aws-sdk-kms 1.27.0 → 1.32.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6a983aaa03a80ed7188f61a1bab13d7bcddf5701
-  data.tar.gz: 155fd553e0ddd8cb820d3f1b4e8f051177446d1f
+SHA256:
+  metadata.gz: 429d3556c6ee6342d08a47f751e42a23793659d358624e577d274986f58627ef
+  data.tar.gz: 7c5044014048141ca656e23cb3bea94088c46cfd599e21dbbec4527fadedf0cd
 SHA512:
-  metadata.gz: 39eb4bc0cfd2bb7b6cd062d5b1b54052edf5868d720bae9f20359a75b8c84721b676e20444e4454b446b576ea5009ff5d5b3259094d82a0d8eb758abd27af195
-  data.tar.gz: 0fd429e969b0ba7461822783be9b7ea9e77239e021ff189bdeb729327ff2179b887009eacdd77d237f32ae622851fd483cb539fe69717f9d670799e779731741
+  metadata.gz: b4f4e02a1259bb6b804089bf8666ef9430be50deae769ee10d95ead6d50ab1ab11c9dc1f820b74bff70208c933edc1c169b5d30c17772957b3ae85ce9e470544
+  data.tar.gz: ebb3e1f0e58e309e16bd5b12a2b8612533b71c2e890da215adf67df84011c9d99b1fc4def32d968f04870c623ddc04b1464e930f8d92f437e404308ef6867e5c

data/lib/aws-sdk-kms.rb

@@ -24,17 +24,20 @@ require_relative 'aws-sdk-kms/customizations'
 # methods each accept a hash of request parameters and return a response
 # structure.
 #
+#     kms = Aws::KMS::Client.new
+#     resp = kms.cancel_key_deletion(params)
+#
 # See {Client} for more information.
 #
 # # Errors
 #
-# Errors returned from AWS Key Management Service all
-# extend {Errors::ServiceError}.
+# Errors returned from AWS Key Management Service are defined in the
+# {Errors} module and all extend {Errors::ServiceError}.
 #
 #     begin
 #       # do stuff
 #     rescue Aws::KMS::Errors::ServiceError
-#       # rescues all service API errors
+#       # rescues all AWS Key Management Service API errors
 #     end
 #
 # See {Errors} for more information.
@@ -42,6 +45,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-  GEM_VERSION = '1.27.0'
+  GEM_VERSION = '1.32.0'
 
 end

data/lib/aws-sdk-kms/client.rb

@@ -30,6 +30,18 @@ require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
 Aws::Plugins::GlobalConfiguration.add_identifier(:kms)
 
 module Aws::KMS
+  # An API client for KMS.  To construct a client, you need to configure a `:region` and `:credentials`.
+  #
+  #     client = Aws::KMS::Client.new(
+  #       region: region_name,
+  #       credentials: credentials,
+  #       # ...
+  #     )
+  #
+  # For details on configuring region and credentials see
+  # the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
+  #
+  # See {#initialize} for a full list of supported configuration options.
   class Client < Seahorse::Client::Base
 
     include Aws::ClientStubs
@@ -93,7 +105,7 @@ module Aws::KMS
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
     #     used to determine the service `:endpoint`. When not passed,
-    #     a default `:region` is search for in the following locations:
+    #     a default `:region` is searched for in the following locations:
     #
     #     * `Aws.config[:region]`
     #     * `ENV['AWS_REGION']`
@@ -108,6 +120,12 @@ module Aws::KMS
     #     When set to `true`, a thread polling for endpoints will be running in
     #     the background every 60 secs (default). Defaults to `false`.
     #
+    #   @option options [Boolean] :adaptive_retry_wait_to_fill (true)
+    #     Used only in `adaptive` retry mode.  When true, the request will sleep
+    #     until there is sufficent client side capacity to retry the request.
+    #     When false, the request will raise a `RetryCapacityNotAvailableError` and will
+    #     not retry instead of sleeping.
+    #
     #   @option options [Boolean] :client_side_monitoring (false)
     #     When `true`, client-side metrics will be collected for all API requests from
     #     this client.
@@ -132,6 +150,10 @@ module Aws::KMS
     #     When `true`, an attempt is made to coerce request parameters into
     #     the required types.
     #
+    #   @option options [Boolean] :correct_clock_skew (true)
+    #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
+    #     a clock skew correction and retry requests with skewed client clocks.
+    #
     #   @option options [Boolean] :disable_host_prefix_injection (false)
     #     Set to true to disable SDK automatically adding host prefix
     #     to default service endpoint when available.
@@ -139,7 +161,7 @@ module Aws::KMS
     #   @option options [String] :endpoint
     #     The client endpoint is normally constructed from the `:region`
     #     option. You should only configure an `:endpoint` when connecting
-    #     to test endpoints. This should be avalid HTTP(S) URI.
+    #     to test endpoints. This should be a valid HTTP(S) URI.
     #
     #   @option options [Integer] :endpoint_cache_max_entries (1000)
     #     Used for the maximum size limit of the LRU cache storing endpoints data
@@ -154,7 +176,7 @@ module Aws::KMS
     #     requests fetching endpoints information. Defaults to 60 sec.
     #
     #   @option options [Boolean] :endpoint_discovery (false)
-    #     When set to `true`, endpoint discovery will be enabled for operations when available. Defaults to `false`.
+    #     When set to `true`, endpoint discovery will be enabled for operations when available.
     #
     #   @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
     #     The log formatter.
@@ -166,15 +188,29 @@ module Aws::KMS
     #     The Logger instance to send log messages to.  If this option
     #     is not set, logging will be disabled.
     #
+    #   @option options [Integer] :max_attempts (3)
+    #     An integer representing the maximum number attempts that will be made for
+    #     a single request, including the initial attempt.  For example,
+    #     setting this value to 5 will result in a request being retried up to
+    #     4 times. Used in `standard` and `adaptive` retry modes.
+    #
     #   @option options [String] :profile ("default")
     #     Used when loading credentials from the shared credentials file
     #     at HOME/.aws/credentials.  When not specified, 'default' is used.
     #
+    #   @option options [Proc] :retry_backoff
+    #     A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
+    #     This option is only used in the `legacy` retry mode.
+    #
     #   @option options [Float] :retry_base_delay (0.3)
-    #     The base delay in seconds used by the default backoff function.
+    #     The base delay in seconds used by the default backoff function. This option
+    #     is only used in the `legacy` retry mode.
     #
     #   @option options [Symbol] :retry_jitter (:none)
-    #     A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number.
+    #     A delay randomiser function used by the default backoff function.
+    #     Some predefined functions can be referenced by name - :none, :equal, :full,
+    #     otherwise a Proc that takes and returns a number. This option is only used
+    #     in the `legacy` retry mode.
     #
     #     @see https://www.awsarchitectureblog.com/2015/03/backoff.html
     #
@@ -182,11 +218,30 @@ module Aws::KMS
     #     The maximum number of times to retry failed requests.  Only
     #     ~ 500 level server errors and certain ~ 400 level client errors
     #     are retried.  Generally, these are throttling errors, data
-    #     checksum errors, networking errors, timeout errors and auth
-    #     errors from expired credentials.
+    #     checksum errors, networking errors, timeout errors, auth errors,
+    #     endpoint discovery, and errors from expired credentials.
+    #     This option is only used in the `legacy` retry mode.
     #
     #   @option options [Integer] :retry_max_delay (0)
-    #     The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function.
+    #     The maximum number of seconds to delay between retries (0 for no limit)
+    #     used by the default backoff function. This option is only used in the
+    #     `legacy` retry mode.
+    #
+    #   @option options [String] :retry_mode ("legacy")
+    #     Specifies which retry algorithm to use. Values are:
+    #
+    #     * `legacy` - The pre-existing retry behavior.  This is default value if
+    #       no retry mode is provided.
+    #
+    #     * `standard` - A standardized set of retry rules across the AWS SDKs.
+    #       This includes support for retry quotas, which limit the number of
+    #       unsuccessful retries a client can make.
+    #
+    #     * `adaptive` - An experimental retry mode that includes all the
+    #       functionality of `standard` mode along with automatic client side
+    #       throttling.  This is a provisional mode that may change behavior
+    #       in the future.
+    #
     #
     #   @option options [String] :secret_access_key
     #
@@ -219,16 +274,15 @@ module Aws::KMS
     #     requests through.  Formatted like 'http://proxy.com:123'.
     #
     #   @option options [Float] :http_open_timeout (15) The number of
-    #     seconds to wait when opening a HTTP session before rasing a
+    #     seconds to wait when opening a HTTP session before raising a
     #     `Timeout::Error`.
     #
     #   @option options [Integer] :http_read_timeout (60) The default
     #     number of seconds to wait for response data.  This value can
-    #     safely be set
-    #     per-request on the session yeidled by {#session_for}.
+    #     safely be set per-request on the session.
     #
     #   @option options [Float] :http_idle_timeout (5) The number of
-    #     seconds a connection is allowed to sit idble before it is
+    #     seconds a connection is allowed to sit idle before it is
     #     considered stale.  Stale connections are closed and removed
     #     from the pool before making a request.
     #
@@ -237,7 +291,7 @@ module Aws::KMS
     #     request body.  This option has no effect unless the request has
     #     "Expect" header set to "100-continue".  Defaults to `nil` which
     #     disables this behaviour.  This value can safely be set per
-    #     request on the session yeidled by {#session_for}.
+    #     request on the session.
     #
     #   @option options [Boolean] :http_wire_trace (false) When `true`,
     #     HTTP debug output will be sent to the `:logger`.
@@ -344,7 +398,9 @@ module Aws::KMS
     # To connect a custom key store, its associated AWS CloudHSM cluster
     # must have at least one active HSM. To get the number of active HSMs in
     # a cluster, use the [DescribeClusters][2] operation. To add HSMs to the
-    # cluster, use the [CreateHsm][3] operation.
+    # cluster, use the [CreateHsm][3] operation. Also, the [ `kmsuser`
+    # crypto user][4] (CU) must not be logged into the cluster. This
+    # prevents AWS KMS from using this account to log in.
     #
     # The connection process can take an extended amount of time to
     # complete; up to 20 minutes. This operation starts the connection
@@ -357,8 +413,7 @@ module Aws::KMS
     # During the connection process, AWS KMS finds the AWS CloudHSM cluster
     # that is associated with the custom key store, creates the connection
     # infrastructure, connects to the cluster, logs into the AWS CloudHSM
-    # client as the [ `kmsuser` crypto user][4] (CU), and rotates its
-    # password.
+    # client as the `kmsuser` CU, and rotates its password.
     #
     # The `ConnectCustomKeyStore` operation might fail for various reasons.
     # To find the reason, use the DescribeCustomKeyStores operation and see
@@ -581,6 +636,9 @@ module Aws::KMS
     #   the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as
     #   this user to manage key material on your behalf.
     #
+    #   The password must be a string of 7 to 32 characters. Its value is case
+    #   sensitive.
+    #
     #   This parameter tells AWS KMS the `kmsuser` account password; it does
     #   not change the password in the AWS CloudHSM cluster.
     #
@@ -831,8 +889,9 @@ module Aws::KMS
     # * **Symmetric CMKs** contain a 256-bit symmetric key that never leaves
     #   AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can
     #   use a symmetric CMK to encrypt and decrypt small amounts of data,
-    #   but they are typically used to generate [data keys][2] or data key
-    #   pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
+    #   but they are typically used to generate [data keys][2] and [data
+    #   keys pairs][3]. For details, see GenerateDataKey and
+    #   GenerateDataKeyPair.
     #
     # * **Asymmetric CMKs** can contain an RSA key pair or an Elliptic Curve
     #   (ECC) key pair. The private key in an asymmetric CMK never leaves
@@ -843,7 +902,7 @@ module Aws::KMS
     #   be used only to sign and verify messages.
     #
     # For information about symmetric and asymmetric CMKs, see [Using
-    # Symmetric and Asymmetric CMKs][3] in the *AWS Key Management Service
+    # Symmetric and Asymmetric CMKs][4] in the *AWS Key Management Service
     # Developer Guide*.
     #
     # To create different types of CMKs, use the following guidance:
@@ -877,7 +936,7 @@ module Aws::KMS
     #   token, and use the public key to encrypt your key material. Then,
     #   use ImportKeyMaterial with your import token to import the key
     #   material. For step-by-step instructions, see [Importing Key
-    #   Material][4] in the <i> <i>AWS Key Management Service Developer
+    #   Material][5] in the <i> <i>AWS Key Management Service Developer
     #   Guide</i> </i>. You cannot import the key material into an
     #   asymmetric CMK.
     #
@@ -885,7 +944,7 @@ module Aws::KMS
     #
     # Custom Key Stores
     #
-    # : To create a symmetric CMK in a [custom key store][5], use the
+    # : To create a symmetric CMK in a [custom key store][6], use the
     #   `CustomKeyStoreId` parameter to specify the custom key store. You
     #   must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
     #   The AWS CloudHSM cluster that is associated with the custom key
@@ -894,16 +953,17 @@ module Aws::KMS
     #
     #   You cannot create an asymmetric CMK in a custom key store. For
     #   information about custom key stores in AWS KMS see [Using Custom Key
-    #   Stores][5] in the <i> <i>AWS Key Management Service Developer
+    #   Stores][6] in the <i> <i>AWS Key Management Service Developer
     #   Guide</i> </i>.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys
     # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
-    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
-    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
+    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
+    # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
+    # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
+    # [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
     #
     # @option params [String] :policy
     #   The key policy to attach to the CMK.
@@ -931,7 +991,7 @@ module Aws::KMS
     #   policy to the CMK. For more information, see [Default Key Policy][3]
     #   in the *AWS Key Management Service Developer Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
     #
     #
@@ -961,20 +1021,26 @@ module Aws::KMS
     #   * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
     #
     # @option params [String] :customer_master_key_spec
-    #   Specifies the type of CMK to create. The `CustomerMasterKeySpec`
-    #   determines whether the CMK contains a symmetric key or an asymmetric
-    #   key pair. It also determines the encryption algorithms or signing
-    #   algorithms that the CMK supports. You can't change the
-    #   `CustomerMasterKeySpec` after the CMK is created. To further restrict
-    #   the algorithms that can be used with the CMK, use its key policy or
-    #   IAM policy.
-    #
-    #   For help with choosing a key spec for your CMK, see [Selecting a
-    #   Customer Master Key Spec][1] in the *AWS Key Management Service
-    #   Developer Guide*.
+    #   Specifies the type of CMK to create. The default value,
+    #   `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
+    #   encryption and decryption. For help choosing a key spec for your CMK,
+    #   see [How to Choose Your CMK Configuration][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
-    #   symmetric key.
+    #   The `CustomerMasterKeySpec` determines whether the CMK contains a
+    #   symmetric key or an asymmetric key pair. It also determines the
+    #   encryption algorithms or signing algorithms that the CMK supports. You
+    #   can't change the `CustomerMasterKeySpec` after the CMK is created. To
+    #   further restrict the algorithms that can be used with the CMK, use a
+    #   condition key in its key policy or IAM policy. For more information,
+    #   see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in the
+    #   *AWS Key Management Service Developer Guide*.
+    #
+    #   [AWS services that are integrated with AWS KMS][4] use symmetric CMKs
+    #   to protect your data. These services do not support asymmetric CMKs.
+    #   For help determining whether a CMK is symmetric or asymmetric, see
+    #   [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #   AWS KMS supports the following key specs for CMKs:
     #
@@ -1008,7 +1074,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
     #
     # @option params [String] :origin
     #   The source of the key material for the CMK. You cannot change the
@@ -1610,7 +1680,7 @@ module Aws::KMS
     #   resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
     #   resp.custom_key_stores[0].trust_anchor_certificate #=> String
     #   resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
-    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT"
+    #   resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND"
     #   resp.custom_key_stores[0].creation_date #=> Time
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
@@ -2275,7 +2345,7 @@ module Aws::KMS
     #
     # To generate a data key, specify the symmetric CMK that will be used to
     # encrypt the data key. You cannot use an asymmetric CMK to generate
-    # data keys.
+    # data keys. To get the type of your CMK, use the DescribeKey operation.
     #
     # You must also specify the length of the data key. Use either the
     # `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
@@ -2646,7 +2716,8 @@ module Aws::KMS
     #
     # @option params [required, String] :key_id
     #   Specifies the CMK that encrypts the private key in the data key pair.
-    #   You must specify a symmetric CMK. You cannot use an asymmetric CMK.
+    #   You must specify a symmetric CMK. You cannot use an asymmetric CMK. To
+    #   get the type of your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -2746,14 +2817,10 @@ module Aws::KMS
     # To generate a data key, you must specify the symmetric customer master
     # key (CMK) that is used to encrypt the data key. You cannot use an
     # asymmetric CMK to generate a data key. To get the type of your CMK,
-    # use the `KeySpec` field in the DescribeKey response. You must also
-    # specify the length of the data key using either the `KeySpec` or
-    # `NumberOfBytes` field (but not both). For common key lengths (128-bit
-    # and 256-bit symmetric keys), use the `KeySpec` parameter.
+    # use the DescribeKey operation.
     #
-    # If the operation succeeds, you will find the plaintext copy of the
-    # data key in the `Plaintext` field of the response, and the encrypted
-    # copy of the data key in the `CiphertextBlob` field.
+    # If the operation succeeds, you will find the encrypted copy of the
+    # data key in the `CiphertextBlob` field.
     #
     # You can use the optional encryption context to add additional security
     # to the encryption operation. If you specify an `EncryptionContext`,
@@ -3471,7 +3538,7 @@ module Aws::KMS
     # field. These are predefined aliases that AWS has created but has not
     # yet associated with a CMK. Aliases that AWS creates in your account,
     # including predefined aliases, do not count against your [AWS KMS
-    # aliases limit][1].
+    # aliases quota][1].
     #
     #
     #
@@ -3505,6 +3572,8 @@ module Aws::KMS
     #   * {Types::ListAliasesResponse#next_marker #next_marker} => String
     #   * {Types::ListAliasesResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list aliases
     #
@@ -3625,6 +3694,8 @@ module Aws::KMS
     #   * {Types::ListGrantsResponse#next_marker #next_marker} => String
     #   * {Types::ListGrantsResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list grants for a customer master key (CMK)
     #
@@ -3770,6 +3841,8 @@ module Aws::KMS
     #   * {Types::ListKeyPoliciesResponse#next_marker #next_marker} => String
     #   * {Types::ListKeyPoliciesResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list key policies for a customer master key (CMK)
     #
@@ -3834,6 +3907,8 @@ module Aws::KMS
     #   * {Types::ListKeysResponse#next_marker #next_marker} => String
     #   * {Types::ListKeysResponse#truncated #truncated} => Boolean
     #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
     #
     # @example Example: To list customer master keys (CMKs)
     #
@@ -4147,12 +4222,15 @@ module Aws::KMS
     #     information, see [Changes that I make are not always immediately
     #     visible][2] in the *AWS Identity and Access Management User Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
+    #   information, see [Resource Quotas][3] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
     #
     # @option params [Boolean] :bypass_policy_lockout_safety_check
     #   A flag to indicate whether to bypass the key policy lockout safety
@@ -4775,8 +4853,8 @@ module Aws::KMS
     #
     # @option params [String] :message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. To indicate a message, enter `RAW`. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -5280,17 +5358,22 @@ module Aws::KMS
     #   To get the alias name and alias ARN, use ListAliases.
     #
     # @option params [required, String, IO] :message
-    #   Specifies the message that was signed, or a hash digest of that
-    #   message. Messages can be 0-4096 bytes. To verify a larger message,
-    #   provide a hash digest of the message.
+    #   Specifies the message that was signed. You can submit a raw message of
+    #   up to 4096 bytes, or a hash digest of the message. If you submit a
+    #   digest, use the `MessageType` parameter with a value of `DIGEST`.
     #
-    #   If the digest of the message specified here is different from the
-    #   message digest that was signed, the signature verification fails.
+    #   If the message specified here is different from the message that was
+    #   signed, the signature verification fails. A message and its hash
+    #   digest are considered to be the same message.
     #
     # @option params [String] :message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. To indicate a message, enter `RAW`. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message` parameter
+    #   is a message digest. If you use the `DIGEST` value with a raw message,
+    #   the security of the verification operation can be compromised.
     #
     # @option params [required, String, IO] :signature
     #   The signature that the `Sign` operation generated.
@@ -5354,7 +5437,7 @@ module Aws::KMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.27.0'
+      context[:gem_version] = '1.32.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/errors.rb

@@ -6,6 +6,61 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::KMS
+
+  # When KMS returns an error response, the Ruby SDK constructs and raises an error.
+  # These errors all extend Aws::KMS::Errors::ServiceError < {Aws::Errors::ServiceError}
+  #
+  # You can rescue all KMS errors using ServiceError:
+  #
+  #     begin
+  #       # do stuff
+  #     rescue Aws::KMS::Errors::ServiceError
+  #       # rescues all KMS API errors
+  #     end
+  #
+  #
+  # ## Request Context
+  # ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
+  # information about the request that generated the error.
+  # See {Seahorse::Client::RequestContext} for more information.
+  #
+  # ## Error Classes
+  # * {AlreadyExistsException}
+  # * {CloudHsmClusterInUseException}
+  # * {CloudHsmClusterInvalidConfigurationException}
+  # * {CloudHsmClusterNotActiveException}
+  # * {CloudHsmClusterNotFoundException}
+  # * {CloudHsmClusterNotRelatedException}
+  # * {CustomKeyStoreHasCMKsException}
+  # * {CustomKeyStoreInvalidStateException}
+  # * {CustomKeyStoreNameInUseException}
+  # * {CustomKeyStoreNotFoundException}
+  # * {DependencyTimeoutException}
+  # * {DisabledException}
+  # * {ExpiredImportTokenException}
+  # * {IncorrectKeyException}
+  # * {IncorrectKeyMaterialException}
+  # * {IncorrectTrustAnchorException}
+  # * {InvalidAliasNameException}
+  # * {InvalidArnException}
+  # * {InvalidCiphertextException}
+  # * {InvalidGrantIdException}
+  # * {InvalidGrantTokenException}
+  # * {InvalidImportTokenException}
+  # * {InvalidKeyUsageException}
+  # * {InvalidMarkerException}
+  # * {KMSInternalException}
+  # * {KMSInvalidSignatureException}
+  # * {KMSInvalidStateException}
+  # * {KeyUnavailableException}
+  # * {LimitExceededException}
+  # * {MalformedPolicyDocumentException}
+  # * {NotFoundException}
+  # * {TagException}
+  # * {UnsupportedOperationException}
+  #
+  # Additionally, error classes are dynamically generated for service errors based on the error code
+  # if they are not defined above.
   module Errors
 
     extend Aws::Errors::DynamicErrors
@@ -23,7 +78,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterInUseException < ServiceError
@@ -39,7 +93,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterInvalidConfigurationException < ServiceError
@@ -55,7 +108,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotActiveException < ServiceError
@@ -71,7 +123,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotFoundException < ServiceError
@@ -87,7 +138,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CloudHsmClusterNotRelatedException < ServiceError
@@ -103,7 +153,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreHasCMKsException < ServiceError
@@ -119,7 +168,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreInvalidStateException < ServiceError
@@ -135,7 +183,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreNameInUseException < ServiceError
@@ -151,7 +198,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class CustomKeyStoreNotFoundException < ServiceError
@@ -167,7 +213,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class DependencyTimeoutException < ServiceError
@@ -183,7 +228,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class DisabledException < ServiceError
@@ -199,7 +243,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class ExpiredImportTokenException < ServiceError
@@ -215,7 +258,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectKeyException < ServiceError
@@ -231,7 +273,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectKeyMaterialException < ServiceError
@@ -247,7 +288,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class IncorrectTrustAnchorException < ServiceError
@@ -263,7 +303,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidAliasNameException < ServiceError
@@ -279,7 +318,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidArnException < ServiceError
@@ -295,7 +333,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidCiphertextException < ServiceError
@@ -311,7 +348,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidGrantIdException < ServiceError
@@ -327,7 +363,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidGrantTokenException < ServiceError
@@ -343,7 +378,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidImportTokenException < ServiceError
@@ -359,7 +393,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidKeyUsageException < ServiceError
@@ -375,7 +408,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class InvalidMarkerException < ServiceError
@@ -391,7 +423,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInternalException < ServiceError
@@ -407,7 +438,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInvalidSignatureException < ServiceError
@@ -423,7 +453,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KMSInvalidStateException < ServiceError
@@ -439,7 +468,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class KeyUnavailableException < ServiceError
@@ -455,7 +483,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class LimitExceededException < ServiceError
@@ -471,7 +498,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class MalformedPolicyDocumentException < ServiceError
@@ -487,7 +513,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class NotFoundException < ServiceError
@@ -503,7 +528,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class TagException < ServiceError
@@ -519,7 +543,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
     class UnsupportedOperationException < ServiceError
@@ -535,7 +558,6 @@ module Aws::KMS
       def message
         @message || @data[:message]
       end
-
     end
 
   end

data/lib/aws-sdk-kms/resource.rb

@@ -6,6 +6,7 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::KMS
+
   class Resource
 
     # @param options ({})

data/lib/aws-sdk-kms/types.rb

@@ -324,6 +324,9 @@ module Aws::KMS
     #   in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster
     #   as this user to manage key material on your behalf.
     #
+    #   The password must be a string of 7 to 32 characters. Its value is
+    #   case sensitive.
+    #
     #   This parameter tells AWS KMS the `kmsuser` account password; it does
     #   not change the password in the AWS CloudHSM cluster.
     #
@@ -555,7 +558,7 @@ module Aws::KMS
     #   policy to the CMK. For more information, see [Default Key Policy][3]
     #   in the *AWS Key Management Service Developer Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy size quota is 32 kilobytes (32768 bytes).
     #
     #
     #
@@ -589,20 +592,26 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
-    #   Specifies the type of CMK to create. The `CustomerMasterKeySpec`
-    #   determines whether the CMK contains a symmetric key or an asymmetric
-    #   key pair. It also determines the encryption algorithms or signing
-    #   algorithms that the CMK supports. You can't change the
-    #   `CustomerMasterKeySpec` after the CMK is created. To further
-    #   restrict the algorithms that can be used with the CMK, use its key
-    #   policy or IAM policy.
-    #
-    #   For help with choosing a key spec for your CMK, see [Selecting a
-    #   Customer Master Key Spec][1] in the *AWS Key Management Service
-    #   Developer Guide*.
+    #   Specifies the type of CMK to create. The default value,
+    #   `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
+    #   encryption and decryption. For help choosing a key spec for your
+    #   CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
-    #   The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
-    #   symmetric key.
+    #   The `CustomerMasterKeySpec` determines whether the CMK contains a
+    #   symmetric key or an asymmetric key pair. It also determines the
+    #   encryption algorithms or signing algorithms that the CMK supports.
+    #   You can't change the `CustomerMasterKeySpec` after the CMK is
+    #   created. To further restrict the algorithms that can be used with
+    #   the CMK, use a condition key in its key policy or IAM policy. For
+    #   more information, see [kms:EncryptionAlgorithm][2] or [kms:Signing
+    #   Algorithm][3] in the *AWS Key Management Service Developer Guide*.
+    #
+    #   [AWS services that are integrated with AWS KMS][4] use symmetric
+    #   CMKs to protect your data. These services do not support asymmetric
+    #   CMKs. For help determining whether a CMK is symmetric or asymmetric,
+    #   see [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #   AWS KMS supports the following key specs for CMKs:
     #
@@ -637,7 +646,11 @@ module Aws::KMS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
+    #   [4]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html
     #   @return [String]
     #
     # @!attribute [rw] origin
@@ -867,9 +880,10 @@ module Aws::KMS
     #   AWS CloudHSM cluster is active and contains at least one active HSM.
     #
     #   A value of `FAILED` indicates that an attempt to connect was
-    #   unsuccessful. For help resolving a connection failure, see
-    #   [Troubleshooting a Custom Key Store][1] in the *AWS Key Management
-    #   Service Developer Guide*.
+    #   unsuccessful. The `ConnectionErrorCode` field in the response
+    #   indicates the cause of the failure. For help resolving a connection
+    #   failure, see [Troubleshooting a Custom Key Store][1] in the *AWS Key
+    #   Management Service Developer Guide*.
     #
     #
     #
@@ -877,7 +891,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] connection_error_code
-    #   Describes the connection error. Valid values are:
+    #   Describes the connection error. This field appears in the response
+    #   only when the `ConnectionState` is `FAILED`. For help resolving
+    #   these errors, see [How to Fix a Connection Failure][1] in *AWS Key
+    #   Management Service Developer Guide*.
+    #
+    #   Valid values are:
     #
     #   * `CLUSTER_NOT_FOUND` - AWS KMS cannot find the AWS CloudHSM cluster
     #     with the specified cluster ID.
@@ -893,23 +912,49 @@ module Aws::KMS
     #     again.
     #
     #   * `INVALID_CREDENTIALS` - AWS KMS does not have the correct password
-    #     for the `kmsuser` crypto user in the AWS CloudHSM cluster.
+    #     for the `kmsuser` crypto user in the AWS CloudHSM cluster. Before
+    #     you can connect your custom key store to its AWS CloudHSM cluster,
+    #     you must change the `kmsuser` account password and update the key
+    #     store password value for the custom key store.
     #
     #   * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
     #     connecting to the custom key store.
     #
+    #   * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
+    #     configuration was deleted. If AWS KMS cannot find all of the
+    #     subnets that were configured for the cluster when the custom key
+    #     store was created, attempts to connect fail. To fix this error,
+    #     create a cluster from a backup and associate it with your custom
+    #     key store. This process includes selecting a VPC and subnets. For
+    #     details, see [How to Fix a Connection Failure][1] in the *AWS Key
+    #     Management Service Developer Guide*.
+    #
     #   * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
     #     associated AWS CloudHSM cluster due to too many failed password
     #     attempts. Before you can connect your custom key store to its AWS
     #     CloudHSM cluster, you must change the `kmsuser` account password
-    #     and update the password value for the custom key store.
+    #     and update the key store password value for the custom key store.
     #
-    #   For help with connection failures, see [Troubleshooting Custom Key
-    #   Stores][1] in the *AWS Key Management Service Developer Guide*.
+    #   * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
+    #     associated AWS CloudHSM cluster. This prevents AWS KMS from
+    #     rotating the `kmsuser` account password and logging into the
+    #     cluster. Before you can connect your custom key store to its AWS
+    #     CloudHSM cluster, you must log the `kmsuser` CU out of the
+    #     cluster. If you changed the `kmsuser` password to log into the
+    #     cluster, you must also and update the key store password value for
+    #     the custom key store. For help, see [How to Log Out and
+    #     Reconnect][2] in the *AWS Key Management Service Developer Guide*.
     #
+    #   * `USER_NOT_FOUND` - AWS KMS cannot find a `kmsuser` CU account in
+    #     the associated AWS CloudHSM cluster. Before you can connect your
+    #     custom key store to its AWS CloudHSM cluster, you must create a
+    #     `kmsuser` CU account in the cluster, and then update the key store
+    #     password value for the custom key store.
     #
     #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
     #   @return [String]
     #
     # @!attribute [rw] creation_date
@@ -1745,7 +1790,7 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypts the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK.
+    #   CMK. To get the type of your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -1809,7 +1854,7 @@ module Aws::KMS
     # @!attribute [rw] key_id
     #   Specifies the CMK that encrypted the private key in the data key
     #   pair. You must specify a symmetric CMK. You cannot use an asymmetric
-    #   CMK.
+    #   CMK. To get the type of your CMK, use the DescribeKey operation.
     #
     #   To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
     #   name, or alias ARN. When using an alias name, prefix it with
@@ -2346,14 +2391,16 @@ module Aws::KMS
     # @!attribute [rw] public_key
     #   The exported public key.
     #
-    #   This value is returned as a binary [Distinguished Encoding Rules][1]
-    #   (DER)-encoded object. To decode it, use an ASN.1 parsing tool, such
-    #   as [OpenSSL asn1parse][2].
+    #   The value is a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
+    #   use the HTTP API or the AWS CLI, the value is Base64-encoded.
+    #   Otherwise, it is not Base64-encoded.
     #
     #
     #
-    #   [1]: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
-    #   [2]: https://www.openssl.org/docs/man1.0.2/man1/asn1parse.html
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
     #   @return [String]
     #
     # @!attribute [rw] customer_master_key_spec
@@ -3016,8 +3063,8 @@ module Aws::KMS
       include Aws::Structure
     end
 
-    # The request was rejected because a limit was exceeded. For more
-    # information, see [Limits][1] in the *AWS Key Management Service
+    # The request was rejected because a quota was exceeded. For more
+    # information, see [Quotas][1] in the *AWS Key Management Service
     # Developer Guide*.
     #
     #
@@ -3521,12 +3568,15 @@ module Aws::KMS
     #     visible][2] in the *AWS Identity and Access Management User
     #     Guide*.
     #
-    #   The key policy size limit is 32 kilobytes (32768 bytes).
+    #   The key policy cannot exceed 32 kilobytes (32768 bytes). For more
+    #   information, see [Resource Quotas][3] in the *AWS Key Management
+    #   Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
     #   @return [String]
     #
     # @!attribute [rw] bypass_policy_lockout_safety_check
@@ -3949,8 +3999,8 @@ module Aws::KMS
     #
     # @!attribute [rw] message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. To indicate a message, enter `RAW`. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
     #   @return [String]
     #
     # @!attribute [rw] grant_tokens
@@ -3989,6 +4039,23 @@ module Aws::KMS
     #
     # @!attribute [rw] signature
     #   The cryptographic signature that was generated for the message.
+    #
+    #   * When used with the supported RSA signing algorithms, the encoding
+    #     of this value is defined by [PKCS #1 in RFC 8017][1].
+    #
+    #   * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
+    #     `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
+    #     object as defined by ANS X9.62–2005 and [RFC 3279 Section
+    #     2.2.3][2]. This is the most commonly used signature format and is
+    #     appropriate for most uses.
+    #
+    #   When you use the HTTP API or the AWS CLI, the value is
+    #   Base64-encoded. Otherwise, it is not Base64-encoded.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc8017
+    #   [2]: https://tools.ietf.org/html/rfc3279#section-2.2.3
     #   @return [String]
     #
     # @!attribute [rw] signing_algorithm
@@ -4328,18 +4395,24 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] message
-    #   Specifies the message that was signed, or a hash digest of that
-    #   message. Messages can be 0-4096 bytes. To verify a larger message,
-    #   provide a hash digest of the message.
+    #   Specifies the message that was signed. You can submit a raw message
+    #   of up to 4096 bytes, or a hash digest of the message. If you submit
+    #   a digest, use the `MessageType` parameter with a value of `DIGEST`.
     #
-    #   If the digest of the message specified here is different from the
-    #   message digest that was signed, the signature verification fails.
+    #   If the message specified here is different from the message that was
+    #   signed, the signature verification fails. A message and its hash
+    #   digest are considered to be the same message.
     #   @return [String]
     #
     # @!attribute [rw] message_type
     #   Tells AWS KMS whether the value of the `Message` parameter is a
-    #   message or message digest. To indicate a message, enter `RAW`. To
-    #   indicate a message digest, enter `DIGEST`.
+    #   message or message digest. The default value, RAW, indicates a
+    #   message. To indicate a message digest, enter `DIGEST`.
+    #
+    #   Use the `DIGEST` value only when the value of the `Message`
+    #   parameter is a message digest. If you use the `DIGEST` value with a
+    #   raw message, the security of the verification operation can be
+    #   compromised.
     #   @return [String]
     #
     # @!attribute [rw] signature

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.27.0
+  version: 1.32.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-09 00:00:00.000000000 Z
+date: 2020-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -81,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: AWS SDK for Ruby - KMS