aws-sdk-kms 1.28.0 → 1.33.0
- checksums.yaml +5 -5
- data/lib/aws-sdk-kms.rb +7 -4
- data/lib/aws-sdk-kms/client.rb +244 -144
- data/lib/aws-sdk-kms/client_api.rb +3 -0
- data/lib/aws-sdk-kms/errors.rb +55 -33
- data/lib/aws-sdk-kms/resource.rb +1 -0
- data/lib/aws-sdk-kms/types.rb +194 -101
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: d4e112f00791aa0e345fbcdc072a47a194819797673c861ec6a24a5677a18ce4
|
4
|
+
data.tar.gz: 6ddeb2ce04dc1eb8a04e2a5aa5fb70b7ae21d1ba82b1264b983a8bc5383f920f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 144354c2e93fd55c5030c48b25fb29ff8fd6dd2438407ab4d90b82bec8d0d54e5bd9a5f20be66b7314966e9d15a6591f89865b1ab8567892a5d7c5233f1e9a22
|
7
|
+
data.tar.gz: 16ed20ef755168ba9820ebaec3b7327234760dbbd77d25eb84cf9394b18792318e862618befdcfdb653f82914c25e8cc538d457368415c5d22411af85cd83f40
|
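--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -24,17 +24,20 @@ require_relative 'aws-sdk-kms/customizations'
 # methods each accept a hash of request parameters and return a response
 # structure.
 #
+# kms = Aws::KMS::Client.new
+# resp = kms.cancel_key_deletion(params)
+#
 # See {Client} for more information.
 #
 # # Errors
 #
-# Errors returned from AWS Key Management Service
-# extend {Errors::ServiceError}.
+# Errors returned from AWS Key Management Service are defined in the
+# {Errors} module and all extend {Errors::ServiceError}.
 #
 # begin
 # # do stuff
 # rescue Aws::KMS::Errors::ServiceError
-# # rescues all
+# # rescues all AWS Key Management Service API errors
 # end
 #
 # See {Errors} for more information.
@@ -42,6 +45,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.33.0'
 
 end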
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -30,6 +30,18 @@ require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
|
30
30
|
Aws::Plugins::GlobalConfiguration.add_identifier(:kms)
|
31
31
|
|
32
32
|
module Aws::KMS
|
33
|
+
# An API client for KMS. To construct a client, you need to configure a `:region` and `:credentials`.
|
34
|
+
#
|
35
|
+
# client = Aws::KMS::Client.new(
|
36
|
+
# region: region_name,
|
37
|
+
# credentials: credentials,
|
38
|
+
# # ...
|
39
|
+
# )
|
40
|
+
#
|
41
|
+
# For details on configuring region and credentials see
|
42
|
+
# the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
|
43
|
+
#
|
44
|
+
# See {#initialize} for a full list of supported configuration options.
|
33
45
|
class Client < Seahorse::Client::Base
|
34
46
|
|
35
47
|
include Aws::ClientStubs
|
@@ -93,7 +105,7 @@ module Aws::KMS
|
|
93
105
|
# @option options [required, String] :region
|
94
106
|
# The AWS region to connect to. The configured `:region` is
|
95
107
|
# used to determine the service `:endpoint`. When not passed,
|
96
|
-
# a default `:region` is
|
108
|
+
# a default `:region` is searched for in the following locations:
|
97
109
|
#
|
98
110
|
# * `Aws.config[:region]`
|
99
111
|
# * `ENV['AWS_REGION']`
|
@@ -108,6 +120,12 @@ module Aws::KMS
|
|
108
120
|
# When set to `true`, a thread polling for endpoints will be running in
|
109
121
|
# the background every 60 secs (default). Defaults to `false`.
|
110
122
|
#
|
123
|
+
# @option options [Boolean] :adaptive_retry_wait_to_fill (true)
|
124
|
+
# Used only in `adaptive` retry mode. When true, the request will sleep
|
125
|
+
# until there is sufficent client side capacity to retry the request.
|
126
|
+
# When false, the request will raise a `RetryCapacityNotAvailableError` and will
|
127
|
+
# not retry instead of sleeping.
|
128
|
+
#
|
111
129
|
# @option options [Boolean] :client_side_monitoring (false)
|
112
130
|
# When `true`, client-side metrics will be collected for all API requests from
|
113
131
|
# this client.
|
@@ -132,6 +150,10 @@ module Aws::KMS
|
|
132
150
|
# When `true`, an attempt is made to coerce request parameters into
|
133
151
|
# the required types.
|
134
152
|
#
|
153
|
+
# @option options [Boolean] :correct_clock_skew (true)
|
154
|
+
# Used only in `standard` and adaptive retry modes. Specifies whether to apply
|
155
|
+
# a clock skew correction and retry requests with skewed client clocks.
|
156
|
+
#
|
135
157
|
# @option options [Boolean] :disable_host_prefix_injection (false)
|
136
158
|
# Set to true to disable SDK automatically adding host prefix
|
137
159
|
# to default service endpoint when available.
|
@@ -139,7 +161,7 @@ module Aws::KMS
|
|
139
161
|
# @option options [String] :endpoint
|
140
162
|
# The client endpoint is normally constructed from the `:region`
|
141
163
|
# option. You should only configure an `:endpoint` when connecting
|
142
|
-
# to test endpoints. This should be
|
164
|
+
# to test endpoints. This should be a valid HTTP(S) URI.
|
143
165
|
#
|
144
166
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
145
167
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
@@ -154,7 +176,7 @@ module Aws::KMS
|
|
154
176
|
# requests fetching endpoints information. Defaults to 60 sec.
|
155
177
|
#
|
156
178
|
# @option options [Boolean] :endpoint_discovery (false)
|
157
|
-
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
179
|
+
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
158
180
|
#
|
159
181
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
160
182
|
# The log formatter.
|
@@ -166,15 +188,29 @@ module Aws::KMS
|
|
166
188
|
# The Logger instance to send log messages to. If this option
|
167
189
|
# is not set, logging will be disabled.
|
168
190
|
#
|
191
|
+
# @option options [Integer] :max_attempts (3)
|
192
|
+
# An integer representing the maximum number attempts that will be made for
|
193
|
+
# a single request, including the initial attempt. For example,
|
194
|
+
# setting this value to 5 will result in a request being retried up to
|
195
|
+
# 4 times. Used in `standard` and `adaptive` retry modes.
|
196
|
+
#
|
169
197
|
# @option options [String] :profile ("default")
|
170
198
|
# Used when loading credentials from the shared credentials file
|
171
199
|
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
172
200
|
#
|
201
|
+
# @option options [Proc] :retry_backoff
|
202
|
+
# A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
|
203
|
+
# This option is only used in the `legacy` retry mode.
|
204
|
+
#
|
173
205
|
# @option options [Float] :retry_base_delay (0.3)
|
174
|
-
# The base delay in seconds used by the default backoff function.
|
206
|
+
# The base delay in seconds used by the default backoff function. This option
|
207
|
+
# is only used in the `legacy` retry mode.
|
175
208
|
#
|
176
209
|
# @option options [Symbol] :retry_jitter (:none)
|
177
|
-
# A delay randomiser function used by the default backoff function.
|
210
|
+
# A delay randomiser function used by the default backoff function.
|
211
|
+
# Some predefined functions can be referenced by name - :none, :equal, :full,
|
212
|
+
# otherwise a Proc that takes and returns a number. This option is only used
|
213
|
+
# in the `legacy` retry mode.
|
178
214
|
#
|
179
215
|
# @see https://www.awsarchitectureblog.com/2015/03/backoff.html
|
180
216
|
#
|
@@ -182,11 +218,30 @@ module Aws::KMS
|
|
182
218
|
# The maximum number of times to retry failed requests. Only
|
183
219
|
# ~ 500 level server errors and certain ~ 400 level client errors
|
184
220
|
# are retried. Generally, these are throttling errors, data
|
185
|
-
# checksum errors, networking errors, timeout errors
|
186
|
-
# errors from expired credentials.
|
221
|
+
# checksum errors, networking errors, timeout errors, auth errors,
|
222
|
+
# endpoint discovery, and errors from expired credentials.
|
223
|
+
# This option is only used in the `legacy` retry mode.
|
187
224
|
#
|
188
225
|
# @option options [Integer] :retry_max_delay (0)
|
189
|
-
# The maximum number of seconds to delay between retries (0 for no limit)
|
226
|
+
# The maximum number of seconds to delay between retries (0 for no limit)
|
227
|
+
# used by the default backoff function. This option is only used in the
|
228
|
+
# `legacy` retry mode.
|
229
|
+
#
|
230
|
+
# @option options [String] :retry_mode ("legacy")
|
231
|
+
# Specifies which retry algorithm to use. Values are:
|
232
|
+
#
|
233
|
+
# * `legacy` - The pre-existing retry behavior. This is default value if
|
234
|
+
# no retry mode is provided.
|
235
|
+
#
|
236
|
+
# * `standard` - A standardized set of retry rules across the AWS SDKs.
|
237
|
+
# This includes support for retry quotas, which limit the number of
|
238
|
+
# unsuccessful retries a client can make.
|
239
|
+
#
|
240
|
+
# * `adaptive` - An experimental retry mode that includes all the
|
241
|
+
# functionality of `standard` mode along with automatic client side
|
242
|
+
# throttling. This is a provisional mode that may change behavior
|
243
|
+
# in the future.
|
244
|
+
#
|
190
245
|
#
|
191
246
|
# @option options [String] :secret_access_key
|
192
247
|
#
|
@@ -219,16 +274,15 @@ module Aws::KMS
|
|
219
274
|
# requests through. Formatted like 'http://proxy.com:123'.
|
220
275
|
#
|
221
276
|
# @option options [Float] :http_open_timeout (15) The number of
|
222
|
-
# seconds to wait when opening a HTTP session before
|
277
|
+
# seconds to wait when opening a HTTP session before raising a
|
223
278
|
# `Timeout::Error`.
|
224
279
|
#
|
225
280
|
# @option options [Integer] :http_read_timeout (60) The default
|
226
281
|
# number of seconds to wait for response data. This value can
|
227
|
-
# safely be set
|
228
|
-
# per-request on the session yeidled by {#session_for}.
|
282
|
+
# safely be set per-request on the session.
|
229
283
|
#
|
230
284
|
# @option options [Float] :http_idle_timeout (5) The number of
|
231
|
-
# seconds a connection is allowed to sit
|
285
|
+
# seconds a connection is allowed to sit idle before it is
|
232
286
|
# considered stale. Stale connections are closed and removed
|
233
287
|
# from the pool before making a request.
|
234
288
|
#
|
@@ -237,7 +291,7 @@ module Aws::KMS
|
|
237
291
|
# request body. This option has no effect unless the request has
|
238
292
|
# "Expect" header set to "100-continue". Defaults to `nil` which
|
239
293
|
# disables this behaviour. This value can safely be set per
|
240
|
-
# request on the session
|
294
|
+
# request on the session.
|
241
295
|
#
|
242
296
|
# @option options [Boolean] :http_wire_trace (false) When `true`,
|
243
297
|
# HTTP debug output will be sent to the `:logger`.
|
@@ -406,9 +460,9 @@ module Aws::KMS
|
|
406
460
|
end
|
407
461
|
|
408
462
|
# Creates a display name for a customer managed customer master key
|
409
|
-
# (CMK). You can use an alias to identify a CMK in cryptographic
|
410
|
-
# operations, such as Encrypt and GenerateDataKey. You can change
|
411
|
-
# CMK associated with the alias at any time.
|
463
|
+
# (CMK). You can use an alias to identify a CMK in [cryptographic
|
464
|
+
# operations][1], such as Encrypt and GenerateDataKey. You can change
|
465
|
+
# the CMK associated with the alias at any time.
|
412
466
|
#
|
413
467
|
# Aliases are easier to remember than key IDs. They can also help to
|
414
468
|
# simplify your applications. For example, if you use an alias in your
|
@@ -432,8 +486,8 @@ module Aws::KMS
|
|
432
486
|
#
|
433
487
|
# * You can associate an alias with any customer managed CMK in the same
|
434
488
|
# AWS account and Region. However, you do not have permission to
|
435
|
-
# associate an alias with an [AWS managed CMK][
|
436
|
-
# CMK][
|
489
|
+
# associate an alias with an [AWS managed CMK][2] or an [AWS owned
|
490
|
+
# CMK][3].
|
437
491
|
#
|
438
492
|
# * To change the CMK associated with an alias, use the UpdateAlias
|
439
493
|
# operation. The current CMK and the new CMK must be the same type
|
@@ -445,7 +499,7 @@ module Aws::KMS
|
|
445
499
|
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
446
500
|
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
447
501
|
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
448
|
-
# reserved for [AWS managed CMKs][
|
502
|
+
# reserved for [AWS managed CMKs][2].
|
449
503
|
#
|
450
504
|
# * The alias name must be unique within an AWS Region. However, you can
|
451
505
|
# use the same alias name in multiple Regions of the same AWS account.
|
@@ -456,12 +510,12 @@ module Aws::KMS
|
|
456
510
|
# and then create a new alias with the desired name.
|
457
511
|
#
|
458
512
|
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
459
|
-
# cryptographic operations and in the DescribeKey operation.
|
460
|
-
# you cannot use alias names or alias ARNs in API operations
|
461
|
-
# manage CMKs, such as DisableKey or GetKeyPolicy. For
|
462
|
-
# about the valid CMK identifiers for each AWS KMS API
|
463
|
-
# the descriptions of the `KeyId` parameter in the API
|
464
|
-
# documentation.
|
513
|
+
# [cryptographic operations][1] and in the DescribeKey operation.
|
514
|
+
# However, you cannot use alias names or alias ARNs in API operations
|
515
|
+
# that manage CMKs, such as DisableKey or GetKeyPolicy. For
|
516
|
+
# information about the valid CMK identifiers for each AWS KMS API
|
517
|
+
# operation, see the descriptions of the `KeyId` parameter in the API
|
518
|
+
# operation documentation.
|
465
519
|
#
|
466
520
|
# Because an alias is not a property of a CMK, you can delete and change
|
467
521
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
@@ -471,13 +525,14 @@ module Aws::KMS
|
|
471
525
|
#
|
472
526
|
# The CMK that you use for this operation must be in a compatible key
|
473
527
|
# state. For details, see [How Key State Affects Use of a Customer
|
474
|
-
# Master Key][
|
528
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
475
529
|
#
|
476
530
|
#
|
477
531
|
#
|
478
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
479
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-
|
480
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
532
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
533
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
534
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
535
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
481
536
|
#
|
482
537
|
# @option params [required, String] :alias_name
|
483
538
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -623,8 +678,8 @@ module Aws::KMS
|
|
623
678
|
# grant are met. When setting permissions, grants are an alternative to
|
624
679
|
# key policies.
|
625
680
|
#
|
626
|
-
# To create a grant that allows a cryptographic operation only when
|
627
|
-
# request includes a particular [encryption context][
|
681
|
+
# To create a grant that allows a [cryptographic operation][1] only when
|
682
|
+
# the request includes a particular [encryption context][2], use the
|
628
683
|
# `Constraints` parameter. For details, see GrantConstraints.
|
629
684
|
#
|
630
685
|
# You can create grants on symmetric and asymmetric CMKs. However, if
|
@@ -639,9 +694,9 @@ module Aws::KMS
|
|
639
694
|
#
|
640
695
|
# * Grants for asymmetric CMKs cannot allow operations that are not
|
641
696
|
# supported for asymmetric CMKs, including operations that [generate
|
642
|
-
# data keys][
|
643
|
-
# [automatic key rotation][
|
644
|
-
# [custom key stores][
|
697
|
+
# data keys][3] or [data key pairs][4], or operations related to
|
698
|
+
# [automatic key rotation][5], [imported key material][6], or CMKs in
|
699
|
+
# [custom key stores][7].
|
645
700
|
#
|
646
701
|
# * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
|
647
702
|
# cannot allow the Sign or Verify operations. Grants for asymmetric
|
@@ -653,29 +708,30 @@ module Aws::KMS
|
|
653
708
|
# asymmetric CMKs.
|
654
709
|
#
|
655
710
|
# For information about symmetric and asymmetric CMKs, see [Using
|
656
|
-
# Symmetric and Asymmetric CMKs][
|
711
|
+
# Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
|
657
712
|
# Developer Guide*.
|
658
713
|
#
|
659
714
|
# To perform this operation on a CMK in a different AWS account, specify
|
660
715
|
# the key ARN in the value of the `KeyId` parameter. For more
|
661
|
-
# information about grants, see [Grants][
|
716
|
+
# information about grants, see [Grants][9] in the <i> <i>AWS Key
|
662
717
|
# Management Service Developer Guide</i> </i>.
|
663
718
|
#
|
664
719
|
# The CMK that you use for this operation must be in a compatible key
|
665
720
|
# state. For details, see [How Key State Affects Use of a Customer
|
666
|
-
# Master Key][
|
721
|
+
# Master Key][10] in the *AWS Key Management Service Developer Guide*.
|
667
722
|
#
|
668
723
|
#
|
669
724
|
#
|
670
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
671
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/
|
672
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/
|
673
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
674
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
675
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
676
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
677
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
678
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
725
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
726
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
727
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
|
728
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
|
729
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
730
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
731
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
732
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
733
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
734
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
679
735
|
#
|
680
736
|
# @option params [required, String] :key_id
|
681
737
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -729,15 +785,16 @@ module Aws::KMS
|
|
729
785
|
# A list of operations that the grant permits.
|
730
786
|
#
|
731
787
|
# @option params [Types::GrantConstraints] :constraints
|
732
|
-
# Allows a cryptographic operation only when the encryption context
|
788
|
+
# Allows a [cryptographic operation][1] only when the encryption context
|
733
789
|
# matches or includes the encryption context specified in this
|
734
790
|
# structure. For more information about encryption context, see
|
735
|
-
# [Encryption Context][
|
791
|
+
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
736
792
|
# Developer Guide</i> </i>.
|
737
793
|
#
|
738
794
|
#
|
739
795
|
#
|
740
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
796
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
797
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
741
798
|
#
|
742
799
|
# @option params [Array<String>] :grant_tokens
|
743
800
|
# A list of grant tokens.
|
@@ -952,10 +1009,10 @@ module Aws::KMS
|
|
952
1009
|
# for a task.
|
953
1010
|
#
|
954
1011
|
# @option params [String] :key_usage
|
955
|
-
# Determines the cryptographic operations for which you can use the
|
956
|
-
# The default value is `ENCRYPT_DECRYPT`. This parameter is
|
957
|
-
# only for asymmetric CMKs. You can't change the `KeyUsage`
|
958
|
-
# the CMK is created.
|
1012
|
+
# Determines the [cryptographic operations][1] for which you can use the
|
1013
|
+
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
1014
|
+
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
1015
|
+
# value after the CMK is created.
|
959
1016
|
#
|
960
1017
|
# Select only one valid value.
|
961
1018
|
#
|
@@ -966,6 +1023,10 @@ module Aws::KMS
|
|
966
1023
|
#
|
967
1024
|
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
968
1025
|
#
|
1026
|
+
#
|
1027
|
+
#
|
1028
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1029
|
+
#
|
969
1030
|
# @option params [String] :customer_master_key_spec
|
970
1031
|
# Specifies the type of CMK to create. The default value,
|
971
1032
|
# `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
|
@@ -1256,9 +1317,9 @@ module Aws::KMS
|
|
1256
1317
|
#
|
1257
1318
|
# @option params [Hash<String,String>] :encryption_context
|
1258
1319
|
# Specifies the encryption context to use when decrypting the data. An
|
1259
|
-
# encryption context is valid only for cryptographic operations
|
1260
|
-
# symmetric CMK. The standard asymmetric encryption algorithms
|
1261
|
-
# KMS uses do not support an encryption context.
|
1320
|
+
# encryption context is valid only for [cryptographic operations][1]
|
1321
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
1322
|
+
# that AWS KMS uses do not support an encryption context.
|
1262
1323
|
#
|
1263
1324
|
# An *encryption context* is a collection of non-secret key-value pairs
|
1264
1325
|
# that represents additional authenticated data. When you use an
|
@@ -1267,12 +1328,13 @@ module Aws::KMS
|
|
1267
1328
|
# encryption context is optional when encrypting with a symmetric CMK,
|
1268
1329
|
# but it is highly recommended.
|
1269
1330
|
#
|
1270
|
-
# For more information, see [Encryption Context][
|
1331
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1271
1332
|
# Management Service Developer Guide*.
|
1272
1333
|
#
|
1273
1334
|
#
|
1274
1335
|
#
|
1275
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1336
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1337
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1276
1338
|
#
|
1277
1339
|
# @option params [Array<String>] :grant_tokens
|
1278
1340
|
# A list of grant tokens.
|
@@ -1425,13 +1487,13 @@ module Aws::KMS
|
|
1425
1487
|
# The custom key store that you delete cannot contain any AWS KMS
|
1426
1488
|
# [customer master keys (CMKs)][2]. Before deleting the key store,
|
1427
1489
|
# verify that you will never need to use any of the CMKs in the key
|
1428
|
-
# store for any cryptographic operations. Then, use
|
1429
|
-
# to delete the AWS KMS customer master keys (CMKs)
|
1430
|
-
# When the scheduled waiting period expires, the
|
1431
|
-
# operation deletes the CMKs. Then it makes a best
|
1432
|
-
# key material from the associated cluster.
|
1433
|
-
# manually [delete the orphaned key
|
1434
|
-
# its backups.
|
1490
|
+
# store for any [cryptographic operations][3]. Then, use
|
1491
|
+
# ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs)
|
1492
|
+
# from the key store. When the scheduled waiting period expires, the
|
1493
|
+
# `ScheduleKeyDeletion` operation deletes the CMKs. Then it makes a best
|
1494
|
+
# effort to delete the key material from the associated cluster.
|
1495
|
+
# However, you might need to manually [delete the orphaned key
|
1496
|
+
# material][4] from the cluster and its backups.
|
1435
1497
|
#
|
1436
1498
|
# After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
|
1437
1499
|
# to disconnect the key store from AWS KMS. Then, you can delete the
|
@@ -1454,7 +1516,8 @@ module Aws::KMS
|
|
1454
1516
|
#
|
1455
1517
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1456
1518
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1457
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1519
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1520
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1458
1521
|
#
|
1459
1522
|
# @option params [required, String] :custom_key_store_id
|
1460
1523
|
# Enter the ID of the custom key store you want to delete. To find the
|
@@ -1626,7 +1689,7 @@ module Aws::KMS
|
|
1626
1689
|
# resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
|
1627
1690
|
# resp.custom_key_stores[0].trust_anchor_certificate #=> String
|
1628
1691
|
# resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
|
1629
|
-
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN"
|
1692
|
+
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND"
|
1630
1693
|
# resp.custom_key_stores[0].creation_date #=> Time
|
1631
1694
|
# resp.next_marker #=> String
|
1632
1695
|
# resp.truncated #=> Boolean
|
@@ -1794,20 +1857,21 @@ module Aws::KMS
|
|
1794
1857
|
end
|
1795
1858
|
|
1796
1859
|
# Sets the state of a customer master key (CMK) to disabled, thereby
|
1797
|
-
# preventing its use for cryptographic operations. You cannot
|
1798
|
-
# this operation on a CMK in a different AWS account.
|
1860
|
+
# preventing its use for [cryptographic operations][1]. You cannot
|
1861
|
+
# perform this operation on a CMK in a different AWS account.
|
1799
1862
|
#
|
1800
1863
|
# For more information about how key state affects the use of a CMK, see
|
1801
|
-
# [How Key State Affects the Use of a Customer Master Key][
|
1864
|
+
# [How Key State Affects the Use of a Customer Master Key][2] in the <i>
|
1802
1865
|
# <i>AWS Key Management Service Developer Guide</i> </i>.
|
1803
1866
|
#
|
1804
1867
|
# The CMK that you use for this operation must be in a compatible key
|
1805
1868
|
# state. For details, see [How Key State Affects Use of a Customer
|
1806
|
-
# Master Key][
|
1869
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1807
1870
|
#
|
1808
1871
|
#
|
1809
1872
|
#
|
1810
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1873
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1874
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1811
1875
|
#
|
1812
1876
|
# @option params [required, String] :key_id
|
1813
1877
|
# A unique identifier for the customer master key (CMK).
|
@@ -1922,8 +1986,8 @@ module Aws::KMS
|
|
1922
1986
|
#
|
1923
1987
|
# <note markdown="1"> While a custom key store is disconnected, all attempts to create
|
1924
1988
|
# customer master keys (CMKs) in the custom key store or to use existing
|
1925
|
-
# CMKs in cryptographic operations will fail. This action can
|
1926
|
-
# users from storing and accessing sensitive data.
|
1989
|
+
# CMKs in [cryptographic operations][2] will fail. This action can
|
1990
|
+
# prevent users from storing and accessing sensitive data.
|
1927
1991
|
#
|
1928
1992
|
# </note>
|
1929
1993
|
#
|
@@ -1943,6 +2007,7 @@ module Aws::KMS
|
|
1943
2007
|
#
|
1944
2008
|
#
|
1945
2009
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2010
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1946
2011
|
#
|
1947
2012
|
# @option params [required, String] :custom_key_store_id
|
1948
2013
|
# Enter the ID of the custom key store you want to disconnect. To find
|
@@ -1967,16 +2032,17 @@ module Aws::KMS
|
|
1967
2032
|
end
|
1968
2033
|
|
1969
2034
|
# Sets the key state of a customer master key (CMK) to enabled. This
|
1970
|
-
# allows you to use the CMK for cryptographic operations. You
|
1971
|
-
# perform this operation on a CMK in a different AWS account.
|
2035
|
+
# allows you to use the CMK for [cryptographic operations][1]. You
|
2036
|
+
# cannot perform this operation on a CMK in a different AWS account.
|
1972
2037
|
#
|
1973
2038
|
# The CMK that you use for this operation must be in a compatible key
|
1974
2039
|
# state. For details, see [How Key State Affects Use of a Customer
|
1975
|
-
# Master Key][
|
2040
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1976
2041
|
#
|
1977
2042
|
#
|
1978
2043
|
#
|
1979
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2044
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2045
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1980
2046
|
#
|
1981
2047
|
# @option params [required, String] :key_id
|
1982
2048
|
# A unique identifier for the customer master key (CMK).
|
@@ -2088,11 +2154,13 @@ module Aws::KMS
|
|
2088
2154
|
# identifier or database password, or other sensitive information.
|
2089
2155
|
#
|
2090
2156
|
# * You can use the `Encrypt` operation to move encrypted data from one
|
2091
|
-
# AWS
|
2092
|
-
# use the plaintext key to encrypt
|
2093
|
-
#
|
2094
|
-
#
|
2095
|
-
#
|
2157
|
+
# AWS Region to another. For example, in Region A, generate a data key
|
2158
|
+
# and use the plaintext key to encrypt your data. Then, in Region A,
|
2159
|
+
# use the `Encrypt` operation to encrypt the plaintext data key under
|
2160
|
+
# a CMK in Region B. Now, you can move the encrypted data and the
|
2161
|
+
# encrypted data key to Region B. When necessary, you can decrypt the
|
2162
|
+
# encrypted data key and the encrypted data entirely within in Region
|
2163
|
+
# B.
|
2096
2164
|
#
|
2097
2165
|
# You don't need to use the `Encrypt` operation to encrypt a data key.
|
2098
2166
|
# The GenerateDataKey and GenerateDataKeyPair operations return a
|
@@ -2192,9 +2260,10 @@ module Aws::KMS
|
|
2192
2260
|
#
|
2193
2261
|
# @option params [Hash<String,String>] :encryption_context
|
2194
2262
|
# Specifies the encryption context that will be used to encrypt the
|
2195
|
-
# data. An encryption context is valid only for cryptographic
|
2196
|
-
# with a symmetric CMK. The standard asymmetric
|
2197
|
-
# that AWS KMS uses do not support an encryption
|
2263
|
+
# data. An encryption context is valid only for [cryptographic
|
2264
|
+
# operations][1] with a symmetric CMK. The standard asymmetric
|
2265
|
+
# encryption algorithms that AWS KMS uses do not support an encryption
|
2266
|
+
# context.
|
2198
2267
|
#
|
2199
2268
|
# An *encryption context* is a collection of non-secret key-value pairs
|
2200
2269
|
# that represents additional authenticated data. When you use an
|
@@ -2203,12 +2272,13 @@ module Aws::KMS
|
|
2203
2272
|
# encryption context is optional when encrypting with a symmetric CMK,
|
2204
2273
|
# but it is highly recommended.
|
2205
2274
|
#
|
2206
|
-
# For more information, see [Encryption Context][
|
2275
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
2207
2276
|
# Management Service Developer Guide*.
|
2208
2277
|
#
|
2209
2278
|
#
|
2210
2279
|
#
|
2211
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
2280
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2281
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2212
2282
|
#
|
2213
2283
|
# @option params [Array<String>] :grant_tokens
|
2214
2284
|
# A list of grant tokens.
|
@@ -2279,28 +2349,22 @@ module Aws::KMS
|
|
2279
2349
|
req.send_request(options)
|
2280
2350
|
end
|
2281
2351
|
|
2282
|
-
# Generates a unique symmetric data key
|
2283
|
-
# plaintext copy of the data key and a copy that is
|
2284
|
-
# customer master key (CMK) that you specify. You can
|
2285
|
-
# key to encrypt your data outside of AWS KMS and
|
2286
|
-
# data key with the encrypted data.
|
2352
|
+
# Generates a unique symmetric data key for client-side encryption. This
|
2353
|
+
# operation returns a plaintext copy of the data key and a copy that is
|
2354
|
+
# encrypted under a customer master key (CMK) that you specify. You can
|
2355
|
+
# use the plaintext key to encrypt your data outside of AWS KMS and
|
2356
|
+
# store the encrypted data key with the encrypted data.
|
2287
2357
|
#
|
2288
2358
|
# `GenerateDataKey` returns a unique data key for each request. The
|
2289
|
-
# bytes in the key are not related to the caller or CMK
|
2290
|
-
# encrypt the data key.
|
2359
|
+
# bytes in the plaintext key are not related to the caller or the CMK.
|
2291
2360
|
#
|
2292
2361
|
# To generate a data key, specify the symmetric CMK that will be used to
|
2293
2362
|
# encrypt the data key. You cannot use an asymmetric CMK to generate
|
2294
2363
|
# data keys. To get the type of your CMK, use the DescribeKey operation.
|
2295
|
-
#
|
2296
2364
|
# You must also specify the length of the data key. Use either the
|
2297
2365
|
# `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
|
2298
2366
|
# and 256-bit data keys, use the `KeySpec` parameter.
|
2299
2367
|
#
|
2300
|
-
# If the operation succeeds, the plaintext copy of the data key is in
|
2301
|
-
# the `Plaintext` field of the response, and the encrypted copy of the
|
2302
|
-
# data key in the `CiphertextBlob` field.
|
2303
|
-
#
|
2304
2368
|
# To get only an encrypted copy of the data key, use
|
2305
2369
|
# GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
|
2306
2370
|
# pair, use the GenerateDataKeyPair or
|
@@ -2311,7 +2375,7 @@ module Aws::KMS
|
|
2311
2375
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2312
2376
|
# you must specify the same encryption context (a case-sensitive exact
|
2313
2377
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2314
|
-
# to decrypt fails with an InvalidCiphertextException
|
2378
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2315
2379
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2316
2380
|
# Service Developer Guide*.
|
2317
2381
|
#
|
@@ -2319,30 +2383,40 @@ module Aws::KMS
|
|
2319
2383
|
# state. For details, see [How Key State Affects Use of a Customer
|
2320
2384
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2321
2385
|
#
|
2386
|
+
# **How to use your data key**
|
2387
|
+
#
|
2322
2388
|
# We recommend that you use the following pattern to encrypt data
|
2323
|
-
# locally in your application
|
2389
|
+
# locally in your application. You can write your own code or use a
|
2390
|
+
# client-side encryption library, such as the [AWS Encryption SDK][3],
|
2391
|
+
# the [Amazon DynamoDB Encryption Client][4], or [Amazon S3 client-side
|
2392
|
+
# encryption][5] to do these tasks for you.
|
2324
2393
|
#
|
2325
|
-
#
|
2394
|
+
# To encrypt data outside of AWS KMS:
|
2326
2395
|
#
|
2327
|
-
#
|
2328
|
-
# the response) to encrypt data locally, then erase the plaintext
|
2329
|
-
# data key from memory.
|
2396
|
+
# 1. Use the `GenerateDataKey` operation to get a data key.
|
2330
2397
|
#
|
2331
|
-
#
|
2332
|
-
#
|
2398
|
+
# 2. Use the plaintext data key (in the `Plaintext` field of the
|
2399
|
+
# response) to encrypt your data outside of AWS KMS. Then erase the
|
2400
|
+
# plaintext data key from memory.
|
2333
2401
|
#
|
2334
|
-
#
|
2402
|
+
# 3. Store the encrypted data key (in the `CiphertextBlob` field of the
|
2403
|
+
# response) with the encrypted data.
|
2404
|
+
#
|
2405
|
+
# To decrypt data outside of AWS KMS:
|
2335
2406
|
#
|
2336
2407
|
# 1. Use the Decrypt operation to decrypt the encrypted data key. The
|
2337
2408
|
# operation returns a plaintext copy of the data key.
|
2338
2409
|
#
|
2339
|
-
# 2. Use the plaintext data key to decrypt data
|
2340
|
-
# plaintext data key from memory.
|
2410
|
+
# 2. Use the plaintext data key to decrypt data outside of AWS KMS,
|
2411
|
+
# then erase the plaintext data key from memory.
|
2341
2412
|
#
|
2342
2413
|
#
|
2343
2414
|
#
|
2344
2415
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2345
2416
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2417
|
+
# [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
2418
|
+
# [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
2419
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
2346
2420
|
#
|
2347
2421
|
# @option params [required, String] :key_id
|
2348
2422
|
# Identifies the symmetric CMK that encrypts the data key.
|
@@ -2480,8 +2554,8 @@ module Aws::KMS
|
|
2480
2554
|
#
|
2481
2555
|
# To generate a data key pair, you must specify a symmetric customer
|
2482
2556
|
# master key (CMK) to encrypt the private key in a data key pair. You
|
2483
|
-
# cannot use an asymmetric CMK
|
2484
|
-
# DescribeKey operation.
|
2557
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2558
|
+
# the type and origin of your CMK, use the DescribeKey operation.
|
2485
2559
|
#
|
2486
2560
|
# If you are using the data key pair to encrypt data, or for any
|
2487
2561
|
# operation where you don't immediately need a private key, consider
|
@@ -2496,7 +2570,7 @@ module Aws::KMS
|
|
2496
2570
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2497
2571
|
# you must specify the same encryption context (a case-sensitive exact
|
2498
2572
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2499
|
-
# to decrypt fails with an InvalidCiphertextException
|
2573
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2500
2574
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2501
2575
|
# Service Developer Guide*.
|
2502
2576
|
#
|
@@ -2529,7 +2603,9 @@ module Aws::KMS
|
|
2529
2603
|
#
|
2530
2604
|
# @option params [required, String] :key_id
|
2531
2605
|
# Specifies the symmetric CMK that encrypts the private key in the data
|
2532
|
-
# key pair. You cannot specify an asymmetric
|
2606
|
+
# key pair. You cannot specify an asymmetric CMK or a CMK in a custom
|
2607
|
+
# key store. To get the type and origin of your CMK, use the DescribeKey
|
2608
|
+
# operation.
|
2533
2609
|
#
|
2534
2610
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2535
2611
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2612,8 +2688,9 @@ module Aws::KMS
|
|
2612
2688
|
#
|
2613
2689
|
# To generate a data key pair, you must specify a symmetric customer
|
2614
2690
|
# master key (CMK) to encrypt the private key in the data key pair. You
|
2615
|
-
# cannot use an asymmetric CMK
|
2616
|
-
# `KeySpec` field in the
|
2691
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2692
|
+
# the type and origin of your CMK, use the `KeySpec` field in the
|
2693
|
+
# DescribeKey response.
|
2617
2694
|
#
|
2618
2695
|
# You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
|
2619
2696
|
# returns to encrypt data or verify a signature outside of AWS KMS.
|
@@ -2629,7 +2706,7 @@ module Aws::KMS
|
|
2629
2706
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2630
2707
|
# you must specify the same encryption context (a case-sensitive exact
|
2631
2708
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2632
|
-
# to decrypt fails with an InvalidCiphertextException
|
2709
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2633
2710
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2634
2711
|
# Service Developer Guide*.
|
2635
2712
|
#
|
@@ -2662,8 +2739,9 @@ module Aws::KMS
|
|
2662
2739
|
#
|
2663
2740
|
# @option params [required, String] :key_id
|
2664
2741
|
# Specifies the CMK that encrypts the private key in the data key pair.
|
2665
|
-
# You must specify a symmetric CMK. You cannot use an asymmetric CMK
|
2666
|
-
# get the type of your CMK,
|
2742
|
+
# You must specify a symmetric CMK. You cannot use an asymmetric CMK or
|
2743
|
+
# a CMK in a custom key store. To get the type and origin of your CMK,
|
2744
|
+
# use the DescribeKey operation.
|
2667
2745
|
#
|
2668
2746
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2669
2747
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2772,7 +2850,7 @@ module Aws::KMS
|
|
2772
2850
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2773
2851
|
# you must specify the same encryption context (a case-sensitive exact
|
2774
2852
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2775
|
-
# to decrypt fails with an InvalidCiphertextException
|
2853
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2776
2854
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2777
2855
|
# Service Developer Guide*.
|
2778
2856
|
#
|
@@ -3518,6 +3596,8 @@ module Aws::KMS
|
|
3518
3596
|
# * {Types::ListAliasesResponse#next_marker #next_marker} => String
|
3519
3597
|
# * {Types::ListAliasesResponse#truncated #truncated} => Boolean
|
3520
3598
|
#
|
3599
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3600
|
+
#
|
3521
3601
|
#
|
3522
3602
|
# @example Example: To list aliases
|
3523
3603
|
#
|
@@ -3604,6 +3684,19 @@ module Aws::KMS
|
|
3604
3684
|
# To perform this operation on a CMK in a different AWS account, specify
|
3605
3685
|
# the key ARN in the value of the `KeyId` parameter.
|
3606
3686
|
#
|
3687
|
+
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
3688
|
+
# contains the user or role designated as the grantee principal in the
|
3689
|
+
# grant. However, when the grantee principal in the grant is an AWS
|
3690
|
+
# service, the `GranteePrincipal` field contains the [service
|
3691
|
+
# principal][1], which might represent several different grantee
|
3692
|
+
# principals.
|
3693
|
+
#
|
3694
|
+
# </note>
|
3695
|
+
#
|
3696
|
+
#
|
3697
|
+
#
|
3698
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
3699
|
+
#
|
3607
3700
|
# @option params [Integer] :limit
|
3608
3701
|
# Use this parameter to specify the maximum number of items to return.
|
3609
3702
|
# When this value is present, AWS KMS does not return more than the
|
@@ -3638,6 +3731,8 @@ module Aws::KMS
|
|
3638
3731
|
# * {Types::ListGrantsResponse#next_marker #next_marker} => String
|
3639
3732
|
# * {Types::ListGrantsResponse#truncated #truncated} => Boolean
|
3640
3733
|
#
|
3734
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3735
|
+
#
|
3641
3736
|
#
|
3642
3737
|
# @example Example: To list grants for a customer master key (CMK)
|
3643
3738
|
#
|
@@ -3783,6 +3878,8 @@ module Aws::KMS
|
|
3783
3878
|
# * {Types::ListKeyPoliciesResponse#next_marker #next_marker} => String
|
3784
3879
|
# * {Types::ListKeyPoliciesResponse#truncated #truncated} => Boolean
|
3785
3880
|
#
|
3881
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3882
|
+
#
|
3786
3883
|
#
|
3787
3884
|
# @example Example: To list key policies for a customer master key (CMK)
|
3788
3885
|
#
|
@@ -3847,6 +3944,8 @@ module Aws::KMS
|
|
3847
3944
|
# * {Types::ListKeysResponse#next_marker #next_marker} => String
|
3848
3945
|
# * {Types::ListKeysResponse#truncated #truncated} => Boolean
|
3849
3946
|
#
|
3947
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3948
|
+
#
|
3850
3949
|
#
|
3851
3950
|
# @example Example: To list customer master keys (CMKs)
|
3852
3951
|
#
|
@@ -4227,16 +4326,16 @@ module Aws::KMS
|
|
4227
4326
|
# under which data is encrypted, such as when you [manually rotate][1] a
|
4228
4327
|
# CMK or change the CMK that protects a ciphertext. You can also use it
|
4229
4328
|
# to reencrypt ciphertext under the same CMK, such as to change the
|
4230
|
-
# encryption context of a ciphertext.
|
4329
|
+
# [encryption context][2] of a ciphertext.
|
4231
4330
|
#
|
4232
4331
|
# The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
|
4233
4332
|
# using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
|
4234
4333
|
# GenerateDataKey. It can also decrypt ciphertext that was encrypted by
|
4235
|
-
# using the public key of an asymmetric CMK outside of AWS KMS.
|
4236
|
-
# it cannot decrypt ciphertext produced by other libraries,
|
4237
|
-
# [AWS Encryption SDK][
|
4238
|
-
# These libraries return a ciphertext format that is
|
4239
|
-
# AWS KMS.
|
4334
|
+
# using the public key of an [asymmetric CMK][3] outside of AWS KMS.
|
4335
|
+
# However, it cannot decrypt ciphertext produced by other libraries,
|
4336
|
+
# such as the [AWS Encryption SDK][4] or [Amazon S3 client-side
|
4337
|
+
# encryption][5]. These libraries return a ciphertext format that is
|
4338
|
+
# incompatible with AWS KMS.
|
4240
4339
|
#
|
4241
4340
|
# When you use the `ReEncrypt` operation, you need to provide
|
4242
4341
|
# information for the decrypt operation and the subsequent encrypt
|
@@ -4274,29 +4373,30 @@ module Aws::KMS
|
|
4274
4373
|
# Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
|
4275
4374
|
# permissions:
|
4276
4375
|
#
|
4277
|
-
# * `kms:
|
4278
|
-
#
|
4279
|
-
# * `kms:EncryptTo` permission on the destination CMK
|
4376
|
+
# * `kms:ReEncryptFrom` permission on the source CMK
|
4280
4377
|
#
|
4281
|
-
#
|
4378
|
+
# * `kms:ReEncryptTo` permission on the destination CMK
|
4282
4379
|
#
|
4283
|
-
# or to a CMK, include the
|
4284
|
-
# policy][
|
4285
|
-
#
|
4286
|
-
#
|
4287
|
-
# PutKeyPolicy operation set
|
4380
|
+
# To permit reencryption from or to a CMK, include the
|
4381
|
+
# `"kms:ReEncrypt*"` permission in your [key policy][6]. This permission
|
4382
|
+
# is automatically included in the key policy when you use the console
|
4383
|
+
# to create a CMK. But you must include it manually when you create a
|
4384
|
+
# CMK programmatically or when you use the PutKeyPolicy operation to set
|
4385
|
+
# a key policy.
|
4288
4386
|
#
|
4289
4387
|
# The CMK that you use for this operation must be in a compatible key
|
4290
4388
|
# state. For details, see [How Key State Affects Use of a Customer
|
4291
|
-
# Master Key][
|
4389
|
+
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
4292
4390
|
#
|
4293
4391
|
#
|
4294
4392
|
#
|
4295
4393
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
|
4296
|
-
# [2]: https://docs.aws.amazon.com/
|
4297
|
-
# [3]: https://docs.aws.amazon.com/
|
4298
|
-
# [4]: https://docs.aws.amazon.com/
|
4299
|
-
# [5]: https://docs.aws.amazon.com/
|
4394
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4395
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
4396
|
+
# [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4397
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4398
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4399
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4300
4400
|
#
|
4301
4401
|
# @option params [required, String, IO] :ciphertext_blob
|
4302
4402
|
# Ciphertext of the data to reencrypt.
|
@@ -4791,8 +4891,8 @@ module Aws::KMS
|
|
4791
4891
|
#
|
4792
4892
|
# @option params [String] :message_type
|
4793
4893
|
# Tells AWS KMS whether the value of the `Message` parameter is a
|
4794
|
-
# message or message digest.
|
4795
|
-
# indicate a message digest, enter `DIGEST`.
|
4894
|
+
# message or message digest. The default value, RAW, indicates a
|
4895
|
+
# message. To indicate a message digest, enter `DIGEST`.
|
4796
4896
|
#
|
4797
4897
|
# @option params [Array<String>] :grant_tokens
|
4798
4898
|
# A list of grant tokens.
|
@@ -5375,7 +5475,7 @@ module Aws::KMS
|
|
5375
5475
|
params: params,
|
5376
5476
|
config: config)
|
5377
5477
|
context[:gem_name] = 'aws-sdk-kms'
|
5378
|
-
context[:gem_version] = '1.
|
5478
|
+
context[:gem_version] = '1.33.0'
|
5379
5479
|
Seahorse::Client::Request.new(handlers, context)
|
5380
5480
|
end
|
5381
5481
|
|