aws-sdk-kms 1.29.0 → 1.34.1

@@ -1032,6 +1032,7 @@ module Aws::KMS
1032
1032
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1033
1033
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1034
1034
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1035
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1035
1036
  end)
1036
1037
 
1037
1038
  api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1048,6 +1049,7 @@ module Aws::KMS
1048
1049
  o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
1049
1050
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1050
1051
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1052
+ o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
1051
1053
  end)
1052
1054
 
1053
1055
  api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
@@ -1387,6 +1389,7 @@ module Aws::KMS
1387
1389
  o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
1388
1390
  o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
1389
1391
  o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
1392
+ o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
1390
1393
  o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
1391
1394
  end)
1392
1395
 
@@ -6,6 +6,61 @@
6
6
  # WARNING ABOUT GENERATED CODE
7
7
 
8
8
  module Aws::KMS
9
+
10
+ # When KMS returns an error response, the Ruby SDK constructs and raises an error.
11
+ # These errors all extend Aws::KMS::Errors::ServiceError < {Aws::Errors::ServiceError}
12
+ #
13
+ # You can rescue all KMS errors using ServiceError:
14
+ #
15
+ # begin
16
+ # # do stuff
17
+ # rescue Aws::KMS::Errors::ServiceError
18
+ # # rescues all KMS API errors
19
+ # end
20
+ #
21
+ #
22
+ # ## Request Context
23
+ # ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
24
+ # information about the request that generated the error.
25
+ # See {Seahorse::Client::RequestContext} for more information.
26
+ #
27
+ # ## Error Classes
28
+ # * {AlreadyExistsException}
29
+ # * {CloudHsmClusterInUseException}
30
+ # * {CloudHsmClusterInvalidConfigurationException}
31
+ # * {CloudHsmClusterNotActiveException}
32
+ # * {CloudHsmClusterNotFoundException}
33
+ # * {CloudHsmClusterNotRelatedException}
34
+ # * {CustomKeyStoreHasCMKsException}
35
+ # * {CustomKeyStoreInvalidStateException}
36
+ # * {CustomKeyStoreNameInUseException}
37
+ # * {CustomKeyStoreNotFoundException}
38
+ # * {DependencyTimeoutException}
39
+ # * {DisabledException}
40
+ # * {ExpiredImportTokenException}
41
+ # * {IncorrectKeyException}
42
+ # * {IncorrectKeyMaterialException}
43
+ # * {IncorrectTrustAnchorException}
44
+ # * {InvalidAliasNameException}
45
+ # * {InvalidArnException}
46
+ # * {InvalidCiphertextException}
47
+ # * {InvalidGrantIdException}
48
+ # * {InvalidGrantTokenException}
49
+ # * {InvalidImportTokenException}
50
+ # * {InvalidKeyUsageException}
51
+ # * {InvalidMarkerException}
52
+ # * {KMSInternalException}
53
+ # * {KMSInvalidSignatureException}
54
+ # * {KMSInvalidStateException}
55
+ # * {KeyUnavailableException}
56
+ # * {LimitExceededException}
57
+ # * {MalformedPolicyDocumentException}
58
+ # * {NotFoundException}
59
+ # * {TagException}
60
+ # * {UnsupportedOperationException}
61
+ #
62
+ # Additionally, error classes are dynamically generated for service errors based on the error code
63
+ # if they are not defined above.
9
64
  module Errors
10
65
 
11
66
  extend Aws::Errors::DynamicErrors
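Review bot: The usage example in the new doc comment (`rescue Aws::KMS::Errors::ServiceError` with `# rescues all KMS API errors`) is the only handling pattern shown, and it treats every class in the list below it the same way. For a key-management client that is a poor default to copy: `InvalidCiphertextException`, `KMSInvalidSignatureException` and `IncorrectKeyException` report that the data or the key did not check out, while `DependencyTimeoutException` and `KMSInternalException` are service-side conditions, and a blanket rescue that logs and continues or retries hides the difference. I would add one sentence after the example, e.g. `# Rescue specific classes first; do not retry or ignore InvalidCiphertextException or KMSInvalidSignatureException.` The file is marked as generated, so the wording belongs in the generator template, and `module Errors` continues past this hunk.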
@@ -23,7 +78,6 @@ module Aws::KMS
23
78
  def message
24
79
  @message || @data[:message]
25
80
  end
26
-
27
81
  end
28
82
 
29
83
  class CloudHsmClusterInUseException < ServiceError
@@ -39,7 +93,6 @@ module Aws::KMS
39
93
  def message
40
94
  @message || @data[:message]
41
95
  end
42
-
43
96
  end
44
97
 
45
98
  class CloudHsmClusterInvalidConfigurationException < ServiceError
@@ -55,7 +108,6 @@ module Aws::KMS
55
108
  def message
56
109
  @message || @data[:message]
57
110
  end
58
-
59
111
  end
60
112
 
61
113
  class CloudHsmClusterNotActiveException < ServiceError
@@ -71,7 +123,6 @@ module Aws::KMS
71
123
  def message
72
124
  @message || @data[:message]
73
125
  end
74
-
75
126
  end
76
127
 
77
128
  class CloudHsmClusterNotFoundException < ServiceError
@@ -87,7 +138,6 @@ module Aws::KMS
87
138
  def message
88
139
  @message || @data[:message]
89
140
  end
90
-
91
141
  end
92
142
 
93
143
  class CloudHsmClusterNotRelatedException < ServiceError
@@ -103,7 +153,6 @@ module Aws::KMS
103
153
  def message
104
154
  @message || @data[:message]
105
155
  end
106
-
107
156
  end
108
157
 
109
158
  class CustomKeyStoreHasCMKsException < ServiceError
@@ -119,7 +168,6 @@ module Aws::KMS
119
168
  def message
120
169
  @message || @data[:message]
121
170
  end
122
-
123
171
  end
124
172
 
125
173
  class CustomKeyStoreInvalidStateException < ServiceError
@@ -135,7 +183,6 @@ module Aws::KMS
135
183
  def message
136
184
  @message || @data[:message]
137
185
  end
138
-
139
186
  end
140
187
 
141
188
  class CustomKeyStoreNameInUseException < ServiceError
@@ -151,7 +198,6 @@ module Aws::KMS
151
198
  def message
152
199
  @message || @data[:message]
153
200
  end
154
-
155
201
  end
156
202
 
157
203
  class CustomKeyStoreNotFoundException < ServiceError
@@ -167,7 +213,6 @@ module Aws::KMS
167
213
  def message
168
214
  @message || @data[:message]
169
215
  end
170
-
171
216
  end
172
217
 
173
218
  class DependencyTimeoutException < ServiceError
@@ -183,7 +228,6 @@ module Aws::KMS
183
228
  def message
184
229
  @message || @data[:message]
185
230
  end
186
-
187
231
  end
188
232
 
189
233
  class DisabledException < ServiceError
@@ -199,7 +243,6 @@ module Aws::KMS
199
243
  def message
200
244
  @message || @data[:message]
201
245
  end
202
-
203
246
  end
204
247
 
205
248
  class ExpiredImportTokenException < ServiceError
@@ -215,7 +258,6 @@ module Aws::KMS
215
258
  def message
216
259
  @message || @data[:message]
217
260
  end
218
-
219
261
  end
220
262
 
221
263
  class IncorrectKeyException < ServiceError
@@ -231,7 +273,6 @@ module Aws::KMS
231
273
  def message
232
274
  @message || @data[:message]
233
275
  end
234
-
235
276
  end
236
277
 
237
278
  class IncorrectKeyMaterialException < ServiceError
@@ -247,7 +288,6 @@ module Aws::KMS
247
288
  def message
248
289
  @message || @data[:message]
249
290
  end
250
-
251
291
  end
252
292
 
253
293
  class IncorrectTrustAnchorException < ServiceError
@@ -263,7 +303,6 @@ module Aws::KMS
263
303
  def message
264
304
  @message || @data[:message]
265
305
  end
266
-
267
306
  end
268
307
 
269
308
  class InvalidAliasNameException < ServiceError
@@ -279,7 +318,6 @@ module Aws::KMS
279
318
  def message
280
319
  @message || @data[:message]
281
320
  end
282
-
283
321
  end
284
322
 
285
323
  class InvalidArnException < ServiceError
@@ -295,7 +333,6 @@ module Aws::KMS
295
333
  def message
296
334
  @message || @data[:message]
297
335
  end
298
-
299
336
  end
300
337
 
301
338
  class InvalidCiphertextException < ServiceError
@@ -311,7 +348,6 @@ module Aws::KMS
311
348
  def message
312
349
  @message || @data[:message]
313
350
  end
314
-
315
351
  end
316
352
 
317
353
  class InvalidGrantIdException < ServiceError
@@ -327,7 +363,6 @@ module Aws::KMS
327
363
  def message
328
364
  @message || @data[:message]
329
365
  end
330
-
331
366
  end
332
367
 
333
368
  class InvalidGrantTokenException < ServiceError
@@ -343,7 +378,6 @@ module Aws::KMS
343
378
  def message
344
379
  @message || @data[:message]
345
380
  end
346
-
347
381
  end
348
382
 
349
383
  class InvalidImportTokenException < ServiceError
@@ -359,7 +393,6 @@ module Aws::KMS
359
393
  def message
360
394
  @message || @data[:message]
361
395
  end
362
-
363
396
  end
364
397
 
365
398
  class InvalidKeyUsageException < ServiceError
@@ -375,7 +408,6 @@ module Aws::KMS
375
408
  def message
376
409
  @message || @data[:message]
377
410
  end
378
-
379
411
  end
380
412
 
381
413
  class InvalidMarkerException < ServiceError
@@ -391,7 +423,6 @@ module Aws::KMS
391
423
  def message
392
424
  @message || @data[:message]
393
425
  end
394
-
395
426
  end
396
427
 
397
428
  class KMSInternalException < ServiceError
@@ -407,7 +438,6 @@ module Aws::KMS
407
438
  def message
408
439
  @message || @data[:message]
409
440
  end
410
-
411
441
  end
412
442
 
413
443
  class KMSInvalidSignatureException < ServiceError
@@ -423,7 +453,6 @@ module Aws::KMS
423
453
  def message
424
454
  @message || @data[:message]
425
455
  end
426
-
427
456
  end
428
457
 
429
458
  class KMSInvalidStateException < ServiceError
@@ -439,7 +468,6 @@ module Aws::KMS
439
468
  def message
440
469
  @message || @data[:message]
441
470
  end
442
-
443
471
  end
444
472
 
445
473
  class KeyUnavailableException < ServiceError
@@ -455,7 +483,6 @@ module Aws::KMS
455
483
  def message
456
484
  @message || @data[:message]
457
485
  end
458
-
459
486
  end
460
487
 
461
488
  class LimitExceededException < ServiceError
@@ -471,7 +498,6 @@ module Aws::KMS
471
498
  def message
472
499
  @message || @data[:message]
473
500
  end
474
-
475
501
  end
476
502
 
477
503
  class MalformedPolicyDocumentException < ServiceError
@@ -487,7 +513,6 @@ module Aws::KMS
487
513
  def message
488
514
  @message || @data[:message]
489
515
  end
490
-
491
516
  end
492
517
 
493
518
  class NotFoundException < ServiceError
@@ -503,7 +528,6 @@ module Aws::KMS
503
528
  def message
504
529
  @message || @data[:message]
505
530
  end
506
-
507
531
  end
508
532
 
509
533
  class TagException < ServiceError
@@ -519,7 +543,6 @@ module Aws::KMS
519
543
  def message
520
544
  @message || @data[:message]
521
545
  end
522
-
523
546
  end
524
547
 
525
548
  class UnsupportedOperationException < ServiceError
@@ -535,7 +558,6 @@ module Aws::KMS
535
558
  def message
536
559
  @message || @data[:message]
537
560
  end
538
-
539
561
  end
540
562
 
541
563
  end
@@ -6,6 +6,7 @@
6
6
  # WARNING ABOUT GENERATED CODE
7
7
 
8
8
  module Aws::KMS
9
+
9
10
  class Resource
10
11
 
11
12
  # @param options ({})
@@ -76,8 +76,12 @@ module Aws::KMS
76
76
  end
77
77
 
78
78
  # @!attribute [rw] key_id
79
- # The unique identifier of the master key for which deletion is
79
+ # The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
80
80
  # canceled.
81
+ #
82
+ #
83
+ #
84
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
81
85
  # @return [String]
82
86
  #
83
87
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
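Review bot: The reworded `key_id` description says the returned value is a key ARN where the old text said "unique identifier", but it does not say what that means for a caller that checks the returned key against the one it expected. The same rewording recurs in the hunks at -1605, -1738, -1999, -2107, -2302, -2384, -3794, -3935 and -4448. The request-side text elsewhere in this diff allows a key ID, key ARN, alias name or alias ARN, so a check that compares the response `key_id` with a bare key ID or an alias will not match. I would add a line such as `# Always the full key ARN, even when the request named the CMK by key ID or alias.` Whether the service behaviour changed between these versions or only the wording did is not visible here.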
@@ -433,15 +437,16 @@ module Aws::KMS
433
437
  # @return [Array<String>]
434
438
  #
435
439
  # @!attribute [rw] constraints
436
- # Allows a cryptographic operation only when the encryption context
437
- # matches or includes the encryption context specified in this
440
+ # Allows a [cryptographic operation][1] only when the encryption
441
+ # context matches or includes the encryption context specified in this
438
442
  # structure. For more information about encryption context, see
439
- # [Encryption Context][1] in the <i> <i>AWS Key Management Service
443
+ # [Encryption Context][2] in the <i> <i>AWS Key Management Service
440
444
  # Developer Guide</i> </i>.
441
445
  #
442
446
  #
443
447
  #
444
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
448
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
449
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
445
450
  # @return [Types::GrantConstraints]
446
451
  #
447
452
  # @!attribute [rw] grant_tokens
@@ -575,8 +580,8 @@ module Aws::KMS
575
580
  # @return [String]
576
581
  #
577
582
  # @!attribute [rw] key_usage
578
- # Determines the cryptographic operations for which you can use the
579
- # CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
583
+ # Determines the [cryptographic operations][1] for which you can use
584
+ # the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
580
585
  # required only for asymmetric CMKs. You can't change the `KeyUsage`
581
586
  # value after the CMK is created.
582
587
  #
@@ -589,6 +594,10 @@ module Aws::KMS
589
594
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
590
595
  #
591
596
  # * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
597
+ #
598
+ #
599
+ #
600
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
592
601
  # @return [String]
593
602
  #
594
603
  # @!attribute [rw] customer_master_key_spec
@@ -922,12 +931,13 @@ module Aws::KMS
922
931
  #
923
932
  # * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
924
933
  # configuration was deleted. If AWS KMS cannot find all of the
925
- # subnets that were configured for the cluster when the custom key
926
- # store was created, attempts to connect fail. To fix this error,
927
- # create a cluster from a backup and associate it with your custom
928
- # key store. This process includes selecting a VPC and subnets. For
929
- # details, see [How to Fix a Connection Failure][1] in the *AWS Key
930
- # Management Service Developer Guide*.
934
+ # subnets in the cluster configuration, attempts to connect the
935
+ # custom key store to the AWS CloudHSM cluster fail. To fix this
936
+ # error, create a cluster from a recent backup and associate it with
937
+ # your custom key store. (This process creates a new cluster
938
+ # configuration with a VPC and private subnets.) For details, see
939
+ # [How to Fix a Connection Failure][1] in the *AWS Key Management
940
+ # Service Developer Guide*.
931
941
  #
932
942
  # * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
933
943
  # associated AWS CloudHSM cluster due to too many failed password
@@ -993,9 +1003,9 @@ module Aws::KMS
993
1003
  #
994
1004
  # @!attribute [rw] encryption_context
995
1005
  # Specifies the encryption context to use when decrypting the data. An
996
- # encryption context is valid only for cryptographic operations with a
997
- # symmetric CMK. The standard asymmetric encryption algorithms that
998
- # AWS KMS uses do not support an encryption context.
1006
+ # encryption context is valid only for [cryptographic operations][1]
1007
+ # with a symmetric CMK. The standard asymmetric encryption algorithms
1008
+ # that AWS KMS uses do not support an encryption context.
999
1009
  #
1000
1010
  # An *encryption context* is a collection of non-secret key-value
1001
1011
  # pairs that represents additional authenticated data. When you use an
@@ -1004,12 +1014,13 @@ module Aws::KMS
1004
1014
  # An encryption context is optional when encrypting with a symmetric
1005
1015
  # CMK, but it is highly recommended.
1006
1016
  #
1007
- # For more information, see [Encryption Context][1] in the *AWS Key
1017
+ # For more information, see [Encryption Context][2] in the *AWS Key
1008
1018
  # Management Service Developer Guide*.
1009
1019
  #
1010
1020
  #
1011
1021
  #
1012
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1022
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1023
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1013
1024
  # @return [Hash<String,String>]
1014
1025
  #
1015
1026
  # @!attribute [rw] grant_tokens
@@ -1081,8 +1092,12 @@ module Aws::KMS
1081
1092
  end
1082
1093
 
1083
1094
  # @!attribute [rw] key_id
1084
- # The ARN of the customer master key that was used to perform the
1085
- # decryption.
1095
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
1096
+ # decrypt the ciphertext.
1097
+ #
1098
+ #
1099
+ #
1100
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1086
1101
  # @return [String]
1087
1102
  #
1088
1103
  # @!attribute [rw] plaintext
@@ -1547,9 +1562,10 @@ module Aws::KMS
1547
1562
  #
1548
1563
  # @!attribute [rw] encryption_context
1549
1564
  # Specifies the encryption context that will be used to encrypt the
1550
- # data. An encryption context is valid only for cryptographic
1551
- # operations with a symmetric CMK. The standard asymmetric encryption
1552
- # algorithms that AWS KMS uses do not support an encryption context.
1565
+ # data. An encryption context is valid only for [cryptographic
1566
+ # operations][1] with a symmetric CMK. The standard asymmetric
1567
+ # encryption algorithms that AWS KMS uses do not support an encryption
1568
+ # context.
1553
1569
  #
1554
1570
  # An *encryption context* is a collection of non-secret key-value
1555
1571
  # pairs that represents additional authenticated data. When you use an
@@ -1558,12 +1574,13 @@ module Aws::KMS
1558
1574
  # An encryption context is optional when encrypting with a symmetric
1559
1575
  # CMK, but it is highly recommended.
1560
1576
  #
1561
- # For more information, see [Encryption Context][1] in the *AWS Key
1577
+ # For more information, see [Encryption Context][2] in the *AWS Key
1562
1578
  # Management Service Developer Guide*.
1563
1579
  #
1564
1580
  #
1565
1581
  #
1566
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1582
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1583
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1567
1584
  # @return [Hash<String,String>]
1568
1585
  #
1569
1586
  # @!attribute [rw] grant_tokens
@@ -1605,7 +1622,12 @@ module Aws::KMS
1605
1622
  # @return [String]
1606
1623
  #
1607
1624
  # @!attribute [rw] key_id
1608
- # The ID of the key used during encryption.
1625
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
1626
+ # encrypt the plaintext.
1627
+ #
1628
+ #
1629
+ #
1630
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1609
1631
  # @return [String]
1610
1632
  #
1611
1633
  # @!attribute [rw] encryption_algorithm
@@ -1669,7 +1691,9 @@ module Aws::KMS
1669
1691
  #
1670
1692
  # @!attribute [rw] key_id
1671
1693
  # Specifies the symmetric CMK that encrypts the private key in the
1672
- # data key pair. You cannot specify an asymmetric CMKs.
1694
+ # data key pair. You cannot specify an asymmetric CMK or a CMK in a
1695
+ # custom key store. To get the type and origin of your CMK, use the
1696
+ # DescribeKey operation.
1673
1697
  #
1674
1698
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1675
1699
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1738,7 +1762,12 @@ module Aws::KMS
1738
1762
  # @return [String]
1739
1763
  #
1740
1764
  # @!attribute [rw] key_id
1741
- # The identifier of the CMK that encrypted the private key.
1765
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
1766
+ # the private key.
1767
+ #
1768
+ #
1769
+ #
1770
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1742
1771
  # @return [String]
1743
1772
  #
1744
1773
  # @!attribute [rw] key_pair_spec
@@ -1790,7 +1819,8 @@ module Aws::KMS
1790
1819
  # @!attribute [rw] key_id
1791
1820
  # Specifies the CMK that encrypts the private key in the data key
1792
1821
  # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1793
- # CMK. To get the type of your CMK, use the DescribeKey operation.
1822
+ # CMK or a CMK in a custom key store. To get the type and origin of
1823
+ # your CMK, use the DescribeKey operation.
1794
1824
  #
1795
1825
  # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1796
1826
  # name, or alias ARN. When using an alias name, prefix it with
@@ -1852,27 +1882,12 @@ module Aws::KMS
1852
1882
  # @return [String]
1853
1883
  #
1854
1884
  # @!attribute [rw] key_id
1855
- # Specifies the CMK that encrypted the private key in the data key
1856
- # pair. You must specify a symmetric CMK. You cannot use an asymmetric
1857
- # CMK. To get the type of your CMK, use the DescribeKey operation.
1885
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
1886
+ # the private key.
1858
1887
  #
1859
- # To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
1860
- # name, or alias ARN. When using an alias name, prefix it with
1861
- # `"alias/"`.
1862
1888
  #
1863
- # For example:
1864
1889
  #
1865
- # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
1866
- #
1867
- # * Key ARN:
1868
- # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
1869
- #
1870
- # * Alias name: `alias/ExampleAlias`
1871
- #
1872
- # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
1873
- #
1874
- # To get the key ID and key ARN for a CMK, use ListKeys or
1875
- # DescribeKey. To get the alias name and alias ARN, use ListAliases.
1890
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
1876
1891
  # @return [String]
1877
1892
  #
1878
1893
  # @!attribute [rw] key_pair_spec
@@ -1999,7 +2014,12 @@ module Aws::KMS
1999
2014
  # @return [String]
2000
2015
  #
2001
2016
  # @!attribute [rw] key_id
2002
- # The identifier of the CMK that encrypted the data key.
2017
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
2018
+ # the data key.
2019
+ #
2020
+ #
2021
+ #
2022
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2003
2023
  # @return [String]
2004
2024
  #
2005
2025
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
@@ -2107,7 +2127,12 @@ module Aws::KMS
2107
2127
  # @return [String]
2108
2128
  #
2109
2129
  # @!attribute [rw] key_id
2110
- # The identifier of the CMK that encrypted the data key.
2130
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
2131
+ # the data key.
2132
+ #
2133
+ #
2134
+ #
2135
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2111
2136
  # @return [String]
2112
2137
  #
2113
2138
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
@@ -2302,9 +2327,13 @@ module Aws::KMS
2302
2327
  end
2303
2328
 
2304
2329
  # @!attribute [rw] key_id
2305
- # The identifier of the CMK to use in a subsequent ImportKeyMaterial
2306
- # request. This is the same CMK specified in the
2307
- # `GetParametersForImport` request.
2330
+ # The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
2331
+ # subsequent ImportKeyMaterial request. This is the same CMK specified
2332
+ # in the `GetParametersForImport` request.
2333
+ #
2334
+ #
2335
+ #
2336
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2308
2337
  # @return [String]
2309
2338
  #
2310
2339
  # @!attribute [rw] import_token
@@ -2384,8 +2413,12 @@ module Aws::KMS
2384
2413
  end
2385
2414
 
2386
2415
  # @!attribute [rw] key_id
2387
- # The identifier of the asymmetric CMK from which the public key was
2388
- # downloaded.
2416
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
2417
+ # which the public key was downloaded.
2418
+ #
2419
+ #
2420
+ #
2421
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
2389
2422
  # @return [String]
2390
2423
  #
2391
2424
  # @!attribute [rw] public_key
@@ -2446,26 +2479,16 @@ module Aws::KMS
2446
2479
  include Aws::Structure
2447
2480
  end
2448
2481
 
2449
- # Use this structure to allow cryptographic operations in the grant only
2450
- # when the operation request includes the specified [encryption
2451
- # context][1].
2452
- #
2453
- # AWS KMS applies the grant constraints only when the grant allows a
2454
- # cryptographic operation that accepts an encryption context as input,
2455
- # such as the following.
2456
- #
2457
- # * Encrypt
2482
+ # Use this structure to allow [cryptographic operations][1] in the grant
2483
+ # only when the operation request includes the specified [encryption
2484
+ # context][2].
2458
2485
  #
2459
- # * Decrypt
2460
- #
2461
- # * GenerateDataKey
2462
- #
2463
- # * GenerateDataKeyWithoutPlaintext
2464
- #
2465
- # * ReEncrypt
2466
- #
2467
- # AWS KMS does not apply the grant constraints to other operations, such
2468
- # as DescribeKey or ScheduleKeyDeletion.
2486
+ # AWS KMS applies the grant constraints only to cryptographic operations
2487
+ # that support an encryption context, that is, all cryptographic
2488
+ # operations with a [symmetric CMK][3]. Grant constraints are not
2489
+ # applied to operations that do not support an encryption context, such
2490
+ # as cryptographic operations with asymmetric CMKs and management
2491
+ # operations, such as DescribeKey or ScheduleKeyDeletion.
2469
2492
  #
2470
2493
  # In a cryptographic operation, the encryption context in the decryption
2471
2494
  # operation must be an exact, case-sensitive match for the keys and
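Review bot: The rewritten paragraph states the security-relevant half only in passing: constraints "are not applied" to asymmetric-CMK operations or to management operations such as DescribeKey and ScheduleKeyDeletion. It also drops the explicit list of constrained operations (Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncrypt) in favour of "all cryptographic operations with a symmetric CMK". As worded, "not applied" reads as those operations being permitted by the grant with no encryption-context check, which is easy to miss when a grant is meant to be scoped by context. I would spell it out, e.g. `# A grant that also lists operations without encryption-context support permits them regardless of this constraint.`, after confirming it against the service documentation. The doc comment continues beyond this hunk.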
@@ -2479,13 +2502,15 @@ module Aws::KMS
2479
2502
  # differ only by case. To require a fully case-sensitive encryption
2480
2503
  # context, use the `kms:EncryptionContext:` and
2481
2504
  # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
2482
- # details, see [kms:EncryptionContext:][2] in the <i> <i>AWS Key
2505
+ # details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
2483
2506
  # Management Service Developer Guide</i> </i>.
2484
2507
  #
2485
2508
  #
2486
2509
  #
2487
- # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2488
- # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2510
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2511
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
2512
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
2513
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
2489
2514
  #
2490
2515
  # @note When making an API call, you may pass GrantConstraints
2491
2516
  # data as a hash:
@@ -2501,17 +2526,25 @@ module Aws::KMS
2501
2526
  #
2502
2527
  # @!attribute [rw] encryption_context_subset
2503
2528
  # A list of key-value pairs that must be included in the encryption
2504
- # context of the cryptographic operation request. The grant allows the
2505
- # cryptographic operation only when the encryption context in the
2506
- # request includes the key-value pairs specified in this constraint,
2507
- # although it can include additional key-value pairs.
2529
+ # context of the [cryptographic operation][1] request. The grant
2530
+ # allows the cryptographic operation only when the encryption context
2531
+ # in the request includes the key-value pairs specified in this
2532
+ # constraint, although it can include additional key-value pairs.
2533
+ #
2534
+ #
2535
+ #
2536
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2508
2537
  # @return [Hash<String,String>]
2509
2538
  #
2510
2539
  # @!attribute [rw] encryption_context_equals
2511
2540
  # A list of key-value pairs that must match the encryption context in
2512
- # the cryptographic operation request. The grant allows the operation
2513
- # only when the encryption context in the request is the same as the
2514
- # encryption context specified in this constraint.
2541
+ # the [cryptographic operation][1] request. The grant allows the
2542
+ # operation only when the encryption context in the request is the
2543
+ # same as the encryption context specified in this constraint.
2544
+ #
2545
+ #
2546
+ #
2547
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2515
2548
  # @return [Hash<String,String>]
2516
2549
  #
2517
2550
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
@@ -2522,7 +2555,7 @@ module Aws::KMS
2522
2555
  include Aws::Structure
2523
2556
  end
2524
2557
 
2525
- # Contains information about an entry in a list of grants.
2558
+ # Contains information about a grant.
2526
2559
  #
2527
2560
  # @!attribute [rw] key_id
2528
2561
  # The unique identifier for the customer master key (CMK) to which the
@@ -2544,7 +2577,18 @@ module Aws::KMS
2544
2577
  # @return [Time]
2545
2578
  #
2546
2579
  # @!attribute [rw] grantee_principal
2547
- # The principal that receives the grant's permissions.
2580
+ # The identity that gets the permissions in the grant.
2581
+ #
2582
+ # The `GranteePrincipal` field in the `ListGrants` response usually
2583
+ # contains the user or role designated as the grantee principal in the
2584
+ # grant. However, when the grantee principal in the grant is an AWS
2585
+ # service, the `GranteePrincipal` field contains the [service
2586
+ # principal][1], which might represent several different grantee
2587
+ # principals.
2588
+ #
2589
+ #
2590
+ #
2591
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
2548
2592
  # @return [String]
2549
2593
  #
2550
2594
  # @!attribute [rw] retiring_principal
@@ -2930,15 +2974,19 @@ module Aws::KMS
2930
2974
  # @return [String]
2931
2975
  #
2932
2976
  # @!attribute [rw] key_usage
2933
- # The cryptographic operations for which you can use the CMK.
2977
+ # The [cryptographic operations][1] for which you can use the CMK.
2978
+ #
2979
+ #
2980
+ #
2981
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
2934
2982
  # @return [String]
2935
2983
  #
2936
2984
  # @!attribute [rw] key_state
2937
- # The state of the CMK.
2985
+ # The current status of the CMK.
2938
2986
  #
2939
2987
  # For more information about how key state affects the use of a CMK,
2940
- # see [How Key State Affects the Use of a Customer Master Key][1] in
2941
- # the *AWS Key Management Service Developer Guide*.
2988
+ # see [Key state: Effect on your CMK][1] in the *AWS Key Management
2989
+ # Service Developer Guide*.
2942
2990
  #
2943
2991
  #
2944
2992
  #
@@ -3011,16 +3059,16 @@ module Aws::KMS
3011
3059
  # @return [String]
3012
3060
  #
3013
3061
  # @!attribute [rw] encryption_algorithms
3014
- # A list of encryption algorithms that the CMK supports. You cannot
3015
- # use the CMK with other encryption algorithms within AWS KMS.
3062
+ # The encryption algorithms that the CMK supports. You cannot use the
3063
+ # CMK with other encryption algorithms within AWS KMS.
3016
3064
  #
3017
3065
  # This field appears only when the `KeyUsage` of the CMK is
3018
3066
  # `ENCRYPT_DECRYPT`.
3019
3067
  # @return [Array<String>]
3020
3068
  #
3021
3069
  # @!attribute [rw] signing_algorithms
3022
- # A list of signing algorithms that the CMK supports. You cannot use
3023
- # the CMK with other signing algorithms within AWS KMS.
3070
+ # The signing algorithms that the CMK supports. You cannot use the CMK
3071
+ # with other signing algorithms within AWS KMS.
3024
3072
  #
3025
3073
  # This field appears only when the `KeyUsage` of the CMK is
3026
3074
  # `SIGN_VERIFY`.
@@ -3794,7 +3842,12 @@ module Aws::KMS
3794
3842
  # @return [String]
3795
3843
  #
3796
3844
  # @!attribute [rw] key_id
3797
- # Unique identifier of the CMK used to reencrypt the data.
3845
+ # The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
3846
+ # reencrypt the data.
3847
+ #
3848
+ #
3849
+ #
3850
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
3798
3851
  # @return [String]
3799
3852
  #
3800
3853
  # @!attribute [rw] source_encryption_algorithm
@@ -3935,8 +3988,12 @@ module Aws::KMS
3935
3988
  end
3936
3989
 
3937
3990
  # @!attribute [rw] key_id
3938
- # The unique identifier of the customer master key (CMK) for which
3939
- # deletion is scheduled.
3991
+ # The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
3992
+ # scheduled.
3993
+ #
3994
+ #
3995
+ #
3996
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
3940
3997
  # @return [String]
3941
3998
  #
3942
3999
  # @!attribute [rw] deletion_date
@@ -4033,8 +4090,12 @@ module Aws::KMS
4033
4090
  end
4034
4091
 
4035
4092
  # @!attribute [rw] key_id
4036
- # The Amazon Resource Name (ARN) of the asymmetric CMK that was used
4037
- # to sign the message.
4093
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
4094
+ # was used to sign the message.
4095
+ #
4096
+ #
4097
+ #
4098
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4038
4099
  # @return [String]
4039
4100
  #
4040
4101
  # @!attribute [rw] signature
@@ -4448,8 +4509,12 @@ module Aws::KMS
4448
4509
  end
4449
4510
 
4450
4511
  # @!attribute [rw] key_id
4451
- # The unique identifier for the asymmetric CMK that was used to verify
4452
- # the signature.
4512
+ # The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
4513
+ # was used to verify the signature.
4514
+ #
4515
+ #
4516
+ #
4517
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
4453
4518
  # @return [String]
4454
4519
  #
4455
4520
  # @!attribute [rw] signature_valid