aws-sdk-kms 1.31.0 → 1.36.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +3 -1
- data/lib/aws-sdk-kms/client.rb +172 -130
- data/lib/aws-sdk-kms/client_api.rb +5 -0
- data/lib/aws-sdk-kms/customizations.rb +1 -0
- data/lib/aws-sdk-kms/errors.rb +2 -0
- data/lib/aws-sdk-kms/resource.rb +2 -0
- data/lib/aws-sdk-kms/types.rb +279 -100
- metadata +4 -4
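--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4cf10aeb5e6e34a2a77a77b1431b7886d0906dbe3a4a70fe0e3a93c8dcbaaa2b
+data.tar.gz: 3fc2165a42629c08b730f694a40abb6a040ec857c6cacdd5f7d6cda050256e15
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3dd329302083121bd51e9a0af46611bf888b2f947d020167b1df1324795d9894198fdb2d1b04a56bbbef891bc6bb7870327220ec21087787fb9902897b4b34ab
+data.tar.gz: b942fac422db7a8ca0dc8c15ca71dd177ee930d111b4de29928d2fcadb40725a7e38e2083a63fb63dd8b122b956c97b9e3de47b23db3cab7d206345677a04921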
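--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -45,6 +47,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @service
 module Aws::KMS
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.36.0'
 
 end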
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# WARNING ABOUT GENERATED CODE
|
2
4
|
#
|
3
5
|
# This file is generated. See the contributing guide for more information:
|
@@ -24,6 +26,7 @@ require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
|
|
24
26
|
require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
25
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
26
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
|
+
require 'aws-sdk-core/plugins/http_checksum.rb'
|
27
30
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
28
31
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
29
32
|
|
@@ -69,6 +72,7 @@ module Aws::KMS
|
|
69
72
|
add_plugin(Aws::Plugins::ClientMetricsPlugin)
|
70
73
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
71
74
|
add_plugin(Aws::Plugins::TransferEncoding)
|
75
|
+
add_plugin(Aws::Plugins::HttpChecksum)
|
72
76
|
add_plugin(Aws::Plugins::SignatureV4)
|
73
77
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
74
78
|
|
@@ -161,7 +165,7 @@ module Aws::KMS
|
|
161
165
|
# @option options [String] :endpoint
|
162
166
|
# The client endpoint is normally constructed from the `:region`
|
163
167
|
# option. You should only configure an `:endpoint` when connecting
|
164
|
-
# to test endpoints. This should be a valid HTTP(S) URI.
|
168
|
+
# to test or custom endpoints. This should be a valid HTTP(S) URI.
|
165
169
|
#
|
166
170
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
167
171
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
@@ -176,7 +180,7 @@ module Aws::KMS
|
|
176
180
|
# requests fetching endpoints information. Defaults to 60 sec.
|
177
181
|
#
|
178
182
|
# @option options [Boolean] :endpoint_discovery (false)
|
179
|
-
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
183
|
+
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
180
184
|
#
|
181
185
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
182
186
|
# The log formatter.
|
@@ -460,9 +464,9 @@ module Aws::KMS
|
|
460
464
|
end
|
461
465
|
|
462
466
|
# Creates a display name for a customer managed customer master key
|
463
|
-
# (CMK). You can use an alias to identify a CMK in cryptographic
|
464
|
-
# operations, such as Encrypt and GenerateDataKey. You can change
|
465
|
-
# CMK associated with the alias at any time.
|
467
|
+
# (CMK). You can use an alias to identify a CMK in [cryptographic
|
468
|
+
# operations][1], such as Encrypt and GenerateDataKey. You can change
|
469
|
+
# the CMK associated with the alias at any time.
|
466
470
|
#
|
467
471
|
# Aliases are easier to remember than key IDs. They can also help to
|
468
472
|
# simplify your applications. For example, if you use an alias in your
|
@@ -486,8 +490,8 @@ module Aws::KMS
|
|
486
490
|
#
|
487
491
|
# * You can associate an alias with any customer managed CMK in the same
|
488
492
|
# AWS account and Region. However, you do not have permission to
|
489
|
-
# associate an alias with an [AWS managed CMK][
|
490
|
-
# CMK][
|
493
|
+
# associate an alias with an [AWS managed CMK][2] or an [AWS owned
|
494
|
+
# CMK][3].
|
491
495
|
#
|
492
496
|
# * To change the CMK associated with an alias, use the UpdateAlias
|
493
497
|
# operation. The current CMK and the new CMK must be the same type
|
@@ -499,7 +503,7 @@ module Aws::KMS
|
|
499
503
|
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
500
504
|
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
501
505
|
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
502
|
-
# reserved for [AWS managed CMKs][
|
506
|
+
# reserved for [AWS managed CMKs][2].
|
503
507
|
#
|
504
508
|
# * The alias name must be unique within an AWS Region. However, you can
|
505
509
|
# use the same alias name in multiple Regions of the same AWS account.
|
@@ -510,12 +514,12 @@ module Aws::KMS
|
|
510
514
|
# and then create a new alias with the desired name.
|
511
515
|
#
|
512
516
|
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
513
|
-
# cryptographic operations and in the DescribeKey operation.
|
514
|
-
# you cannot use alias names or alias ARNs in API operations
|
515
|
-
# manage CMKs, such as DisableKey or GetKeyPolicy. For
|
516
|
-
# about the valid CMK identifiers for each AWS KMS API
|
517
|
-
# the descriptions of the `KeyId` parameter in the API
|
518
|
-
# documentation.
|
517
|
+
# [cryptographic operations][1] and in the DescribeKey operation.
|
518
|
+
# However, you cannot use alias names or alias ARNs in API operations
|
519
|
+
# that manage CMKs, such as DisableKey or GetKeyPolicy. For
|
520
|
+
# information about the valid CMK identifiers for each AWS KMS API
|
521
|
+
# operation, see the descriptions of the `KeyId` parameter in the API
|
522
|
+
# operation documentation.
|
519
523
|
#
|
520
524
|
# Because an alias is not a property of a CMK, you can delete and change
|
521
525
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
@@ -525,13 +529,14 @@ module Aws::KMS
|
|
525
529
|
#
|
526
530
|
# The CMK that you use for this operation must be in a compatible key
|
527
531
|
# state. For details, see [How Key State Affects Use of a Customer
|
528
|
-
# Master Key][
|
532
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
529
533
|
#
|
530
534
|
#
|
531
535
|
#
|
532
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
533
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-
|
534
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
536
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
537
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
538
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
539
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
535
540
|
#
|
536
541
|
# @option params [required, String] :alias_name
|
537
542
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -677,8 +682,8 @@ module Aws::KMS
|
|
677
682
|
# grant are met. When setting permissions, grants are an alternative to
|
678
683
|
# key policies.
|
679
684
|
#
|
680
|
-
# To create a grant that allows a cryptographic operation only when
|
681
|
-
# request includes a particular [encryption context][
|
685
|
+
# To create a grant that allows a [cryptographic operation][1] only when
|
686
|
+
# the request includes a particular [encryption context][2], use the
|
682
687
|
# `Constraints` parameter. For details, see GrantConstraints.
|
683
688
|
#
|
684
689
|
# You can create grants on symmetric and asymmetric CMKs. However, if
|
@@ -693,9 +698,9 @@ module Aws::KMS
|
|
693
698
|
#
|
694
699
|
# * Grants for asymmetric CMKs cannot allow operations that are not
|
695
700
|
# supported for asymmetric CMKs, including operations that [generate
|
696
|
-
# data keys][
|
697
|
-
# [automatic key rotation][
|
698
|
-
# [custom key stores][
|
701
|
+
# data keys][3] or [data key pairs][4], or operations related to
|
702
|
+
# [automatic key rotation][5], [imported key material][6], or CMKs in
|
703
|
+
# [custom key stores][7].
|
699
704
|
#
|
700
705
|
# * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
|
701
706
|
# cannot allow the Sign or Verify operations. Grants for asymmetric
|
@@ -707,29 +712,30 @@ module Aws::KMS
|
|
707
712
|
# asymmetric CMKs.
|
708
713
|
#
|
709
714
|
# For information about symmetric and asymmetric CMKs, see [Using
|
710
|
-
# Symmetric and Asymmetric CMKs][
|
715
|
+
# Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
|
711
716
|
# Developer Guide*.
|
712
717
|
#
|
713
718
|
# To perform this operation on a CMK in a different AWS account, specify
|
714
719
|
# the key ARN in the value of the `KeyId` parameter. For more
|
715
|
-
# information about grants, see [Grants][
|
720
|
+
# information about grants, see [Grants][9] in the <i> <i>AWS Key
|
716
721
|
# Management Service Developer Guide</i> </i>.
|
717
722
|
#
|
718
723
|
# The CMK that you use for this operation must be in a compatible key
|
719
724
|
# state. For details, see [How Key State Affects Use of a Customer
|
720
|
-
# Master Key][
|
725
|
+
# Master Key][10] in the *AWS Key Management Service Developer Guide*.
|
721
726
|
#
|
722
727
|
#
|
723
728
|
#
|
724
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
725
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/
|
726
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/
|
727
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
728
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
729
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
730
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
731
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
732
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
729
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
730
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
731
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
|
732
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
|
733
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
734
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
735
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
736
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
737
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
738
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
733
739
|
#
|
734
740
|
# @option params [required, String] :key_id
|
735
741
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -783,15 +789,16 @@ module Aws::KMS
|
|
783
789
|
# A list of operations that the grant permits.
|
784
790
|
#
|
785
791
|
# @option params [Types::GrantConstraints] :constraints
|
786
|
-
# Allows a cryptographic operation only when the encryption context
|
792
|
+
# Allows a [cryptographic operation][1] only when the encryption context
|
787
793
|
# matches or includes the encryption context specified in this
|
788
794
|
# structure. For more information about encryption context, see
|
789
|
-
# [Encryption Context][
|
795
|
+
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
790
796
|
# Developer Guide</i> </i>.
|
791
797
|
#
|
792
798
|
#
|
793
799
|
#
|
794
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
800
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
801
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
795
802
|
#
|
796
803
|
# @option params [Array<String>] :grant_tokens
|
797
804
|
# A list of grant tokens.
|
@@ -1006,10 +1013,10 @@ module Aws::KMS
|
|
1006
1013
|
# for a task.
|
1007
1014
|
#
|
1008
1015
|
# @option params [String] :key_usage
|
1009
|
-
# Determines the cryptographic operations for which you can use the
|
1010
|
-
# The default value is `ENCRYPT_DECRYPT`. This parameter is
|
1011
|
-
# only for asymmetric CMKs. You can't change the `KeyUsage`
|
1012
|
-
# the CMK is created.
|
1016
|
+
# Determines the [cryptographic operations][1] for which you can use the
|
1017
|
+
# CMK. The default value is `ENCRYPT_DECRYPT`. This parameter is
|
1018
|
+
# required only for asymmetric CMKs. You can't change the `KeyUsage`
|
1019
|
+
# value after the CMK is created.
|
1013
1020
|
#
|
1014
1021
|
# Select only one valid value.
|
1015
1022
|
#
|
@@ -1020,6 +1027,10 @@ module Aws::KMS
|
|
1020
1027
|
#
|
1021
1028
|
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
1022
1029
|
#
|
1030
|
+
#
|
1031
|
+
#
|
1032
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1033
|
+
#
|
1023
1034
|
# @option params [String] :customer_master_key_spec
|
1024
1035
|
# Specifies the type of CMK to create. The default value,
|
1025
1036
|
# `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
|
@@ -1310,9 +1321,9 @@ module Aws::KMS
|
|
1310
1321
|
#
|
1311
1322
|
# @option params [Hash<String,String>] :encryption_context
|
1312
1323
|
# Specifies the encryption context to use when decrypting the data. An
|
1313
|
-
# encryption context is valid only for cryptographic operations
|
1314
|
-
# symmetric CMK. The standard asymmetric encryption algorithms
|
1315
|
-
# KMS uses do not support an encryption context.
|
1324
|
+
# encryption context is valid only for [cryptographic operations][1]
|
1325
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
1326
|
+
# that AWS KMS uses do not support an encryption context.
|
1316
1327
|
#
|
1317
1328
|
# An *encryption context* is a collection of non-secret key-value pairs
|
1318
1329
|
# that represents additional authenticated data. When you use an
|
@@ -1321,12 +1332,13 @@ module Aws::KMS
|
|
1321
1332
|
# encryption context is optional when encrypting with a symmetric CMK,
|
1322
1333
|
# but it is highly recommended.
|
1323
1334
|
#
|
1324
|
-
# For more information, see [Encryption Context][
|
1335
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
1325
1336
|
# Management Service Developer Guide*.
|
1326
1337
|
#
|
1327
1338
|
#
|
1328
1339
|
#
|
1329
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1340
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1341
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1330
1342
|
#
|
1331
1343
|
# @option params [Array<String>] :grant_tokens
|
1332
1344
|
# A list of grant tokens.
|
@@ -1479,13 +1491,13 @@ module Aws::KMS
|
|
1479
1491
|
# The custom key store that you delete cannot contain any AWS KMS
|
1480
1492
|
# [customer master keys (CMKs)][2]. Before deleting the key store,
|
1481
1493
|
# verify that you will never need to use any of the CMKs in the key
|
1482
|
-
# store for any cryptographic operations. Then, use
|
1483
|
-
# to delete the AWS KMS customer master keys (CMKs)
|
1484
|
-
# When the scheduled waiting period expires, the
|
1485
|
-
# operation deletes the CMKs. Then it makes a best
|
1486
|
-
# key material from the associated cluster.
|
1487
|
-
# manually [delete the orphaned key
|
1488
|
-
# its backups.
|
1494
|
+
# store for any [cryptographic operations][3]. Then, use
|
1495
|
+
# ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs)
|
1496
|
+
# from the key store. When the scheduled waiting period expires, the
|
1497
|
+
# `ScheduleKeyDeletion` operation deletes the CMKs. Then it makes a best
|
1498
|
+
# effort to delete the key material from the associated cluster.
|
1499
|
+
# However, you might need to manually [delete the orphaned key
|
1500
|
+
# material][4] from the cluster and its backups.
|
1489
1501
|
#
|
1490
1502
|
# After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore
|
1491
1503
|
# to disconnect the key store from AWS KMS. Then, you can delete the
|
@@ -1508,7 +1520,8 @@ module Aws::KMS
|
|
1508
1520
|
#
|
1509
1521
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1510
1522
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1511
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1523
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1524
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1512
1525
|
#
|
1513
1526
|
# @option params [required, String] :custom_key_store_id
|
1514
1527
|
# Enter the ID of the custom key store you want to delete. To find the
|
@@ -1848,20 +1861,21 @@ module Aws::KMS
|
|
1848
1861
|
end
|
1849
1862
|
|
1850
1863
|
# Sets the state of a customer master key (CMK) to disabled, thereby
|
1851
|
-
# preventing its use for cryptographic operations. You cannot
|
1852
|
-
# this operation on a CMK in a different AWS account.
|
1864
|
+
# preventing its use for [cryptographic operations][1]. You cannot
|
1865
|
+
# perform this operation on a CMK in a different AWS account.
|
1853
1866
|
#
|
1854
1867
|
# For more information about how key state affects the use of a CMK, see
|
1855
|
-
# [How Key State Affects the Use of a Customer Master Key][
|
1868
|
+
# [How Key State Affects the Use of a Customer Master Key][2] in the <i>
|
1856
1869
|
# <i>AWS Key Management Service Developer Guide</i> </i>.
|
1857
1870
|
#
|
1858
1871
|
# The CMK that you use for this operation must be in a compatible key
|
1859
1872
|
# state. For details, see [How Key State Affects Use of a Customer
|
1860
|
-
# Master Key][
|
1873
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1861
1874
|
#
|
1862
1875
|
#
|
1863
1876
|
#
|
1864
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1877
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1878
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1865
1879
|
#
|
1866
1880
|
# @option params [required, String] :key_id
|
1867
1881
|
# A unique identifier for the customer master key (CMK).
|
@@ -1976,8 +1990,8 @@ module Aws::KMS
|
|
1976
1990
|
#
|
1977
1991
|
# <note markdown="1"> While a custom key store is disconnected, all attempts to create
|
1978
1992
|
# customer master keys (CMKs) in the custom key store or to use existing
|
1979
|
-
# CMKs in cryptographic operations will fail. This action can
|
1980
|
-
# users from storing and accessing sensitive data.
|
1993
|
+
# CMKs in [cryptographic operations][2] will fail. This action can
|
1994
|
+
# prevent users from storing and accessing sensitive data.
|
1981
1995
|
#
|
1982
1996
|
# </note>
|
1983
1997
|
#
|
@@ -1997,6 +2011,7 @@ module Aws::KMS
|
|
1997
2011
|
#
|
1998
2012
|
#
|
1999
2013
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2014
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2000
2015
|
#
|
2001
2016
|
# @option params [required, String] :custom_key_store_id
|
2002
2017
|
# Enter the ID of the custom key store you want to disconnect. To find
|
@@ -2021,16 +2036,17 @@ module Aws::KMS
|
|
2021
2036
|
end
|
2022
2037
|
|
2023
2038
|
# Sets the key state of a customer master key (CMK) to enabled. This
|
2024
|
-
# allows you to use the CMK for cryptographic operations. You
|
2025
|
-
# perform this operation on a CMK in a different AWS account.
|
2039
|
+
# allows you to use the CMK for [cryptographic operations][1]. You
|
2040
|
+
# cannot perform this operation on a CMK in a different AWS account.
|
2026
2041
|
#
|
2027
2042
|
# The CMK that you use for this operation must be in a compatible key
|
2028
2043
|
# state. For details, see [How Key State Affects Use of a Customer
|
2029
|
-
# Master Key][
|
2044
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2030
2045
|
#
|
2031
2046
|
#
|
2032
2047
|
#
|
2033
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2048
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2049
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2034
2050
|
#
|
2035
2051
|
# @option params [required, String] :key_id
|
2036
2052
|
# A unique identifier for the customer master key (CMK).
|
@@ -2142,11 +2158,13 @@ module Aws::KMS
|
|
2142
2158
|
# identifier or database password, or other sensitive information.
|
2143
2159
|
#
|
2144
2160
|
# * You can use the `Encrypt` operation to move encrypted data from one
|
2145
|
-
# AWS
|
2146
|
-
# use the plaintext key to encrypt
|
2147
|
-
#
|
2148
|
-
#
|
2149
|
-
#
|
2161
|
+
# AWS Region to another. For example, in Region A, generate a data key
|
2162
|
+
# and use the plaintext key to encrypt your data. Then, in Region A,
|
2163
|
+
# use the `Encrypt` operation to encrypt the plaintext data key under
|
2164
|
+
# a CMK in Region B. Now, you can move the encrypted data and the
|
2165
|
+
# encrypted data key to Region B. When necessary, you can decrypt the
|
2166
|
+
# encrypted data key and the encrypted data entirely within in Region
|
2167
|
+
# B.
|
2150
2168
|
#
|
2151
2169
|
# You don't need to use the `Encrypt` operation to encrypt a data key.
|
2152
2170
|
# The GenerateDataKey and GenerateDataKeyPair operations return a
|
@@ -2246,9 +2264,10 @@ module Aws::KMS
|
|
2246
2264
|
#
|
2247
2265
|
# @option params [Hash<String,String>] :encryption_context
|
2248
2266
|
# Specifies the encryption context that will be used to encrypt the
|
2249
|
-
# data. An encryption context is valid only for cryptographic
|
2250
|
-
# with a symmetric CMK. The standard asymmetric
|
2251
|
-
# that AWS KMS uses do not support an encryption
|
2267
|
+
# data. An encryption context is valid only for [cryptographic
|
2268
|
+
# operations][1] with a symmetric CMK. The standard asymmetric
|
2269
|
+
# encryption algorithms that AWS KMS uses do not support an encryption
|
2270
|
+
# context.
|
2252
2271
|
#
|
2253
2272
|
# An *encryption context* is a collection of non-secret key-value pairs
|
2254
2273
|
# that represents additional authenticated data. When you use an
|
@@ -2257,12 +2276,13 @@ module Aws::KMS
|
|
2257
2276
|
# encryption context is optional when encrypting with a symmetric CMK,
|
2258
2277
|
# but it is highly recommended.
|
2259
2278
|
#
|
2260
|
-
# For more information, see [Encryption Context][
|
2279
|
+
# For more information, see [Encryption Context][2] in the *AWS Key
|
2261
2280
|
# Management Service Developer Guide*.
|
2262
2281
|
#
|
2263
2282
|
#
|
2264
2283
|
#
|
2265
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
2284
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2285
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2266
2286
|
#
|
2267
2287
|
# @option params [Array<String>] :grant_tokens
|
2268
2288
|
# A list of grant tokens.
|
@@ -2333,28 +2353,22 @@ module Aws::KMS
|
|
2333
2353
|
req.send_request(options)
|
2334
2354
|
end
|
2335
2355
|
|
2336
|
-
# Generates a unique symmetric data key
|
2337
|
-
# plaintext copy of the data key and a copy that is
|
2338
|
-
# customer master key (CMK) that you specify. You can
|
2339
|
-
# key to encrypt your data outside of AWS KMS and
|
2340
|
-
# data key with the encrypted data.
|
2356
|
+
# Generates a unique symmetric data key for client-side encryption. This
|
2357
|
+
# operation returns a plaintext copy of the data key and a copy that is
|
2358
|
+
# encrypted under a customer master key (CMK) that you specify. You can
|
2359
|
+
# use the plaintext key to encrypt your data outside of AWS KMS and
|
2360
|
+
# store the encrypted data key with the encrypted data.
|
2341
2361
|
#
|
2342
2362
|
# `GenerateDataKey` returns a unique data key for each request. The
|
2343
|
-
# bytes in the key are not related to the caller or CMK
|
2344
|
-
# encrypt the data key.
|
2363
|
+
# bytes in the plaintext key are not related to the caller or the CMK.
|
2345
2364
|
#
|
2346
2365
|
# To generate a data key, specify the symmetric CMK that will be used to
|
2347
2366
|
# encrypt the data key. You cannot use an asymmetric CMK to generate
|
2348
2367
|
# data keys. To get the type of your CMK, use the DescribeKey operation.
|
2349
|
-
#
|
2350
2368
|
# You must also specify the length of the data key. Use either the
|
2351
2369
|
# `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
|
2352
2370
|
# and 256-bit data keys, use the `KeySpec` parameter.
|
2353
2371
|
#
|
2354
|
-
# If the operation succeeds, the plaintext copy of the data key is in
|
2355
|
-
# the `Plaintext` field of the response, and the encrypted copy of the
|
2356
|
-
# data key in the `CiphertextBlob` field.
|
2357
|
-
#
|
2358
2372
|
# To get only an encrypted copy of the data key, use
|
2359
2373
|
# GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
|
2360
2374
|
# pair, use the GenerateDataKeyPair or
|
@@ -2365,7 +2379,7 @@ module Aws::KMS
|
|
2365
2379
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2366
2380
|
# you must specify the same encryption context (a case-sensitive exact
|
2367
2381
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2368
|
-
# to decrypt fails with an InvalidCiphertextException
|
2382
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2369
2383
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2370
2384
|
# Service Developer Guide*.
|
2371
2385
|
#
|
@@ -2373,30 +2387,40 @@ module Aws::KMS
|
|
2373
2387
|
# state. For details, see [How Key State Affects Use of a Customer
|
2374
2388
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2375
2389
|
#
|
2390
|
+
# **How to use your data key**
|
2391
|
+
#
|
2376
2392
|
# We recommend that you use the following pattern to encrypt data
|
2377
|
-
# locally in your application
|
2393
|
+
# locally in your application. You can write your own code or use a
|
2394
|
+
# client-side encryption library, such as the [AWS Encryption SDK][3],
|
2395
|
+
# the [Amazon DynamoDB Encryption Client][4], or [Amazon S3 client-side
|
2396
|
+
# encryption][5] to do these tasks for you.
|
2378
2397
|
#
|
2379
|
-
#
|
2398
|
+
# To encrypt data outside of AWS KMS:
|
2380
2399
|
#
|
2381
|
-
#
|
2382
|
-
# the response) to encrypt data locally, then erase the plaintext
|
2383
|
-
# data key from memory.
|
2400
|
+
# 1. Use the `GenerateDataKey` operation to get a data key.
|
2384
2401
|
#
|
2385
|
-
#
|
2386
|
-
#
|
2402
|
+
# 2. Use the plaintext data key (in the `Plaintext` field of the
|
2403
|
+
# response) to encrypt your data outside of AWS KMS. Then erase the
|
2404
|
+
# plaintext data key from memory.
|
2387
2405
|
#
|
2388
|
-
#
|
2406
|
+
# 3. Store the encrypted data key (in the `CiphertextBlob` field of the
|
2407
|
+
# response) with the encrypted data.
|
2408
|
+
#
|
2409
|
+
# To decrypt data outside of AWS KMS:
|
2389
2410
|
#
|
2390
2411
|
# 1. Use the Decrypt operation to decrypt the encrypted data key. The
|
2391
2412
|
# operation returns a plaintext copy of the data key.
|
2392
2413
|
#
|
2393
|
-
# 2. Use the plaintext data key to decrypt data
|
2394
|
-
# plaintext data key from memory.
|
2414
|
+
# 2. Use the plaintext data key to decrypt data outside of AWS KMS,
|
2415
|
+
# then erase the plaintext data key from memory.
|
2395
2416
|
#
|
2396
2417
|
#
|
2397
2418
|
#
|
2398
2419
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2399
2420
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2421
|
+
# [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
2422
|
+
# [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
2423
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
2400
2424
|
#
|
2401
2425
|
# @option params [required, String] :key_id
|
2402
2426
|
# Identifies the symmetric CMK that encrypts the data key.
|
@@ -2534,8 +2558,8 @@ module Aws::KMS
|
|
2534
2558
|
#
|
2535
2559
|
# To generate a data key pair, you must specify a symmetric customer
|
2536
2560
|
# master key (CMK) to encrypt the private key in a data key pair. You
|
2537
|
-
# cannot use an asymmetric CMK
|
2538
|
-
# DescribeKey operation.
|
2561
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2562
|
+
# the type and origin of your CMK, use the DescribeKey operation.
|
2539
2563
|
#
|
2540
2564
|
# If you are using the data key pair to encrypt data, or for any
|
2541
2565
|
# operation where you don't immediately need a private key, consider
|
@@ -2550,7 +2574,7 @@ module Aws::KMS
|
|
2550
2574
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2551
2575
|
# you must specify the same encryption context (a case-sensitive exact
|
2552
2576
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2553
|
-
# to decrypt fails with an InvalidCiphertextException
|
2577
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2554
2578
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2555
2579
|
# Service Developer Guide*.
|
2556
2580
|
#
|
@@ -2583,7 +2607,9 @@ module Aws::KMS
|
|
2583
2607
|
#
|
2584
2608
|
# @option params [required, String] :key_id
|
2585
2609
|
# Specifies the symmetric CMK that encrypts the private key in the data
|
2586
|
-
# key pair. You cannot specify an asymmetric
|
2610
|
+
# key pair. You cannot specify an asymmetric CMK or a CMK in a custom
|
2611
|
+
# key store. To get the type and origin of your CMK, use the DescribeKey
|
2612
|
+
# operation.
|
2587
2613
|
#
|
2588
2614
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2589
2615
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2666,8 +2692,9 @@ module Aws::KMS
|
|
2666
2692
|
#
|
2667
2693
|
# To generate a data key pair, you must specify a symmetric customer
|
2668
2694
|
# master key (CMK) to encrypt the private key in the data key pair. You
|
2669
|
-
# cannot use an asymmetric CMK
|
2670
|
-
# `KeySpec` field in the
|
2695
|
+
# cannot use an asymmetric CMK or a CMK in a custom key store. To get
|
2696
|
+
# the type and origin of your CMK, use the `KeySpec` field in the
|
2697
|
+
# DescribeKey response.
|
2671
2698
|
#
|
2672
2699
|
# You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
|
2673
2700
|
# returns to encrypt data or verify a signature outside of AWS KMS.
|
@@ -2683,7 +2710,7 @@ module Aws::KMS
|
|
2683
2710
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2684
2711
|
# you must specify the same encryption context (a case-sensitive exact
|
2685
2712
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2686
|
-
# to decrypt fails with an InvalidCiphertextException
|
2713
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2687
2714
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2688
2715
|
# Service Developer Guide*.
|
2689
2716
|
#
|
@@ -2716,8 +2743,9 @@ module Aws::KMS
|
|
2716
2743
|
#
|
2717
2744
|
# @option params [required, String] :key_id
|
2718
2745
|
# Specifies the CMK that encrypts the private key in the data key pair.
|
2719
|
-
# You must specify a symmetric CMK. You cannot use an asymmetric CMK
|
2720
|
-
# get the type of your CMK,
|
2746
|
+
# You must specify a symmetric CMK. You cannot use an asymmetric CMK or
|
2747
|
+
# a CMK in a custom key store. To get the type and origin of your CMK,
|
2748
|
+
# use the DescribeKey operation.
|
2721
2749
|
#
|
2722
2750
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2723
2751
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2826,7 +2854,7 @@ module Aws::KMS
|
|
2826
2854
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
2827
2855
|
# you must specify the same encryption context (a case-sensitive exact
|
2828
2856
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
2829
|
-
# to decrypt fails with an InvalidCiphertextException
|
2857
|
+
# to decrypt fails with an `InvalidCiphertextException`. For more
|
2830
2858
|
# information, see [Encryption Context][1] in the *AWS Key Management
|
2831
2859
|
# Service Developer Guide*.
|
2832
2860
|
#
|
@@ -3660,6 +3688,19 @@ module Aws::KMS
|
|
3660
3688
|
# To perform this operation on a CMK in a different AWS account, specify
|
3661
3689
|
# the key ARN in the value of the `KeyId` parameter.
|
3662
3690
|
#
|
3691
|
+
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
3692
|
+
# contains the user or role designated as the grantee principal in the
|
3693
|
+
# grant. However, when the grantee principal in the grant is an AWS
|
3694
|
+
# service, the `GranteePrincipal` field contains the [service
|
3695
|
+
# principal][1], which might represent several different grantee
|
3696
|
+
# principals.
|
3697
|
+
#
|
3698
|
+
# </note>
|
3699
|
+
#
|
3700
|
+
#
|
3701
|
+
#
|
3702
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
3703
|
+
#
|
3663
3704
|
# @option params [Integer] :limit
|
3664
3705
|
# Use this parameter to specify the maximum number of items to return.
|
3665
3706
|
# When this value is present, AWS KMS does not return more than the
|
@@ -4289,16 +4330,16 @@ module Aws::KMS
|
|
4289
4330
|
# under which data is encrypted, such as when you [manually rotate][1] a
|
4290
4331
|
# CMK or change the CMK that protects a ciphertext. You can also use it
|
4291
4332
|
# to reencrypt ciphertext under the same CMK, such as to change the
|
4292
|
-
# encryption context of a ciphertext.
|
4333
|
+
# [encryption context][2] of a ciphertext.
|
4293
4334
|
#
|
4294
4335
|
# The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
|
4295
4336
|
# using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
|
4296
4337
|
# GenerateDataKey. It can also decrypt ciphertext that was encrypted by
|
4297
|
-
# using the public key of an asymmetric CMK outside of AWS KMS.
|
4298
|
-
# it cannot decrypt ciphertext produced by other libraries,
|
4299
|
-
# [AWS Encryption SDK][
|
4300
|
-
# These libraries return a ciphertext format that is
|
4301
|
-
# AWS KMS.
|
4338
|
+
# using the public key of an [asymmetric CMK][3] outside of AWS KMS.
|
4339
|
+
# However, it cannot decrypt ciphertext produced by other libraries,
|
4340
|
+
# such as the [AWS Encryption SDK][4] or [Amazon S3 client-side
|
4341
|
+
# encryption][5]. These libraries return a ciphertext format that is
|
4342
|
+
# incompatible with AWS KMS.
|
4302
4343
|
#
|
4303
4344
|
# When you use the `ReEncrypt` operation, you need to provide
|
4304
4345
|
# information for the decrypt operation and the subsequent encrypt
|
@@ -4336,29 +4377,30 @@ module Aws::KMS
|
|
4336
4377
|
# Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
|
4337
4378
|
# permissions:
|
4338
4379
|
#
|
4339
|
-
# * `kms:
|
4380
|
+
# * `kms:ReEncryptFrom` permission on the source CMK
|
4340
4381
|
#
|
4341
|
-
# * `kms:
|
4382
|
+
# * `kms:ReEncryptTo` permission on the destination CMK
|
4342
4383
|
#
|
4343
|
-
# To permit reencryption from
|
4344
|
-
#
|
4345
|
-
#
|
4346
|
-
#
|
4347
|
-
#
|
4348
|
-
#
|
4349
|
-
# PutKeyPolicy operation set a key policy.
|
4384
|
+
# To permit reencryption from or to a CMK, include the
|
4385
|
+
# `"kms:ReEncrypt*"` permission in your [key policy][6]. This permission
|
4386
|
+
# is automatically included in the key policy when you use the console
|
4387
|
+
# to create a CMK. But you must include it manually when you create a
|
4388
|
+
# CMK programmatically or when you use the PutKeyPolicy operation to set
|
4389
|
+
# a key policy.
|
4350
4390
|
#
|
4351
4391
|
# The CMK that you use for this operation must be in a compatible key
|
4352
4392
|
# state. For details, see [How Key State Affects Use of a Customer
|
4353
|
-
# Master Key][
|
4393
|
+
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
4354
4394
|
#
|
4355
4395
|
#
|
4356
4396
|
#
|
4357
4397
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
|
4358
|
-
# [2]: https://docs.aws.amazon.com/
|
4359
|
-
# [3]: https://docs.aws.amazon.com/
|
4360
|
-
# [4]: https://docs.aws.amazon.com/
|
4361
|
-
# [5]: https://docs.aws.amazon.com/
|
4398
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4399
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
4400
|
+
# [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4401
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4402
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4403
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4362
4404
|
#
|
4363
4405
|
# @option params [required, String, IO] :ciphertext_blob
|
4364
4406
|
# Ciphertext of the data to reencrypt.
|
@@ -5437,7 +5479,7 @@ module Aws::KMS
|
|
5437
5479
|
params: params,
|
5438
5480
|
config: config)
|
5439
5481
|
context[:gem_name] = 'aws-sdk-kms'
|
5440
|
-
context[:gem_version] = '1.
|
5482
|
+
context[:gem_version] = '1.36.0'
|
5441
5483
|
Seahorse::Client::Request.new(handlers, context)
|
5442
5484
|
end
|
5443
5485
|
|