
2947
3590
|
#
|
|
3591
|
+
# @!attribute [rw] source_key_id
|
|
3592
|
+
# A unique identifier for the CMK that is used to decrypt the
|
|
3593
|
+
# ciphertext before it reencrypts it using the destination CMK.
|
|
3594
|
+
#
|
|
3595
|
+
# This parameter is required only when the ciphertext was encrypted
|
|
3596
|
+
# under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that
|
|
3597
|
+
# it adds to the ciphertext blob to determine which CMK was used to
|
|
3598
|
+
# encrypt the ciphertext. However, you can use this parameter to
|
|
3599
|
+
# ensure that a particular CMK (of any kind) is used to decrypt the
|
|
3600
|
+
# ciphertext before it is reencrypted.
|
|
3601
|
+
#
|
|
3602
|
+
# If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
|
|
3603
|
+
# operation succeeds only if the specified CMK was used to encrypt the
|
|
3604
|
+
# ciphertext.
|
|
3605
|
+
#
|
|
3606
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
3607
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
3608
|
+
# `"alias/"`.
|
|
3609
|
+
#
|
|
3610
|
+
# For example:
|
|
3611
|
+
#
|
|
3612
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3613
|
+
#
|
|
3614
|
+
# * Key ARN:
|
|
3615
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3616
|
+
#
|
|
3617
|
+
# * Alias name: `alias/ExampleAlias`
|
|
3618
|
+
#
|
|
3619
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
3620
|
+
#
|
|
3621
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
3622
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
3623
|
+
# @return [String]
|
|
3624
|
+
#
|
|
2948
3625
|
# @!attribute [rw] destination_key_id
|
|
2949
3626
|
# A unique identifier for the CMK that is used to reencrypt the data.
|
|
3627
|
+
# Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
|
|
3628
|
+
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
|
|
3629
|
+
# DescribeKey operation.
|
|
2950
3630
|
#
|
|
2951
3631
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
2952
3632
|
# name, or alias ARN. When using an alias name, prefix it with
|
|
@@ -2969,9 +3649,51 @@ module Aws::KMS
|
|
|
2969
3649
|
# @return [String]
|
|
2970
3650
|
#
|
|
2971
3651
|
# @!attribute [rw] destination_encryption_context
|
|
2972
|
-
#
|
|
3652
|
+
# Specifies that encryption context to use when the reencrypting the
|
|
3653
|
+
# data.
|
|
3654
|
+
#
|
|
3655
|
+
# A destination encryption context is valid only when the destination
|
|
3656
|
+
# CMK is a symmetric CMK. The standard ciphertext format for
|
|
3657
|
+
# asymmetric CMKs does not include fields for metadata.
|
|
3658
|
+
#
|
|
3659
|
+
# An *encryption context* is a collection of non-secret key-value
|
|
3660
|
+
# pairs that represents additional authenticated data. When you use an
|
|
3661
|
+
# encryption context to encrypt data, you must specify the same (an
|
|
3662
|
+
# exact case-sensitive match) encryption context to decrypt the data.
|
|
3663
|
+
# An encryption context is optional when encrypting with a symmetric
|
|
3664
|
+
# CMK, but it is highly recommended.
|
|
3665
|
+
#
|
|
3666
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
|
3667
|
+
# Management Service Developer Guide*.
|
|
3668
|
+
#
|
|
3669
|
+
#
|
|
3670
|
+
#
|
|
3671
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
2973
3672
|
# @return [Hash<String,String>]
|
|
2974
3673
|
#
|
|
3674
|
+
# @!attribute [rw] source_encryption_algorithm
|
|
3675
|
+
# Specifies the encryption algorithm that AWS KMS will use to decrypt
|
|
3676
|
+
# the ciphertext before it is reencrypted. The default value,
|
|
3677
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
3678
|
+
# CMKs.
|
|
3679
|
+
#
|
|
3680
|
+
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
3681
|
+
# If you specify a different algorithm, the decrypt attempt fails.
|
|
3682
|
+
#
|
|
3683
|
+
# This parameter is required only when the ciphertext was encrypted
|
|
3684
|
+
# under an asymmetric CMK.
|
|
3685
|
+
# @return [String]
|
|
3686
|
+
#
|
|
3687
|
+
# @!attribute [rw] destination_encryption_algorithm
|
|
3688
|
+
# Specifies the encryption algorithm that AWS KMS will use to reecrypt
|
|
3689
|
+
# the data after it has decrypted it. The default value,
|
|
3690
|
+
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
3691
|
+
# symmetric CMKs.
|
|
3692
|
+
#
|
|
3693
|
+
# This parameter is required only when the destination CMK is an
|
|
3694
|
+
# asymmetric CMK.
|
|
3695
|
+
# @return [String]
|
|
3696
|
+
#
|
|
2975
3697
|
# @!attribute [rw] grant_tokens
|
|
2976
3698
|
# A list of grant tokens.
|
|
2977
3699
|
#
|
|
@@ -2988,15 +3710,18 @@ module Aws::KMS
|
|
|
2988
3710
|
class ReEncryptRequest < Struct.new(
|
|
2989
3711
|
:ciphertext_blob,
|
|
2990
3712
|
:source_encryption_context,
|
|
3713
|
+
:source_key_id,
|
|
2991
3714
|
:destination_key_id,
|
|
2992
3715
|
:destination_encryption_context,
|
|
3716
|
+
:source_encryption_algorithm,
|
|
3717
|
+
:destination_encryption_algorithm,
|
|
2993
3718
|
:grant_tokens)
|
|
2994
3719
|
include Aws::Structure
|
|
2995
3720
|
end
|
|
2996
3721
|
|
|
2997
3722
|
# @!attribute [rw] ciphertext_blob
|
|
2998
3723
|
# The reencrypted data. When you use the HTTP API or the AWS CLI, the
|
|
2999
|
-
# value is Base64-encoded. Otherwise, it is not encoded.
|
|
3724
|
+
# value is Base64-encoded. Otherwise, it is not Base64-encoded.
|
|
3000
3725
|
# @return [String]
|
|
3001
3726
|
#
|
|
3002
3727
|
# @!attribute [rw] source_key_id
|
|
@@ -3007,12 +3732,23 @@ module Aws::KMS
|
|
|
3007
3732
|
# Unique identifier of the CMK used to reencrypt the data.
|
|
3008
3733
|
# @return [String]
|
|
3009
3734
|
#
|
|
3735
|
+
# @!attribute [rw] source_encryption_algorithm
|
|
3736
|
+
# The encryption algorithm that was used to decrypt the ciphertext
|
|
3737
|
+
# before it was reencrypted.
|
|
3738
|
+
# @return [String]
|
|
3739
|
+
#
|
|
3740
|
+
# @!attribute [rw] destination_encryption_algorithm
|
|
3741
|
+
# The encryption algorithm that was used to reencrypt the data.
|
|
3742
|
+
# @return [String]
|
|
3743
|
+
#
|
|
3010
3744
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptResponse AWS API Documentation
|
|
3011
3745
|
#
|
|
3012
3746
|
class ReEncryptResponse < Struct.new(
|
|
3013
3747
|
:ciphertext_blob,
|
|
3014
3748
|
:source_key_id,
|
|
3015
|
-
:key_id
|
|
3749
|
+
:key_id,
|
|
3750
|
+
:source_encryption_algorithm,
|
|
3751
|
+
:destination_encryption_algorithm)
|
|
3016
3752
|
include Aws::Structure
|
|
3017
3753
|
end
|
|
3018
3754
|
|
|
@@ -3151,6 +3887,108 @@ module Aws::KMS
|
|
|
3151
3887
|
include Aws::Structure
|
|
3152
3888
|
end
|
|
3153
3889
|
|
|
3890
|
+
# @note When making an API call, you may pass SignRequest
|
|
3891
|
+
# data as a hash:
|
|
3892
|
+
#
|
|
3893
|
+
# {
|
|
3894
|
+
# key_id: "KeyIdType", # required
|
|
3895
|
+
# message: "data", # required
|
|
3896
|
+
# message_type: "RAW", # accepts RAW, DIGEST
|
|
3897
|
+
# grant_tokens: ["GrantTokenType"],
|
|
3898
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
3899
|
+
# }
|
|
3900
|
+
#
|
|
3901
|
+
# @!attribute [rw] key_id
|
|
3902
|
+
# Identifies an asymmetric CMK. AWS KMS uses the private key in the
|
|
3903
|
+
# asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
|
|
3904
|
+
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
|
|
3905
|
+
# DescribeKey operation.
|
|
3906
|
+
#
|
|
3907
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
3908
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
3909
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must
|
|
3910
|
+
# use the key ARN or alias ARN.
|
|
3911
|
+
#
|
|
3912
|
+
# For example:
|
|
3913
|
+
#
|
|
3914
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3915
|
+
#
|
|
3916
|
+
# * Key ARN:
|
|
3917
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3918
|
+
#
|
|
3919
|
+
# * Alias name: `alias/ExampleAlias`
|
|
3920
|
+
#
|
|
3921
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
3922
|
+
#
|
|
3923
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
3924
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
3925
|
+
# @return [String]
|
|
3926
|
+
#
|
|
3927
|
+
# @!attribute [rw] message
|
|
3928
|
+
# Specifies the message or message digest to sign. Messages can be
|
|
3929
|
+
# 0-4096 bytes. To sign a larger message, provide the message digest.
|
|
3930
|
+
#
|
|
3931
|
+
# If you provide a message, AWS KMS generates a hash digest of the
|
|
3932
|
+
# message and then signs it.
|
|
3933
|
+
# @return [String]
|
|
3934
|
+
#
|
|
3935
|
+
# @!attribute [rw] message_type
|
|
3936
|
+
# Tells AWS KMS whether the value of the `Message` parameter is a
|
|
3937
|
+
# message or message digest. To indicate a message, enter `RAW`. To
|
|
3938
|
+
# indicate a message digest, enter `DIGEST`.
|
|
3939
|
+
# @return [String]
|
|
3940
|
+
#
|
|
3941
|
+
# @!attribute [rw] grant_tokens
|
|
3942
|
+
# A list of grant tokens.
|
|
3943
|
+
#
|
|
3944
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key
|
|
3945
|
+
# Management Service Developer Guide*.
|
|
3946
|
+
#
|
|
3947
|
+
#
|
|
3948
|
+
#
|
|
3949
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
3950
|
+
# @return [Array<String>]
|
|
3951
|
+
#
|
|
3952
|
+
# @!attribute [rw] signing_algorithm
|
|
3953
|
+
# Specifies the signing algorithm to use when signing the message.
|
|
3954
|
+
#
|
|
3955
|
+
# Choose an algorithm that is compatible with the type and size of the
|
|
3956
|
+
# specified asymmetric CMK.
|
|
3957
|
+
# @return [String]
|
|
3958
|
+
#
|
|
3959
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
|
3960
|
+
#
|
|
3961
|
+
class SignRequest < Struct.new(
|
|
3962
|
+
:key_id,
|
|
3963
|
+
:message,
|
|
3964
|
+
:message_type,
|
|
3965
|
+
:grant_tokens,
|
|
3966
|
+
:signing_algorithm)
|
|
3967
|
+
include Aws::Structure
|
|
3968
|
+
end
|
|
3969
|
+
|
|
3970
|
+
# @!attribute [rw] key_id
|
|
3971
|
+
# The Amazon Resource Name (ARN) of the asymmetric CMK that was used
|
|
3972
|
+
# to sign the message.
|
|
3973
|
+
# @return [String]
|
|
3974
|
+
#
|
|
3975
|
+
# @!attribute [rw] signature
|
|
3976
|
+
# The cryptographic signature that was generated for the message.
|
|
3977
|
+
# @return [String]
|
|
3978
|
+
#
|
|
3979
|
+
# @!attribute [rw] signing_algorithm
|
|
3980
|
+
# The signing algorithm that was used to sign the message.
|
|
3981
|
+
# @return [String]
|
|
3982
|
+
#
|
|
3983
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignResponse AWS API Documentation
|
|
3984
|
+
#
|
|
3985
|
+
class SignResponse < Struct.new(
|
|
3986
|
+
:key_id,
|
|
3987
|
+
:signature,
|
|
3988
|
+
:signing_algorithm)
|
|
3989
|
+
include Aws::Structure
|
|
3990
|
+
end
|
|
3991
|
+
|
|
3154
3992
|
# A key-value pair. A tag consists of a tag key and a tag value. Tag
|
|
3155
3993
|
# keys and tag values are both required, but tag values can be empty
|
|
3156
3994
|
# (null) strings.
|
|
@@ -3298,15 +4136,20 @@ module Aws::KMS
|
|
|
3298
4136
|
# }
|
|
3299
4137
|
#
|
|
3300
4138
|
# @!attribute [rw] alias_name
|
|
3301
|
-
#
|
|
4139
|
+
# Identifies the alias that is changing its CMK. This value must begin
|
|
3302
4140
|
# with `alias/` followed by the alias name, such as
|
|
3303
|
-
# `alias/ExampleAlias`.
|
|
4141
|
+
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
|
|
4142
|
+
# name.
|
|
3304
4143
|
# @return [String]
|
|
3305
4144
|
#
|
|
3306
4145
|
# @!attribute [rw] target_key_id
|
|
3307
|
-
#
|
|
3308
|
-
#
|
|
3309
|
-
#
|
|
4146
|
+
# Identifies the CMK to associate with the alias. When the update
|
|
4147
|
+
# operation completes, the alias will point to this CMK.
|
|
4148
|
+
#
|
|
4149
|
+
# The CMK must be in the same AWS account and Region as the alias.
|
|
4150
|
+
# Also, the new target CMK must be the same type as the current target
|
|
4151
|
+
# CMK (both symmetric or both asymmetric) and they must have the same
|
|
4152
|
+
# key usage.
|
|
3310
4153
|
#
|
|
3311
4154
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
|
3312
4155
|
#
|
|
@@ -3431,5 +4274,118 @@ module Aws::KMS
|
|
|
3431
4274
|
include Aws::Structure
|
|
3432
4275
|
end
|
|
3433
4276
|
|
|
4277
|
+
# @note When making an API call, you may pass VerifyRequest
|
|
4278
|
+
# data as a hash:
|
|
4279
|
+
#
|
|
4280
|
+
# {
|
|
4281
|
+
# key_id: "KeyIdType", # required
|
|
4282
|
+
# message: "data", # required
|
|
4283
|
+
# message_type: "RAW", # accepts RAW, DIGEST
|
|
4284
|
+
# signature: "data", # required
|
|
4285
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
4286
|
+
# grant_tokens: ["GrantTokenType"],
|
|
4287
|
+
# }
|
|
4288
|
+
#
|
|
4289
|
+
# @!attribute [rw] key_id
|
|
4290
|
+
# Identifies the asymmetric CMK that will be used to verify the
|
|
4291
|
+
# signature. This must be the same CMK that was used to generate the
|
|
4292
|
+
# signature. If you specify a different CMK, the value of the
|
|
4293
|
+
# `SignatureValid` field in the response will be `False`.
|
|
4294
|
+
#
|
|
4295
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
|
4296
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
|
4297
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must
|
|
4298
|
+
# use the key ARN or alias ARN.
|
|
4299
|
+
#
|
|
4300
|
+
# For example:
|
|
4301
|
+
#
|
|
4302
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
4303
|
+
#
|
|
4304
|
+
# * Key ARN:
|
|
4305
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
4306
|
+
#
|
|
4307
|
+
# * Alias name: `alias/ExampleAlias`
|
|
4308
|
+
#
|
|
4309
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
4310
|
+
#
|
|
4311
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
|
4312
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
4313
|
+
# @return [String]
|
|
4314
|
+
#
|
|
4315
|
+
# @!attribute [rw] message
|
|
4316
|
+
# Specifies the message that was signed, or a hash digest of that
|
|
4317
|
+
# message. Messages can be 0-4096 bytes. To verify a larger message,
|
|
4318
|
+
# provide a hash digest of the message.
|
|
4319
|
+
#
|
|
4320
|
+
# If the digest of the message specified here is different from the
|
|
4321
|
+
# message digest that was signed, the `SignatureValid` value in the
|
|
4322
|
+
# response will be `False`.
|
|
4323
|
+
# @return [String]
|
|
4324
|
+
#
|
|
4325
|
+
# @!attribute [rw] message_type
|
|
4326
|
+
# Tells AWS KMS whether the value of the `Message` parameter is a
|
|
4327
|
+
# message or message digest. To indicate a message, enter `RAW`. To
|
|
4328
|
+
# indicate a message digest, enter `DIGEST`.
|
|
4329
|
+
# @return [String]
|
|
4330
|
+
#
|
|
4331
|
+
# @!attribute [rw] signature
|
|
4332
|
+
# The signature that the `Sign` operation generated.
|
|
4333
|
+
# @return [String]
|
|
4334
|
+
#
|
|
4335
|
+
# @!attribute [rw] signing_algorithm
|
|
4336
|
+
# The signing algorithm that was used to sign the message. If you
|
|
4337
|
+
# submit a different algorithm, the value of the `SignatureValid`
|
|
4338
|
+
# field in the response will be `False`.
|
|
4339
|
+
# @return [String]
|
|
4340
|
+
#
|
|
4341
|
+
# @!attribute [rw] grant_tokens
|
|
4342
|
+
# A list of grant tokens.
|
|
4343
|
+
#
|
|
4344
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key
|
|
4345
|
+
# Management Service Developer Guide*.
|
|
4346
|
+
#
|
|
4347
|
+
#
|
|
4348
|
+
#
|
|
4349
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
|
4350
|
+
# @return [Array<String>]
|
|
4351
|
+
#
|
|
4352
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
|
4353
|
+
#
|
|
4354
|
+
class VerifyRequest < Struct.new(
|
|
4355
|
+
:key_id,
|
|
4356
|
+
:message,
|
|
4357
|
+
:message_type,
|
|
4358
|
+
:signature,
|
|
4359
|
+
:signing_algorithm,
|
|
4360
|
+
:grant_tokens)
|
|
4361
|
+
include Aws::Structure
|
|
4362
|
+
end
|
|
4363
|
+
|
|
4364
|
+
# @!attribute [rw] key_id
|
|
4365
|
+
# The unique identifier for the asymmetric CMK that was used to verify
|
|
4366
|
+
# the signature.
|
|
4367
|
+
# @return [String]
|
|
4368
|
+
#
|
|
4369
|
+
# @!attribute [rw] signature_valid
|
|
4370
|
+
# A Boolean value that indicates whether the signature was verified. A
|
|
4371
|
+
# value of True indicates that the `Signature` was produced by signing
|
|
4372
|
+
# the `Message` with the specified KeyID and `SigningAlgorithm.` A
|
|
4373
|
+
# value of False indicates that the message, the algorithm, or the key
|
|
4374
|
+
# changed since the message was signed.
|
|
4375
|
+
# @return [Boolean]
|
|
4376
|
+
#
|
|
4377
|
+
# @!attribute [rw] signing_algorithm
|
|
4378
|
+
# The signing algorithm that was used to verify the signature.
|
|
4379
|
+
# @return [String]
|
|
4380
|
+
#
|
|
4381
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyResponse AWS API Documentation
|
|
4382
|
+
#
|
|
4383
|
+
class VerifyResponse < Struct.new(
|
|
4384
|
+
:key_id,
|
|
4385
|
+
:signature_valid,
|
|
4386
|
+
:signing_algorithm)
|
|
4387
|
+
include Aws::Structure
|
|
4388
|
+
end
|
|
4389
|
+
|
|
3434
4390
|
end
|
|
3435
4391
|
end
|