aws-sdk-kms 1.28.0 → 1.33.0
- checksums.yaml +5 -5
- data/lib/aws-sdk-kms.rb +7 -4
- data/lib/aws-sdk-kms/client.rb +244 -144
- data/lib/aws-sdk-kms/client_api.rb +3 -0
- data/lib/aws-sdk-kms/errors.rb +55 -33
- data/lib/aws-sdk-kms/resource.rb +1 -0
- data/lib/aws-sdk-kms/types.rb +194 -101
- metadata +3 -3
@@ -1032,6 +1032,7 @@ module Aws::KMS
|
|
1032
1032
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
1033
1033
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1034
1034
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1035
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1035
1036
|
end)
|
1036
1037
|
|
1037
1038
|
api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
@@ -1048,6 +1049,7 @@ module Aws::KMS
|
|
1048
1049
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
1049
1050
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1050
1051
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1052
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1051
1053
|
end)
|
1052
1054
|
|
1053
1055
|
api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
@@ -1387,6 +1389,7 @@ module Aws::KMS
|
|
1387
1389
|
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
1388
1390
|
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
1389
1391
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1392
|
+
o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
|
1390
1393
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1391
1394
|
end)
|
1392
1395
|
|
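--- a/data/lib/aws-sdk-kms/errors.rb
+++ b/data/lib/aws-sdk-kms/errors.rb
@@ -6,6 +6,61 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::KMS
+
+# When KMS returns an error response, the Ruby SDK constructs and raises an error.
+# These errors all extend Aws::KMS::Errors::ServiceError < {Aws::Errors::ServiceError}
+#
+# You can rescue all KMS errors using ServiceError:
+#
+# begin
+# # do stuff
+# rescue Aws::KMS::Errors::ServiceError
+# # rescues all KMS API errors
+# end
+#
+#
+# ## Request Context
+# ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
+# information about the request that generated the error.
+# See {Seahorse::Client::RequestContext} for more information.
+#
+# ## Error Classes
+# * {AlreadyExistsException}
+# * {CloudHsmClusterInUseException}
+# * {CloudHsmClusterInvalidConfigurationException}
+# * {CloudHsmClusterNotActiveException}
+# * {CloudHsmClusterNotFoundException}
+# * {CloudHsmClusterNotRelatedException}
+# * {CustomKeyStoreHasCMKsException}
+# * {CustomKeyStoreInvalidStateException}
+# * {CustomKeyStoreNameInUseException}
+# * {CustomKeyStoreNotFoundException}
+# * {DependencyTimeoutException}
+# * {DisabledException}
+# * {ExpiredImportTokenException}
+# * {IncorrectKeyException}
+# * {IncorrectKeyMaterialException}
+# * {IncorrectTrustAnchorException}
+# * {InvalidAliasNameException}
+# * {InvalidArnException}
+# * {InvalidCiphertextException}
+# * {InvalidGrantIdException}
+# * {InvalidGrantTokenException}
+# * {InvalidImportTokenException}
+# * {InvalidKeyUsageException}
+# * {InvalidMarkerException}
+# * {KMSInternalException}
+# * {KMSInvalidSignatureException}
+# * {KMSInvalidStateException}
+# * {KeyUnavailableException}
+# * {LimitExceededException}
+# * {MalformedPolicyDocumentException}
+# * {NotFoundException}
+# * {TagException}
+# * {UnsupportedOperationException}
+#
+# Additionally, error classes are dynamically generated for service errors based on the error code
+# if they are not defined above.
 module Errors
 
 extend Aws::Errors::DynamicErrors
@@ -23,7 +78,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CloudHsmClusterInUseException < ServiceError
@@ -39,7 +93,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CloudHsmClusterInvalidConfigurationException < ServiceError
@@ -55,7 +108,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CloudHsmClusterNotActiveException < ServiceError
@@ -71,7 +123,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CloudHsmClusterNotFoundException < ServiceError
@@ -87,7 +138,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CloudHsmClusterNotRelatedException < ServiceError
@@ -103,7 +153,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CustomKeyStoreHasCMKsException < ServiceError
@@ -119,7 +168,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CustomKeyStoreInvalidStateException < ServiceError
@@ -135,7 +183,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CustomKeyStoreNameInUseException < ServiceError
@@ -151,7 +198,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class CustomKeyStoreNotFoundException < ServiceError
@@ -167,7 +213,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class DependencyTimeoutException < ServiceError
@@ -183,7 +228,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class DisabledException < ServiceError
@@ -199,7 +243,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class ExpiredImportTokenException < ServiceError
@@ -215,7 +258,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class IncorrectKeyException < ServiceError
@@ -231,7 +273,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class IncorrectKeyMaterialException < ServiceError
@@ -247,7 +288,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class IncorrectTrustAnchorException < ServiceError
@@ -263,7 +303,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidAliasNameException < ServiceError
@@ -279,7 +318,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidArnException < ServiceError
@@ -295,7 +333,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidCiphertextException < ServiceError
@@ -311,7 +348,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidGrantIdException < ServiceError
@@ -327,7 +363,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidGrantTokenException < ServiceError
@@ -343,7 +378,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidImportTokenException < ServiceError
@@ -359,7 +393,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidKeyUsageException < ServiceError
@@ -375,7 +408,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class InvalidMarkerException < ServiceError
@@ -391,7 +423,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class KMSInternalException < ServiceError
@@ -407,7 +438,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class KMSInvalidSignatureException < ServiceError
@@ -423,7 +453,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class KMSInvalidStateException < ServiceError
@@ -439,7 +468,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class KeyUnavailableException < ServiceError
@@ -455,7 +483,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class LimitExceededException < ServiceError
@@ -471,7 +498,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class MalformedPolicyDocumentException < ServiceError
@@ -487,7 +513,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class NotFoundException < ServiceError
@@ -503,7 +528,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class TagException < ServiceError
@@ -519,7 +543,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 class UnsupportedOperationException < ServiceError
@@ -535,7 +558,6 @@ module Aws::KMS
 def message
 @message || @data[:message]
 end
-
 end
 
 end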
data/lib/aws-sdk-kms/resource.rb
CHANGED
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -76,8 +76,12 @@ module Aws::KMS
|
|
76
76
|
end
|
77
77
|
|
78
78
|
# @!attribute [rw] key_id
|
79
|
-
# The
|
79
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
|
80
80
|
# canceled.
|
81
|
+
#
|
82
|
+
#
|
83
|
+
#
|
84
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
81
85
|
# @return [String]
|
82
86
|
#
|
83
87
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
|
@@ -433,15 +437,16 @@ module Aws::KMS
|
|
433
437
|
# @return [Array<String>]
|
434
438
|
#
|
435
439
|
# @!attribute [rw] constraints
|
436
|
-
# Allows a cryptographic operation only when the encryption
|
437
|
-
# matches or includes the encryption context specified in this
|
440
|
+
# Allows a [cryptographic operation][1] only when the encryption
|
441
|
+
# context matches or includes the encryption context specified in this
|
438
442
|
# structure. For more information about encryption context, see
|
439
|
-
# [Encryption Context][
|
443
|
+
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
440
444
|
# Developer Guide</i> </i>.
|
441
445
|
#
|
442
446
|
#
|
443
447
|
#
|
444
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
448
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
449
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
445
450
|
# @return [Types::GrantConstraints]
|
446
451
|
#
|
447
452
|
# @!attribute [rw] grant_tokens
|
@@ -575,8 +580,8 @@ module Aws::KMS
|
|
575
580
|
# @return [String]
|
576
581
|
#
|
577
582
|
# @!attribute [rw] key_usage
|
578
|
-
# Determines the cryptographic operations for which you can use
|
579
|
-
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
583
|
+
# Determines the [cryptographic operations][1] for which you can use
|
584
|
+
# the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
580
585
|
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
581
586
|
# value after the CMK is created.
|
582
587
|
#
|
@@ -589,6 +594,10 @@ module Aws::KMS
|
|
589
594
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
590
595
|
#
|
591
596
|
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
597
|
+
#
|
598
|
+
#
|
599
|
+
#
|
600
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
592
601
|
# @return [String]
|
593
602
|
#
|
594
603
|
# @!attribute [rw] customer_master_key_spec
|
@@ -920,6 +929,16 @@ module Aws::KMS
|
|
920
929
|
# * `NETWORK_ERRORS` - Network errors are preventing AWS KMS from
|
921
930
|
# connecting to the custom key store.
|
922
931
|
#
|
932
|
+
# * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
|
933
|
+
# configuration was deleted. If AWS KMS cannot find all of the
|
934
|
+
# subnets in the cluster configuration, attempts to connect the
|
935
|
+
# custom key store to the AWS CloudHSM cluster fail. To fix this
|
936
|
+
# error, create a cluster from a recent backup and associate it with
|
937
|
+
# your custom key store. (This process creates a new cluster
|
938
|
+
# configuration with a VPC and private subnets.) For details, see
|
939
|
+
# [How to Fix a Connection Failure][1] in the *AWS Key Management
|
940
|
+
# Service Developer Guide*.
|
941
|
+
#
|
923
942
|
# * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
|
924
943
|
# associated AWS CloudHSM cluster due to too many failed password
|
925
944
|
# attempts. Before you can connect your custom key store to its AWS
|
@@ -984,9 +1003,9 @@ module Aws::KMS
|
|
984
1003
|
#
|
985
1004
|
# @!attribute [rw] encryption_context
|
986
1005
|
# Specifies the encryption context to use when decrypting the data. An
|
987
|
-
# encryption context is valid only for cryptographic operations
|
988
|
-
# symmetric CMK. The standard asymmetric encryption algorithms
|
989
|
-
# AWS KMS uses do not support an encryption context.
|
1006
|
+
# encryption context is valid only for [cryptographic operations][1]
|
1007
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
1008
|
+
# that AWS KMS uses do not support an encryption context.
|
990
1009
|
#
|
991
1010
|
# An *encryption context* is a collection of non-secret key-value
|
992
1011
|
# pairs that represents additional authenticated data. When you use an
|
@@ -995,12 +1014,13 @@ module Aws::KMS
|
|
995
1014
|
# An encryption context is optional when encrypting with a symmetric
|
996
1015
|
# CMK, but it is highly recommended.
|
997
1016
|
#
|
998
|
-
# For more information, see [Encryption Context][
|
1017
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
999
1018
|
# Management Service Developer Guide*.
|
1000
1019
|
#
|
1001
1020
|
#
|
1002
1021
|
#
|
1003
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1022
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1023
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1004
1024
|
# @return [Hash<String,String>]
|
1005
1025
|
#
|
1006
1026
|
# @!attribute [rw] grant_tokens
|
@@ -1072,8 +1092,12 @@ module Aws::KMS
|
|
1072
1092
|
end
|
1073
1093
|
|
1074
1094
|
# @!attribute [rw] key_id
|
1075
|
-
# The ARN of the
|
1076
|
-
#
|
1095
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
1096
|
+
# decrypt the ciphertext.
|
1097
|
+
#
|
1098
|
+
#
|
1099
|
+
#
|
1100
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1077
1101
|
# @return [String]
|
1078
1102
|
#
|
1079
1103
|
# @!attribute [rw] plaintext
|
@@ -1538,9 +1562,10 @@ module Aws::KMS
|
|
1538
1562
|
#
|
1539
1563
|
# @!attribute [rw] encryption_context
|
1540
1564
|
# Specifies the encryption context that will be used to encrypt the
|
1541
|
-
# data. An encryption context is valid only for cryptographic
|
1542
|
-
# operations with a symmetric CMK. The standard asymmetric
|
1543
|
-
# algorithms that AWS KMS uses do not support an encryption
|
1565
|
+
# data. An encryption context is valid only for [cryptographic
|
1566
|
+
# operations][1] with a symmetric CMK. The standard asymmetric
|
1567
|
+
# encryption algorithms that AWS KMS uses do not support an encryption
|
1568
|
+
# context.
|
1544
1569
|
#
|
1545
1570
|
# An *encryption context* is a collection of non-secret key-value
|
1546
1571
|
# pairs that represents additional authenticated data. When you use an
|
@@ -1549,12 +1574,13 @@ module Aws::KMS
|
|
1549
1574
|
# An encryption context is optional when encrypting with a symmetric
|
1550
1575
|
# CMK, but it is highly recommended.
|
1551
1576
|
#
|
1552
|
-
# For more information, see [Encryption Context][
|
1577
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1553
1578
|
# Management Service Developer Guide*.
|
1554
1579
|
#
|
1555
1580
|
#
|
1556
1581
|
#
|
1557
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1582
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1583
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1558
1584
|
# @return [Hash<String,String>]
|
1559
1585
|
#
|
1560
1586
|
# @!attribute [rw] grant_tokens
|
@@ -1596,7 +1622,12 @@ module Aws::KMS
|
|
1596
1622
|
# @return [String]
|
1597
1623
|
#
|
1598
1624
|
# @!attribute [rw] key_id
|
1599
|
-
# The
|
1625
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
1626
|
+
# encrypt the plaintext.
|
1627
|
+
#
|
1628
|
+
#
|
1629
|
+
#
|
1630
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1600
1631
|
# @return [String]
|
1601
1632
|
#
|
1602
1633
|
# @!attribute [rw] encryption_algorithm
|
@@ -1660,7 +1691,9 @@ module Aws::KMS
|
|
1660
1691
|
#
|
1661
1692
|
# @!attribute [rw] key_id
|
1662
1693
|
# Specifies the symmetric CMK that encrypts the private key in the
|
1663
|
-
# data key pair. You cannot specify an asymmetric
|
1694
|
+
# data key pair. You cannot specify an asymmetric CMK or a CMK in a
|
1695
|
+
# custom key store. To get the type and origin of your CMK, use the
|
1696
|
+
# DescribeKey operation.
|
1664
1697
|
#
|
1665
1698
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1666
1699
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -1729,7 +1762,12 @@ module Aws::KMS
|
|
1729
1762
|
# @return [String]
|
1730
1763
|
#
|
1731
1764
|
# @!attribute [rw] key_id
|
1732
|
-
# The
|
1765
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
1766
|
+
# the private key.
|
1767
|
+
#
|
1768
|
+
#
|
1769
|
+
#
|
1770
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1733
1771
|
# @return [String]
|
1734
1772
|
#
|
1735
1773
|
# @!attribute [rw] key_pair_spec
|
@@ -1781,7 +1819,8 @@ module Aws::KMS
|
|
1781
1819
|
# @!attribute [rw] key_id
|
1782
1820
|
# Specifies the CMK that encrypts the private key in the data key
|
1783
1821
|
# pair. You must specify a symmetric CMK. You cannot use an asymmetric
|
1784
|
-
# CMK. To get the type
|
1822
|
+
# CMK or a CMK in a custom key store. To get the type and origin of
|
1823
|
+
# your CMK, use the DescribeKey operation.
|
1785
1824
|
#
|
1786
1825
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1787
1826
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -1843,27 +1882,12 @@ module Aws::KMS
|
|
1843
1882
|
# @return [String]
|
1844
1883
|
#
|
1845
1884
|
# @!attribute [rw] key_id
|
1846
|
-
#
|
1847
|
-
#
|
1848
|
-
# CMK. To get the type of your CMK, use the DescribeKey operation.
|
1885
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
1886
|
+
# the private key.
|
1849
1887
|
#
|
1850
|
-
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1851
|
-
# name, or alias ARN. When using an alias name, prefix it with
|
1852
|
-
# `"alias/"`.
|
1853
|
-
#
|
1854
|
-
# For example:
|
1855
|
-
#
|
1856
|
-
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
1857
1888
|
#
|
1858
|
-
# * Key ARN:
|
1859
|
-
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1860
|
-
#
|
1861
|
-
# * Alias name: `alias/ExampleAlias`
|
1862
|
-
#
|
1863
|
-
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1864
1889
|
#
|
1865
|
-
#
|
1866
|
-
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1890
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1867
1891
|
# @return [String]
|
1868
1892
|
#
|
1869
1893
|
# @!attribute [rw] key_pair_spec
|
@@ -1990,7 +2014,12 @@ module Aws::KMS
|
|
1990
2014
|
# @return [String]
|
1991
2015
|
#
|
1992
2016
|
# @!attribute [rw] key_id
|
1993
|
-
# The
|
2017
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
2018
|
+
# the data key.
|
2019
|
+
#
|
2020
|
+
#
|
2021
|
+
#
|
2022
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1994
2023
|
# @return [String]
|
1995
2024
|
#
|
1996
2025
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
|
@@ -2098,7 +2127,12 @@ module Aws::KMS
|
|
2098
2127
|
# @return [String]
|
2099
2128
|
#
|
2100
2129
|
# @!attribute [rw] key_id
|
2101
|
-
# The
|
2130
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
2131
|
+
# the data key.
|
2132
|
+
#
|
2133
|
+
#
|
2134
|
+
#
|
2135
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2102
2136
|
# @return [String]
|
2103
2137
|
#
|
2104
2138
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
|
@@ -2293,9 +2327,13 @@ module Aws::KMS
|
|
2293
2327
|
end
|
2294
2328
|
|
2295
2329
|
# @!attribute [rw] key_id
|
2296
|
-
# The
|
2297
|
-
# request. This is the same CMK specified
|
2298
|
-
# `GetParametersForImport` request.
|
2330
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
|
2331
|
+
# subsequent ImportKeyMaterial request. This is the same CMK specified
|
2332
|
+
# in the `GetParametersForImport` request.
|
2333
|
+
#
|
2334
|
+
#
|
2335
|
+
#
|
2336
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2299
2337
|
# @return [String]
|
2300
2338
|
#
|
2301
2339
|
# @!attribute [rw] import_token
|
@@ -2375,21 +2413,27 @@ module Aws::KMS
|
|
2375
2413
|
end
|
2376
2414
|
|
2377
2415
|
# @!attribute [rw] key_id
|
2378
|
-
# The
|
2379
|
-
# downloaded.
|
2416
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
|
2417
|
+
# which the public key was downloaded.
|
2418
|
+
#
|
2419
|
+
#
|
2420
|
+
#
|
2421
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2380
2422
|
# @return [String]
|
2381
2423
|
#
|
2382
2424
|
# @!attribute [rw] public_key
|
2383
2425
|
# The exported public key.
|
2384
2426
|
#
|
2385
|
-
#
|
2386
|
-
# (
|
2387
|
-
#
|
2427
|
+
# The value is a DER-encoded X.509 public key, also known as
|
2428
|
+
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
|
2429
|
+
# use the HTTP API or the AWS CLI, the value is Base64-encoded.
|
2430
|
+
# Otherwise, it is not Base64-encoded.
|
2431
|
+
#
|
2388
2432
|
#
|
2389
2433
|
#
|
2390
2434
|
#
|
2391
|
-
#
|
2392
|
-
# [
|
2435
|
+
#
|
2436
|
+
# [1]: https://tools.ietf.org/html/rfc5280
|
2393
2437
|
# @return [String]
|
2394
2438
|
#
|
2395
2439
|
# @!attribute [rw] customer_master_key_spec
|
@@ -2435,26 +2479,16 @@ module Aws::KMS
|
|
2435
2479
|
include Aws::Structure
|
2436
2480
|
end
|
2437
2481
|
|
2438
|
-
# Use this structure to allow cryptographic operations in the grant
|
2439
|
-
# when the operation request includes the specified [encryption
|
2440
|
-
# context][
|
2441
|
-
#
|
2442
|
-
# AWS KMS applies the grant constraints only when the grant allows a
|
2443
|
-
# cryptographic operation that accepts an encryption context as input,
|
2444
|
-
# such as the following.
|
2445
|
-
#
|
2446
|
-
# * Encrypt
|
2447
|
-
#
|
2448
|
-
# * Decrypt
|
2449
|
-
#
|
2450
|
-
# * GenerateDataKey
|
2451
|
-
#
|
2452
|
-
# * GenerateDataKeyWithoutPlaintext
|
2482
|
+
# Use this structure to allow [cryptographic operations][1] in the grant
|
2483
|
+
# only when the operation request includes the specified [encryption
|
2484
|
+
# context][2].
|
2453
2485
|
#
|
2454
|
-
#
|
2455
|
-
#
|
2456
|
-
#
|
2457
|
-
#
|
2486
|
+
# AWS KMS applies the grant constraints only to cryptographic operations
|
2487
|
+
# that support an encryption context, that is, all cryptographic
|
2488
|
+
# operations with a [symmetric CMK][3]. Grant constraints are not
|
2489
|
+
# applied to operations that do not support an encryption context, such
|
2490
|
+
# as cryptographic operations with asymmetric CMKs and management
|
2491
|
+
# operations, such as DescribeKey or ScheduleKeyDeletion.
|
2458
2492
|
#
|
2459
2493
|
# In a cryptographic operation, the encryption context in the decryption
|
2460
2494
|
# operation must be an exact, case-sensitive match for the keys and
|
@@ -2468,13 +2502,15 @@ module Aws::KMS
|
|
2468
2502
|
# differ only by case. To require a fully case-sensitive encryption
|
2469
2503
|
# context, use the `kms:EncryptionContext:` and
|
2470
2504
|
# `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
|
2471
|
-
# details, see [kms:EncryptionContext:][
|
2505
|
+
# details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
|
2472
2506
|
# Management Service Developer Guide</i> </i>.
|
2473
2507
|
#
|
2474
2508
|
#
|
2475
2509
|
#
|
2476
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
2477
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2510
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2511
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2512
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
|
2513
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
|
2478
2514
|
#
|
2479
2515
|
# @note When making an API call, you may pass GrantConstraints
|
2480
2516
|
# data as a hash:
|
@@ -2490,17 +2526,25 @@ module Aws::KMS
|
|
2490
2526
|
#
|
2491
2527
|
# @!attribute [rw] encryption_context_subset
|
2492
2528
|
# A list of key-value pairs that must be included in the encryption
|
2493
|
-
# context of the cryptographic operation request. The grant
|
2494
|
-
# cryptographic operation only when the encryption context
|
2495
|
-
# request includes the key-value pairs specified in this
|
2496
|
-
# although it can include additional key-value pairs.
|
2529
|
+
# context of the [cryptographic operation][1] request. The grant
|
2530
|
+
# allows the cryptographic operation only when the encryption context
|
2531
|
+
# in the request includes the key-value pairs specified in this
|
2532
|
+
# constraint, although it can include additional key-value pairs.
|
2533
|
+
#
|
2534
|
+
#
|
2535
|
+
#
|
2536
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2497
2537
|
# @return [Hash<String,String>]
|
2498
2538
|
#
|
2499
2539
|
# @!attribute [rw] encryption_context_equals
|
2500
2540
|
# A list of key-value pairs that must match the encryption context in
|
2501
|
-
# the cryptographic operation request. The grant allows the
|
2502
|
-
# only when the encryption context in the request is the
|
2503
|
-
# encryption context specified in this constraint.
|
2541
|
+
# the [cryptographic operation][1] request. The grant allows the
|
2542
|
+
# operation only when the encryption context in the request is the
|
2543
|
+
# same as the encryption context specified in this constraint.
|
2544
|
+
#
|
2545
|
+
#
|
2546
|
+
#
|
2547
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2504
2548
|
# @return [Hash<String,String>]
|
2505
2549
|
#
|
2506
2550
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
|
@@ -2511,7 +2555,7 @@ module Aws::KMS
|
|
2511
2555
|
include Aws::Structure
|
2512
2556
|
end
|
2513
2557
|
|
2514
|
-
# Contains information about
|
2558
|
+
# Contains information about a grant.
|
2515
2559
|
#
|
2516
2560
|
# @!attribute [rw] key_id
|
2517
2561
|
# The unique identifier for the customer master key (CMK) to which the
|
@@ -2533,7 +2577,18 @@ module Aws::KMS
|
|
2533
2577
|
# @return [Time]
|
2534
2578
|
#
|
2535
2579
|
# @!attribute [rw] grantee_principal
|
2536
|
-
# The
|
2580
|
+
# The identity that gets the permissions in the grant.
|
2581
|
+
#
|
2582
|
+
# The `GranteePrincipal` field in the `ListGrants` response usually
|
2583
|
+
# contains the user or role designated as the grantee principal in the
|
2584
|
+
# grant. However, when the grantee principal in the grant is an AWS
|
2585
|
+
# service, the `GranteePrincipal` field contains the [service
|
2586
|
+
# principal][1], which might represent several different grantee
|
2587
|
+
# principals.
|
2588
|
+
#
|
2589
|
+
#
|
2590
|
+
#
|
2591
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
2537
2592
|
# @return [String]
|
2538
2593
|
#
|
2539
2594
|
# @!attribute [rw] retiring_principal
|
@@ -2919,15 +2974,19 @@ module Aws::KMS
|
|
2919
2974
|
# @return [String]
|
2920
2975
|
#
|
2921
2976
|
# @!attribute [rw] key_usage
|
2922
|
-
# The cryptographic operations for which you can use the CMK.
|
2977
|
+
# The [cryptographic operations][1] for which you can use the CMK.
|
2978
|
+
#
|
2979
|
+
#
|
2980
|
+
#
|
2981
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2923
2982
|
# @return [String]
|
2924
2983
|
#
|
2925
2984
|
# @!attribute [rw] key_state
|
2926
|
-
# The
|
2985
|
+
# The current status of the CMK.
|
2927
2986
|
#
|
2928
2987
|
# For more information about how key state affects the use of a CMK,
|
2929
|
-
# see [
|
2930
|
-
#
|
2988
|
+
# see [Key state: Effect on your CMK][1] in the *AWS Key Management
|
2989
|
+
# Service Developer Guide*.
|
2931
2990
|
#
|
2932
2991
|
#
|
2933
2992
|
#
|
@@ -3000,16 +3059,16 @@ module Aws::KMS
|
|
3000
3059
|
# @return [String]
|
3001
3060
|
#
|
3002
3061
|
# @!attribute [rw] encryption_algorithms
|
3003
|
-
#
|
3004
|
-
#
|
3062
|
+
# The encryption algorithms that the CMK supports. You cannot use the
|
3063
|
+
# CMK with other encryption algorithms within AWS KMS.
|
3005
3064
|
#
|
3006
3065
|
# This field appears only when the `KeyUsage` of the CMK is
|
3007
3066
|
# `ENCRYPT_DECRYPT`.
|
3008
3067
|
# @return [Array<String>]
|
3009
3068
|
#
|
3010
3069
|
# @!attribute [rw] signing_algorithms
|
3011
|
-
#
|
3012
|
-
#
|
3070
|
+
# The signing algorithms that the CMK supports. You cannot use the CMK
|
3071
|
+
# with other signing algorithms within AWS KMS.
|
3013
3072
|
#
|
3014
3073
|
# This field appears only when the `KeyUsage` of the CMK is
|
3015
3074
|
# `SIGN_VERIFY`.
|
@@ -3783,7 +3842,12 @@ module Aws::KMS
|
|
3783
3842
|
# @return [String]
|
3784
3843
|
#
|
3785
3844
|
# @!attribute [rw] key_id
|
3786
|
-
#
|
3845
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
3846
|
+
# reencrypt the data.
|
3847
|
+
#
|
3848
|
+
#
|
3849
|
+
#
|
3850
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
3787
3851
|
# @return [String]
|
3788
3852
|
#
|
3789
3853
|
# @!attribute [rw] source_encryption_algorithm
|
@@ -3924,8 +3988,12 @@ module Aws::KMS
|
|
3924
3988
|
end
|
3925
3989
|
|
3926
3990
|
# @!attribute [rw] key_id
|
3927
|
-
# The
|
3928
|
-
#
|
3991
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
|
3992
|
+
# scheduled.
|
3993
|
+
#
|
3994
|
+
#
|
3995
|
+
#
|
3996
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
3929
3997
|
# @return [String]
|
3930
3998
|
#
|
3931
3999
|
# @!attribute [rw] deletion_date
|
@@ -3988,8 +4056,8 @@ module Aws::KMS
|
|
3988
4056
|
#
|
3989
4057
|
# @!attribute [rw] message_type
|
3990
4058
|
# Tells AWS KMS whether the value of the `Message` parameter is a
|
3991
|
-
# message or message digest.
|
3992
|
-
# indicate a message digest, enter `DIGEST`.
|
4059
|
+
# message or message digest. The default value, RAW, indicates a
|
4060
|
+
# message. To indicate a message digest, enter `DIGEST`.
|
3993
4061
|
# @return [String]
|
3994
4062
|
#
|
3995
4063
|
# @!attribute [rw] grant_tokens
|
@@ -4022,12 +4090,33 @@ module Aws::KMS
|
|
4022
4090
|
end
|
4023
4091
|
|
4024
4092
|
# @!attribute [rw] key_id
|
4025
|
-
# The Amazon Resource Name (ARN) of the asymmetric CMK that
|
4026
|
-
# to sign the message.
|
4093
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
|
4094
|
+
# was used to sign the message.
|
4095
|
+
#
|
4096
|
+
#
|
4097
|
+
#
|
4098
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4027
4099
|
# @return [String]
|
4028
4100
|
#
|
4029
4101
|
# @!attribute [rw] signature
|
4030
4102
|
# The cryptographic signature that was generated for the message.
|
4103
|
+
#
|
4104
|
+
# * When used with the supported RSA signing algorithms, the encoding
|
4105
|
+
# of this value is defined by [PKCS #1 in RFC 8017][1].
|
4106
|
+
#
|
4107
|
+
# * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
|
4108
|
+
# `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
|
4109
|
+
# object as defined by ANS X9.62–2005 and [RFC 3279 Section
|
4110
|
+
# 2.2.3][2]. This is the most commonly used signature format and is
|
4111
|
+
# appropriate for most uses.
|
4112
|
+
#
|
4113
|
+
# When you use the HTTP API or the AWS CLI, the value is
|
4114
|
+
# Base64-encoded. Otherwise, it is not Base64-encoded.
|
4115
|
+
#
|
4116
|
+
#
|
4117
|
+
#
|
4118
|
+
# [1]: https://tools.ietf.org/html/rfc8017
|
4119
|
+
# [2]: https://tools.ietf.org/html/rfc3279#section-2.2.3
|
4031
4120
|
# @return [String]
|
4032
4121
|
#
|
4033
4122
|
# @!attribute [rw] signing_algorithm
|
@@ -4420,8 +4509,12 @@ module Aws::KMS
|
|
4420
4509
|
end
|
4421
4510
|
|
4422
4511
|
# @!attribute [rw] key_id
|
4423
|
-
# The
|
4424
|
-
# the signature.
|
4512
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
|
4513
|
+
# was used to verify the signature.
|
4514
|
+
#
|
4515
|
+
#
|
4516
|
+
#
|
4517
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4425
4518
|
# @return [String]
|
4426
4519
|
#
|
4427
4520
|
# @!attribute [rw] signature_valid
|