aws-sdk-kms 1.35.0 → 1.40.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +3 -2
- data/lib/aws-sdk-kms/client.rb +984 -244
- data/lib/aws-sdk-kms/client_api.rb +2 -0
- data/lib/aws-sdk-kms/types.rb +123 -55
- metadata +4 -4
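--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6bf5d7d6190e97a932c923b974e00336bd9f011ce2a0f109a44897f6a19fc876
+data.tar.gz: 62336c63a81cc1542c704405bc28156b43e90475444d12b97f647a2a98d56c33
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e1e0ff07094584becfe74a24f482fa936b9819d5c2dca733a50c171254fffab3978d0828149a8ce85a0eab03e1b7b3969c0342253b42d8333ad213e7ce33da0
+data.tar.gz: ad825d989dd35a99d9f7663e62591c7d926b4bd8ff583d4d8e750ccb9e3cd3009f80046a000239f238bd0faf19e3a386f84fb20b02b8e87c3c85d7a73345946a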
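--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -7,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -44,9 +45,9 @@ require_relative 'aws-sdk-kms/customizations'
 #
 # See {Errors} for more information.
 #
-#
+# @!group service
 module Aws::KMS
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.40.0'
 
 end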
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -85,13 +85,28 @@ module Aws::KMS
|
|
85
85
|
# * `Aws::Credentials` - Used for configuring static, non-refreshing
|
86
86
|
# credentials.
|
87
87
|
#
|
88
|
+
# * `Aws::SharedCredentials` - Used for loading static credentials from a
|
89
|
+
# shared file, such as `~/.aws/config`.
|
90
|
+
#
|
91
|
+
# * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
92
|
+
#
|
93
|
+
# * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
94
|
+
# assume a role after providing credentials via the web.
|
95
|
+
#
|
96
|
+
# * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
97
|
+
# access token generated from `aws login`.
|
98
|
+
#
|
99
|
+
# * `Aws::ProcessCredentials` - Used for loading credentials from a
|
100
|
+
# process that outputs to stdout.
|
101
|
+
#
|
88
102
|
# * `Aws::InstanceProfileCredentials` - Used for loading credentials
|
89
103
|
# from an EC2 IMDS on an EC2 instance.
|
90
104
|
#
|
91
|
-
# * `Aws::
|
92
|
-
#
|
105
|
+
# * `Aws::ECSCredentials` - Used for loading credentials from
|
106
|
+
# instances running in ECS.
|
93
107
|
#
|
94
|
-
# * `Aws::
|
108
|
+
# * `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
109
|
+
# from the Cognito Identity service.
|
95
110
|
#
|
96
111
|
# When `:credentials` are not configured directly, the following
|
97
112
|
# locations will be searched for credentials:
|
@@ -101,10 +116,10 @@ module Aws::KMS
|
|
101
116
|
# * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
102
117
|
# * `~/.aws/credentials`
|
103
118
|
# * `~/.aws/config`
|
104
|
-
# * EC2 IMDS instance profile - When used by default, the timeouts
|
105
|
-
# very aggressive. Construct and pass an instance of
|
106
|
-
# `Aws::InstanceProfileCredentails`
|
107
|
-
# timeouts.
|
119
|
+
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
|
+
# are very aggressive. Construct and pass an instance of
|
121
|
+
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
+
# enable retries and extended timeouts.
|
108
123
|
#
|
109
124
|
# @option options [required, String] :region
|
110
125
|
# The AWS region to connect to. The configured `:region` is
|
@@ -324,8 +339,7 @@ module Aws::KMS
|
|
324
339
|
|
325
340
|
# Cancels the deletion of a customer master key (CMK). When this
|
326
341
|
# operation succeeds, the key state of the CMK is `Disabled`. To enable
|
327
|
-
# the CMK, use EnableKey.
|
328
|
-
# a different AWS account.
|
342
|
+
# the CMK, use EnableKey.
|
329
343
|
#
|
330
344
|
# For more information about scheduling and canceling deletion of a CMK,
|
331
345
|
# see [Deleting Customer Master Keys][1] in the *AWS Key Management
|
@@ -335,10 +349,18 @@ module Aws::KMS
|
|
335
349
|
# state. For details, see [How Key State Affects Use of a Customer
|
336
350
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
337
351
|
#
|
352
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
353
|
+
# in a different AWS account.
|
354
|
+
#
|
355
|
+
# **Required permissions**\: [kms:CancelKeyDeletion][3] (key policy)
|
356
|
+
#
|
357
|
+
# **Related operations**\: ScheduleKeyDeletion
|
358
|
+
#
|
338
359
|
#
|
339
360
|
#
|
340
361
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
341
362
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
363
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
342
364
|
#
|
343
365
|
# @option params [required, String] :key_id
|
344
366
|
# The unique identifier for the customer master key (CMK) for which to
|
@@ -433,6 +455,23 @@ module Aws::KMS
|
|
433
455
|
# store, see [Troubleshooting a Custom Key Store][5] in the *AWS Key
|
434
456
|
# Management Service Developer Guide*.
|
435
457
|
#
|
458
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
459
|
+
# custom key store in a different AWS account.
|
460
|
+
#
|
461
|
+
# **Required permissions**\: [kms:ConnectCustomKeyStore][6] (IAM policy)
|
462
|
+
#
|
463
|
+
# **Related operations**
|
464
|
+
#
|
465
|
+
# * CreateCustomKeyStore
|
466
|
+
#
|
467
|
+
# * DeleteCustomKeyStore
|
468
|
+
#
|
469
|
+
# * DescribeCustomKeyStores
|
470
|
+
#
|
471
|
+
# * DisconnectCustomKeyStore
|
472
|
+
#
|
473
|
+
# * UpdateCustomKeyStore
|
474
|
+
#
|
436
475
|
#
|
437
476
|
#
|
438
477
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
@@ -440,6 +479,7 @@ module Aws::KMS
|
|
440
479
|
# [3]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html
|
441
480
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
442
481
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
482
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
443
483
|
#
|
444
484
|
# @option params [required, String] :custom_key_store_id
|
445
485
|
# Enter the key store ID of the custom key store that you want to
|
@@ -463,96 +503,98 @@ module Aws::KMS
|
|
463
503
|
req.send_request(options)
|
464
504
|
end
|
465
505
|
|
466
|
-
# Creates a
|
467
|
-
#
|
468
|
-
# operations][1], such as Encrypt and
|
469
|
-
#
|
470
|
-
#
|
471
|
-
#
|
472
|
-
#
|
473
|
-
#
|
474
|
-
#
|
475
|
-
#
|
476
|
-
#
|
477
|
-
#
|
478
|
-
# an
|
479
|
-
#
|
480
|
-
#
|
506
|
+
# Creates a friendly name for a customer master key (CMK). You can use
|
507
|
+
# an alias to identify a CMK in the AWS KMS console, in the DescribeKey
|
508
|
+
# operation and in [cryptographic operations][1], such as Encrypt and
|
509
|
+
# GenerateDataKey.
|
510
|
+
#
|
511
|
+
# You can also change the CMK that's associated with the alias
|
512
|
+
# (UpdateAlias) or delete the alias (DeleteAlias) at any time. These
|
513
|
+
# operations don't affect the underlying CMK.
|
514
|
+
#
|
515
|
+
# You can associate the alias with any customer managed CMK in the same
|
516
|
+
# AWS Region. Each alias is associated with only on CMK at a time, but a
|
517
|
+
# CMK can have multiple aliases. A valid CMK is required. You can't
|
518
|
+
# create an alias without a CMK.
|
519
|
+
#
|
520
|
+
# The alias must be unique in the account and Region, but you can have
|
521
|
+
# aliases with the same name in different Regions. For detailed
|
522
|
+
# information about aliases, see [Using aliases][2] in the *AWS Key
|
523
|
+
# Management Service Developer Guide*.
|
481
524
|
#
|
482
525
|
# This operation does not return a response. To get the alias that you
|
483
526
|
# created, use the ListAliases operation.
|
484
527
|
#
|
485
|
-
#
|
528
|
+
# The CMK that you use for this operation must be in a compatible key
|
529
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
530
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
486
531
|
#
|
487
|
-
#
|
488
|
-
#
|
489
|
-
# in the same AWS account and Region.
|
532
|
+
# **Cross-account use**\: No. You cannot perform this operation on an
|
533
|
+
# alias in a different AWS account.
|
490
534
|
#
|
491
|
-
#
|
492
|
-
# AWS account and Region. However, you do not have permission to
|
493
|
-
# associate an alias with an [AWS managed CMK][2] or an [AWS owned
|
494
|
-
# CMK][3].
|
535
|
+
# **Required permissions**
|
495
536
|
#
|
496
|
-
# *
|
497
|
-
# operation. The current CMK and the new CMK must be the same type
|
498
|
-
# (both symmetric or both asymmetric) and they must have the same key
|
499
|
-
# usage (`ENCRYPT_DECRYPT` or `SIGN_VERIFY`). This restriction
|
500
|
-
# prevents cryptographic errors in code that uses aliases.
|
501
|
-
#
|
502
|
-
# * The alias name must begin with `alias/` followed by a name, such as
|
503
|
-
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
504
|
-
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
505
|
-
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
506
|
-
# reserved for [AWS managed CMKs][2].
|
507
|
-
#
|
508
|
-
# * The alias name must be unique within an AWS Region. However, you can
|
509
|
-
# use the same alias name in multiple Regions of the same AWS account.
|
510
|
-
# Each instance of the alias is associated with a CMK in its Region.
|
511
|
-
#
|
512
|
-
# * After you create an alias, you cannot change its alias name.
|
513
|
-
# However, you can use the DeleteAlias operation to delete the alias
|
514
|
-
# and then create a new alias with the desired name.
|
515
|
-
#
|
516
|
-
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
517
|
-
# [cryptographic operations][1] and in the DescribeKey operation.
|
518
|
-
# However, you cannot use alias names or alias ARNs in API operations
|
519
|
-
# that manage CMKs, such as DisableKey or GetKeyPolicy. For
|
520
|
-
# information about the valid CMK identifiers for each AWS KMS API
|
521
|
-
# operation, see the descriptions of the `KeyId` parameter in the API
|
522
|
-
# operation documentation.
|
537
|
+
# * [kms:CreateAlias][4] on the alias (IAM policy).
|
523
538
|
#
|
524
|
-
#
|
525
|
-
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
526
|
-
# appear in the response from the DescribeKey operation. To get the
|
527
|
-
# aliases and alias ARNs of CMKs in each AWS account and Region, use the
|
528
|
-
# ListAliases operation.
|
539
|
+
# * [kms:CreateAlias][4] on the CMK (key policy).
|
529
540
|
#
|
530
|
-
#
|
531
|
-
#
|
532
|
-
#
|
541
|
+
# For details, see [Controlling access to aliases][5] in the *AWS Key
|
542
|
+
# Management Service Developer Guide*.
|
543
|
+
#
|
544
|
+
# **Related operations:**
|
545
|
+
#
|
546
|
+
# * DeleteAlias
|
547
|
+
#
|
548
|
+
# * ListAliases
|
549
|
+
#
|
550
|
+
# * UpdateAlias
|
533
551
|
#
|
534
552
|
#
|
535
553
|
#
|
536
554
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
537
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
538
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
539
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
555
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
556
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
557
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
558
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
540
559
|
#
|
541
560
|
# @option params [required, String] :alias_name
|
542
561
|
# Specifies the alias name. This value must begin with `alias/` followed
|
543
|
-
# by a name, such as `alias/ExampleAlias`.
|
544
|
-
#
|
545
|
-
#
|
562
|
+
# by a name, such as `alias/ExampleAlias`.
|
563
|
+
#
|
564
|
+
# The `AliasName` value must be string of 1-256 characters. It can
|
565
|
+
# contain only alphanumeric characters, forward slashes (/), underscores
|
566
|
+
# (\_), and dashes (-). The alias name cannot begin with `alias/aws/`.
|
567
|
+
# The `alias/aws/` prefix is reserved for [AWS managed CMKs][1].
|
568
|
+
#
|
569
|
+
#
|
570
|
+
#
|
571
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
546
572
|
#
|
547
573
|
# @option params [required, String] :target_key_id
|
548
|
-
#
|
549
|
-
#
|
550
|
-
#
|
551
|
-
#
|
574
|
+
# Associates the alias with the specified [customer managed CMK][1]. The
|
575
|
+
# CMK must be in the same AWS Region.
|
576
|
+
#
|
577
|
+
# A valid CMK ID is required. If you supply a null or empty string
|
578
|
+
# value, this operation returns an error.
|
579
|
+
#
|
580
|
+
# For help finding the key ID and ARN, see [Finding the Key ID and
|
581
|
+
# ARN][2] in the *AWS Key Management Service Developer Guide*.
|
582
|
+
#
|
583
|
+
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
552
584
|
#
|
585
|
+
# For example:
|
553
586
|
#
|
587
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
554
588
|
#
|
555
|
-
#
|
589
|
+
# * Key ARN:
|
590
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
591
|
+
#
|
592
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
593
|
+
#
|
594
|
+
#
|
595
|
+
#
|
596
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
597
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn
|
556
598
|
#
|
557
599
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
558
600
|
#
|
@@ -606,12 +648,30 @@ module Aws::KMS
|
|
606
648
|
# For help with failures, see [Troubleshooting a Custom Key Store][4] in
|
607
649
|
# the *AWS Key Management Service Developer Guide*.
|
608
650
|
#
|
651
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
652
|
+
# custom key store in a different AWS account.
|
653
|
+
#
|
654
|
+
# **Required permissions**\: [kms:CreateCustomKeyStore][5] (IAM policy).
|
655
|
+
#
|
656
|
+
# **Related operations:**
|
657
|
+
#
|
658
|
+
# * ConnectCustomKeyStore
|
659
|
+
#
|
660
|
+
# * DeleteCustomKeyStore
|
661
|
+
#
|
662
|
+
# * DescribeCustomKeyStores
|
663
|
+
#
|
664
|
+
# * DisconnectCustomKeyStore
|
665
|
+
#
|
666
|
+
# * UpdateCustomKeyStore
|
667
|
+
#
|
609
668
|
#
|
610
669
|
#
|
611
670
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
612
671
|
# [2]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html
|
613
672
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
614
673
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
674
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
615
675
|
#
|
616
676
|
# @option params [required, String] :custom_key_store_name
|
617
677
|
# Specifies a friendly name for the custom key store. The name must be
|
@@ -713,17 +773,29 @@ module Aws::KMS
|
|
713
773
|
#
|
714
774
|
# For information about symmetric and asymmetric CMKs, see [Using
|
715
775
|
# Symmetric and Asymmetric CMKs][8] in the *AWS Key Management Service
|
716
|
-
# Developer Guide*.
|
717
|
-
#
|
718
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
719
|
-
# the key ARN in the value of the `KeyId` parameter. For more
|
720
|
-
# information about grants, see [Grants][9] in the <i> <i>AWS Key
|
721
|
-
# Management Service Developer Guide</i> </i>.
|
776
|
+
# Developer Guide*. For more information about grants, see [Grants][9]
|
777
|
+
# in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
|
722
778
|
#
|
723
779
|
# The CMK that you use for this operation must be in a compatible key
|
724
780
|
# state. For details, see [How Key State Affects Use of a Customer
|
725
781
|
# Master Key][10] in the *AWS Key Management Service Developer Guide*.
|
726
782
|
#
|
783
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
784
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
785
|
+
# parameter.
|
786
|
+
#
|
787
|
+
# **Required permissions**\: [kms:CreateGrant][11] (key policy)
|
788
|
+
#
|
789
|
+
# **Related operations:**
|
790
|
+
#
|
791
|
+
# * ListGrants
|
792
|
+
#
|
793
|
+
# * ListRetirableGrants
|
794
|
+
#
|
795
|
+
# * RetireGrant
|
796
|
+
#
|
797
|
+
# * RevokeGrant
|
798
|
+
#
|
727
799
|
#
|
728
800
|
#
|
729
801
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
@@ -736,6 +808,7 @@ module Aws::KMS
|
|
736
808
|
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
737
809
|
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
738
810
|
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
811
|
+
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
739
812
|
#
|
740
813
|
# @option params [required, String] :key_id
|
741
814
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -795,6 +868,10 @@ module Aws::KMS
|
|
795
868
|
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
796
869
|
# Developer Guide</i> </i>.
|
797
870
|
#
|
871
|
+
# Grant constraints are not applied to operations that do not support an
|
872
|
+
# encryption context, such as cryptographic operations with asymmetric
|
873
|
+
# CMKs and management operations, such as DescribeKey or RetireGrant.
|
874
|
+
#
|
798
875
|
#
|
799
876
|
#
|
800
877
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
@@ -811,9 +888,8 @@ module Aws::KMS
|
|
811
888
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
812
889
|
#
|
813
890
|
# @option params [String] :name
|
814
|
-
# A friendly name for
|
815
|
-
#
|
816
|
-
# request.
|
891
|
+
# A friendly name for the grant. Use this value to prevent the
|
892
|
+
# unintended creation of duplicate grants when retrying this request.
|
817
893
|
#
|
818
894
|
# When this value is absent, all `CreateGrant` requests result in a new
|
819
895
|
# grant with a unique `GrantId` even if all the supplied parameters are
|
@@ -824,8 +900,8 @@ module Aws::KMS
|
|
824
900
|
# identical parameters; if the grant already exists, the original
|
825
901
|
# `GrantId` is returned without creating a new grant. Note that the
|
826
902
|
# returned grant token is unique with every `CreateGrant` request, even
|
827
|
-
# when a duplicate `GrantId` is returned. All grant tokens
|
828
|
-
#
|
903
|
+
# when a duplicate `GrantId` is returned. All grant tokens for the same
|
904
|
+
# grant ID can be used interchangeably.
|
829
905
|
#
|
830
906
|
# @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
831
907
|
#
|
@@ -887,8 +963,7 @@ module Aws::KMS
|
|
887
963
|
end
|
888
964
|
|
889
965
|
# Creates a unique customer managed [customer master key][1] (CMK) in
|
890
|
-
# your AWS account and Region.
|
891
|
-
# CMK in a different AWS account.
|
966
|
+
# your AWS account and Region.
|
892
967
|
#
|
893
968
|
# You can use the `CreateKey` operation to create symmetric or
|
894
969
|
# asymmetric CMKs.
|
@@ -963,6 +1038,22 @@ module Aws::KMS
|
|
963
1038
|
# Stores][6] in the <i> <i>AWS Key Management Service Developer
|
964
1039
|
# Guide</i> </i>.
|
965
1040
|
#
|
1041
|
+
# **Cross-account use**\: No. You cannot use this operation to create a
|
1042
|
+
# CMK in a different AWS account.
|
1043
|
+
#
|
1044
|
+
# **Required permissions**\: [kms:CreateKey][7] (IAM policy). To use the
|
1045
|
+
# `Tags` parameter, [kms:TagResource][7] (IAM policy). For examples and
|
1046
|
+
# information about related permissions, see [Allow a user to create
|
1047
|
+
# CMKs][8] in the *AWS Key Management Service Developer Guide*.
|
1048
|
+
#
|
1049
|
+
# **Related operations:**
|
1050
|
+
#
|
1051
|
+
# * DescribeKey
|
1052
|
+
#
|
1053
|
+
# * ListKeys
|
1054
|
+
#
|
1055
|
+
# * ScheduleKeyDeletion
|
1056
|
+
#
|
966
1057
|
#
|
967
1058
|
#
|
968
1059
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys
|
@@ -971,6 +1062,8 @@ module Aws::KMS
|
|
971
1062
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
972
1063
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
973
1064
|
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1065
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1066
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
974
1067
|
#
|
975
1068
|
# @option params [String] :policy
|
976
1069
|
# The key policy to attach to the CMK.
|
@@ -1000,11 +1093,15 @@ module Aws::KMS
|
|
1000
1093
|
#
|
1001
1094
|
# The key policy size quota is 32 kilobytes (32768 bytes).
|
1002
1095
|
#
|
1096
|
+
# For help writing and formatting a JSON policy document, see the [IAM
|
1097
|
+
# JSON Policy Reference][4] in the <i> <i>IAM User Guide</i> </i>.
|
1098
|
+
#
|
1003
1099
|
#
|
1004
1100
|
#
|
1005
1101
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
1006
1102
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
1007
1103
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
1104
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
1008
1105
|
#
|
1009
1106
|
# @option params [String] :description
|
1010
1107
|
# A description of the CMK.
|
@@ -1173,9 +1270,13 @@ module Aws::KMS
|
|
1173
1270
|
# Use this parameter to tag the CMK when it is created. To add tags to
|
1174
1271
|
# an existing CMK, use the TagResource operation.
|
1175
1272
|
#
|
1273
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
1274
|
+
# in an IAM policy.
|
1275
|
+
#
|
1176
1276
|
#
|
1177
1277
|
#
|
1178
1278
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
1279
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1179
1280
|
#
|
1180
1281
|
# @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1181
1282
|
#
|
@@ -1288,35 +1389,57 @@ module Aws::KMS
|
|
1288
1389
|
# encryption][3]. These libraries return a ciphertext format that is
|
1289
1390
|
# incompatible with AWS KMS.
|
1290
1391
|
#
|
1291
|
-
# If the ciphertext was encrypted under a symmetric CMK,
|
1292
|
-
#
|
1293
|
-
#
|
1294
|
-
#
|
1295
|
-
#
|
1296
|
-
#
|
1297
|
-
# the `
|
1392
|
+
# If the ciphertext was encrypted under a symmetric CMK, the `KeyId`
|
1393
|
+
# parameter is optional. AWS KMS can get this information from metadata
|
1394
|
+
# that it adds to the symmetric ciphertext blob. This feature adds
|
1395
|
+
# durability to your implementation by ensuring that authorized users
|
1396
|
+
# can decrypt ciphertext decades after it was encrypted, even if
|
1397
|
+
# they've lost track of the CMK ID. However, specifying the CMK is
|
1398
|
+
# always recommended as a best practice. When you use the `KeyId`
|
1399
|
+
# parameter to specify a CMK, AWS KMS only uses the CMK you specify. If
|
1400
|
+
# the ciphertext was encrypted under a different CMK, the `Decrypt`
|
1401
|
+
# operation fails. This practice ensures that you use the CMK that you
|
1402
|
+
# intend.
|
1298
1403
|
#
|
1299
1404
|
# Whenever possible, use key policies to give users permission to call
|
1300
|
-
# the Decrypt operation on a particular CMK, instead of using IAM
|
1405
|
+
# the `Decrypt` operation on a particular CMK, instead of using IAM
|
1301
1406
|
# policies. Otherwise, you might create an IAM user policy that gives
|
1302
|
-
# the user Decrypt permission on all CMKs. This user could decrypt
|
1407
|
+
# the user `Decrypt` permission on all CMKs. This user could decrypt
|
1303
1408
|
# ciphertext that was encrypted by CMKs in other accounts if the key
|
1304
1409
|
# policy for the cross-account CMK permits it. If you must use an IAM
|
1305
1410
|
# policy for `Decrypt` permissions, limit the user to particular CMKs or
|
1306
|
-
# particular trusted accounts.
|
1411
|
+
# particular trusted accounts. For details, see [Best practices for IAM
|
1412
|
+
# policies][4] in the *AWS Key Management Service Developer Guide*.
|
1307
1413
|
#
|
1308
1414
|
# The CMK that you use for this operation must be in a compatible key
|
1309
1415
|
# state. For details, see [How Key State Affects Use of a Customer
|
1310
|
-
# Master Key][
|
1416
|
+
# Master Key][5] in the *AWS Key Management Service Developer Guide*.
|
1417
|
+
#
|
1418
|
+
# **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
|
1419
|
+
# in a different AWS account.
|
1420
|
+
#
|
1421
|
+
# **Required permissions**\: [kms:Decrypt][6] (key policy)
|
1422
|
+
#
|
1423
|
+
# **Related operations:**
|
1424
|
+
#
|
1425
|
+
# * Encrypt
|
1426
|
+
#
|
1427
|
+
# * GenerateDataKey
|
1428
|
+
#
|
1429
|
+
# * GenerateDataKeyPair
|
1430
|
+
#
|
1431
|
+
# * ReEncrypt
|
1311
1432
|
#
|
1312
1433
|
#
|
1313
1434
|
#
|
1314
1435
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1315
1436
|
# [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
1316
1437
|
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
1317
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1438
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
|
1439
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1440
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1318
1441
|
#
|
1319
|
-
# @option params [required, String,
|
1442
|
+
# @option params [required, String, StringIO, File] :ciphertext_blob
|
1320
1443
|
# Ciphertext to be decrypted. The blob includes metadata.
|
1321
1444
|
#
|
1322
1445
|
# @option params [Hash<String,String>] :encryption_context
|
@@ -1351,22 +1474,20 @@ module Aws::KMS
|
|
1351
1474
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
1352
1475
|
#
|
1353
1476
|
# @option params [String] :key_id
|
1354
|
-
# Specifies the customer master key (CMK) that AWS KMS
|
1355
|
-
#
|
1356
|
-
#
|
1357
|
-
#
|
1358
|
-
# If you specify a `KeyId` value, the `Decrypt` operation succeeds only
|
1359
|
-
# if the specified CMK was used to encrypt the ciphertext.
|
1477
|
+
# Specifies the customer master key (CMK) that AWS KMS uses to decrypt
|
1478
|
+
# the ciphertext. Enter a key ID of the CMK that was used to encrypt the
|
1479
|
+
# ciphertext.
|
1360
1480
|
#
|
1361
1481
|
# This parameter is required only when the ciphertext was encrypted
|
1362
|
-
# under an asymmetric CMK.
|
1363
|
-
#
|
1364
|
-
#
|
1365
|
-
#
|
1482
|
+
# under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get
|
1483
|
+
# the CMK from metadata that it adds to the symmetric ciphertext blob.
|
1484
|
+
# However, it is always recommended as a best practice. This practice
|
1485
|
+
# ensures that you use the CMK that you intend.
|
1366
1486
|
#
|
1367
1487
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1368
1488
|
# name, or alias ARN. When using an alias name, prefix it with
|
1369
|
-
# `"alias/"`.
|
1489
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
1490
|
+
# the key ARN or alias ARN.
|
1370
1491
|
#
|
1371
1492
|
# For example:
|
1372
1493
|
#
|
@@ -1406,6 +1527,7 @@ module Aws::KMS
|
|
1406
1527
|
#
|
1407
1528
|
# resp = client.decrypt({
|
1408
1529
|
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
1530
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # A key identifier for the CMK to use to decrypt the data.
|
1409
1531
|
# })
|
1410
1532
|
#
|
1411
1533
|
# resp.to_h outputs the following:
|
@@ -1441,8 +1563,7 @@ module Aws::KMS
|
|
1441
1563
|
req.send_request(options)
|
1442
1564
|
end
|
1443
1565
|
|
1444
|
-
# Deletes the specified alias.
|
1445
|
-
# alias in a different AWS account.
|
1566
|
+
# Deletes the specified alias.
|
1446
1567
|
#
|
1447
1568
|
# Because an alias is not a property of a CMK, you can delete and change
|
1448
1569
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
@@ -1454,6 +1575,31 @@ module Aws::KMS
|
|
1454
1575
|
# new alias. To associate an existing alias with a different customer
|
1455
1576
|
# master key (CMK), call UpdateAlias.
|
1456
1577
|
#
|
1578
|
+
# **Cross-account use**\: No. You cannot perform this operation on an
|
1579
|
+
# alias in a different AWS account.
|
1580
|
+
#
|
1581
|
+
# **Required permissions**
|
1582
|
+
#
|
1583
|
+
# * [kms:DeleteAlias][1] on the alias (IAM policy).
|
1584
|
+
#
|
1585
|
+
# * [kms:DeleteAlias][1] on the CMK (key policy).
|
1586
|
+
#
|
1587
|
+
# For details, see [Controlling access to aliases][2] in the *AWS Key
|
1588
|
+
# Management Service Developer Guide*.
|
1589
|
+
#
|
1590
|
+
# **Related operations:**
|
1591
|
+
#
|
1592
|
+
# * CreateAlias
|
1593
|
+
#
|
1594
|
+
# * ListAliases
|
1595
|
+
#
|
1596
|
+
# * UpdateAlias
|
1597
|
+
#
|
1598
|
+
#
|
1599
|
+
#
|
1600
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1601
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
1602
|
+
#
|
1457
1603
|
# @option params [required, String] :alias_name
|
1458
1604
|
# The alias to be deleted. The alias name must begin with `alias/`
|
1459
1605
|
# followed by the alias name, such as `alias/ExampleAlias`.
|
@@ -1516,12 +1662,30 @@ module Aws::KMS
|
|
1516
1662
|
# AWS KMS, which combines the convenience and extensive integration of
|
1517
1663
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
1518
1664
|
#
|
1665
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
1666
|
+
# custom key store in a different AWS account.
|
1667
|
+
#
|
1668
|
+
# **Required permissions**\: [kms:DeleteCustomKeyStore][5] (IAM policy)
|
1669
|
+
#
|
1670
|
+
# **Related operations:**
|
1671
|
+
#
|
1672
|
+
# * ConnectCustomKeyStore
|
1673
|
+
#
|
1674
|
+
# * CreateCustomKeyStore
|
1675
|
+
#
|
1676
|
+
# * DescribeCustomKeyStores
|
1677
|
+
#
|
1678
|
+
# * DisconnectCustomKeyStore
|
1679
|
+
#
|
1680
|
+
# * UpdateCustomKeyStore
|
1681
|
+
#
|
1519
1682
|
#
|
1520
1683
|
#
|
1521
1684
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1522
1685
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1523
1686
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1524
1687
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
1688
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1525
1689
|
#
|
1526
1690
|
# @option params [required, String] :custom_key_store_id
|
1527
1691
|
# Enter the ID of the custom key store you want to delete. To find the
|
@@ -1548,7 +1712,6 @@ module Aws::KMS
|
|
1548
1712
|
# makes the specified customer master key (CMK) unusable. For more
|
1549
1713
|
# information about importing key material into AWS KMS, see [Importing
|
1550
1714
|
# Key Material][1] in the *AWS Key Management Service Developer Guide*.
|
1551
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
1552
1715
|
#
|
1553
1716
|
# When the specified CMK is in the `PendingDeletion` state, this
|
1554
1717
|
# operation does not change the CMK's state. Otherwise, it changes the
|
@@ -1561,10 +1724,23 @@ module Aws::KMS
|
|
1561
1724
|
# state. For details, see [How Key State Affects Use of a Customer
|
1562
1725
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1563
1726
|
#
|
1727
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
1728
|
+
# in a different AWS account.
|
1729
|
+
#
|
1730
|
+
# **Required permissions**\: [kms:DeleteImportedKeyMaterial][3] (key
|
1731
|
+
# policy)
|
1732
|
+
#
|
1733
|
+
# **Related operations:**
|
1734
|
+
#
|
1735
|
+
# * GetParametersForImport
|
1736
|
+
#
|
1737
|
+
# * ImportKeyMaterial
|
1738
|
+
#
|
1564
1739
|
#
|
1565
1740
|
#
|
1566
1741
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1567
1742
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1743
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1568
1744
|
#
|
1569
1745
|
# @option params [required, String] :key_id
|
1570
1746
|
# Identifies the CMK from which you are deleting imported key material.
|
@@ -1637,10 +1813,29 @@ module Aws::KMS
|
|
1637
1813
|
# Custom Key Stores][2] topic in the *AWS Key Management Service
|
1638
1814
|
# Developer Guide*.
|
1639
1815
|
#
|
1816
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
1817
|
+
# custom key store in a different AWS account.
|
1818
|
+
#
|
1819
|
+
# **Required permissions**\: [kms:DescribeCustomKeyStores][3] (IAM
|
1820
|
+
# policy)
|
1821
|
+
#
|
1822
|
+
# **Related operations:**
|
1823
|
+
#
|
1824
|
+
# * ConnectCustomKeyStore
|
1825
|
+
#
|
1826
|
+
# * CreateCustomKeyStore
|
1827
|
+
#
|
1828
|
+
# * DeleteCustomKeyStore
|
1829
|
+
#
|
1830
|
+
# * DisconnectCustomKeyStore
|
1831
|
+
#
|
1832
|
+
# * UpdateCustomKeyStore
|
1833
|
+
#
|
1640
1834
|
#
|
1641
1835
|
#
|
1642
1836
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1643
1837
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html
|
1838
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1644
1839
|
#
|
1645
1840
|
# @option params [String] :custom_key_store_id
|
1646
1841
|
# Gets only information about the specified custom key store. Enter the
|
@@ -1742,8 +1937,27 @@ module Aws::KMS
|
|
1742
1937
|
# CMK][4]. Then, it associates the alias with the new CMK, and returns
|
1743
1938
|
# the `KeyId` and `Arn` of the new CMK in the response.
|
1744
1939
|
#
|
1745
|
-
# To perform this operation
|
1746
|
-
# the key ARN or alias ARN in the value
|
1940
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
1941
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
1942
|
+
# of the `KeyId` parameter.
|
1943
|
+
#
|
1944
|
+
# **Required permissions**\: [kms:DescribeKey][5] (key policy)
|
1945
|
+
#
|
1946
|
+
# **Related operations:**
|
1947
|
+
#
|
1948
|
+
# * GetKeyPolicy
|
1949
|
+
#
|
1950
|
+
# * GetKeyRotationStatus
|
1951
|
+
#
|
1952
|
+
# * ListAliases
|
1953
|
+
#
|
1954
|
+
# * ListGrants
|
1955
|
+
#
|
1956
|
+
# * ListKeys
|
1957
|
+
#
|
1958
|
+
# * ListResourceTags
|
1959
|
+
#
|
1960
|
+
# * ListRetirableGrants
|
1747
1961
|
#
|
1748
1962
|
#
|
1749
1963
|
#
|
@@ -1751,6 +1965,7 @@ module Aws::KMS
|
|
1751
1965
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1752
1966
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
|
1753
1967
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1968
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1754
1969
|
#
|
1755
1970
|
# @option params [required, String] :key_id
|
1756
1971
|
# Describes the specified customer master key (CMK).
|
@@ -1860,9 +2075,8 @@ module Aws::KMS
|
|
1860
2075
|
req.send_request(options)
|
1861
2076
|
end
|
1862
2077
|
|
1863
|
-
# Sets the state of a customer master key (CMK) to disabled
|
1864
|
-
#
|
1865
|
-
# perform this operation on a CMK in a different AWS account.
|
2078
|
+
# Sets the state of a customer master key (CMK) to disabled. This change
|
2079
|
+
# temporarily prevents use of the CMK for [cryptographic operations][1].
|
1866
2080
|
#
|
1867
2081
|
# For more information about how key state affects the use of a CMK, see
|
1868
2082
|
# [How Key State Affects the Use of a Customer Master Key][2] in the <i>
|
@@ -1872,10 +2086,18 @@ module Aws::KMS
|
|
1872
2086
|
# state. For details, see [How Key State Affects Use of a Customer
|
1873
2087
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1874
2088
|
#
|
2089
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2090
|
+
# in a different AWS account.
|
2091
|
+
#
|
2092
|
+
# **Required permissions**\: [kms:DisableKey][3] (key policy)
|
2093
|
+
#
|
2094
|
+
# **Related operations**\: EnableKey
|
2095
|
+
#
|
1875
2096
|
#
|
1876
2097
|
#
|
1877
2098
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1878
2099
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2100
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1879
2101
|
#
|
1880
2102
|
# @option params [required, String] :key_id
|
1881
2103
|
# A unique identifier for the customer master key (CMK).
|
@@ -1921,23 +2143,34 @@ module Aws::KMS
|
|
1921
2143
|
# symmetric customer master key (CMK).
|
1922
2144
|
#
|
1923
2145
|
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
1924
|
-
# imported key material, or CMKs in a [custom key store][2].
|
1925
|
-
# perform this operation on a CMK in a different AWS account.
|
2146
|
+
# imported key material, or CMKs in a [custom key store][2].
|
1926
2147
|
#
|
1927
2148
|
# The CMK that you use for this operation must be in a compatible key
|
1928
2149
|
# state. For details, see [How Key State Affects Use of a Customer
|
1929
2150
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
1930
2151
|
#
|
2152
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2153
|
+
# in a different AWS account.
|
2154
|
+
#
|
2155
|
+
# **Required permissions**\: [kms:DisableKeyRotation][4] (key policy)
|
2156
|
+
#
|
2157
|
+
# **Related operations:**
|
2158
|
+
#
|
2159
|
+
# * EnableKeyRotation
|
2160
|
+
#
|
2161
|
+
# * GetKeyRotationStatus
|
2162
|
+
#
|
1931
2163
|
#
|
1932
2164
|
#
|
1933
2165
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
1934
2166
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1935
2167
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2168
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1936
2169
|
#
|
1937
2170
|
# @option params [required, String] :key_id
|
1938
|
-
# Identifies a symmetric customer master key (CMK). You cannot enable
|
1939
|
-
# automatic rotation of [asymmetric CMKs][1], CMKs with
|
1940
|
-
# material][2], or CMKs in a [custom key store][3].
|
2171
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable or
|
2172
|
+
# disable automatic rotation of [asymmetric CMKs][1], CMKs with
|
2173
|
+
# [imported key material][2], or CMKs in a [custom key store][3].
|
1941
2174
|
#
|
1942
2175
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
1943
2176
|
#
|
@@ -2008,10 +2241,29 @@ module Aws::KMS
|
|
2008
2241
|
# AWS KMS, which combines the convenience and extensive integration of
|
2009
2242
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
2010
2243
|
#
|
2244
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
2245
|
+
# custom key store in a different AWS account.
|
2246
|
+
#
|
2247
|
+
# **Required permissions**\: [kms:DisconnectCustomKeyStore][3] (IAM
|
2248
|
+
# policy)
|
2249
|
+
#
|
2250
|
+
# **Related operations:**
|
2251
|
+
#
|
2252
|
+
# * ConnectCustomKeyStore
|
2253
|
+
#
|
2254
|
+
# * CreateCustomKeyStore
|
2255
|
+
#
|
2256
|
+
# * DeleteCustomKeyStore
|
2257
|
+
#
|
2258
|
+
# * DescribeCustomKeyStores
|
2259
|
+
#
|
2260
|
+
# * UpdateCustomKeyStore
|
2261
|
+
#
|
2011
2262
|
#
|
2012
2263
|
#
|
2013
2264
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2014
2265
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2266
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2015
2267
|
#
|
2016
2268
|
# @option params [required, String] :custom_key_store_id
|
2017
2269
|
# Enter the ID of the custom key store you want to disconnect. To find
|
@@ -2036,17 +2288,24 @@ module Aws::KMS
|
|
2036
2288
|
end
|
2037
2289
|
|
2038
2290
|
# Sets the key state of a customer master key (CMK) to enabled. This
|
2039
|
-
# allows you to use the CMK for [cryptographic operations][1].
|
2040
|
-
# cannot perform this operation on a CMK in a different AWS account.
|
2291
|
+
# allows you to use the CMK for [cryptographic operations][1].
|
2041
2292
|
#
|
2042
2293
|
# The CMK that you use for this operation must be in a compatible key
|
2043
2294
|
# state. For details, see [How Key State Affects Use of a Customer
|
2044
2295
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2045
2296
|
#
|
2297
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2298
|
+
# in a different AWS account.
|
2299
|
+
#
|
2300
|
+
# **Required permissions**\: [kms:EnableKey][3] (key policy)
|
2301
|
+
#
|
2302
|
+
# **Related operations**\: DisableKey
|
2303
|
+
#
|
2046
2304
|
#
|
2047
2305
|
#
|
2048
2306
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
2049
2307
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2308
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2050
2309
|
#
|
2051
2310
|
# @option params [required, String] :key_id
|
2052
2311
|
# A unique identifier for the customer master key (CMK).
|
@@ -2089,8 +2348,7 @@ module Aws::KMS
|
|
2089
2348
|
end
|
2090
2349
|
|
2091
2350
|
# Enables [automatic rotation of the key material][1] for the specified
|
2092
|
-
# symmetric customer master key (CMK).
|
2093
|
-
# on a CMK in a different AWS account.
|
2351
|
+
# symmetric customer master key (CMK).
|
2094
2352
|
#
|
2095
2353
|
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
2096
2354
|
# imported key material, or CMKs in a [custom key store][2].
|
@@ -2099,11 +2357,23 @@ module Aws::KMS
|
|
2099
2357
|
# state. For details, see [How Key State Affects Use of a Customer
|
2100
2358
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
2101
2359
|
#
|
2360
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2361
|
+
# in a different AWS account.
|
2362
|
+
#
|
2363
|
+
# **Required permissions**\: [kms:EnableKeyRotation][4] (key policy)
|
2364
|
+
#
|
2365
|
+
# **Related operations:**
|
2366
|
+
#
|
2367
|
+
# * DisableKeyRotation
|
2368
|
+
#
|
2369
|
+
# * GetKeyRotationStatus
|
2370
|
+
#
|
2102
2371
|
#
|
2103
2372
|
#
|
2104
2373
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2105
2374
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2106
2375
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2376
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2107
2377
|
#
|
2108
2378
|
# @option params [required, String] :key_id
|
2109
2379
|
# Identifies a symmetric customer master key (CMK). You cannot enable
|
@@ -2229,13 +2499,25 @@ module Aws::KMS
|
|
2229
2499
|
# state. For details, see [How Key State Affects Use of a Customer
|
2230
2500
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2231
2501
|
#
|
2232
|
-
# To perform this operation
|
2233
|
-
# the key ARN or alias ARN in the value
|
2502
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2503
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2504
|
+
# of the `KeyId` parameter.
|
2505
|
+
#
|
2506
|
+
# **Required permissions**\: [kms:Encrypt][3] (key policy)
|
2507
|
+
#
|
2508
|
+
# **Related operations:**
|
2509
|
+
#
|
2510
|
+
# * Decrypt
|
2511
|
+
#
|
2512
|
+
# * GenerateDataKey
|
2513
|
+
#
|
2514
|
+
# * GenerateDataKeyPair
|
2234
2515
|
#
|
2235
2516
|
#
|
2236
2517
|
#
|
2237
2518
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2238
2519
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2520
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2239
2521
|
#
|
2240
2522
|
# @option params [required, String] :key_id
|
2241
2523
|
# A unique identifier for the customer master key (CMK).
|
@@ -2259,7 +2541,7 @@ module Aws::KMS
|
|
2259
2541
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
2260
2542
|
# To get the alias name and alias ARN, use ListAliases.
|
2261
2543
|
#
|
2262
|
-
# @option params [required, String,
|
2544
|
+
# @option params [required, String, StringIO, File] :plaintext
|
2263
2545
|
# Data to be encrypted.
|
2264
2546
|
#
|
2265
2547
|
# @option params [Hash<String,String>] :encryption_context
|
@@ -2414,6 +2696,24 @@ module Aws::KMS
|
|
2414
2696
|
# 2. Use the plaintext data key to decrypt data outside of AWS KMS,
|
2415
2697
|
# then erase the plaintext data key from memory.
|
2416
2698
|
#
|
2699
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2700
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2701
|
+
# of the `KeyId` parameter.
|
2702
|
+
#
|
2703
|
+
# **Required permissions**\: [kms:GenerateDataKey][6] (key policy)
|
2704
|
+
#
|
2705
|
+
# **Related operations:**
|
2706
|
+
#
|
2707
|
+
# * Decrypt
|
2708
|
+
#
|
2709
|
+
# * Encrypt
|
2710
|
+
#
|
2711
|
+
# * GenerateDataKeyPair
|
2712
|
+
#
|
2713
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
2714
|
+
#
|
2715
|
+
# * GenerateDataKeyWithoutPlaintext
|
2716
|
+
#
|
2417
2717
|
#
|
2418
2718
|
#
|
2419
2719
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
@@ -2421,6 +2721,7 @@ module Aws::KMS
|
|
2421
2721
|
# [3]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
2422
2722
|
# [4]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
2423
2723
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
2724
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2424
2725
|
#
|
2425
2726
|
# @option params [required, String] :key_id
|
2426
2727
|
# Identifies the symmetric CMK that encrypts the data key.
|
@@ -2582,10 +2883,29 @@ module Aws::KMS
|
|
2582
2883
|
# state. For details, see [How Key State Affects Use of a Customer
|
2583
2884
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2584
2885
|
#
|
2886
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2887
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
2888
|
+
# of the `KeyId` parameter.
|
2889
|
+
#
|
2890
|
+
# **Required permissions**\: [kms:GenerateDataKeyPair][3] (key policy)
|
2891
|
+
#
|
2892
|
+
# **Related operations:**
|
2893
|
+
#
|
2894
|
+
# * Decrypt
|
2895
|
+
#
|
2896
|
+
# * Encrypt
|
2897
|
+
#
|
2898
|
+
# * GenerateDataKey
|
2899
|
+
#
|
2900
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
2901
|
+
#
|
2902
|
+
# * GenerateDataKeyWithoutPlaintext
|
2903
|
+
#
|
2585
2904
|
#
|
2586
2905
|
#
|
2587
2906
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2588
2907
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2908
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2589
2909
|
#
|
2590
2910
|
# @option params [Hash<String,String>] :encryption_context
|
2591
2911
|
# Specifies the encryption context that will be used when encrypting the
|
@@ -2718,10 +3038,30 @@ module Aws::KMS
|
|
2718
3038
|
# state. For details, see [How Key State Affects Use of a Customer
|
2719
3039
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2720
3040
|
#
|
3041
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3042
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3043
|
+
# of the `KeyId` parameter.
|
3044
|
+
#
|
3045
|
+
# **Required permissions**\:
|
3046
|
+
# [kms:GenerateDataKeyPairWithoutPlaintext][3] (key policy)
|
3047
|
+
#
|
3048
|
+
# **Related operations:**
|
3049
|
+
#
|
3050
|
+
# * Decrypt
|
3051
|
+
#
|
3052
|
+
# * Encrypt
|
3053
|
+
#
|
3054
|
+
# * GenerateDataKey
|
3055
|
+
#
|
3056
|
+
# * GenerateDataKeyPair
|
3057
|
+
#
|
3058
|
+
# * GenerateDataKeyWithoutPlaintext
|
3059
|
+
#
|
2721
3060
|
#
|
2722
3061
|
#
|
2723
3062
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2724
3063
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3064
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2725
3065
|
#
|
2726
3066
|
# @option params [Hash<String,String>] :encryption_context
|
2727
3067
|
# Specifies the encryption context that will be used when encrypting the
|
@@ -2749,7 +3089,8 @@ module Aws::KMS
|
|
2749
3089
|
#
|
2750
3090
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2751
3091
|
# name, or alias ARN. When using an alias name, prefix it with
|
2752
|
-
# `"alias/"`.
|
3092
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
3093
|
+
# the key ARN or alias ARN.
|
2753
3094
|
#
|
2754
3095
|
# For example:
|
2755
3096
|
#
|
@@ -2862,10 +3203,30 @@ module Aws::KMS
|
|
2862
3203
|
# state. For details, see [How Key State Affects Use of a Customer
|
2863
3204
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2864
3205
|
#
|
3206
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3207
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3208
|
+
# of the `KeyId` parameter.
|
3209
|
+
#
|
3210
|
+
# **Required permissions**\: [kms:GenerateDataKeyWithoutPlaintext][3]
|
3211
|
+
# (key policy)
|
3212
|
+
#
|
3213
|
+
# **Related operations:**
|
3214
|
+
#
|
3215
|
+
# * Decrypt
|
3216
|
+
#
|
3217
|
+
# * Encrypt
|
3218
|
+
#
|
3219
|
+
# * GenerateDataKey
|
3220
|
+
#
|
3221
|
+
# * GenerateDataKeyPair
|
3222
|
+
#
|
3223
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
3224
|
+
#
|
2865
3225
|
#
|
2866
3226
|
#
|
2867
3227
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2868
3228
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3229
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2869
3230
|
#
|
2870
3231
|
# @option params [required, String] :key_id
|
2871
3232
|
# The identifier of the symmetric customer master key (CMK) that
|
@@ -2986,10 +3347,13 @@ module Aws::KMS
|
|
2986
3347
|
# For more information about entropy and random number generation, see
|
2987
3348
|
# the [AWS Key Management Service Cryptographic Details][2] whitepaper.
|
2988
3349
|
#
|
3350
|
+
# **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
|
3351
|
+
#
|
2989
3352
|
#
|
2990
3353
|
#
|
2991
3354
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2992
3355
|
# [2]: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
|
3356
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2993
3357
|
#
|
2994
3358
|
# @option params [Integer] :number_of_bytes
|
2995
3359
|
# The length of the byte string.
|
@@ -3042,7 +3406,17 @@ module Aws::KMS
|
|
3042
3406
|
end
|
3043
3407
|
|
3044
3408
|
# Gets a key policy attached to the specified customer master key (CMK).
|
3045
|
-
#
|
3409
|
+
#
|
3410
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3411
|
+
# in a different AWS account.
|
3412
|
+
#
|
3413
|
+
# **Required permissions**\: [kms:GetKeyPolicy][1] (key policy)
|
3414
|
+
#
|
3415
|
+
# **Related operations**\: PutKeyPolicy
|
3416
|
+
#
|
3417
|
+
#
|
3418
|
+
#
|
3419
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3046
3420
|
#
|
3047
3421
|
# @option params [required, String] :key_id
|
3048
3422
|
# A unique identifier for the customer master key (CMK).
|
@@ -3122,14 +3496,24 @@ module Aws::KMS
|
|
3122
3496
|
# you cancel the deletion, the original key rotation status is
|
3123
3497
|
# restored.
|
3124
3498
|
#
|
3125
|
-
# To perform this operation on a CMK in a
|
3126
|
-
# the key ARN in the value of the `KeyId`
|
3499
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
3500
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
3501
|
+
# parameter.
|
3502
|
+
#
|
3503
|
+
# **Required permissions**\: [kms:GetKeyRotationStatus][4] (key policy)
|
3504
|
+
#
|
3505
|
+
# **Related operations:**
|
3506
|
+
#
|
3507
|
+
# * DisableKeyRotation
|
3508
|
+
#
|
3509
|
+
# * EnableKeyRotation
|
3127
3510
|
#
|
3128
3511
|
#
|
3129
3512
|
#
|
3130
3513
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
3131
3514
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3132
3515
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3516
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3133
3517
|
#
|
3134
3518
|
# @option params [required, String] :key_id
|
3135
3519
|
# A unique identifier for the customer master key (CMK).
|
@@ -3210,10 +3594,23 @@ module Aws::KMS
|
|
3210
3594
|
# state. For details, see [How Key State Affects Use of a Customer
|
3211
3595
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
3212
3596
|
#
|
3597
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3598
|
+
# in a different AWS account.
|
3599
|
+
#
|
3600
|
+
# **Required permissions**\: [kms:GetParametersForImport][3] (key
|
3601
|
+
# policy)
|
3602
|
+
#
|
3603
|
+
# **Related operations:**
|
3604
|
+
#
|
3605
|
+
# * ImportKeyMaterial
|
3606
|
+
#
|
3607
|
+
# * DeleteImportedKeyMaterial
|
3608
|
+
#
|
3213
3609
|
#
|
3214
3610
|
#
|
3215
3611
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3216
3612
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3613
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3217
3614
|
#
|
3218
3615
|
# @option params [required, String] :key_id
|
3219
3616
|
# The identifier of the symmetric CMK into which you will import key
|
@@ -3336,6 +3733,14 @@ module Aws::KMS
|
|
3336
3733
|
# state. For details, see [How Key State Affects Use of a Customer
|
3337
3734
|
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
3338
3735
|
#
|
3736
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3737
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
3738
|
+
# of the `KeyId` parameter.
|
3739
|
+
#
|
3740
|
+
# **Required permissions**\: [kms:GetPublicKey][8] (key policy)
|
3741
|
+
#
|
3742
|
+
# **Related operations**\: CreateKey
|
3743
|
+
#
|
3339
3744
|
#
|
3340
3745
|
#
|
3341
3746
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
@@ -3345,6 +3750,7 @@ module Aws::KMS
|
|
3345
3750
|
# [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
|
3346
3751
|
# [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
|
3347
3752
|
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3753
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3348
3754
|
#
|
3349
3755
|
# @option params [required, String] :key_id
|
3350
3756
|
# Identifies the asymmetric CMK that includes the public key.
|
@@ -3467,12 +3873,24 @@ module Aws::KMS
|
|
3467
3873
|
# state. For details, see [How Key State Affects Use of a Customer
|
3468
3874
|
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
3469
3875
|
#
|
3876
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3877
|
+
# in a different AWS account.
|
3878
|
+
#
|
3879
|
+
# **Required permissions**\: [kms:ImportKeyMaterial][5] (key policy)
|
3880
|
+
#
|
3881
|
+
# **Related operations:**
|
3882
|
+
#
|
3883
|
+
# * DeleteImportedKeyMaterial
|
3884
|
+
#
|
3885
|
+
# * GetParametersForImport
|
3886
|
+
#
|
3470
3887
|
#
|
3471
3888
|
#
|
3472
3889
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
|
3473
3890
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3474
3891
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
|
3475
3892
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3893
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3476
3894
|
#
|
3477
3895
|
# @option params [required, String] :key_id
|
3478
3896
|
# The identifier of the symmetric CMK that receives the imported key
|
@@ -3491,12 +3909,12 @@ module Aws::KMS
|
|
3491
3909
|
#
|
3492
3910
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
3493
3911
|
#
|
3494
|
-
# @option params [required, String,
|
3912
|
+
# @option params [required, String, StringIO, File] :import_token
|
3495
3913
|
# The import token that you received in the response to a previous
|
3496
3914
|
# GetParametersForImport request. It must be from the same response that
|
3497
3915
|
# contained the public key that you used to encrypt the key material.
|
3498
3916
|
#
|
3499
|
-
# @option params [required, String,
|
3917
|
+
# @option params [required, String, StringIO, File] :encrypted_key_material
|
3500
3918
|
# The encrypted key material to import. The key material must be
|
3501
3919
|
# encrypted with the public wrapping key that GetParametersForImport
|
3502
3920
|
# returned, using the wrapping algorithm that you specified in the same
|
@@ -3548,13 +3966,12 @@ module Aws::KMS
|
|
3548
3966
|
req.send_request(options)
|
3549
3967
|
end
|
3550
3968
|
|
3551
|
-
# Gets a list of aliases in the caller's AWS account and region.
|
3552
|
-
#
|
3553
|
-
# aliases, see CreateAlias.
|
3969
|
+
# Gets a list of aliases in the caller's AWS account and region. For
|
3970
|
+
# more information about aliases, see CreateAlias.
|
3554
3971
|
#
|
3555
|
-
# By default, the ListAliases
|
3556
|
-
# and region. To get only the aliases
|
3557
|
-
# customer master key (CMK), use the `KeyId` parameter.
|
3972
|
+
# By default, the `ListAliases` operation returns all aliases in the
|
3973
|
+
# account and region. To get only the aliases associated with a
|
3974
|
+
# particular customer master key (CMK), use the `KeyId` parameter.
|
3558
3975
|
#
|
3559
3976
|
# The `ListAliases` response can include aliases that you created and
|
3560
3977
|
# associated with your customer managed CMKs, and aliases that AWS
|
@@ -3568,18 +3985,45 @@ module Aws::KMS
|
|
3568
3985
|
# including predefined aliases, do not count against your [AWS KMS
|
3569
3986
|
# aliases quota][1].
|
3570
3987
|
#
|
3988
|
+
# **Cross-account use**\: No. `ListAliases` does not return aliases in
|
3989
|
+
# other AWS accounts.
|
3990
|
+
#
|
3991
|
+
# **Required permissions**\: [kms:ListAliases][2] (IAM policy)
|
3992
|
+
#
|
3993
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
3994
|
+
# Management Service Developer Guide*.
|
3995
|
+
#
|
3996
|
+
# **Related operations:**
|
3997
|
+
#
|
3998
|
+
# * CreateAlias
|
3999
|
+
#
|
4000
|
+
# * DeleteAlias
|
4001
|
+
#
|
4002
|
+
# * UpdateAlias
|
4003
|
+
#
|
3571
4004
|
#
|
3572
4005
|
#
|
3573
4006
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
|
4007
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4008
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
3574
4009
|
#
|
3575
4010
|
# @option params [String] :key_id
|
3576
|
-
# Lists only aliases that
|
3577
|
-
#
|
3578
|
-
# caller's account and region. You cannot use an alias name or alias
|
3579
|
-
# ARN in this value.
|
4011
|
+
# Lists only aliases that are associated with the specified CMK. Enter a
|
4012
|
+
# CMK in your AWS account.
|
3580
4013
|
#
|
3581
4014
|
# This parameter is optional. If you omit it, `ListAliases` returns all
|
3582
|
-
# aliases in the account and
|
4015
|
+
# aliases in the account and Region.
|
4016
|
+
#
|
4017
|
+
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
4018
|
+
#
|
4019
|
+
# For example:
|
4020
|
+
#
|
4021
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
4022
|
+
#
|
4023
|
+
# * Key ARN:
|
4024
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4025
|
+
#
|
4026
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
3583
4027
|
#
|
3584
4028
|
# @option params [Integer] :limit
|
3585
4029
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -3671,6 +4115,8 @@ module Aws::KMS
|
|
3671
4115
|
# resp.aliases[0].alias_name #=> String
|
3672
4116
|
# resp.aliases[0].alias_arn #=> String
|
3673
4117
|
# resp.aliases[0].target_key_id #=> String
|
4118
|
+
# resp.aliases[0].creation_date #=> Time
|
4119
|
+
# resp.aliases[0].last_updated_date #=> Time
|
3674
4120
|
# resp.next_marker #=> String
|
3675
4121
|
# resp.truncated #=> Boolean
|
3676
4122
|
#
|
@@ -3685,9 +4131,6 @@ module Aws::KMS
|
|
3685
4131
|
|
3686
4132
|
# Gets a list of all grants for the specified customer master key (CMK).
|
3687
4133
|
#
|
3688
|
-
# To perform this operation on a CMK in a different AWS account, specify
|
3689
|
-
# the key ARN in the value of the `KeyId` parameter.
|
3690
|
-
#
|
3691
4134
|
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
3692
4135
|
# contains the user or role designated as the grantee principal in the
|
3693
4136
|
# grant. However, when the grantee principal in the grant is an AWS
|
@@ -3697,9 +4140,26 @@ module Aws::KMS
|
|
3697
4140
|
#
|
3698
4141
|
# </note>
|
3699
4142
|
#
|
4143
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
4144
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
4145
|
+
# parameter.
|
4146
|
+
#
|
4147
|
+
# **Required permissions**\: [kms:ListGrants][2] (key policy)
|
4148
|
+
#
|
4149
|
+
# **Related operations:**
|
4150
|
+
#
|
4151
|
+
# * CreateGrant
|
4152
|
+
#
|
4153
|
+
# * ListRetirableGrants
|
4154
|
+
#
|
4155
|
+
# * RetireGrant
|
4156
|
+
#
|
4157
|
+
# * RevokeGrant
|
4158
|
+
#
|
3700
4159
|
#
|
3701
4160
|
#
|
3702
4161
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
|
4162
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3703
4163
|
#
|
3704
4164
|
# @option params [Integer] :limit
|
3705
4165
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -3843,9 +4303,23 @@ module Aws::KMS
|
|
3843
4303
|
# Gets the names of the key policies that are attached to a customer
|
3844
4304
|
# master key (CMK). This operation is designed to get policy names that
|
3845
4305
|
# you can use in a GetKeyPolicy operation. However, the only valid
|
3846
|
-
# policy name is `default`.
|
4306
|
+
# policy name is `default`.
|
4307
|
+
#
|
4308
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3847
4309
|
# in a different AWS account.
|
3848
4310
|
#
|
4311
|
+
# **Required permissions**\: [kms:ListKeyPolicies][1] (key policy)
|
4312
|
+
#
|
4313
|
+
# **Related operations:**
|
4314
|
+
#
|
4315
|
+
# * GetKeyPolicy
|
4316
|
+
#
|
4317
|
+
# * PutKeyPolicy
|
4318
|
+
#
|
4319
|
+
#
|
4320
|
+
#
|
4321
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4322
|
+
#
|
3849
4323
|
# @option params [required, String] :key_id
|
3850
4324
|
# A unique identifier for the customer master key (CMK).
|
3851
4325
|
#
|
@@ -3928,6 +4402,25 @@ module Aws::KMS
|
|
3928
4402
|
# Gets a list of all customer master keys (CMKs) in the caller's AWS
|
3929
4403
|
# account and Region.
|
3930
4404
|
#
|
4405
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4406
|
+
# in a different AWS account.
|
4407
|
+
#
|
4408
|
+
# **Required permissions**\: [kms:ListKeys][1] (IAM policy)
|
4409
|
+
#
|
4410
|
+
# **Related operations:**
|
4411
|
+
#
|
4412
|
+
# * CreateKey
|
4413
|
+
#
|
4414
|
+
# * DescribeKey
|
4415
|
+
#
|
4416
|
+
# * ListAliases
|
4417
|
+
#
|
4418
|
+
# * ListResourceTags
|
4419
|
+
#
|
4420
|
+
#
|
4421
|
+
#
|
4422
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4423
|
+
#
|
3931
4424
|
# @option params [Integer] :limit
|
3932
4425
|
# Use this parameter to specify the maximum number of items to return.
|
3933
4426
|
# When this value is present, AWS KMS does not return more than the
|
@@ -4017,10 +4510,29 @@ module Aws::KMS
|
|
4017
4510
|
req.send_request(options)
|
4018
4511
|
end
|
4019
4512
|
|
4020
|
-
# Returns
|
4021
|
-
#
|
4513
|
+
# Returns all tags on the specified customer master key (CMK).
|
4514
|
+
#
|
4515
|
+
# For general information about tags, including the format and syntax,
|
4516
|
+
# see [Tagging AWS resources][1] in the *Amazon Web Services General
|
4517
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
4518
|
+
# keys][2].
|
4519
|
+
#
|
4520
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4521
|
+
# in a different AWS account.
|
4022
4522
|
#
|
4023
|
-
#
|
4523
|
+
# **Required permissions**\: [kms:ListResourceTags][3] (key policy)
|
4524
|
+
#
|
4525
|
+
# **Related operations:**
|
4526
|
+
#
|
4527
|
+
# * TagResource
|
4528
|
+
#
|
4529
|
+
# * UntagResource
|
4530
|
+
#
|
4531
|
+
#
|
4532
|
+
#
|
4533
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
4534
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
4535
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4024
4536
|
#
|
4025
4537
|
# @option params [required, String] :key_id
|
4026
4538
|
# A unique identifier for the customer master key (CMK).
|
@@ -4111,11 +4623,37 @@ module Aws::KMS
|
|
4111
4623
|
req.send_request(options)
|
4112
4624
|
end
|
4113
4625
|
|
4114
|
-
# Returns
|
4115
|
-
# `RetiringPrincipal`
|
4626
|
+
# Returns all grants in which the specified principal is the
|
4627
|
+
# `RetiringPrincipal` in the grant.
|
4628
|
+
#
|
4629
|
+
# You can specify any principal in your AWS account. The grants that are
|
4630
|
+
# returned include grants for CMKs in your AWS account and other AWS
|
4631
|
+
# accounts.
|
4116
4632
|
#
|
4117
|
-
#
|
4118
|
-
# retire a grant, use RetireGrant.
|
4633
|
+
# You might use this operation to determine which grants you may retire.
|
4634
|
+
# To retire a grant, use the RetireGrant operation.
|
4635
|
+
#
|
4636
|
+
# **Cross-account use**\: You must specify a principal in your AWS
|
4637
|
+
# account. However, this operation can return grants in any AWS account.
|
4638
|
+
# You do not need `kms:ListRetirableGrants` permission (or any other
|
4639
|
+
# additional permission) in any AWS account other than your own.
|
4640
|
+
#
|
4641
|
+
# **Required permissions**\: [kms:ListRetirableGrants][1] (IAM policy)
|
4642
|
+
# in your AWS account.
|
4643
|
+
#
|
4644
|
+
# **Related operations:**
|
4645
|
+
#
|
4646
|
+
# * CreateGrant
|
4647
|
+
#
|
4648
|
+
# * ListGrants
|
4649
|
+
#
|
4650
|
+
# * RetireGrant
|
4651
|
+
#
|
4652
|
+
# * RevokeGrant
|
4653
|
+
#
|
4654
|
+
#
|
4655
|
+
#
|
4656
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4119
4657
|
#
|
4120
4658
|
# @option params [Integer] :limit
|
4121
4659
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -4131,7 +4669,8 @@ module Aws::KMS
|
|
4131
4669
|
# from the truncated response you just received.
|
4132
4670
|
#
|
4133
4671
|
# @option params [required, String] :retiring_principal
|
4134
|
-
# The retiring principal for which to list grants.
|
4672
|
+
# The retiring principal for which to list grants. Enter a principal in
|
4673
|
+
# your AWS account.
|
4135
4674
|
#
|
4136
4675
|
# To specify the retiring principal, use the [Amazon Resource Name
|
4137
4676
|
# (ARN)][1] of an AWS principal. Valid AWS principals include AWS
|
@@ -4215,15 +4754,28 @@ module Aws::KMS
|
|
4215
4754
|
req.send_request(options)
|
4216
4755
|
end
|
4217
4756
|
|
4218
|
-
# Attaches a key policy to the specified customer master key (CMK).
|
4219
|
-
# cannot perform this operation on a CMK in a different AWS account.
|
4757
|
+
# Attaches a key policy to the specified customer master key (CMK).
|
4220
4758
|
#
|
4221
4759
|
# For more information about key policies, see [Key Policies][1] in the
|
4222
|
-
# *AWS Key Management Service Developer Guide*.
|
4760
|
+
# *AWS Key Management Service Developer Guide*. For help writing and
|
4761
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
4762
|
+
# Reference][2] in the <i> <i>IAM User Guide</i> </i>. For examples of
|
4763
|
+
# adding a key policy in multiple programming languages, see [Setting a
|
4764
|
+
# key policy][3] in the *AWS Key Management Service Developer Guide*.
|
4765
|
+
#
|
4766
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
4767
|
+
# in a different AWS account.
|
4768
|
+
#
|
4769
|
+
# **Required permissions**\: [kms:PutKeyPolicy][4] (key policy)
|
4770
|
+
#
|
4771
|
+
# **Related operations**\: GetKeyPolicy
|
4223
4772
|
#
|
4224
4773
|
#
|
4225
4774
|
#
|
4226
4775
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4776
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
4777
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy
|
4778
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4227
4779
|
#
|
4228
4780
|
# @option params [required, String] :key_id
|
4229
4781
|
# A unique identifier for the customer master key (CMK).
|
@@ -4346,21 +4898,27 @@ module Aws::KMS
|
|
4346
4898
|
# operation.
|
4347
4899
|
#
|
4348
4900
|
# * If your ciphertext was encrypted under an asymmetric CMK, you must
|
4349
|
-
#
|
4350
|
-
# ciphertext. You must also supply the encryption algorithm that
|
4351
|
-
# used. This information is required to decrypt the data.
|
4352
|
-
#
|
4353
|
-
# *
|
4354
|
-
#
|
4355
|
-
#
|
4356
|
-
#
|
4357
|
-
#
|
4358
|
-
#
|
4359
|
-
#
|
4360
|
-
#
|
4361
|
-
#
|
4362
|
-
#
|
4363
|
-
#
|
4901
|
+
# use the `SourceKeyId` parameter to identify the CMK that encrypted
|
4902
|
+
# the ciphertext. You must also supply the encryption algorithm that
|
4903
|
+
# was used. This information is required to decrypt the data.
|
4904
|
+
#
|
4905
|
+
# * If your ciphertext was encrypted under a symmetric CMK, the
|
4906
|
+
# `SourceKeyId` parameter is optional. AWS KMS can get this
|
4907
|
+
# information from metadata that it adds to the symmetric ciphertext
|
4908
|
+
# blob. This feature adds durability to your implementation by
|
4909
|
+
# ensuring that authorized users can decrypt ciphertext decades after
|
4910
|
+
# it was encrypted, even if they've lost track of the CMK ID.
|
4911
|
+
# However, specifying the source CMK is always recommended as a best
|
4912
|
+
# practice. When you use the `SourceKeyId` parameter to specify a CMK,
|
4913
|
+
# AWS KMS uses only the CMK you specify. If the ciphertext was
|
4914
|
+
# encrypted under a different CMK, the `ReEncrypt` operation fails.
|
4915
|
+
# This practice ensures that you use the CMK that you intend.
|
4916
|
+
#
|
4917
|
+
# * To reencrypt the data, you must use the `DestinationKeyId` parameter
|
4918
|
+
# specify the CMK that re-encrypts the data after it is decrypted. You
|
4919
|
+
# can select a symmetric or asymmetric CMK. If the destination CMK is
|
4920
|
+
# an asymmetric CMK, you must also provide the encryption algorithm.
|
4921
|
+
# The algorithm that you choose must be compatible with the CMK.
|
4364
4922
|
#
|
4365
4923
|
# When you use an asymmetric CMK to encrypt or reencrypt data, be sure
|
4366
4924
|
# to record the CMK and encryption algorithm that you choose. You will
|
@@ -4374,23 +4932,36 @@ module Aws::KMS
|
|
4374
4932
|
# ciphertext generated with asymmetric keys. The standard format for
|
4375
4933
|
# asymmetric key ciphertext does not include configurable fields.
|
4376
4934
|
#
|
4377
|
-
#
|
4378
|
-
#
|
4935
|
+
# The CMK that you use for this operation must be in a compatible key
|
4936
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4937
|
+
# Master Key][6] in the *AWS Key Management Service Developer Guide*.
|
4938
|
+
#
|
4939
|
+
# **Cross-account use**\: Yes. The source CMK and destination CMK can be
|
4940
|
+
# in different AWS accounts. Either or both CMKs can be in a different
|
4941
|
+
# account than the caller.
|
4379
4942
|
#
|
4380
|
-
#
|
4943
|
+
# **Required permissions**\:
|
4381
4944
|
#
|
4382
|
-
# *
|
4945
|
+
# * [kms:ReEncryptFrom][7] permission on the source CMK (key policy)
|
4946
|
+
#
|
4947
|
+
# * [kms:ReEncryptTo][7] permission on the destination CMK (key policy)
|
4383
4948
|
#
|
4384
4949
|
# To permit reencryption from or to a CMK, include the
|
4385
|
-
# `"kms:ReEncrypt*"` permission in your [key policy][
|
4950
|
+
# `"kms:ReEncrypt*"` permission in your [key policy][8]. This permission
|
4386
4951
|
# is automatically included in the key policy when you use the console
|
4387
4952
|
# to create a CMK. But you must include it manually when you create a
|
4388
4953
|
# CMK programmatically or when you use the PutKeyPolicy operation to set
|
4389
4954
|
# a key policy.
|
4390
4955
|
#
|
4391
|
-
#
|
4392
|
-
#
|
4393
|
-
#
|
4956
|
+
# **Related operations:**
|
4957
|
+
#
|
4958
|
+
# * Decrypt
|
4959
|
+
#
|
4960
|
+
# * Encrypt
|
4961
|
+
#
|
4962
|
+
# * GenerateDataKey
|
4963
|
+
#
|
4964
|
+
# * GenerateDataKeyPair
|
4394
4965
|
#
|
4395
4966
|
#
|
4396
4967
|
#
|
@@ -4399,10 +4970,11 @@ module Aws::KMS
|
|
4399
4970
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
4400
4971
|
# [4]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4401
4972
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4402
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
4403
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4973
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4974
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4975
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4404
4976
|
#
|
4405
|
-
# @option params [required, String,
|
4977
|
+
# @option params [required, String, StringIO, File] :ciphertext_blob
|
4406
4978
|
# Ciphertext of the data to reencrypt.
|
4407
4979
|
#
|
4408
4980
|
# @option params [Hash<String,String>] :source_encryption_context
|
@@ -4425,23 +4997,20 @@ module Aws::KMS
|
|
4425
4997
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4426
4998
|
#
|
4427
4999
|
# @option params [String] :source_key_id
|
4428
|
-
#
|
4429
|
-
# before it
|
5000
|
+
# Specifies the customer master key (CMK) that AWS KMS will use to
|
5001
|
+
# decrypt the ciphertext before it is re-encrypted. Enter a key ID of
|
5002
|
+
# the CMK that was used to encrypt the ciphertext.
|
4430
5003
|
#
|
4431
5004
|
# This parameter is required only when the ciphertext was encrypted
|
4432
|
-
# under an asymmetric CMK.
|
4433
|
-
#
|
4434
|
-
#
|
4435
|
-
#
|
4436
|
-
# it is reencrypted.
|
4437
|
-
#
|
4438
|
-
# If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
|
4439
|
-
# operation succeeds only if the specified CMK was used to encrypt the
|
4440
|
-
# ciphertext.
|
5005
|
+
# under an asymmetric CMK. If you used a symmetric CMK, AWS KMS can get
|
5006
|
+
# the CMK from metadata that it adds to the symmetric ciphertext blob.
|
5007
|
+
# However, it is always recommended as a best practice. This practice
|
5008
|
+
# ensures that you use the CMK that you intend.
|
4441
5009
|
#
|
4442
5010
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
4443
5011
|
# name, or alias ARN. When using an alias name, prefix it with
|
4444
|
-
# `"alias/"`.
|
5012
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
5013
|
+
# the key ARN or alias ARN.
|
4445
5014
|
#
|
4446
5015
|
# For example:
|
4447
5016
|
#
|
@@ -4549,14 +5118,14 @@ module Aws::KMS
|
|
4549
5118
|
#
|
4550
5119
|
# resp = client.re_encrypt({
|
4551
5120
|
# ciphertext_blob: "<binary data>", # The data to reencrypt.
|
4552
|
-
# destination_key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the CMK to use to reencrypt the data. You can use
|
5121
|
+
# destination_key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the CMK to use to reencrypt the data. You can use any valid key identifier.
|
4553
5122
|
# })
|
4554
5123
|
#
|
4555
5124
|
# resp.to_h outputs the following:
|
4556
5125
|
# {
|
4557
5126
|
# ciphertext_blob: "<binary data>", # The reencrypted data.
|
4558
5127
|
# key_id: "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The ARN of the CMK that was used to reencrypt the data.
|
4559
|
-
# source_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to
|
5128
|
+
# source_key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was originally used to encrypt the data.
|
4560
5129
|
# }
|
4561
5130
|
#
|
4562
5131
|
# @example Request syntax with placeholder values
|
@@ -4611,6 +5180,28 @@ module Aws::KMS
|
|
4611
5180
|
# base64-encoded string. A grant ID is a 64 character unique identifier
|
4612
5181
|
# of a grant. The CreateGrant operation returns both.
|
4613
5182
|
#
|
5183
|
+
# **Cross-account use**\: Yes. You can retire a grant on a CMK in a
|
5184
|
+
# different AWS account.
|
5185
|
+
#
|
5186
|
+
# **Required permissions:**\: Permission to retire a grant is specified
|
5187
|
+
# in the grant. You cannot control access to this operation in a policy.
|
5188
|
+
# For more information, see [Using grants][1] in the *AWS Key Management
|
5189
|
+
# Service Developer Guide*.
|
5190
|
+
#
|
5191
|
+
# **Related operations:**
|
5192
|
+
#
|
5193
|
+
# * CreateGrant
|
5194
|
+
#
|
5195
|
+
# * ListGrants
|
5196
|
+
#
|
5197
|
+
# * ListRetirableGrants
|
5198
|
+
#
|
5199
|
+
# * RevokeGrant
|
5200
|
+
#
|
5201
|
+
#
|
5202
|
+
#
|
5203
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5204
|
+
#
|
4614
5205
|
# @option params [String] :grant_token
|
4615
5206
|
# Token that identifies the grant to be retired.
|
4616
5207
|
#
|
@@ -4662,8 +5253,25 @@ module Aws::KMS
|
|
4662
5253
|
# (CMK). You can revoke a grant to actively deny operations that depend
|
4663
5254
|
# on it.
|
4664
5255
|
#
|
4665
|
-
# To perform this operation on a CMK in a
|
4666
|
-
# the key ARN in the value of the `KeyId`
|
5256
|
+
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
5257
|
+
# different AWS account, specify the key ARN in the value of the `KeyId`
|
5258
|
+
# parameter.
|
5259
|
+
#
|
5260
|
+
# **Required permissions**\: [kms:RevokeGrant][1] (key policy)
|
5261
|
+
#
|
5262
|
+
# **Related operations:**
|
5263
|
+
#
|
5264
|
+
# * CreateGrant
|
5265
|
+
#
|
5266
|
+
# * ListGrants
|
5267
|
+
#
|
5268
|
+
# * ListRetirableGrants
|
5269
|
+
#
|
5270
|
+
# * RetireGrant
|
5271
|
+
#
|
5272
|
+
#
|
5273
|
+
#
|
5274
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4667
5275
|
#
|
4668
5276
|
# @option params [required, String] :key_id
|
4669
5277
|
# A unique identifier for the customer master key associated with the
|
@@ -4733,8 +5341,6 @@ module Aws::KMS
|
|
4733
5341
|
# manually [delete the orphaned key material][2] from the cluster and
|
4734
5342
|
# its backups.
|
4735
5343
|
#
|
4736
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
4737
|
-
#
|
4738
5344
|
# For more information about scheduling a CMK for deletion, see
|
4739
5345
|
# [Deleting Customer Master Keys][3] in the *AWS Key Management Service
|
4740
5346
|
# Developer Guide*.
|
@@ -4743,12 +5349,24 @@ module Aws::KMS
|
|
4743
5349
|
# state. For details, see [How Key State Affects Use of a Customer
|
4744
5350
|
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
4745
5351
|
#
|
5352
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5353
|
+
# in a different AWS account.
|
5354
|
+
#
|
5355
|
+
# **Required permissions**\: [kms:ScheduleKeyDeletion][5] (key policy)
|
5356
|
+
#
|
5357
|
+
# **Related operations**
|
5358
|
+
#
|
5359
|
+
# * CancelKeyDeletion
|
5360
|
+
#
|
5361
|
+
# * DisableKey
|
5362
|
+
#
|
4746
5363
|
#
|
4747
5364
|
#
|
4748
5365
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
4749
5366
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
4750
5367
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
4751
5368
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5369
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4752
5370
|
#
|
4753
5371
|
# @option params [required, String] :key_id
|
4754
5372
|
# The unique identifier of the customer master key (CMK) to delete.
|
@@ -4855,11 +5473,20 @@ module Aws::KMS
|
|
4855
5473
|
# state. For details, see [How Key State Affects Use of a Customer
|
4856
5474
|
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
4857
5475
|
#
|
5476
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
5477
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
5478
|
+
# of the `KeyId` parameter.
|
5479
|
+
#
|
5480
|
+
# **Required permissions**\: [kms:Sign][4] (key policy)
|
5481
|
+
#
|
5482
|
+
# **Related operations**\: Verify
|
5483
|
+
#
|
4858
5484
|
#
|
4859
5485
|
#
|
4860
5486
|
# [1]: https://en.wikipedia.org/wiki/Digital_signature
|
4861
5487
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
4862
5488
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5489
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4863
5490
|
#
|
4864
5491
|
# @option params [required, String] :key_id
|
4865
5492
|
# Identifies an asymmetric CMK. AWS KMS uses the private key in the
|
@@ -4886,7 +5513,7 @@ module Aws::KMS
|
|
4886
5513
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4887
5514
|
# To get the alias name and alias ARN, use ListAliases.
|
4888
5515
|
#
|
4889
|
-
# @option params [required, String,
|
5516
|
+
# @option params [required, String, StringIO, File] :message
|
4890
5517
|
# Specifies the message or message digest to sign. Messages can be
|
4891
5518
|
# 0-4096 bytes. To sign a larger message, provide the message digest.
|
4892
5519
|
#
|
@@ -4945,31 +5572,50 @@ module Aws::KMS
|
|
4945
5572
|
req.send_request(options)
|
4946
5573
|
end
|
4947
5574
|
|
4948
|
-
# Adds or edits tags
|
4949
|
-
#
|
5575
|
+
# Adds or edits tags on a [customer managed CMK][1].
|
5576
|
+
#
|
5577
|
+
# Each tag consists of a tag key and a tag value, both of which are
|
5578
|
+
# case-sensitive strings. The tag value can be an empty (null) string.
|
4950
5579
|
#
|
4951
|
-
#
|
4952
|
-
#
|
5580
|
+
# To add a tag, specify a new tag key and a tag value. To edit a tag,
|
5581
|
+
# specify an existing tag key and a new tag value.
|
4953
5582
|
#
|
4954
|
-
# You can
|
4955
|
-
#
|
4956
|
-
#
|
5583
|
+
# You can use this operation to tag a [customer managed CMK][1], but you
|
5584
|
+
# cannot tag an [AWS managed CMK][2], an [AWS owned CMK][3], or an
|
5585
|
+
# alias.
|
4957
5586
|
#
|
4958
|
-
# For information about
|
4959
|
-
# see [
|
4960
|
-
#
|
5587
|
+
# For general information about tags, including the format and syntax,
|
5588
|
+
# see [Tagging AWS resources][4] in the *Amazon Web Services General
|
5589
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
5590
|
+
# keys][5].
|
4961
5591
|
#
|
4962
5592
|
# The CMK that you use for this operation must be in a compatible key
|
4963
5593
|
# state. For details, see [How Key State Affects Use of a Customer
|
4964
|
-
# Master Key][
|
5594
|
+
# Master Key][6] in the *AWS Key Management Service Developer Guide*.
|
4965
5595
|
#
|
5596
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5597
|
+
# in a different AWS account.
|
4966
5598
|
#
|
5599
|
+
# **Required permissions**\: [kms:TagResource][7] (key policy)
|
4967
5600
|
#
|
4968
|
-
#
|
4969
|
-
#
|
5601
|
+
# **Related operations**
|
5602
|
+
#
|
5603
|
+
# * UntagResource
|
5604
|
+
#
|
5605
|
+
# * ListResourceTags
|
5606
|
+
#
|
5607
|
+
#
|
5608
|
+
#
|
5609
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5610
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
5611
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
5612
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
5613
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5614
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5615
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4970
5616
|
#
|
4971
5617
|
# @option params [required, String] :key_id
|
4972
|
-
#
|
5618
|
+
# Identifies a customer managed CMK in the account and Region.
|
4973
5619
|
#
|
4974
5620
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
4975
5621
|
#
|
@@ -4983,7 +5629,14 @@ module Aws::KMS
|
|
4983
5629
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4984
5630
|
#
|
4985
5631
|
# @option params [required, Array<Types::Tag>] :tags
|
4986
|
-
# One or more tags.
|
5632
|
+
# One or more tags.
|
5633
|
+
#
|
5634
|
+
# Each tag consists of a tag key and a tag value. The tag value can be
|
5635
|
+
# an empty (null) string.
|
5636
|
+
#
|
5637
|
+
# You cannot have more than one tag on a CMK with the same tag key. If
|
5638
|
+
# you specify an existing tag key with a different tag value, AWS KMS
|
5639
|
+
# replaces the current tag value with the specified one.
|
4987
5640
|
#
|
4988
5641
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
4989
5642
|
#
|
@@ -5023,23 +5676,44 @@ module Aws::KMS
|
|
5023
5676
|
req.send_request(options)
|
5024
5677
|
end
|
5025
5678
|
|
5026
|
-
#
|
5027
|
-
#
|
5028
|
-
# account.
|
5679
|
+
# Deletes tags from a [customer managed CMK][1]. To delete a tag,
|
5680
|
+
# specify the tag key and the CMK.
|
5029
5681
|
#
|
5030
|
-
#
|
5031
|
-
#
|
5682
|
+
# When it succeeds, the `UntagResource` operation doesn't return any
|
5683
|
+
# output. Also, if the specified tag key isn't found on the CMK, it
|
5684
|
+
# doesn't throw an exception or return a response. To confirm that the
|
5685
|
+
# operation worked, use the ListResourceTags operation.
|
5686
|
+
#
|
5687
|
+
# For general information about tags, including the format and syntax,
|
5688
|
+
# see [Tagging AWS resources][2] in the *Amazon Web Services General
|
5689
|
+
# Reference*. For information about using tags in AWS KMS, see [Tagging
|
5690
|
+
# keys][3].
|
5032
5691
|
#
|
5033
5692
|
# The CMK that you use for this operation must be in a compatible key
|
5034
5693
|
# state. For details, see [How Key State Affects Use of a Customer
|
5035
|
-
# Master Key][
|
5694
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
5036
5695
|
#
|
5696
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5697
|
+
# in a different AWS account.
|
5037
5698
|
#
|
5699
|
+
# **Required permissions**\: [kms:UntagResource][5] (key policy)
|
5038
5700
|
#
|
5039
|
-
#
|
5701
|
+
# **Related operations**
|
5702
|
+
#
|
5703
|
+
# * TagResource
|
5704
|
+
#
|
5705
|
+
# * ListResourceTags
|
5706
|
+
#
|
5707
|
+
#
|
5708
|
+
#
|
5709
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5710
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
5711
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5712
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5713
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5040
5714
|
#
|
5041
5715
|
# @option params [required, String] :key_id
|
5042
|
-
#
|
5716
|
+
# Identifies the CMK from which you are removing tags.
|
5043
5717
|
#
|
5044
5718
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
5045
5719
|
#
|
@@ -5089,8 +5763,7 @@ module Aws::KMS
|
|
5089
5763
|
# Associates an existing AWS KMS alias with a different customer master
|
5090
5764
|
# key (CMK). Each alias is associated with only one CMK at a time,
|
5091
5765
|
# although a CMK can have multiple aliases. The alias and the CMK must
|
5092
|
-
# be in the same AWS account and region.
|
5093
|
-
# operation on an alias in a different AWS account.
|
5766
|
+
# be in the same AWS account and region.
|
5094
5767
|
#
|
5095
5768
|
# The current and new CMK must be the same type (both symmetric or both
|
5096
5769
|
# asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
|
@@ -5113,9 +5786,33 @@ module Aws::KMS
|
|
5113
5786
|
# state. For details, see [How Key State Affects Use of a Customer
|
5114
5787
|
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
5115
5788
|
#
|
5789
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5790
|
+
# in a different AWS account.
|
5791
|
+
#
|
5792
|
+
# **Required permissions**
|
5793
|
+
#
|
5794
|
+
# * [kms:UpdateAlias][2] on the alias (IAM policy).
|
5795
|
+
#
|
5796
|
+
# * [kms:UpdateAlias][2] on the current CMK (key policy).
|
5797
|
+
#
|
5798
|
+
# * [kms:UpdateAlias][2] on the new CMK (key policy).
|
5799
|
+
#
|
5800
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
5801
|
+
# Management Service Developer Guide*.
|
5802
|
+
#
|
5803
|
+
# **Related operations:**
|
5804
|
+
#
|
5805
|
+
# * CreateAlias
|
5806
|
+
#
|
5807
|
+
# * DeleteAlias
|
5808
|
+
#
|
5809
|
+
# * ListAliases
|
5810
|
+
#
|
5116
5811
|
#
|
5117
5812
|
#
|
5118
5813
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5814
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5815
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
5119
5816
|
#
|
5120
5817
|
# @option params [required, String] :alias_name
|
5121
5818
|
# Identifies the alias that is changing its CMK. This value must begin
|
@@ -5124,8 +5821,9 @@ module Aws::KMS
|
|
5124
5821
|
# name.
|
5125
5822
|
#
|
5126
5823
|
# @option params [required, String] :target_key_id
|
5127
|
-
# Identifies the CMK to associate with the alias.
|
5128
|
-
#
|
5824
|
+
# Identifies the [customer managed CMK][1] to associate with the alias.
|
5825
|
+
# You don't have permission to associate an alias with an [AWS managed
|
5826
|
+
# CMK][2].
|
5129
5827
|
#
|
5130
5828
|
# The CMK must be in the same AWS account and Region as the alias. Also,
|
5131
5829
|
# the new target CMK must be the same type as the current target CMK
|
@@ -5146,6 +5844,11 @@ module Aws::KMS
|
|
5146
5844
|
# To verify that the alias is mapped to the correct CMK, use
|
5147
5845
|
# ListAliases.
|
5148
5846
|
#
|
5847
|
+
#
|
5848
|
+
#
|
5849
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5850
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
5851
|
+
#
|
5149
5852
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5150
5853
|
#
|
5151
5854
|
#
|
@@ -5215,11 +5918,29 @@ module Aws::KMS
|
|
5215
5918
|
# AWS KMS, which combines the convenience and extensive integration of
|
5216
5919
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
5217
5920
|
#
|
5921
|
+
# **Cross-account use**\: No. You cannot perform this operation on a
|
5922
|
+
# custom key store in a different AWS account.
|
5923
|
+
#
|
5924
|
+
# **Required permissions**\: [kms:UpdateCustomKeyStore][4] (IAM policy)
|
5925
|
+
#
|
5926
|
+
# **Related operations:**
|
5927
|
+
#
|
5928
|
+
# * ConnectCustomKeyStore
|
5929
|
+
#
|
5930
|
+
# * CreateCustomKeyStore
|
5931
|
+
#
|
5932
|
+
# * DeleteCustomKeyStore
|
5933
|
+
#
|
5934
|
+
# * DescribeCustomKeyStores
|
5935
|
+
#
|
5936
|
+
# * DisconnectCustomKeyStore
|
5937
|
+
#
|
5218
5938
|
#
|
5219
5939
|
#
|
5220
5940
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
5221
5941
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password
|
5222
5942
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
5943
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5223
5944
|
#
|
5224
5945
|
# @option params [required, String] :custom_key_store_id
|
5225
5946
|
# Identifies the custom key store that you want to update. Enter the ID
|
@@ -5279,15 +6000,25 @@ module Aws::KMS
|
|
5279
6000
|
# Updates the description of a customer master key (CMK). To see the
|
5280
6001
|
# description of a CMK, use DescribeKey.
|
5281
6002
|
#
|
5282
|
-
# You cannot perform this operation on a CMK in a different AWS account.
|
5283
|
-
#
|
5284
6003
|
# The CMK that you use for this operation must be in a compatible key
|
5285
6004
|
# state. For details, see [How Key State Affects Use of a Customer
|
5286
6005
|
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
5287
6006
|
#
|
6007
|
+
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
6008
|
+
# in a different AWS account.
|
6009
|
+
#
|
6010
|
+
# **Required permissions**\: [kms:UpdateKeyDescription][2] (key policy)
|
6011
|
+
#
|
6012
|
+
# **Related operations**
|
6013
|
+
#
|
6014
|
+
# * CreateKey
|
6015
|
+
#
|
6016
|
+
# * DescribeKey
|
6017
|
+
#
|
5288
6018
|
#
|
5289
6019
|
#
|
5290
6020
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6021
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5291
6022
|
#
|
5292
6023
|
# @option params [required, String] :key_id
|
5293
6024
|
# A unique identifier for the customer master key (CMK).
|
@@ -5369,10 +6100,19 @@ module Aws::KMS
|
|
5369
6100
|
# state. For details, see [How Key State Affects Use of a Customer
|
5370
6101
|
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
5371
6102
|
#
|
6103
|
+
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
6104
|
+
# different AWS account, specify the key ARN or alias ARN in the value
|
6105
|
+
# of the `KeyId` parameter.
|
6106
|
+
#
|
6107
|
+
# **Required permissions**\: [kms:Verify][3] (key policy)
|
6108
|
+
#
|
6109
|
+
# **Related operations**\: Sign
|
6110
|
+
#
|
5372
6111
|
#
|
5373
6112
|
#
|
5374
6113
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
5375
6114
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6115
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5376
6116
|
#
|
5377
6117
|
# @option params [required, String] :key_id
|
5378
6118
|
# Identifies the asymmetric CMK that will be used to verify the
|
@@ -5399,7 +6139,7 @@ module Aws::KMS
|
|
5399
6139
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5400
6140
|
# To get the alias name and alias ARN, use ListAliases.
|
5401
6141
|
#
|
5402
|
-
# @option params [required, String,
|
6142
|
+
# @option params [required, String, StringIO, File] :message
|
5403
6143
|
# Specifies the message that was signed. You can submit a raw message of
|
5404
6144
|
# up to 4096 bytes, or a hash digest of the message. If you submit a
|
5405
6145
|
# digest, use the `MessageType` parameter with a value of `DIGEST`.
|
@@ -5417,7 +6157,7 @@ module Aws::KMS
|
|
5417
6157
|
# is a message digest. If you use the `DIGEST` value with a raw message,
|
5418
6158
|
# the security of the verification operation can be compromised.
|
5419
6159
|
#
|
5420
|
-
# @option params [required, String,
|
6160
|
+
# @option params [required, String, StringIO, File] :signature
|
5421
6161
|
# The signature that the `Sign` operation generated.
|
5422
6162
|
#
|
5423
6163
|
# @option params [required, String] :signing_algorithm
|
@@ -5479,7 +6219,7 @@ module Aws::KMS
|
|
5479
6219
|
params: params,
|
5480
6220
|
config: config)
|
5481
6221
|
context[:gem_name] = 'aws-sdk-kms'
|
5482
|
-
context[:gem_version] = '1.
|
6222
|
+
context[:gem_version] = '1.40.0'
|
5483
6223
|
Seahorse::Client::Request.new(handlers, context)
|
5484
6224
|
end
|
5485
6225
|
|