aws-sdk-kms 1.30.0 → 1.35.0
- checksums.yaml +5 -5
- data/lib/aws-sdk-kms.rb +3 -1
- data/lib/aws-sdk-kms/client.rb +201 -148
- data/lib/aws-sdk-kms/client_api.rb +5 -0
- data/lib/aws-sdk-kms/customizations.rb +1 -0
- data/lib/aws-sdk-kms/errors.rb +2 -0
- data/lib/aws-sdk-kms/resource.rb +3 -7
- data/lib/aws-sdk-kms/types.rb +279 -100
- metadata +5 -5
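--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: f0fa513891ad1756561999a381c8d2a4fdf4f07d0e7611aa29c2c91512ed1c86
+data.tar.gz: ecb3627109b5f165f03e6222a9b507ca2e7f7e2617f028181a40f66fd9745a1a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 83ada3d7ea655b7a7aeca15796f4e7eda84dac4b9b429762db553d1ed895e5052f68316b1f656cecae7ef363644d0b8ce6b74a83ff86478fe7b7ab6ad1d0b59b
+data.tar.gz: b7e24899bacd2e077871c74176a42f007cf10c3bbe08e8edb0af09f93e49ced1b76ee4aaf4f73579f7895218260b78181d8f926f14888fcc8b8803b9f921f9e7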
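--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -45,6 +47,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.35.0'
 
 end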
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# WARNING ABOUT GENERATED CODE
|
2
4
|
#
|
3
5
|
# This file is generated. See the contributing guide for more information:
|
@@ -24,6 +26,7 @@ require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
|
|
24
26
|
require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
25
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
26
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
|
+
require 'aws-sdk-core/plugins/http_checksum.rb'
|
27
30
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
28
31
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
29
32
|
|
@@ -32,11 +35,11 @@ Aws::Plugins::GlobalConfiguration.add_identifier(:kms)
|
|
32
35
|
module Aws::KMS
|
33
36
|
# An API client for KMS. To construct a client, you need to configure a `:region` and `:credentials`.
|
34
37
|
#
|
35
|
-
#
|
36
|
-
#
|
37
|
-
#
|
38
|
-
#
|
39
|
-
#
|
38
|
+
# client = Aws::KMS::Client.new(
|
39
|
+
# region: region_name,
|
40
|
+
# credentials: credentials,
|
41
|
+
# # ...
|
42
|
+
# )
|
40
43
|
#
|
41
44
|
# For details on configuring region and credentials see
|
42
45
|
# the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
|
@@ -69,6 +72,7 @@ module Aws::KMS
|
|
69
72
|
add_plugin(Aws::Plugins::ClientMetricsPlugin)
|
70
73
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
71
74
|
add_plugin(Aws::Plugins::TransferEncoding)
|
75
|
+
add_plugin(Aws::Plugins::HttpChecksum)
|
72
76
|
add_plugin(Aws::Plugins::SignatureV4)
|
73
77
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
74
78
|
|
@@ -105,7 +109,7 @@ module Aws::KMS
|
|
105
109
|
# @option options [required, String] :region
|
106
110
|
# The AWS region to connect to. The configured `:region` is
|
107
111
|
# used to determine the service `:endpoint`. When not passed,
|
108
|
-
# a default `:region` is
|
112
|
+
# a default `:region` is searched for in the following locations:
|
109
113
|
#
|
110
114
|
# * `Aws.config[:region]`
|
111
115
|
# * `ENV['AWS_REGION']`
|
@@ -161,7 +165,7 @@ module Aws::KMS
|
|
161
165
|
# @option options [String] :endpoint
|
162
166
|
# The client endpoint is normally constructed from the `:region`
|
163
167
|
# option. You should only configure an `:endpoint` when connecting
|
164
|
-
# to test endpoints. This should be
|
168
|
+
# to test or custom endpoints. This should be a valid HTTP(S) URI.
|
165
169
|
#
|
166
170
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
167
171
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
@@ -176,7 +180,7 @@ module Aws::KMS
|
|
176
180
|
# requests fetching endpoints information. Defaults to 60 sec.
|
177
181
|
#
|
178
182
|
# @option options [Boolean] :endpoint_discovery (false)
|
179
|
-
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
183
|
+
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
180
184
|
#
|
181
185
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
182
186
|
# The log formatter.
|
@@ -229,15 +233,19 @@ module Aws::KMS
|
|
229
233
|
#
|
230
234
|
# @option options [String] :retry_mode ("legacy")
|
231
235
|
# Specifies which retry algorithm to use. Values are:
|
232
|
-
#
|
233
|
-
#
|
234
|
-
#
|
235
|
-
#
|
236
|
-
#
|
237
|
-
#
|
238
|
-
#
|
239
|
-
#
|
240
|
-
#
|
236
|
+
#
|
237
|
+
# * `legacy` - The pre-existing retry behavior. This is default value if
|
238
|
+
# no retry mode is provided.
|
239
|
+
#
|
240
|
+
# * `standard` - A standardized set of retry rules across the AWS SDKs.
|
241
|
+
# This includes support for retry quotas, which limit the number of
|
242
|
+
# unsuccessful retries a client can make.
|
243
|
+
#
|
244
|
+
# * `adaptive` - An experimental retry mode that includes all the
|
245
|
+
# functionality of `standard` mode along with automatic client side
|
246
|
+
# throttling. This is a provisional mode that may change behavior
|
247
|
+
# in the future.
|
248
|
+
#
|
241
249
|
#
|
242
250
|
# @option options [String] :secret_access_key
|
243
251
|
#
|
@@ -275,8 +283,7 @@ module Aws::KMS
|
|
275
283
|
#
|
276
284
|
# @option options [Integer] :http_read_timeout (60) The default
|
277
285
|
# number of seconds to wait for response data. This value can
|
278
|
-
# safely be set
|
279
|
-
# per-request on the session yielded by {#session_for}.
|
286
|
+
# safely be set per-request on the session.
|
280
287
|
#
|
281
288
|
# @option options [Float] :http_idle_timeout (5) The number of
|
282
289
|
# seconds a connection is allowed to sit idle before it is
|
@@ -288,7 +295,7 @@ module Aws::KMS
|
|
288
295
|
# request body. This option has no effect unless the request has
|
289
296
|
# "Expect" header set to "100-continue". Defaults to `nil` which
|
290
297
|
# disables this behaviour. This value can safely be set per
|
291
|
-
# request on the session
|
298
|
+
# request on the session.
|
292
299
|
#
|
293
300
|
# @option options [Boolean] :http_wire_trace (false) When `true`,
|
294
301
|
# HTTP debug output will be sent to the `:logger`.
|
@@ -457,9 +464,9 @@ module Aws::KMS
|
|
457
464
|
end
|
458
465
|
|
459
466
|
# Creates a display name for a customer managed customer master key
|
460
|
-
# (CMK). You can use an alias to identify a CMK in cryptographic
|
461
|
-
# operations, such as Encrypt and GenerateDataKey. You can change
|
462
|
-
# CMK associated with the alias at any time.
|
467
|
+
# (CMK). You can use an alias to identify a CMK in [cryptographic
|
468
|
+
# operations][1], such as Encrypt and GenerateDataKey. You can change
|
469
|
+
# the CMK associated with the alias at any time.
|
463
470
|
#
|
464
471
|
# Aliases are easier to remember than key IDs. They can also help to
|
465
472
|
# simplify your applications. For example, if you use an alias in your
|
@@ -483,8 +490,8 @@ module Aws::KMS
|
|
483
490
|
#
|
484
491
|
# * You can associate an alias with any customer managed CMK in the same
|
485
492
|
# AWS account and Region. However, you do not have permission to
|
486
|
-
# associate an alias with an [AWS managed CMK][
|
487
|
-
# CMK][
|
493
|
+
# associate an alias with an [AWS managed CMK][2] or an [AWS owned
|
494
|
+
# CMK][3].
|
488
495
|
#
|
489
496
|
# * To change the CMK associated with an alias, use the UpdateAlias
|
490
497
|
# operation. The current CMK and the new CMK must be the same type
|
@@ -496,7 +503,7 @@ module Aws::KMS
|
|
496
503
|
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
497
504
|
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
498
505
|
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
499
|
-
# reserved for [AWS managed CMKs][
|
506
|
+
# reserved for [AWS managed CMKs][2].
|
500
507
|
#
|
501
508
|
# * The alias name must be unique within an AWS Region. However, you can
|
502
509
|
# use the same alias name in multiple Regions of the same AWS account.
|
@@ -507,12 +514,12 @@ module Aws::KMS
|
|
507
514
|
# and then create a new alias with the desired name.
|
508
515
|
#
|
509
516
|
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
510
|
-
# cryptographic operations and in the DescribeKey operation.
|
511
|
-
# you cannot use alias names or alias ARNs in API operations
|
512
|
-
# manage CMKs, such as DisableKey or GetKeyPolicy. For
|
513
|
-
# about the valid CMK identifiers for each AWS KMS API
|
514
|
-
# the descriptions of the `KeyId` parameter in the API
|
515
|
-
# documentation.
|
517
|
+
# [cryptographic operations][1] and in the DescribeKey operation.
|
518
|
+
# However, you cannot use alias names or alias ARNs in API operations
|
519
|
+
# that manage CMKs, such as DisableKey or GetKeyPolicy. For
|
520
|
+
# information about the valid CMK identifiers for each AWS KMS API
|
521
|
+
# operation, see the descriptions of the `KeyId` parameter in the API
|
522
|
+
# operation documentation.
|
516
523
|
#
|
517
524
|
# Because an alias is not a property of a CMK, you can delete and change
|
518
525
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
@@ -522,13 +529,14 @@ module Aws::KMS
|
|
522
529
|
#
|
523
530
|
# The CMK that you use for this operation must be in a compatible key
|
524
531
|
# state. For details, see [How Key State Affects Use of a Customer
|
525
|
-
# Master Key][
|
532
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
526
533
|
#
|
527
534
|
#
|
528
535
|
#
|
529
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
530
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-
|
531
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
536
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
537
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
538
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
539
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
532
540
|
#
|
533
541
|
# @option params [required, String] :alias_name
|
534
542
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -674,8 +682,8 @@ module Aws::KMS
|
|
674
682
|
# grant are met. When setting permissions, grants are an alternative to
|
675
683
|
# key policies.
|
676
684
|
#
|
677
|
-
# To create a grant that allows a cryptographic operation only when
|
678
|
-
# request includes a particular [encryption context][
|
685
|
+
# To create a grant that allows a [cryptographic operation][1] only when
|
686
|
+
# the request includes a particular [encryption context][2], use the
|
679
687
|
# `Constraints` parameter. For details, see GrantConstraints.
|
680
688
|
#
|
681
689
|
# You can create grants on symmetric and asymmetric CMKs. However, if
|
@@ -690,9 +698,9 @@ module Aws::KMS
|
|
690
698
|
#
|
691
699
|
# * Grants for asymmetric CMKs cannot allow operations that are not
|
692
700
|
# supported for asymmetric CMKs, including operations that [generate
|
693
|
-
# data keys][
|
694
|
-
# [automatic key rotation][
|
695
|
-
# [custom key stores][
|
701
|
+
# data keys][3] or [data key pairs][4], or operations related to
|
702
|
+
# [automatic key rotation][5], [imported key material][6], or CMKs in
|
703
|
+
# [custom key stores][7].
|
696
704
|
#
|
697
705
|
# * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
|
698
706
|
# cannot allow the Sign or Verify operations. Grants for asymmetric
|
@@ -704,29 +712,30 @@ module Aws::KMS
|
|
704
712
|
# asymmetric CMKs.
|
705
713
|
#
|
706
714
|
# For information about symmetric and asymmetric CMKs, see [Using
|
707
|
-
# Symmetric and Asymmetric CMKs][
|
715
|
+
# Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
|
708
716
|
# Developer Guide*.
|
709
717
|
#
|
710
718
|
# To perform this operation on a CMK in a different AWS account, specify
|
711
719
|
# the key ARN in the value of the `KeyId` parameter. For more
|
712
|
-
# information about grants, see [Grants][
|
720
|
+
# information about grants, see [Grants][9] in the <i> <i>AWS Key
|
713
721
|
# Management Service Developer Guide</i> </i>.
|
714
722
|
#
|
715
723
|
# The CMK that you use for this operation must be in a compatible key
|
716
724
|
# state. For details, see [How Key State Affects Use of a Customer
|
717
|
-
# Master Key][
|
725
|
+
# Master Key][10] in the *AWS Key Management Service Developer Guide*.
|
718
726
|
#
|
719
727
|
#
|
720
728
|
#
|
721
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
722
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/
|
723
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/
|
724
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
725
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
726
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
727
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
728
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
729
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
729
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
730
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
731
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
|
732
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
|
733
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
734
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
735
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
736
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
737
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
738
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
730
739
|
#
|
731
740
|
# @option params [required, String] :key_id
|
732
741
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -780,15 +789,16 @@ module Aws::KMS
|
|
780
789
|
# A list of operations that the grant permits.
|
781
790
|
#
|
782
791
|
# @option params [Types::GrantConstraints] :constraints
|
783
|
-
# Allows a cryptographic operation only when the encryption context
|
792
|
+
# Allows a [cryptographic operation][1] only when the encryption context
|
784
793
|
# matches or includes the encryption context specified in this
|
785
794
|
# structure. For more information about encryption context, see
|
786
|
-
# [Encryption Context][
|
795
|
+
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
787
796
|
# Developer Guide</i> </i>.
|
788
797
|
#
|
789
798
|
#
|
790
799
|
#
|
791
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
800
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
801
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
792
802
|
#
|
793
803
|
# @option params [Array<String>] :grant_tokens
|
794
804
|
# A list of grant tokens.
|
@@ -1003,10 +1013,10 @@ module Aws::KMS
|
|
1003
1013
|
# for a task.
|
1004
1014
|
#
|
1005
1015
|
# @option params [String] :key_usage
|
1006
|
-
# Determines the cryptographic operations for which you can use the
|
1007
|
-
# The default value is `ENCRYPT_DECRYPT`. This parameter is
|
1008
|
-
# only for asymmetric CMKs. You can't change the `KeyUsage`
|
1009
|
-
# the CMK is created.
|
1016
|
+
# Determines the [cryptographic operations][1] for which you can use the
|
1017
|
+
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
1018
|
+
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
1019
|
+
# value after the CMK is created.
|
1010
1020
|
#
|
1011
1021
|
# Select only one valid value.
|
1012
1022
|
#
|
@@ -1017,6 +1027,10 @@ module Aws::KMS
|
|
1017
1027
|
#
|
1018
1028
|
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
1019
1029
|
#
|
1030
|
+
#
|
1031
|
+
#
|
1032
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1033
|
+
#
|
1020
1034
|
# @option params [String] :customer_master_key_spec
|
1021
1035
|
# Specifies the type of CMK to create. The default value,
|
1022
1036
|
# `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
|
@@ -1307,9 +1321,9 @@ module Aws::KMS
|
|
1307
1321
|
#
|
1308
1322
|
# @option params [Hash<String,String>] :encryption_context
|
1309
1323
|
# Specifies the encryption context to use when decrypting the data. An
|
1310
|
-
# encryption context is valid only for cryptographic operations
|
1311
|
-
# symmetric CMK. The standard asymmetric encryption algorithms
|
1312
|
-
# KMS uses do not support an encryption context.
|
1324
|
+
# encryption context is valid only for [cryptographic operations][1]
|
1325
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
1326
|
+
# that AWS KMS uses do not support an encryption context.
|
1313
1327
|
#
|
1314
1328
|
# An *encryption context* is a collection of non-secret key-value pairs
|
1315
1329
|
# that represents additional authenticated data. When you use an
|
@@ -1318,12 +1332,13 @@ module Aws::KMS
|
|
1318
1332
|
# encryption context is optional when encrypting with a symmetric CMK,
|
1319
1333
|
# but it is highly recommended.
|
1320
1334
|
#
|
1321
|
-
# For more information, see [Encryption Context][
|
1335
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1322
1336
|
# Management Service Developer Guide*.
|
1323
1337
|
#
|
1324
1338
|
#
|
1325
1339
|
#
|
1326
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1340
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1341
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1327
1342
|
#
|
1328
1343
|
# @option params [Array<String>] :grant_tokens
|
1329
1344
|
# A list of grant tokens.
|
@@ -1476,13 +1491,13 @@ module Aws::KMS
|
|
1476
1491
|
# The custom key store that you delete cannot contain any AWS KMS
|
1477
1492
|
# [customer master keys (CMKs)][2]. Before deleting the key store,
|
1478
1493
|
# verify that you will never need to use any of the CMKs in the key
|
1479
|
-
# store for any cryptographic operations. Then, use
|
1480
|
-
# to delete the AWS KMS customer master keys (CMKs)
|
1481
|
-
# When the scheduled waiting period expires, the
|
1482
|
-
# operation deletes the CMKs. Then it makes a best
|
1483
|
-
# key material from the associated cluster.
|
1484
|
-
# manually [delete the orphaned key
|
1485
|
-
# its backups.
|
1494
|
+
# store for any [cryptographic operations][3]. Then, use
|
1495
|
+
# ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs)
|
1496
|
+
# from the key store. When the scheduled waiting period expires, the
|
1497
|
+
# `ScheduleKeyDeletion` operation deletes the CMKs. Then it makes a best
|
1498
|
+
# effort to delete the key material from the associated cluster.
|
1499
|
+
# However, you might need to manually [delete the orphaned key
|
1500
|
+
# material][4] from the cluster and its backups.
|
1486
1501
|
#
|
1487
1502
|
# After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
|
1488
1503
|
# to disconnect the key store from AWS KMS. Then, you can delete the
|
@@ -1505,7 +1520,8 @@ module Aws::KMS
|
|
1505
1520
|
#
|
1506
1521
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1507
1522
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1508
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1523
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1524
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1509
1525
|
#
|
1510
1526
|
# @option params [required, String] :custom_key_store_id
|
1511
1527
|
# Enter the ID of the custom key store you want to delete. To find the
|
@@ -1845,20 +1861,21 @@ module Aws::KMS
|
|
1845
1861
|
end
|
1846
1862
|
|
1847
1863
|
# Sets the state of a customer master key (CMK) to disabled, thereby
|
1848
|
-
# preventing its use for cryptographic operations. You cannot
|
1849
|
-
# this operation on a CMK in a different AWS account.
|
1864
|
+
# preventing its use for [cryptographic operations][1]. You cannot
|
1865
|
+
# perform this operation on a CMK in a different AWS account.
|
1850
1866
|
#
|
1851
1867
|
# For more information about how key state affects the use of a CMK, see
|
1852
|
-
# [How Key State Affects the Use of a Customer Master Key][
|
1868
|
+
# [How Key State Affects the Use of a Customer Master Key][2] in the <i>
|
1853
1869
|
# <i>AWS Key Management Service Developer Guide</i> </i>.
|
1854
1870
|
#
|
1855
1871
|
# The CMK that you use for this operation must be in a compatible key
|
1856
1872
|
# state. For details, see [How Key State Affects Use of a Customer
|
1857
|
-
# Master Key][
|
1873
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1858
1874
|
#
|
1859
1875
|
#
|
1860
1876
|
#
|
1861
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1877
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1878
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1862
1879
|
#
|
1863
1880
|
# @option params [required, String] :key_id
|
1864
1881
|
# A unique identifier for the customer master key (CMK).
|
@@ -1973,8 +1990,8 @@ module Aws::KMS
|
|
1973
1990
|
#
|
1974
1991
|
# <note markdown="1"> While a custom key store is disconnected, all attempts to create
|
1975
1992
|
# customer master keys (CMKs) in the custom key store or to use existing
|
1976
|
-
# CMKs in cryptographic operations will fail. This action can
|
1977
|
-
# users from storing and accessing sensitive data.
|
1993
|
+
# CMKs in [cryptographic operations][2] will fail. This action can
|
1994
|
+
# prevent users from storing and accessing sensitive data.
|
1978
1995
|
#
|
1979
1996
|
# </note>
|
1980
1997
|
#
|
@@ -1994,6 +2011,7 @@ module Aws::KMS
|
|
1994
2011
|
#
|
1995
2012
|
#
|
1996
2013
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2014
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1997
2015
|
#
|
1998
2016
|
# @option params [required, String] :custom_key_store_id
|
1999
2017
|
# Enter the ID of the custom key store you want to disconnect. To find
|
@@ -2018,16 +2036,17 @@ module Aws::KMS
|
|
2018
2036
|
end
|
2019
2037
|
|
2020
2038
|
# Sets the key state of a customer master key (CMK) to enabled. This
|
2021
|
-
# allows you to use the CMK for cryptographic operations. You
|
2022
|
-
# perform this operation on a CMK in a different AWS account.
|
2039
|
+
# allows you to use the CMK for [cryptographic operations][1]. You
|
2040
|
+
# cannot perform this operation on a CMK in a different AWS account.
|
2023
2041
|
#
|
2024
2042
|
# The CMK that you use for this operation must be in a compatible key
|
2025
2043
|
# state. For details, see [How Key State Affects Use of a Customer
|
2026
|
-
# Master Key][
|
2044
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2027
2045
|
#
|
2028
2046
|
#
|
2029
2047
|
#
|
2030
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2048
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2049
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2031
2050
|
#
|
2032
2051
|
# @option params [required, String] :key_id
|
2033
2052
|
# A unique identifier for the customer master key (CMK).
|
@@ -2139,11 +2158,13 @@ module Aws::KMS
|
|
2139
2158
|
# identifier or database password, or other sensitive information.
|
2140
2159
|
#
|
2141
2160
|
# * You can use the `Encrypt` operation to move encrypted data from one
|
2142
|
-
# AWS
|
2143
|
-
# use the plaintext key to encrypt
|
2144
|
-
#
|
2145
|
-
#
|
2146
|
-
#
|
2161
|
+
# AWS Region to another. For example, in Region A, generate a data key
|
2162
|
+
# and use the plaintext key to encrypt your data. Then, in Region A,
|
2163
|
+
# use the `Encrypt` operation to encrypt the plaintext data key under
|
2164
|
+
# a CMK in Region B. Now, you can move the encrypted data and the
|
2165
|
+
# encrypted data key to Region B. When necessary, you can decrypt the
|
2166
|
+
# encrypted data key and the encrypted data entirely within in Region
|
2167
|
+
# B.
|
2147
2168
|
#
|
2148
2169
|
# You don't need to use the `Encrypt` operation to encrypt a data key.
|
2149
2170
|
# The GenerateDataKey and GenerateDataKeyPair operations return a
|
@@ -2243,9 +2264,10 @@ module Aws::KMS
|
|
2243
2264
|
#
|
2244
2265
|
# @option params [Hash<String,String>] :encryption_context
|
2245
2266
|
# Specifies the encryption context that will be used to encrypt the
|
2246
|
-
# data. An encryption context is valid only for cryptographic
|
2247
|
-
# with a symmetric CMK. The standard asymmetric
|
2248
|
-
# that AWS KMS uses do not support an encryption
|
2267
|
+
# data. An encryption context is valid only for [cryptographic
|
2268
|
+
# operations][1] with a symmetric CMK. The standard asymmetric
|
2269
|
+
# encryption algorithms that AWS KMS uses do not support an encryption
|
2270
|
+
# context.
|
2249
2271
|
#
|
2250
2272
|
# An *encryption context* is a collection of non-secret key-value pairs
|
2251
2273
|
# that represents additional authenticated data. When you use an
|
@@ -2254,12 +2276,13 @@ module Aws::KMS
|
|
2254
2276
|
# encryption context is optional when encrypting with a symmetric CMK,
|
2255
2277
|
# but it is highly recommended.
|
2256
2278
|
#
|
2257
|
-
# For more information, see [Encryption Context][
|
2279
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
2258
2280
|
# Management Service Developer Guide*.
|
2259
2281
|
#
|
2260
2282
|
#
|
2261
2283
|
#
|
2262
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
2284
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2285
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2263
2286
|
#
|
2264
2287
|
# @option params [Array<String>] :grant_tokens
|
2265
2288
|
# A list of grant tokens.
|
@@ -2330,28 +2353,22 @@ module Aws::KMS
|
|
2330
2353
|
req.send_request(options)
|
2331
2354
|
end
|
2332
2355
|
|
2333
|
-
# Generates a unique symmetric data key
|
2334
|
-
# plaintext copy of the data key and a copy that is
|
2335
|
-
# customer master key (CMK) that you specify. You can
|
2336
|
-
# key to encrypt your data outside of AWS KMS and
|
2337
|
-
# data key with the encrypted data.
|
2356
|
+
# Generates a unique symmetric data key for client-side encryption. This
|
2357
|
+
# operation returns a plaintext copy of the data key and a copy that is
|
2358
|
+
# encrypted under a customer master key (CMK) that you specify. You can
|
2359
|
+
# use the plaintext key to encrypt your data outside of AWS KMS and
|
2360
|
+
# store the encrypted data key with the encrypted data.
|
2338
2361
|
#
|
2339
2362
|
# `GenerateDataKey` returns a unique data key for each request. The
|
2340
|
-
# bytes in the key are not related to the caller or CMK
|
2341
|
-
# encrypt the data key.
|
2363
|
+
# bytes in the plaintext key are not related to the caller or the CMK.
|
2342
2364
|
#
|
2343
2365
|
# To generate a data key, specify the symmetric CMK that will be used to
|
2344
2366
|
# encrypt the data key. You cannot use an asymmetric CMK to generate
|
2345
2367
|
# data keys. To get the type of your CMK, use the DescribeKey operation.
|
2346
|
-
#
|
2347
2368
|
# You must also specify the length of the data key. Use either the
|
2348
2369
|
# `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
|
2349
2370
|
# and 256-bit data keys, use the `KeySpec` parameter.
|
2350
2371
|
#
|
2351
|
-
# If the operation succeeds, the plaintext copy of the data key is in
|
2352
|
-
# the `Plaintext` field of the response, and the encrypted copy of the
|
2353
|
-
# data key in the `CiphertextBlob` field.
|
2354
|
-
#
|
2355
2372
|
# To get only an encrypted copy of the data key, use
|
2356
2373
|
# GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
|
2357
2374
|
# pair, use the GenerateDataKeyPair or
|
@@ -2362,7 +2379,7 @@ module Aws::KMS
|
|
2362
2379
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2363
2380
|
# you must specify the same encryption context (a case-sensitive exact
|
2364
2381
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2365
|
-
# to decrypt fails with an InvalidCiphertextException
|
2382
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2366
2383
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2367
2384
|
# Service Developer Guide*.
|
2368
2385
|
#
|
@@ -2370,30 +2387,40 @@ module Aws::KMS
|
|
2370
2387
|
# state. For details, see [How Key State Affects Use of a Customer
|
2371
2388
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2372
2389
|
#
|
2390
|
+
# **How to use your data key**
|
2391
|
+
#
|
2373
2392
|
# We recommend that you use the following pattern to encrypt data
|
2374
|
-
# locally in your application
|
2393
|
+
# locally in your application. You can write your own code or use a
|
2394
|
+
# client-side encryption library, such as the [AWS Encryption SDK][3],
|
2395
|
+
# the [Amazon DynamoDB Encryption Client][4], or [Amazon S3 client-side
|
2396
|
+
# encryption][5] to do these tasks for you.
|
2375
2397
|
#
|
2376
|
-
#
|
2398
|
+
# To encrypt data outside of AWS KMS:
|
2377
2399
|
#
|
2378
|
-
#
|
2379
|
-
#
|
2380
|
-
#
|
2400
|
+
# 1. Use the `GenerateDataKey` operation to get a data key.
|
2401
|
+
#
|
2402
|
+
# 2. Use the plaintext data key (in the `Plaintext` field of the
|
2403
|
+
# response) to encrypt your data outside of AWS KMS. Then erase the
|
2404
|
+
# plaintext data key from memory.
|
2381
2405
|
#
|
2382
|
-
# 3. Store the encrypted data key (
|
2383
|
-
#
|
2406
|
+
# 3. Store the encrypted data key (in the `CiphertextBlob` field of the
|
2407
|
+
# response) with the encrypted data.
|
2384
2408
|
#
|
2385
|
-
# To decrypt data
|
2409
|
+
# To decrypt data outside of AWS KMS:
|
2386
2410
|
#
|
2387
2411
|
# 1. Use the Decrypt operation to decrypt the encrypted data key. The
|
2388
2412
|
# operation returns a plaintext copy of the data key.
|
2389
2413
|
#
|
2390
|
-
# 2. Use the plaintext data key to decrypt data
|
2391
|
-
# plaintext data key from memory.
|
2414
|
+
# 2. Use the plaintext data key to decrypt data outside of AWS KMS,
|
2415
|
+
# then erase the plaintext data key from memory.
|
2392
2416
|
#
|
2393
2417
|
#
|
2394
2418
|
#
|
2395
2419
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2396
2420
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2421
|
+
# [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
2422
|
+
# [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
2423
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
2397
2424
|
#
|
2398
2425
|
# @option params [required, String] :key_id
|
2399
2426
|
# Identifies the symmetric CMK that encrypts the data key.
|
@@ -2531,8 +2558,8 @@ module Aws::KMS
|
|
2531
2558
|
#
|
2532
2559
|
# To generate a data key pair, you must specify a symmetric customer
|
2533
2560
|
# master key (CMK) to encrypt the private key in a data key pair. You
|
2534
|
-
# cannot use an asymmetric CMK
|
2535
|
-
# DescribeKey operation.
|
2561
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2562
|
+
# the type and origin of your CMK, use the DescribeKey operation.
|
2536
2563
|
#
|
2537
2564
|
# If you are using the data key pair to encrypt data, or for any
|
2538
2565
|
# operation where you don't immediately need a private key, consider
|
@@ -2547,7 +2574,7 @@ module Aws::KMS
|
|
2547
2574
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2548
2575
|
# you must specify the same encryption context (a case-sensitive exact
|
2549
2576
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2550
|
-
# to decrypt fails with an InvalidCiphertextException
|
2577
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2551
2578
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2552
2579
|
# Service Developer Guide*.
|
2553
2580
|
#
|
@@ -2580,7 +2607,9 @@ module Aws::KMS
|
|
2580
2607
|
#
|
2581
2608
|
# @option params [required, String] :key_id
|
2582
2609
|
# Specifies the symmetric CMK that encrypts the private key in the data
|
2583
|
-
# key pair. You cannot specify an asymmetric
|
2610
|
+
# key pair. You cannot specify an asymmetric CMK or a CMK in a custom
|
2611
|
+
# key store. To get the type and origin of your CMK, use the DescribeKey
|
2612
|
+
# operation.
|
2584
2613
|
#
|
2585
2614
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2586
2615
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2663,8 +2692,9 @@ module Aws::KMS
|
|
2663
2692
|
#
|
2664
2693
|
# To generate a data key pair, you must specify a symmetric customer
|
2665
2694
|
# master key (CMK) to encrypt the private key in the data key pair. You
|
2666
|
-
# cannot use an asymmetric CMK
|
2667
|
-
# `KeySpec` field in the
|
2695
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2696
|
+
# the type and origin of your CMK, use the `KeySpec` field in the
|
2697
|
+
# DescribeKey response.
|
2668
2698
|
#
|
2669
2699
|
# You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
|
2670
2700
|
# returns to encrypt data or verify a signature outside of AWS KMS.
|
@@ -2680,7 +2710,7 @@ module Aws::KMS
|
|
2680
2710
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2681
2711
|
# you must specify the same encryption context (a case-sensitive exact
|
2682
2712
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2683
|
-
# to decrypt fails with an InvalidCiphertextException
|
2713
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2684
2714
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2685
2715
|
# Service Developer Guide*.
|
2686
2716
|
#
|
@@ -2713,8 +2743,9 @@ module Aws::KMS
|
|
2713
2743
|
#
|
2714
2744
|
# @option params [required, String] :key_id
|
2715
2745
|
# Specifies the CMK that encrypts the private key in the data key pair.
|
2716
|
-
# You must specify a symmetric CMK. You cannot use an asymmetric CMK
|
2717
|
-
# get the type of your CMK,
|
2746
|
+
# You must specify a symmetric CMK. You cannot use an asymmetric CMK or
|
2747
|
+
# a CMK in a custom key store. To get the type and origin of your CMK,
|
2748
|
+
# use the DescribeKey operation.
|
2718
2749
|
#
|
2719
2750
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2720
2751
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2823,7 +2854,7 @@ module Aws::KMS
|
|
2823
2854
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2824
2855
|
# you must specify the same encryption context (a case-sensitive exact
|
2825
2856
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2826
|
-
# to decrypt fails with an InvalidCiphertextException
|
2857
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2827
2858
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2828
2859
|
# Service Developer Guide*.
|
2829
2860
|
#
|
@@ -3569,6 +3600,8 @@ module Aws::KMS
|
|
3569
3600
|
# * {Types::ListAliasesResponse#next_marker #next_marker} => String
|
3570
3601
|
# * {Types::ListAliasesResponse#truncated #truncated} => Boolean
|
3571
3602
|
#
|
3603
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3604
|
+
#
|
3572
3605
|
#
|
3573
3606
|
# @example Example: To list aliases
|
3574
3607
|
#
|
@@ -3655,6 +3688,19 @@ module Aws::KMS
|
|
3655
3688
|
# To perform this operation on a CMK in a different AWS account, specify
|
3656
3689
|
# the key ARN in the value of the `KeyId` parameter.
|
3657
3690
|
#
|
3691
|
+
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
3692
|
+
# contains the user or role designated as the grantee principal in the
|
3693
|
+
# grant. However, when the grantee principal in the grant is an AWS
|
3694
|
+
# service, the `GranteePrincipal` field contains the [service
|
3695
|
+
# principal][1], which might represent several different grantee
|
3696
|
+
# principals.
|
3697
|
+
#
|
3698
|
+
# </note>
|
3699
|
+
#
|
3700
|
+
#
|
3701
|
+
#
|
3702
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
3703
|
+
#
|
3658
3704
|
# @option params [Integer] :limit
|
3659
3705
|
# Use this parameter to specify the maximum number of items to return.
|
3660
3706
|
# When this value is present, AWS KMS does not return more than the
|
@@ -3689,6 +3735,8 @@ module Aws::KMS
|
|
3689
3735
|
# * {Types::ListGrantsResponse#next_marker #next_marker} => String
|
3690
3736
|
# * {Types::ListGrantsResponse#truncated #truncated} => Boolean
|
3691
3737
|
#
|
3738
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3739
|
+
#
|
3692
3740
|
#
|
3693
3741
|
# @example Example: To list grants for a customer master key (CMK)
|
3694
3742
|
#
|
@@ -3834,6 +3882,8 @@ module Aws::KMS
|
|
3834
3882
|
# * {Types::ListKeyPoliciesResponse#next_marker #next_marker} => String
|
3835
3883
|
# * {Types::ListKeyPoliciesResponse#truncated #truncated} => Boolean
|
3836
3884
|
#
|
3885
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3886
|
+
#
|
3837
3887
|
#
|
3838
3888
|
# @example Example: To list key policies for a customer master key (CMK)
|
3839
3889
|
#
|
@@ -3898,6 +3948,8 @@ module Aws::KMS
|
|
3898
3948
|
# * {Types::ListKeysResponse#next_marker #next_marker} => String
|
3899
3949
|
# * {Types::ListKeysResponse#truncated #truncated} => Boolean
|
3900
3950
|
#
|
3951
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
3952
|
+
#
|
3901
3953
|
#
|
3902
3954
|
# @example Example: To list customer master keys (CMKs)
|
3903
3955
|
#
|
@@ -4278,16 +4330,16 @@ module Aws::KMS
|
|
4278
4330
|
# under which data is encrypted, such as when you [manually rotate][1] a
|
4279
4331
|
# CMK or change the CMK that protects a ciphertext. You can also use it
|
4280
4332
|
# to reencrypt ciphertext under the same CMK, such as to change the
|
4281
|
-
# encryption context of a ciphertext.
|
4333
|
+
# [encryption context][2] of a ciphertext.
|
4282
4334
|
#
|
4283
4335
|
# The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
|
4284
4336
|
# using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
|
4285
4337
|
# GenerateDataKey. It can also decrypt ciphertext that was encrypted by
|
4286
|
-
# using the public key of an asymmetric CMK outside of AWS KMS.
|
4287
|
-
# it cannot decrypt ciphertext produced by other libraries,
|
4288
|
-
# [AWS Encryption SDK][
|
4289
|
-
# These libraries return a ciphertext format that is
|
4290
|
-
# AWS KMS.
|
4338
|
+
# using the public key of an [asymmetric CMK][3] outside of AWS KMS.
|
4339
|
+
# However, it cannot decrypt ciphertext produced by other libraries,
|
4340
|
+
# such as the [AWS Encryption SDK][4] or [Amazon S3 client-side
|
4341
|
+
# encryption][5]. These libraries return a ciphertext format that is
|
4342
|
+
# incompatible with AWS KMS.
|
4291
4343
|
#
|
4292
4344
|
# When you use the `ReEncrypt` operation, you need to provide
|
4293
4345
|
# information for the decrypt operation and the subsequent encrypt
|
@@ -4325,29 +4377,30 @@ module Aws::KMS
|
|
4325
4377
|
# Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
|
4326
4378
|
# permissions:
|
4327
4379
|
#
|
4328
|
-
# * `kms:
|
4329
|
-
#
|
4330
|
-
# * `kms:EncryptTo` permission on the destination CMK
|
4380
|
+
# * `kms:ReEncryptFrom` permission on the source CMK
|
4331
4381
|
#
|
4332
|
-
#
|
4382
|
+
# * `kms:ReEncryptTo` permission on the destination CMK
|
4333
4383
|
#
|
4334
|
-
# or to a CMK, include the
|
4335
|
-
# policy][
|
4336
|
-
#
|
4337
|
-
#
|
4338
|
-
# PutKeyPolicy operation set
|
4384
|
+
# To permit reencryption from or to a CMK, include the
|
4385
|
+
# `"kms:ReEncrypt*"` permission in your [key policy][6]. This permission
|
4386
|
+
# is automatically included in the key policy when you use the console
|
4387
|
+
# to create a CMK. But you must include it manually when you create a
|
4388
|
+
# CMK programmatically or when you use the PutKeyPolicy operation to set
|
4389
|
+
# a key policy.
|
4339
4390
|
#
|
4340
4391
|
# The CMK that you use for this operation must be in a compatible key
|
4341
4392
|
# state. For details, see [How Key State Affects Use of a Customer
|
4342
|
-
# Master Key][
|
4393
|
+
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
4343
4394
|
#
|
4344
4395
|
#
|
4345
4396
|
#
|
4346
4397
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
|
4347
|
-
# [2]: https://docs.aws.amazon.com/
|
4348
|
-
# [3]: https://docs.aws.amazon.com/
|
4349
|
-
# [4]: https://docs.aws.amazon.com/
|
4350
|
-
# [5]: https://docs.aws.amazon.com/
|
4398
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4399
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
4400
|
+
# [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4401
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4402
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4403
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4351
4404
|
#
|
4352
4405
|
# @option params [required, String, IO] :ciphertext_blob
|
4353
4406
|
# Ciphertext of the data to reencrypt.
|
@@ -5426,7 +5479,7 @@ module Aws::KMS
|
|
5426
5479
|
params: params,
|
5427
5480
|
config: config)
|
5428
5481
|
context[:gem_name] = 'aws-sdk-kms'
|
5429
|
-
context[:gem_version] = '1.
|
5482
|
+
context[:gem_version] = '1.35.0'
|
5430
5483
|
Seahorse::Client::Request.new(handlers, context)
|
5431
5484
|
end
|
5432
5485
|
|