aws-sdk-kms 1.29.0 → 1.34.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/lib/aws-sdk-kms.rb +7 -4
- data/lib/aws-sdk-kms/client.rb +243 -141
- data/lib/aws-sdk-kms/client_api.rb +3 -0
- data/lib/aws-sdk-kms/errors.rb +55 -33
- data/lib/aws-sdk-kms/resource.rb +1 -0
- data/lib/aws-sdk-kms/types.rb +165 -100
- metadata +5 -5
@@ -1032,6 +1032,7 @@ module Aws::KMS
|
|
1032
1032
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
1033
1033
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1034
1034
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1035
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1035
1036
|
end)
|
1036
1037
|
|
1037
1038
|
api.add_operation(:generate_data_key_pair_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
@@ -1048,6 +1049,7 @@ module Aws::KMS
|
|
1048
1049
|
o.errors << Shapes::ShapeRef.new(shape: InvalidGrantTokenException)
|
1049
1050
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1050
1051
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1052
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1051
1053
|
end)
|
1052
1054
|
|
1053
1055
|
api.add_operation(:generate_data_key_without_plaintext, Seahorse::Model::Operation.new.tap do |o|
|
@@ -1387,6 +1389,7 @@ module Aws::KMS
|
|
1387
1389
|
o.errors << Shapes::ShapeRef.new(shape: DependencyTimeoutException)
|
1388
1390
|
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
1389
1391
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1392
|
+
o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
|
1390
1393
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1391
1394
|
end)
|
1392
1395
|
|
data/lib/aws-sdk-kms/errors.rb
CHANGED
@@ -6,6 +6,61 @@
|
|
6
6
|
# WARNING ABOUT GENERATED CODE
|
7
7
|
|
8
8
|
module Aws::KMS
|
9
|
+
|
10
|
+
# When KMS returns an error response, the Ruby SDK constructs and raises an error.
|
11
|
+
# These errors all extend Aws::KMS::Errors::ServiceError < {Aws::Errors::ServiceError}
|
12
|
+
#
|
13
|
+
# You can rescue all KMS errors using ServiceError:
|
14
|
+
#
|
15
|
+
# begin
|
16
|
+
# # do stuff
|
17
|
+
# rescue Aws::KMS::Errors::ServiceError
|
18
|
+
# # rescues all KMS API errors
|
19
|
+
# end
|
20
|
+
#
|
21
|
+
#
|
22
|
+
# ## Request Context
|
23
|
+
# ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
|
24
|
+
# information about the request that generated the error.
|
25
|
+
# See {Seahorse::Client::RequestContext} for more information.
|
26
|
+
#
|
27
|
+
# ## Error Classes
|
28
|
+
# * {AlreadyExistsException}
|
29
|
+
# * {CloudHsmClusterInUseException}
|
30
|
+
# * {CloudHsmClusterInvalidConfigurationException}
|
31
|
+
# * {CloudHsmClusterNotActiveException}
|
32
|
+
# * {CloudHsmClusterNotFoundException}
|
33
|
+
# * {CloudHsmClusterNotRelatedException}
|
34
|
+
# * {CustomKeyStoreHasCMKsException}
|
35
|
+
# * {CustomKeyStoreInvalidStateException}
|
36
|
+
# * {CustomKeyStoreNameInUseException}
|
37
|
+
# * {CustomKeyStoreNotFoundException}
|
38
|
+
# * {DependencyTimeoutException}
|
39
|
+
# * {DisabledException}
|
40
|
+
# * {ExpiredImportTokenException}
|
41
|
+
# * {IncorrectKeyException}
|
42
|
+
# * {IncorrectKeyMaterialException}
|
43
|
+
# * {IncorrectTrustAnchorException}
|
44
|
+
# * {InvalidAliasNameException}
|
45
|
+
# * {InvalidArnException}
|
46
|
+
# * {InvalidCiphertextException}
|
47
|
+
# * {InvalidGrantIdException}
|
48
|
+
# * {InvalidGrantTokenException}
|
49
|
+
# * {InvalidImportTokenException}
|
50
|
+
# * {InvalidKeyUsageException}
|
51
|
+
# * {InvalidMarkerException}
|
52
|
+
# * {KMSInternalException}
|
53
|
+
# * {KMSInvalidSignatureException}
|
54
|
+
# * {KMSInvalidStateException}
|
55
|
+
# * {KeyUnavailableException}
|
56
|
+
# * {LimitExceededException}
|
57
|
+
# * {MalformedPolicyDocumentException}
|
58
|
+
# * {NotFoundException}
|
59
|
+
# * {TagException}
|
60
|
+
# * {UnsupportedOperationException}
|
61
|
+
#
|
62
|
+
# Additionally, error classes are dynamically generated for service errors based on the error code
|
63
|
+
# if they are not defined above.
|
9
64
|
module Errors
|
10
65
|
|
11
66
|
extend Aws::Errors::DynamicErrors
|
@@ -23,7 +78,6 @@ module Aws::KMS
|
|
23
78
|
def message
|
24
79
|
@message || @data[:message]
|
25
80
|
end
|
26
|
-
|
27
81
|
end
|
28
82
|
|
29
83
|
class CloudHsmClusterInUseException < ServiceError
|
@@ -39,7 +93,6 @@ module Aws::KMS
|
|
39
93
|
def message
|
40
94
|
@message || @data[:message]
|
41
95
|
end
|
42
|
-
|
43
96
|
end
|
44
97
|
|
45
98
|
class CloudHsmClusterInvalidConfigurationException < ServiceError
|
@@ -55,7 +108,6 @@ module Aws::KMS
|
|
55
108
|
def message
|
56
109
|
@message || @data[:message]
|
57
110
|
end
|
58
|
-
|
59
111
|
end
|
60
112
|
|
61
113
|
class CloudHsmClusterNotActiveException < ServiceError
|
@@ -71,7 +123,6 @@ module Aws::KMS
|
|
71
123
|
def message
|
72
124
|
@message || @data[:message]
|
73
125
|
end
|
74
|
-
|
75
126
|
end
|
76
127
|
|
77
128
|
class CloudHsmClusterNotFoundException < ServiceError
|
@@ -87,7 +138,6 @@ module Aws::KMS
|
|
87
138
|
def message
|
88
139
|
@message || @data[:message]
|
89
140
|
end
|
90
|
-
|
91
141
|
end
|
92
142
|
|
93
143
|
class CloudHsmClusterNotRelatedException < ServiceError
|
@@ -103,7 +153,6 @@ module Aws::KMS
|
|
103
153
|
def message
|
104
154
|
@message || @data[:message]
|
105
155
|
end
|
106
|
-
|
107
156
|
end
|
108
157
|
|
109
158
|
class CustomKeyStoreHasCMKsException < ServiceError
|
@@ -119,7 +168,6 @@ module Aws::KMS
|
|
119
168
|
def message
|
120
169
|
@message || @data[:message]
|
121
170
|
end
|
122
|
-
|
123
171
|
end
|
124
172
|
|
125
173
|
class CustomKeyStoreInvalidStateException < ServiceError
|
@@ -135,7 +183,6 @@ module Aws::KMS
|
|
135
183
|
def message
|
136
184
|
@message || @data[:message]
|
137
185
|
end
|
138
|
-
|
139
186
|
end
|
140
187
|
|
141
188
|
class CustomKeyStoreNameInUseException < ServiceError
|
@@ -151,7 +198,6 @@ module Aws::KMS
|
|
151
198
|
def message
|
152
199
|
@message || @data[:message]
|
153
200
|
end
|
154
|
-
|
155
201
|
end
|
156
202
|
|
157
203
|
class CustomKeyStoreNotFoundException < ServiceError
|
@@ -167,7 +213,6 @@ module Aws::KMS
|
|
167
213
|
def message
|
168
214
|
@message || @data[:message]
|
169
215
|
end
|
170
|
-
|
171
216
|
end
|
172
217
|
|
173
218
|
class DependencyTimeoutException < ServiceError
|
@@ -183,7 +228,6 @@ module Aws::KMS
|
|
183
228
|
def message
|
184
229
|
@message || @data[:message]
|
185
230
|
end
|
186
|
-
|
187
231
|
end
|
188
232
|
|
189
233
|
class DisabledException < ServiceError
|
@@ -199,7 +243,6 @@ module Aws::KMS
|
|
199
243
|
def message
|
200
244
|
@message || @data[:message]
|
201
245
|
end
|
202
|
-
|
203
246
|
end
|
204
247
|
|
205
248
|
class ExpiredImportTokenException < ServiceError
|
@@ -215,7 +258,6 @@ module Aws::KMS
|
|
215
258
|
def message
|
216
259
|
@message || @data[:message]
|
217
260
|
end
|
218
|
-
|
219
261
|
end
|
220
262
|
|
221
263
|
class IncorrectKeyException < ServiceError
|
@@ -231,7 +273,6 @@ module Aws::KMS
|
|
231
273
|
def message
|
232
274
|
@message || @data[:message]
|
233
275
|
end
|
234
|
-
|
235
276
|
end
|
236
277
|
|
237
278
|
class IncorrectKeyMaterialException < ServiceError
|
@@ -247,7 +288,6 @@ module Aws::KMS
|
|
247
288
|
def message
|
248
289
|
@message || @data[:message]
|
249
290
|
end
|
250
|
-
|
251
291
|
end
|
252
292
|
|
253
293
|
class IncorrectTrustAnchorException < ServiceError
|
@@ -263,7 +303,6 @@ module Aws::KMS
|
|
263
303
|
def message
|
264
304
|
@message || @data[:message]
|
265
305
|
end
|
266
|
-
|
267
306
|
end
|
268
307
|
|
269
308
|
class InvalidAliasNameException < ServiceError
|
@@ -279,7 +318,6 @@ module Aws::KMS
|
|
279
318
|
def message
|
280
319
|
@message || @data[:message]
|
281
320
|
end
|
282
|
-
|
283
321
|
end
|
284
322
|
|
285
323
|
class InvalidArnException < ServiceError
|
@@ -295,7 +333,6 @@ module Aws::KMS
|
|
295
333
|
def message
|
296
334
|
@message || @data[:message]
|
297
335
|
end
|
298
|
-
|
299
336
|
end
|
300
337
|
|
301
338
|
class InvalidCiphertextException < ServiceError
|
@@ -311,7 +348,6 @@ module Aws::KMS
|
|
311
348
|
def message
|
312
349
|
@message || @data[:message]
|
313
350
|
end
|
314
|
-
|
315
351
|
end
|
316
352
|
|
317
353
|
class InvalidGrantIdException < ServiceError
|
@@ -327,7 +363,6 @@ module Aws::KMS
|
|
327
363
|
def message
|
328
364
|
@message || @data[:message]
|
329
365
|
end
|
330
|
-
|
331
366
|
end
|
332
367
|
|
333
368
|
class InvalidGrantTokenException < ServiceError
|
@@ -343,7 +378,6 @@ module Aws::KMS
|
|
343
378
|
def message
|
344
379
|
@message || @data[:message]
|
345
380
|
end
|
346
|
-
|
347
381
|
end
|
348
382
|
|
349
383
|
class InvalidImportTokenException < ServiceError
|
@@ -359,7 +393,6 @@ module Aws::KMS
|
|
359
393
|
def message
|
360
394
|
@message || @data[:message]
|
361
395
|
end
|
362
|
-
|
363
396
|
end
|
364
397
|
|
365
398
|
class InvalidKeyUsageException < ServiceError
|
@@ -375,7 +408,6 @@ module Aws::KMS
|
|
375
408
|
def message
|
376
409
|
@message || @data[:message]
|
377
410
|
end
|
378
|
-
|
379
411
|
end
|
380
412
|
|
381
413
|
class InvalidMarkerException < ServiceError
|
@@ -391,7 +423,6 @@ module Aws::KMS
|
|
391
423
|
def message
|
392
424
|
@message || @data[:message]
|
393
425
|
end
|
394
|
-
|
395
426
|
end
|
396
427
|
|
397
428
|
class KMSInternalException < ServiceError
|
@@ -407,7 +438,6 @@ module Aws::KMS
|
|
407
438
|
def message
|
408
439
|
@message || @data[:message]
|
409
440
|
end
|
410
|
-
|
411
441
|
end
|
412
442
|
|
413
443
|
class KMSInvalidSignatureException < ServiceError
|
@@ -423,7 +453,6 @@ module Aws::KMS
|
|
423
453
|
def message
|
424
454
|
@message || @data[:message]
|
425
455
|
end
|
426
|
-
|
427
456
|
end
|
428
457
|
|
429
458
|
class KMSInvalidStateException < ServiceError
|
@@ -439,7 +468,6 @@ module Aws::KMS
|
|
439
468
|
def message
|
440
469
|
@message || @data[:message]
|
441
470
|
end
|
442
|
-
|
443
471
|
end
|
444
472
|
|
445
473
|
class KeyUnavailableException < ServiceError
|
@@ -455,7 +483,6 @@ module Aws::KMS
|
|
455
483
|
def message
|
456
484
|
@message || @data[:message]
|
457
485
|
end
|
458
|
-
|
459
486
|
end
|
460
487
|
|
461
488
|
class LimitExceededException < ServiceError
|
@@ -471,7 +498,6 @@ module Aws::KMS
|
|
471
498
|
def message
|
472
499
|
@message || @data[:message]
|
473
500
|
end
|
474
|
-
|
475
501
|
end
|
476
502
|
|
477
503
|
class MalformedPolicyDocumentException < ServiceError
|
@@ -487,7 +513,6 @@ module Aws::KMS
|
|
487
513
|
def message
|
488
514
|
@message || @data[:message]
|
489
515
|
end
|
490
|
-
|
491
516
|
end
|
492
517
|
|
493
518
|
class NotFoundException < ServiceError
|
@@ -503,7 +528,6 @@ module Aws::KMS
|
|
503
528
|
def message
|
504
529
|
@message || @data[:message]
|
505
530
|
end
|
506
|
-
|
507
531
|
end
|
508
532
|
|
509
533
|
class TagException < ServiceError
|
@@ -519,7 +543,6 @@ module Aws::KMS
|
|
519
543
|
def message
|
520
544
|
@message || @data[:message]
|
521
545
|
end
|
522
|
-
|
523
546
|
end
|
524
547
|
|
525
548
|
class UnsupportedOperationException < ServiceError
|
@@ -535,7 +558,6 @@ module Aws::KMS
|
|
535
558
|
def message
|
536
559
|
@message || @data[:message]
|
537
560
|
end
|
538
|
-
|
539
561
|
end
|
540
562
|
|
541
563
|
end
|
data/lib/aws-sdk-kms/resource.rb
CHANGED
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -76,8 +76,12 @@ module Aws::KMS
|
|
76
76
|
end
|
77
77
|
|
78
78
|
# @!attribute [rw] key_id
|
79
|
-
# The
|
79
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
|
80
80
|
# canceled.
|
81
|
+
#
|
82
|
+
#
|
83
|
+
#
|
84
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
81
85
|
# @return [String]
|
82
86
|
#
|
83
87
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletionResponse AWS API Documentation
|
@@ -433,15 +437,16 @@ module Aws::KMS
|
|
433
437
|
# @return [Array<String>]
|
434
438
|
#
|
435
439
|
# @!attribute [rw] constraints
|
436
|
-
# Allows a cryptographic operation only when the encryption
|
437
|
-
# matches or includes the encryption context specified in this
|
440
|
+
# Allows a [cryptographic operation][1] only when the encryption
|
441
|
+
# context matches or includes the encryption context specified in this
|
438
442
|
# structure. For more information about encryption context, see
|
439
|
-
# [Encryption Context][
|
443
|
+
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
440
444
|
# Developer Guide</i> </i>.
|
441
445
|
#
|
442
446
|
#
|
443
447
|
#
|
444
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
448
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
449
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
445
450
|
# @return [Types::GrantConstraints]
|
446
451
|
#
|
447
452
|
# @!attribute [rw] grant_tokens
|
@@ -575,8 +580,8 @@ module Aws::KMS
|
|
575
580
|
# @return [String]
|
576
581
|
#
|
577
582
|
# @!attribute [rw] key_usage
|
578
|
-
# Determines the cryptographic operations for which you can use
|
579
|
-
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
583
|
+
# Determines the [cryptographic operations][1] for which you can use
|
584
|
+
# the CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
580
585
|
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
581
586
|
# value after the CMK is created.
|
582
587
|
#
|
@@ -589,6 +594,10 @@ module Aws::KMS
|
|
589
594
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
590
595
|
#
|
591
596
|
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
597
|
+
#
|
598
|
+
#
|
599
|
+
#
|
600
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
592
601
|
# @return [String]
|
593
602
|
#
|
594
603
|
# @!attribute [rw] customer_master_key_spec
|
@@ -922,12 +931,13 @@ module Aws::KMS
|
|
922
931
|
#
|
923
932
|
# * `SUBNET_NOT_FOUND` - A subnet in the AWS CloudHSM cluster
|
924
933
|
# configuration was deleted. If AWS KMS cannot find all of the
|
925
|
-
# subnets
|
926
|
-
# store
|
927
|
-
# create a cluster from a backup and associate it with
|
928
|
-
# key store. This process
|
929
|
-
#
|
930
|
-
#
|
934
|
+
# subnets in the cluster configuration, attempts to connect the
|
935
|
+
# custom key store to the AWS CloudHSM cluster fail. To fix this
|
936
|
+
# error, create a cluster from a recent backup and associate it with
|
937
|
+
# your custom key store. (This process creates a new cluster
|
938
|
+
# configuration with a VPC and private subnets.) For details, see
|
939
|
+
# [How to Fix a Connection Failure][1] in the *AWS Key Management
|
940
|
+
# Service Developer Guide*.
|
931
941
|
#
|
932
942
|
# * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
|
933
943
|
# associated AWS CloudHSM cluster due to too many failed password
|
@@ -993,9 +1003,9 @@ module Aws::KMS
|
|
993
1003
|
#
|
994
1004
|
# @!attribute [rw] encryption_context
|
995
1005
|
# Specifies the encryption context to use when decrypting the data. An
|
996
|
-
# encryption context is valid only for cryptographic operations
|
997
|
-
# symmetric CMK. The standard asymmetric encryption algorithms
|
998
|
-
# AWS KMS uses do not support an encryption context.
|
1006
|
+
# encryption context is valid only for [cryptographic operations][1]
|
1007
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
1008
|
+
# that AWS KMS uses do not support an encryption context.
|
999
1009
|
#
|
1000
1010
|
# An *encryption context* is a collection of non-secret key-value
|
1001
1011
|
# pairs that represents additional authenticated data. When you use an
|
@@ -1004,12 +1014,13 @@ module Aws::KMS
|
|
1004
1014
|
# An encryption context is optional when encrypting with a symmetric
|
1005
1015
|
# CMK, but it is highly recommended.
|
1006
1016
|
#
|
1007
|
-
# For more information, see [Encryption Context][
|
1017
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1008
1018
|
# Management Service Developer Guide*.
|
1009
1019
|
#
|
1010
1020
|
#
|
1011
1021
|
#
|
1012
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1022
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1023
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1013
1024
|
# @return [Hash<String,String>]
|
1014
1025
|
#
|
1015
1026
|
# @!attribute [rw] grant_tokens
|
@@ -1081,8 +1092,12 @@ module Aws::KMS
|
|
1081
1092
|
end
|
1082
1093
|
|
1083
1094
|
# @!attribute [rw] key_id
|
1084
|
-
# The ARN of the
|
1085
|
-
#
|
1095
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
1096
|
+
# decrypt the ciphertext.
|
1097
|
+
#
|
1098
|
+
#
|
1099
|
+
#
|
1100
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1086
1101
|
# @return [String]
|
1087
1102
|
#
|
1088
1103
|
# @!attribute [rw] plaintext
|
@@ -1547,9 +1562,10 @@ module Aws::KMS
|
|
1547
1562
|
#
|
1548
1563
|
# @!attribute [rw] encryption_context
|
1549
1564
|
# Specifies the encryption context that will be used to encrypt the
|
1550
|
-
# data. An encryption context is valid only for cryptographic
|
1551
|
-
# operations with a symmetric CMK. The standard asymmetric
|
1552
|
-
# algorithms that AWS KMS uses do not support an encryption
|
1565
|
+
# data. An encryption context is valid only for [cryptographic
|
1566
|
+
# operations][1] with a symmetric CMK. The standard asymmetric
|
1567
|
+
# encryption algorithms that AWS KMS uses do not support an encryption
|
1568
|
+
# context.
|
1553
1569
|
#
|
1554
1570
|
# An *encryption context* is a collection of non-secret key-value
|
1555
1571
|
# pairs that represents additional authenticated data. When you use an
|
@@ -1558,12 +1574,13 @@ module Aws::KMS
|
|
1558
1574
|
# An encryption context is optional when encrypting with a symmetric
|
1559
1575
|
# CMK, but it is highly recommended.
|
1560
1576
|
#
|
1561
|
-
# For more information, see [Encryption Context][
|
1577
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1562
1578
|
# Management Service Developer Guide*.
|
1563
1579
|
#
|
1564
1580
|
#
|
1565
1581
|
#
|
1566
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1582
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1583
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1567
1584
|
# @return [Hash<String,String>]
|
1568
1585
|
#
|
1569
1586
|
# @!attribute [rw] grant_tokens
|
@@ -1605,7 +1622,12 @@ module Aws::KMS
|
|
1605
1622
|
# @return [String]
|
1606
1623
|
#
|
1607
1624
|
# @!attribute [rw] key_id
|
1608
|
-
# The
|
1625
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
1626
|
+
# encrypt the plaintext.
|
1627
|
+
#
|
1628
|
+
#
|
1629
|
+
#
|
1630
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1609
1631
|
# @return [String]
|
1610
1632
|
#
|
1611
1633
|
# @!attribute [rw] encryption_algorithm
|
@@ -1669,7 +1691,9 @@ module Aws::KMS
|
|
1669
1691
|
#
|
1670
1692
|
# @!attribute [rw] key_id
|
1671
1693
|
# Specifies the symmetric CMK that encrypts the private key in the
|
1672
|
-
# data key pair. You cannot specify an asymmetric
|
1694
|
+
# data key pair. You cannot specify an asymmetric CMK or a CMK in a
|
1695
|
+
# custom key store. To get the type and origin of your CMK, use the
|
1696
|
+
# DescribeKey operation.
|
1673
1697
|
#
|
1674
1698
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1675
1699
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -1738,7 +1762,12 @@ module Aws::KMS
|
|
1738
1762
|
# @return [String]
|
1739
1763
|
#
|
1740
1764
|
# @!attribute [rw] key_id
|
1741
|
-
# The
|
1765
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
1766
|
+
# the private key.
|
1767
|
+
#
|
1768
|
+
#
|
1769
|
+
#
|
1770
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1742
1771
|
# @return [String]
|
1743
1772
|
#
|
1744
1773
|
# @!attribute [rw] key_pair_spec
|
@@ -1790,7 +1819,8 @@ module Aws::KMS
|
|
1790
1819
|
# @!attribute [rw] key_id
|
1791
1820
|
# Specifies the CMK that encrypts the private key in the data key
|
1792
1821
|
# pair. You must specify a symmetric CMK. You cannot use an asymmetric
|
1793
|
-
# CMK. To get the type
|
1822
|
+
# CMK or a CMK in a custom key store. To get the type and origin of
|
1823
|
+
# your CMK, use the DescribeKey operation.
|
1794
1824
|
#
|
1795
1825
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1796
1826
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -1852,27 +1882,12 @@ module Aws::KMS
|
|
1852
1882
|
# @return [String]
|
1853
1883
|
#
|
1854
1884
|
# @!attribute [rw] key_id
|
1855
|
-
#
|
1856
|
-
#
|
1857
|
-
# CMK. To get the type of your CMK, use the DescribeKey operation.
|
1885
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
1886
|
+
# the private key.
|
1858
1887
|
#
|
1859
|
-
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1860
|
-
# name, or alias ARN. When using an alias name, prefix it with
|
1861
|
-
# `"alias/"`.
|
1862
1888
|
#
|
1863
|
-
# For example:
|
1864
1889
|
#
|
1865
|
-
#
|
1866
|
-
#
|
1867
|
-
# * Key ARN:
|
1868
|
-
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1869
|
-
#
|
1870
|
-
# * Alias name: `alias/ExampleAlias`
|
1871
|
-
#
|
1872
|
-
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1873
|
-
#
|
1874
|
-
# To get the key ID and key ARN for a CMK, use ListKeys or
|
1875
|
-
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1890
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
1876
1891
|
# @return [String]
|
1877
1892
|
#
|
1878
1893
|
# @!attribute [rw] key_pair_spec
|
@@ -1999,7 +2014,12 @@ module Aws::KMS
|
|
1999
2014
|
# @return [String]
|
2000
2015
|
#
|
2001
2016
|
# @!attribute [rw] key_id
|
2002
|
-
# The
|
2017
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
2018
|
+
# the data key.
|
2019
|
+
#
|
2020
|
+
#
|
2021
|
+
#
|
2022
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2003
2023
|
# @return [String]
|
2004
2024
|
#
|
2005
2025
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
|
@@ -2107,7 +2127,12 @@ module Aws::KMS
|
|
2107
2127
|
# @return [String]
|
2108
2128
|
#
|
2109
2129
|
# @!attribute [rw] key_id
|
2110
|
-
# The
|
2130
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that encrypted
|
2131
|
+
# the data key.
|
2132
|
+
#
|
2133
|
+
#
|
2134
|
+
#
|
2135
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2111
2136
|
# @return [String]
|
2112
2137
|
#
|
2113
2138
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextResponse AWS API Documentation
|
@@ -2302,9 +2327,13 @@ module Aws::KMS
|
|
2302
2327
|
end
|
2303
2328
|
|
2304
2329
|
# @!attribute [rw] key_id
|
2305
|
-
# The
|
2306
|
-
# request. This is the same CMK specified
|
2307
|
-
# `GetParametersForImport` request.
|
2330
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK to use in a
|
2331
|
+
# subsequent ImportKeyMaterial request. This is the same CMK specified
|
2332
|
+
# in the `GetParametersForImport` request.
|
2333
|
+
#
|
2334
|
+
#
|
2335
|
+
#
|
2336
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2308
2337
|
# @return [String]
|
2309
2338
|
#
|
2310
2339
|
# @!attribute [rw] import_token
|
@@ -2384,8 +2413,12 @@ module Aws::KMS
|
|
2384
2413
|
end
|
2385
2414
|
|
2386
2415
|
# @!attribute [rw] key_id
|
2387
|
-
# The
|
2388
|
-
# downloaded.
|
2416
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK from
|
2417
|
+
# which the public key was downloaded.
|
2418
|
+
#
|
2419
|
+
#
|
2420
|
+
#
|
2421
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2389
2422
|
# @return [String]
|
2390
2423
|
#
|
2391
2424
|
# @!attribute [rw] public_key
|
@@ -2446,26 +2479,16 @@ module Aws::KMS
|
|
2446
2479
|
include Aws::Structure
|
2447
2480
|
end
|
2448
2481
|
|
2449
|
-
# Use this structure to allow cryptographic operations in the grant
|
2450
|
-
# when the operation request includes the specified [encryption
|
2451
|
-
# context][
|
2452
|
-
#
|
2453
|
-
# AWS KMS applies the grant constraints only when the grant allows a
|
2454
|
-
# cryptographic operation that accepts an encryption context as input,
|
2455
|
-
# such as the following.
|
2456
|
-
#
|
2457
|
-
# * Encrypt
|
2482
|
+
# Use this structure to allow [cryptographic operations][1] in the grant
|
2483
|
+
# only when the operation request includes the specified [encryption
|
2484
|
+
# context][2].
|
2458
2485
|
#
|
2459
|
-
#
|
2460
|
-
#
|
2461
|
-
#
|
2462
|
-
#
|
2463
|
-
#
|
2464
|
-
#
|
2465
|
-
# * ReEncrypt
|
2466
|
-
#
|
2467
|
-
# AWS KMS does not apply the grant constraints to other operations, such
|
2468
|
-
# as DescribeKey or ScheduleKeyDeletion.
|
2486
|
+
# AWS KMS applies the grant constraints only to cryptographic operations
|
2487
|
+
# that support an encryption context, that is, all cryptographic
|
2488
|
+
# operations with a [symmetric CMK][3]. Grant constraints are not
|
2489
|
+
# applied to operations that do not support an encryption context, such
|
2490
|
+
# as cryptographic operations with asymmetric CMKs and management
|
2491
|
+
# operations, such as DescribeKey or ScheduleKeyDeletion.
|
2469
2492
|
#
|
2470
2493
|
# In a cryptographic operation, the encryption context in the decryption
|
2471
2494
|
# operation must be an exact, case-sensitive match for the keys and
|
@@ -2479,13 +2502,15 @@ module Aws::KMS
|
|
2479
2502
|
# differ only by case. To require a fully case-sensitive encryption
|
2480
2503
|
# context, use the `kms:EncryptionContext:` and
|
2481
2504
|
# `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
|
2482
|
-
# details, see [kms:EncryptionContext:][
|
2505
|
+
# details, see [kms:EncryptionContext:][4] in the <i> <i>AWS Key
|
2483
2506
|
# Management Service Developer Guide</i> </i>.
|
2484
2507
|
#
|
2485
2508
|
#
|
2486
2509
|
#
|
2487
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
2488
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2510
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2511
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2512
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
|
2513
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
|
2489
2514
|
#
|
2490
2515
|
# @note When making an API call, you may pass GrantConstraints
|
2491
2516
|
# data as a hash:
|
@@ -2501,17 +2526,25 @@ module Aws::KMS
|
|
2501
2526
|
#
|
2502
2527
|
# @!attribute [rw] encryption_context_subset
|
2503
2528
|
# A list of key-value pairs that must be included in the encryption
|
2504
|
-
# context of the cryptographic operation request. The grant
|
2505
|
-
# cryptographic operation only when the encryption context
|
2506
|
-
# request includes the key-value pairs specified in this
|
2507
|
-
# although it can include additional key-value pairs.
|
2529
|
+
# context of the [cryptographic operation][1] request. The grant
|
2530
|
+
# allows the cryptographic operation only when the encryption context
|
2531
|
+
# in the request includes the key-value pairs specified in this
|
2532
|
+
# constraint, although it can include additional key-value pairs.
|
2533
|
+
#
|
2534
|
+
#
|
2535
|
+
#
|
2536
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2508
2537
|
# @return [Hash<String,String>]
|
2509
2538
|
#
|
2510
2539
|
# @!attribute [rw] encryption_context_equals
|
2511
2540
|
# A list of key-value pairs that must match the encryption context in
|
2512
|
-
# the cryptographic operation request. The grant allows the
|
2513
|
-
# only when the encryption context in the request is the
|
2514
|
-
# encryption context specified in this constraint.
|
2541
|
+
# the [cryptographic operation][1] request. The grant allows the
|
2542
|
+
# operation only when the encryption context in the request is the
|
2543
|
+
# same as the encryption context specified in this constraint.
|
2544
|
+
#
|
2545
|
+
#
|
2546
|
+
#
|
2547
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2515
2548
|
# @return [Hash<String,String>]
|
2516
2549
|
#
|
2517
2550
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
|
@@ -2522,7 +2555,7 @@ module Aws::KMS
|
|
2522
2555
|
include Aws::Structure
|
2523
2556
|
end
|
2524
2557
|
|
2525
|
-
# Contains information about
|
2558
|
+
# Contains information about a grant.
|
2526
2559
|
#
|
2527
2560
|
# @!attribute [rw] key_id
|
2528
2561
|
# The unique identifier for the customer master key (CMK) to which the
|
@@ -2544,7 +2577,18 @@ module Aws::KMS
|
|
2544
2577
|
# @return [Time]
|
2545
2578
|
#
|
2546
2579
|
# @!attribute [rw] grantee_principal
|
2547
|
-
# The
|
2580
|
+
# The identity that gets the permissions in the grant.
|
2581
|
+
#
|
2582
|
+
# The `GranteePrincipal` field in the `ListGrants` response usually
|
2583
|
+
# contains the user or role designated as the grantee principal in the
|
2584
|
+
# grant. However, when the grantee principal in the grant is an AWS
|
2585
|
+
# service, the `GranteePrincipal` field contains the [service
|
2586
|
+
# principal][1], which might represent several different grantee
|
2587
|
+
# principals.
|
2588
|
+
#
|
2589
|
+
#
|
2590
|
+
#
|
2591
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
2548
2592
|
# @return [String]
|
2549
2593
|
#
|
2550
2594
|
# @!attribute [rw] retiring_principal
|
@@ -2930,15 +2974,19 @@ module Aws::KMS
|
|
2930
2974
|
# @return [String]
|
2931
2975
|
#
|
2932
2976
|
# @!attribute [rw] key_usage
|
2933
|
-
# The cryptographic operations for which you can use the CMK.
|
2977
|
+
# The [cryptographic operations][1] for which you can use the CMK.
|
2978
|
+
#
|
2979
|
+
#
|
2980
|
+
#
|
2981
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2934
2982
|
# @return [String]
|
2935
2983
|
#
|
2936
2984
|
# @!attribute [rw] key_state
|
2937
|
-
# The
|
2985
|
+
# The current status of the CMK.
|
2938
2986
|
#
|
2939
2987
|
# For more information about how key state affects the use of a CMK,
|
2940
|
-
# see [
|
2941
|
-
#
|
2988
|
+
# see [Key state: Effect on your CMK][1] in the *AWS Key Management
|
2989
|
+
# Service Developer Guide*.
|
2942
2990
|
#
|
2943
2991
|
#
|
2944
2992
|
#
|
@@ -3011,16 +3059,16 @@ module Aws::KMS
|
|
3011
3059
|
# @return [String]
|
3012
3060
|
#
|
3013
3061
|
# @!attribute [rw] encryption_algorithms
|
3014
|
-
#
|
3015
|
-
#
|
3062
|
+
# The encryption algorithms that the CMK supports. You cannot use the
|
3063
|
+
# CMK with other encryption algorithms within AWS KMS.
|
3016
3064
|
#
|
3017
3065
|
# This field appears only when the `KeyUsage` of the CMK is
|
3018
3066
|
# `ENCRYPT_DECRYPT`.
|
3019
3067
|
# @return [Array<String>]
|
3020
3068
|
#
|
3021
3069
|
# @!attribute [rw] signing_algorithms
|
3022
|
-
#
|
3023
|
-
#
|
3070
|
+
# The signing algorithms that the CMK supports. You cannot use the CMK
|
3071
|
+
# with other signing algorithms within AWS KMS.
|
3024
3072
|
#
|
3025
3073
|
# This field appears only when the `KeyUsage` of the CMK is
|
3026
3074
|
# `SIGN_VERIFY`.
|
@@ -3794,7 +3842,12 @@ module Aws::KMS
|
|
3794
3842
|
# @return [String]
|
3795
3843
|
#
|
3796
3844
|
# @!attribute [rw] key_id
|
3797
|
-
#
|
3845
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK that was used to
|
3846
|
+
# reencrypt the data.
|
3847
|
+
#
|
3848
|
+
#
|
3849
|
+
#
|
3850
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
3798
3851
|
# @return [String]
|
3799
3852
|
#
|
3800
3853
|
# @!attribute [rw] source_encryption_algorithm
|
@@ -3935,8 +3988,12 @@ module Aws::KMS
|
|
3935
3988
|
end
|
3936
3989
|
|
3937
3990
|
# @!attribute [rw] key_id
|
3938
|
-
# The
|
3939
|
-
#
|
3991
|
+
# The Amazon Resource Name ([key ARN][1]) of the CMK whose deletion is
|
3992
|
+
# scheduled.
|
3993
|
+
#
|
3994
|
+
#
|
3995
|
+
#
|
3996
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
3940
3997
|
# @return [String]
|
3941
3998
|
#
|
3942
3999
|
# @!attribute [rw] deletion_date
|
@@ -4033,8 +4090,12 @@ module Aws::KMS
|
|
4033
4090
|
end
|
4034
4091
|
|
4035
4092
|
# @!attribute [rw] key_id
|
4036
|
-
# The Amazon Resource Name (ARN) of the asymmetric CMK that
|
4037
|
-
# to sign the message.
|
4093
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
|
4094
|
+
# was used to sign the message.
|
4095
|
+
#
|
4096
|
+
#
|
4097
|
+
#
|
4098
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4038
4099
|
# @return [String]
|
4039
4100
|
#
|
4040
4101
|
# @!attribute [rw] signature
|
@@ -4448,8 +4509,12 @@ module Aws::KMS
|
|
4448
4509
|
end
|
4449
4510
|
|
4450
4511
|
# @!attribute [rw] key_id
|
4451
|
-
# The
|
4452
|
-
# the signature.
|
4512
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric CMK that
|
4513
|
+
# was used to verify the signature.
|
4514
|
+
#
|
4515
|
+
#
|
4516
|
+
#
|
4517
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4453
4518
|
# @return [String]
|
4454
4519
|
#
|
4455
4520
|
# @!attribute [rw] signature_valid
|