aws-sdk-kms 1.40.0 → 1.44.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +299 -0
- data/LICENSE.txt +202 -0
- data/VERSION +1 -0
- data/lib/aws-sdk-kms.rb +2 -2
- data/lib/aws-sdk-kms/client.rb +1071 -387
- data/lib/aws-sdk-kms/client_api.rb +80 -1
- data/lib/aws-sdk-kms/customizations.rb +1 -1
- data/lib/aws-sdk-kms/errors.rb +1 -1
- data/lib/aws-sdk-kms/resource.rb +1 -1
- data/lib/aws-sdk-kms/types.rb +700 -161
- metadata +11 -9
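--- a/data/VERSION
+++ b/data/VERSION
@@ -0,0 +1 @@
+1.44.0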
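--- a/data/lib/aws-sdk-kms.rb
+++ b/data/lib/aws-sdk-kms.rb
@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @!group service
 module Aws::KMS
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.44.0'
 
 end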
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
# WARNING ABOUT GENERATED CODE
|
4
4
|
#
|
5
5
|
# This file is generated. See the contributing guide for more information:
|
6
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
7
7
|
#
|
8
8
|
# WARNING ABOUT GENERATED CODE
|
9
9
|
|
@@ -346,8 +346,8 @@ module Aws::KMS
|
|
346
346
|
# Service Developer Guide*.
|
347
347
|
#
|
348
348
|
# The CMK that you use for this operation must be in a compatible key
|
349
|
-
# state. For details, see [
|
350
|
-
#
|
349
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
350
|
+
# Key Management Service Developer Guide*.
|
351
351
|
#
|
352
352
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
353
353
|
# in a different AWS account.
|
@@ -363,10 +363,10 @@ module Aws::KMS
|
|
363
363
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
364
364
|
#
|
365
365
|
# @option params [required, String] :key_id
|
366
|
-
#
|
367
|
-
#
|
366
|
+
# Identifies the customer master key (CMK) whose deletion is being
|
367
|
+
# canceled.
|
368
368
|
#
|
369
|
-
# Specify the key ID or
|
369
|
+
# Specify the key ID or key ARN of the CMK.
|
370
370
|
#
|
371
371
|
# For example:
|
372
372
|
#
|
@@ -503,42 +503,48 @@ module Aws::KMS
|
|
503
503
|
req.send_request(options)
|
504
504
|
end
|
505
505
|
|
506
|
-
# Creates a friendly name for a customer master key (CMK).
|
507
|
-
# an alias to identify a CMK in the AWS KMS console, in the DescribeKey
|
508
|
-
# operation and in [cryptographic operations][1], such as Encrypt and
|
509
|
-
# GenerateDataKey.
|
506
|
+
# Creates a friendly name for a customer master key (CMK).
|
510
507
|
#
|
511
|
-
#
|
512
|
-
#
|
513
|
-
#
|
508
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
509
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
510
|
+
# Management Service Developer Guide*.
|
511
|
+
#
|
512
|
+
# </note>
|
513
|
+
#
|
514
|
+
# You can use an alias to identify a CMK in the AWS KMS console, in the
|
515
|
+
# DescribeKey operation and in [cryptographic operations][2], such as
|
516
|
+
# Encrypt and GenerateDataKey. You can also change the CMK that's
|
517
|
+
# associated with the alias (UpdateAlias) or delete the alias
|
518
|
+
# (DeleteAlias) at any time. These operations don't affect the
|
519
|
+
# underlying CMK.
|
514
520
|
#
|
515
521
|
# You can associate the alias with any customer managed CMK in the same
|
516
|
-
# AWS Region. Each alias is associated with only
|
517
|
-
# CMK can have multiple aliases. A valid CMK is required. You can't
|
522
|
+
# AWS Region. Each alias is associated with only one CMK at a time, but
|
523
|
+
# a CMK can have multiple aliases. A valid CMK is required. You can't
|
518
524
|
# create an alias without a CMK.
|
519
525
|
#
|
520
526
|
# The alias must be unique in the account and Region, but you can have
|
521
527
|
# aliases with the same name in different Regions. For detailed
|
522
|
-
# information about aliases, see [Using aliases][
|
528
|
+
# information about aliases, see [Using aliases][3] in the *AWS Key
|
523
529
|
# Management Service Developer Guide*.
|
524
530
|
#
|
525
531
|
# This operation does not return a response. To get the alias that you
|
526
532
|
# created, use the ListAliases operation.
|
527
533
|
#
|
528
534
|
# The CMK that you use for this operation must be in a compatible key
|
529
|
-
# state. For details, see [
|
530
|
-
#
|
535
|
+
# state. For details, see [Key state: Effect on your CMK][4] in the *AWS
|
536
|
+
# Key Management Service Developer Guide*.
|
531
537
|
#
|
532
538
|
# **Cross-account use**\: No. You cannot perform this operation on an
|
533
539
|
# alias in a different AWS account.
|
534
540
|
#
|
535
541
|
# **Required permissions**
|
536
542
|
#
|
537
|
-
# * [kms:CreateAlias][
|
543
|
+
# * [kms:CreateAlias][5] on the alias (IAM policy).
|
538
544
|
#
|
539
|
-
# * [kms:CreateAlias][
|
545
|
+
# * [kms:CreateAlias][5] on the CMK (key policy).
|
540
546
|
#
|
541
|
-
# For details, see [Controlling access to aliases][
|
547
|
+
# For details, see [Controlling access to aliases][6] in the *AWS Key
|
542
548
|
# Management Service Developer Guide*.
|
543
549
|
#
|
544
550
|
# **Related operations:**
|
@@ -551,11 +557,12 @@ module Aws::KMS
|
|
551
557
|
#
|
552
558
|
#
|
553
559
|
#
|
554
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
555
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
556
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
557
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
558
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
560
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
561
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
562
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
563
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
564
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
565
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
559
566
|
#
|
560
567
|
# @option params [required, String] :alias_name
|
561
568
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -580,7 +587,7 @@ module Aws::KMS
|
|
580
587
|
# For help finding the key ID and ARN, see [Finding the Key ID and
|
581
588
|
# ARN][2] in the *AWS Key Management Service Developer Guide*.
|
582
589
|
#
|
583
|
-
# Specify the key ID or
|
590
|
+
# Specify the key ID or key ARN of the CMK.
|
584
591
|
#
|
585
592
|
# For example:
|
586
593
|
#
|
@@ -737,54 +744,54 @@ module Aws::KMS
|
|
737
744
|
req.send_request(options)
|
738
745
|
end
|
739
746
|
|
740
|
-
# Adds a grant to a customer master key (CMK).
|
741
|
-
#
|
742
|
-
# grant
|
743
|
-
#
|
744
|
-
#
|
745
|
-
#
|
746
|
-
#
|
747
|
-
#
|
748
|
-
#
|
749
|
-
#
|
750
|
-
#
|
751
|
-
#
|
752
|
-
#
|
753
|
-
#
|
754
|
-
#
|
755
|
-
#
|
756
|
-
#
|
757
|
-
#
|
758
|
-
#
|
759
|
-
#
|
760
|
-
#
|
761
|
-
#
|
762
|
-
#
|
763
|
-
#
|
764
|
-
#
|
765
|
-
#
|
766
|
-
#
|
767
|
-
#
|
768
|
-
#
|
769
|
-
#
|
770
|
-
#
|
771
|
-
#
|
772
|
-
#
|
747
|
+
# Adds a grant to a customer master key (CMK).
|
748
|
+
#
|
749
|
+
# A *grant* is a policy instrument that allows AWS principals to use AWS
|
750
|
+
# KMS customer master keys (CMKs) in cryptographic operations. It also
|
751
|
+
# can allow them to view a CMK (DescribeKey) and create and manage
|
752
|
+
# grants. When authorizing access to a CMK, grants are considered along
|
753
|
+
# with key policies and IAM policies. Grants are often used for
|
754
|
+
# temporary permissions because you can create one, use its permissions,
|
755
|
+
# and delete it without changing your key policies or IAM policies.
|
756
|
+
#
|
757
|
+
# For detailed information about grants, including grant terminology,
|
758
|
+
# see [Using grants][1] in the <i> <i>AWS Key Management Service
|
759
|
+
# Developer Guide</i> </i>. For examples of working with grants in
|
760
|
+
# several programming languages, see [Programming grants][2].
|
761
|
+
#
|
762
|
+
# The `CreateGrant` operation returns a `GrantToken` and a `GrantId`.
|
763
|
+
#
|
764
|
+
# * When you create, retire, or revoke a grant, there might be a brief
|
765
|
+
# delay, usually less than five minutes, until the grant is available
|
766
|
+
# throughout AWS KMS. This state is known as *eventual consistency*.
|
767
|
+
# Once the grant has achieved eventual consistency, the grantee
|
768
|
+
# principal can use the permissions in the grant without identifying
|
769
|
+
# the grant.
|
770
|
+
#
|
771
|
+
# However, to use the permissions in the grant immediately, use the
|
772
|
+
# `GrantToken` that `CreateGrant` returns. For details, see [Using a
|
773
|
+
# grant token][3] in the <i> <i>AWS Key Management Service Developer
|
774
|
+
# Guide</i> </i>.
|
775
|
+
#
|
776
|
+
# * The `CreateGrant` operation also returns a `GrantId`. You can use
|
777
|
+
# the `GrantId` and a key identifier to identify the grant in the
|
778
|
+
# RetireGrant and RevokeGrant operations. To find the grant ID, use
|
779
|
+
# the ListGrants or ListRetirableGrants operations.
|
773
780
|
#
|
774
781
|
# For information about symmetric and asymmetric CMKs, see [Using
|
775
|
-
# Symmetric and Asymmetric CMKs][
|
776
|
-
# Developer Guide*. For more information about grants, see [Grants][
|
782
|
+
# Symmetric and Asymmetric CMKs][4] in the *AWS Key Management Service
|
783
|
+
# Developer Guide*. For more information about grants, see [Grants][1]
|
777
784
|
# in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
|
778
785
|
#
|
779
786
|
# The CMK that you use for this operation must be in a compatible key
|
780
|
-
# state. For details, see [
|
781
|
-
#
|
787
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
788
|
+
# Key Management Service Developer Guide*.
|
782
789
|
#
|
783
790
|
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
784
791
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
785
792
|
# parameter.
|
786
793
|
#
|
787
|
-
# **Required permissions**\: [kms:CreateGrant][
|
794
|
+
# **Required permissions**\: [kms:CreateGrant][6] (key policy)
|
788
795
|
#
|
789
796
|
# **Related operations:**
|
790
797
|
#
|
@@ -798,24 +805,19 @@ module Aws::KMS
|
|
798
805
|
#
|
799
806
|
#
|
800
807
|
#
|
801
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
802
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
803
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/
|
804
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
805
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
806
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
807
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
808
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
809
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
810
|
-
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
811
|
-
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
808
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
809
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
|
810
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
811
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
812
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
813
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
812
814
|
#
|
813
815
|
# @option params [required, String] :key_id
|
814
|
-
#
|
815
|
-
#
|
816
|
+
# Identifies the customer master key (CMK) for the grant. The grant
|
817
|
+
# gives principals permission to use this CMK.
|
816
818
|
#
|
817
|
-
# Specify the key ID or
|
818
|
-
#
|
819
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
820
|
+
# different AWS account, you must use the key ARN.
|
819
821
|
#
|
820
822
|
# For example:
|
821
823
|
#
|
@@ -827,8 +829,7 @@ module Aws::KMS
|
|
827
829
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
828
830
|
#
|
829
831
|
# @option params [required, String] :grantee_principal
|
830
|
-
# The
|
831
|
-
# the grant permits.
|
832
|
+
# The identity that gets the permissions specified in the grant.
|
832
833
|
#
|
833
834
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
834
835
|
# an AWS principal. Valid AWS principals include AWS accounts (root),
|
@@ -861,26 +862,52 @@ module Aws::KMS
|
|
861
862
|
# @option params [required, Array<String>] :operations
|
862
863
|
# A list of operations that the grant permits.
|
863
864
|
#
|
865
|
+
# The operation must be supported on the CMK. For example, you cannot
|
866
|
+
# create a grant for a symmetric CMK that allows the Sign operation, or
|
867
|
+
# a grant for an asymmetric CMK that allows the GenerateDataKey
|
868
|
+
# operation. If you try, AWS KMS returns a `ValidationError` exception.
|
869
|
+
# For details, see [Grant operations][1] in the *AWS Key Management
|
870
|
+
# Service Developer Guide*.
|
871
|
+
#
|
872
|
+
#
|
873
|
+
#
|
874
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
875
|
+
#
|
864
876
|
# @option params [Types::GrantConstraints] :constraints
|
865
|
-
#
|
866
|
-
#
|
867
|
-
#
|
868
|
-
#
|
869
|
-
#
|
877
|
+
# Specifies a grant constraint.
|
878
|
+
#
|
879
|
+
# AWS KMS supports the `EncryptionContextEquals` and
|
880
|
+
# `EncryptionContextSubset` grant constraints. Each constraint value can
|
881
|
+
# include up to 8 encryption context pairs. The encryption context value
|
882
|
+
# in each constraint cannot exceed 384 characters.
|
883
|
+
#
|
884
|
+
# These grant constraints allow a [cryptographic operation][1] only when
|
885
|
+
# the encryption context in the request matches
|
886
|
+
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
887
|
+
# the encryption context specified in this structure. For more
|
888
|
+
# information about encryption context, see [Encryption Context][2] in
|
889
|
+
# the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
|
890
|
+
# information about grant constraints, see [Using grant constraints][3]
|
891
|
+
# in the *AWS Key Management Service Developer Guide*.
|
870
892
|
#
|
871
|
-
#
|
872
|
-
# encryption context
|
873
|
-
#
|
893
|
+
# The encryption context grant constraints are supported only on
|
894
|
+
# operations that include an encryption context. You cannot use an
|
895
|
+
# encryption context grant constraint for cryptographic operations with
|
896
|
+
# asymmetric CMKs or for management operations, such as DescribeKey or
|
897
|
+
# RetireGrant.
|
874
898
|
#
|
875
899
|
#
|
876
900
|
#
|
877
901
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
878
902
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
903
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
879
904
|
#
|
880
905
|
# @option params [Array<String>] :grant_tokens
|
881
906
|
# A list of grant tokens.
|
882
907
|
#
|
883
|
-
#
|
908
|
+
# Use a grant token when your permission to call this operation comes
|
909
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
910
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
884
911
|
# Service Developer Guide*.
|
885
912
|
#
|
886
913
|
#
|
@@ -1009,7 +1036,31 @@ module Aws::KMS
|
|
1009
1036
|
#
|
1010
1037
|
#
|
1011
1038
|
#
|
1012
|
-
#
|
1039
|
+
# Multi-Region primary keys
|
1040
|
+
# Imported key material
|
1041
|
+
#
|
1042
|
+
# : To create a multi-Region *primary key* in the local AWS Region, use
|
1043
|
+
# the `MultiRegion` parameter with a value of `True`. To create a
|
1044
|
+
# multi-Region *replica key*, that is, a CMK with the same key ID and
|
1045
|
+
# key material as a primary key, but in a different AWS Region, use
|
1046
|
+
# the ReplicateKey operation. To change a replica key to a primary
|
1047
|
+
# key, and its primary key to a replica key, use the
|
1048
|
+
# UpdatePrimaryRegion operation.
|
1049
|
+
#
|
1050
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
1051
|
+
# lets you create multiple interoperable CMKs in different AWS
|
1052
|
+
# Regions. Because these CMKs have the same key ID, key material, and
|
1053
|
+
# other metadata, you can use them to encrypt data in one AWS Region
|
1054
|
+
# and decrypt it in a different AWS Region without making a
|
1055
|
+
# cross-Region call or exposing the plaintext data. For more
|
1056
|
+
# information about multi-Region keys, see [Using multi-Region
|
1057
|
+
# keys][5] in the *AWS Key Management Service Developer Guide*.
|
1058
|
+
#
|
1059
|
+
# You can create symmetric and asymmetric multi-Region keys and
|
1060
|
+
# multi-Region keys with imported key material. You cannot create
|
1061
|
+
# multi-Region keys in a custom key store.
|
1062
|
+
#
|
1063
|
+
#
|
1013
1064
|
#
|
1014
1065
|
# : To import your own key material, begin by creating a symmetric CMK
|
1015
1066
|
# with no key material. To do this, use the `Origin` parameter of
|
@@ -1018,33 +1069,41 @@ module Aws::KMS
|
|
1018
1069
|
# token, and use the public key to encrypt your key material. Then,
|
1019
1070
|
# use ImportKeyMaterial with your import token to import the key
|
1020
1071
|
# material. For step-by-step instructions, see [Importing Key
|
1021
|
-
# Material][
|
1072
|
+
# Material][6] in the <i> <i>AWS Key Management Service Developer
|
1022
1073
|
# Guide</i> </i>. You cannot import the key material into an
|
1023
1074
|
# asymmetric CMK.
|
1024
1075
|
#
|
1076
|
+
# To create a multi-Region primary key with imported key material, use
|
1077
|
+
# the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
|
1078
|
+
# the `MultiRegion` parameter with a value of `True`. To create
|
1079
|
+
# replicas of the multi-Region primary key, use the ReplicateKey
|
1080
|
+
# operation. For more information about multi-Region keys, see [Using
|
1081
|
+
# multi-Region keys][5] in the *AWS Key Management Service Developer
|
1082
|
+
# Guide*.
|
1083
|
+
#
|
1025
1084
|
#
|
1026
1085
|
#
|
1027
|
-
# Custom
|
1086
|
+
# Custom key store
|
1028
1087
|
#
|
1029
|
-
# : To create a symmetric CMK in a [custom key store][
|
1088
|
+
# : To create a symmetric CMK in a [custom key store][7], use the
|
1030
1089
|
# `CustomKeyStoreId` parameter to specify the custom key store. You
|
1031
1090
|
# must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
|
1032
1091
|
# The AWS CloudHSM cluster that is associated with the custom key
|
1033
1092
|
# store must have at least two active HSMs in different Availability
|
1034
1093
|
# Zones in the AWS Region.
|
1035
1094
|
#
|
1036
|
-
# You cannot create an asymmetric CMK
|
1037
|
-
# information about custom key stores in AWS KMS
|
1038
|
-
# Stores][
|
1039
|
-
# Guide</i> </i>.
|
1095
|
+
# You cannot create an asymmetric CMK or a multi-Region CMK in a
|
1096
|
+
# custom key store. For information about custom key stores in AWS KMS
|
1097
|
+
# see [Using Custom Key Stores][7] in the <i> <i>AWS Key Management
|
1098
|
+
# Service Developer Guide</i> </i>.
|
1040
1099
|
#
|
1041
1100
|
# **Cross-account use**\: No. You cannot use this operation to create a
|
1042
1101
|
# CMK in a different AWS account.
|
1043
1102
|
#
|
1044
|
-
# **Required permissions**\: [kms:CreateKey][
|
1045
|
-
# `Tags` parameter, [kms:TagResource][
|
1103
|
+
# **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
|
1104
|
+
# `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
|
1046
1105
|
# information about related permissions, see [Allow a user to create
|
1047
|
-
# CMKs][
|
1106
|
+
# CMKs][9] in the *AWS Key Management Service Developer Guide*.
|
1048
1107
|
#
|
1049
1108
|
# **Related operations:**
|
1050
1109
|
#
|
@@ -1060,10 +1119,11 @@ module Aws::KMS
|
|
1060
1119
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
|
1061
1120
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
|
1062
1121
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1063
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1064
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1065
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1066
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1122
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
1123
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1124
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1125
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1126
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
1067
1127
|
#
|
1068
1128
|
# @option params [String] :policy
|
1069
1129
|
# The key policy to attach to the CMK.
|
@@ -1107,7 +1167,7 @@ module Aws::KMS
|
|
1107
1167
|
# A description of the CMK.
|
1108
1168
|
#
|
1109
1169
|
# Use a description that helps you decide whether the CMK is appropriate
|
1110
|
-
# for a task.
|
1170
|
+
# for a task. The default value is an empty string (no description).
|
1111
1171
|
#
|
1112
1172
|
# @option params [String] :key_usage
|
1113
1173
|
# Determines the [cryptographic operations][1] for which you can use the
|
@@ -1191,20 +1251,19 @@ module Aws::KMS
|
|
1191
1251
|
# @option params [String] :origin
|
1192
1252
|
# The source of the key material for the CMK. You cannot change the
|
1193
1253
|
# origin after you create the CMK. The default is `AWS_KMS`, which means
|
1194
|
-
# AWS KMS creates the key material.
|
1254
|
+
# that AWS KMS creates the key material.
|
1195
1255
|
#
|
1196
|
-
#
|
1197
|
-
#
|
1198
|
-
#
|
1199
|
-
#
|
1200
|
-
# Key Management Service Developer Guide*. This value is valid only for
|
1256
|
+
# To create a CMK with no key material (for imported key material), set
|
1257
|
+
# the value to `EXTERNAL`. For more information about importing key
|
1258
|
+
# material into AWS KMS, see [Importing Key Material][1] in the *AWS Key
|
1259
|
+
# Management Service Developer Guide*. This value is valid only for
|
1201
1260
|
# symmetric CMKs.
|
1202
1261
|
#
|
1203
|
-
#
|
1204
|
-
#
|
1205
|
-
#
|
1206
|
-
#
|
1207
|
-
#
|
1262
|
+
# To create a CMK in an AWS KMS [custom key store][2] and create its key
|
1263
|
+
# material in the associated AWS CloudHSM cluster, set this value to
|
1264
|
+
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
|
1265
|
+
# identify the custom key store. This value is valid only for symmetric
|
1266
|
+
# CMKs.
|
1208
1267
|
#
|
1209
1268
|
#
|
1210
1269
|
#
|
@@ -1219,8 +1278,9 @@ module Aws::KMS
|
|
1219
1278
|
# with the custom key store must have at least two active HSMs, each in
|
1220
1279
|
# a different Availability Zone in the Region.
|
1221
1280
|
#
|
1222
|
-
# This parameter is valid only for symmetric CMKs
|
1223
|
-
# asymmetric CMK in a custom key
|
1281
|
+
# This parameter is valid only for symmetric CMKs and regional CMKs. You
|
1282
|
+
# cannot create an asymmetric CMK or a multi-Region CMK in a custom key
|
1283
|
+
# store.
|
1224
1284
|
#
|
1225
1285
|
# To find the ID of a custom key store, use the DescribeCustomKeyStores
|
1226
1286
|
# operation.
|
@@ -1258,25 +1318,63 @@ module Aws::KMS
|
|
1258
1318
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
1259
1319
|
#
|
1260
1320
|
# @option params [Array<Types::Tag>] :tags
|
1261
|
-
#
|
1262
|
-
#
|
1263
|
-
#
|
1321
|
+
# Assigns one or more tags to the CMK. Use this parameter to tag the CMK
|
1322
|
+
# when it is created. To tag an existing CMK, use the TagResource
|
1323
|
+
# operation.
|
1264
1324
|
#
|
1265
|
-
#
|
1266
|
-
#
|
1267
|
-
#
|
1268
|
-
# Keys][1].
|
1325
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
1326
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
|
1327
|
+
# Service Developer Guide*.
|
1269
1328
|
#
|
1270
|
-
#
|
1271
|
-
# an existing CMK, use the TagResource operation.
|
1329
|
+
# </note>
|
1272
1330
|
#
|
1273
1331
|
# To use this parameter, you must have [kms:TagResource][2] permission
|
1274
1332
|
# in an IAM policy.
|
1275
1333
|
#
|
1334
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
1335
|
+
# the tag value are required, but the tag value can be an empty (null)
|
1336
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
1337
|
+
# key. If you specify an existing tag key with a different tag value,
|
1338
|
+
# AWS KMS replaces the current tag value with the specified one.
|
1339
|
+
#
|
1340
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
1341
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
1342
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
1343
|
+
# Keys][3].
|
1276
1344
|
#
|
1277
1345
|
#
|
1278
|
-
#
|
1346
|
+
#
|
1347
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
1279
1348
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1349
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
1350
|
+
#
|
1351
|
+
# @option params [Boolean] :multi_region
|
1352
|
+
# Creates a multi-Region primary key that you can replicate into other
|
1353
|
+
# AWS Regions. You cannot change this value after you create the CMK.
|
1354
|
+
#
|
1355
|
+
# For a multi-Region key, set this parameter to `True`. For a
|
1356
|
+
# single-Region CMK, omit this parameter or set it to `False`. The
|
1357
|
+
# default value is `False`.
|
1358
|
+
#
|
1359
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
1360
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
1361
|
+
# Because these CMKs have the same key ID, key material, and other
|
1362
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
1363
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
1364
|
+
# call or exposing the plaintext data. For more information about
|
1365
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
1366
|
+
# Management Service Developer Guide*.
|
1367
|
+
#
|
1368
|
+
# This value creates a *primary key*, not a replica. To create a
|
1369
|
+
# *replica key*, use the ReplicateKey operation.
|
1370
|
+
#
|
1371
|
+
# You can create a symmetric or asymmetric multi-Region CMK, and you can
|
1372
|
+
# create a multi-Region CMK with imported key material. However, you
|
1373
|
+
# cannot create a multi-Region CMK in a custom key store.
|
1374
|
+
#
|
1375
|
+
#
|
1376
|
+
#
|
1377
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
1280
1378
|
#
|
1281
1379
|
# @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1282
1380
|
#
|
@@ -1328,6 +1426,7 @@ module Aws::KMS
|
|
1328
1426
|
# tag_value: "TagValueType", # required
|
1329
1427
|
# },
|
1330
1428
|
# ],
|
1429
|
+
# multi_region: false,
|
1331
1430
|
# })
|
1332
1431
|
#
|
1333
1432
|
# @example Response structure
|
@@ -1339,7 +1438,7 @@ module Aws::KMS
|
|
1339
1438
|
# resp.key_metadata.enabled #=> Boolean
|
1340
1439
|
# resp.key_metadata.description #=> String
|
1341
1440
|
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
1342
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
1441
|
+
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
1343
1442
|
# resp.key_metadata.deletion_date #=> Time
|
1344
1443
|
# resp.key_metadata.valid_to #=> Time
|
1345
1444
|
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
@@ -1352,6 +1451,14 @@ module Aws::KMS
|
|
1352
1451
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1353
1452
|
# resp.key_metadata.signing_algorithms #=> Array
|
1354
1453
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
1454
|
+
# resp.key_metadata.multi_region #=> Boolean
|
1455
|
+
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
1456
|
+
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
1457
|
+
# resp.key_metadata.multi_region_configuration.primary_key.region #=> String
|
1458
|
+
# resp.key_metadata.multi_region_configuration.replica_keys #=> Array
|
1459
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
1460
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
1461
|
+
# resp.key_metadata.pending_deletion_window_in_days #=> Integer
|
1355
1462
|
#
|
1356
1463
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
|
1357
1464
|
#
|
@@ -1412,8 +1519,8 @@ module Aws::KMS
|
|
1412
1519
|
# policies][4] in the *AWS Key Management Service Developer Guide*.
|
1413
1520
|
#
|
1414
1521
|
# The CMK that you use for this operation must be in a compatible key
|
1415
|
-
# state. For details, see [
|
1416
|
-
#
|
1522
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
1523
|
+
# Key Management Service Developer Guide*.
|
1417
1524
|
#
|
1418
1525
|
# **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
|
1419
1526
|
# in a different AWS account.
|
@@ -1466,8 +1573,12 @@ module Aws::KMS
|
|
1466
1573
|
# @option params [Array<String>] :grant_tokens
|
1467
1574
|
# A list of grant tokens.
|
1468
1575
|
#
|
1469
|
-
#
|
1470
|
-
#
|
1576
|
+
# Use a grant token when your permission to call this operation comes
|
1577
|
+
# from a newly created grant that has not yet achieved eventual
|
1578
|
+
# consistency. Use a grant token when your permission to call this
|
1579
|
+
# operation comes from a new grant that has not yet achieved *eventual
|
1580
|
+
# consistency*. For more information, see [Grant token][1] in the *AWS
|
1581
|
+
# Key Management Service Developer Guide*.
|
1471
1582
|
#
|
1472
1583
|
#
|
1473
1584
|
#
|
@@ -1484,10 +1595,9 @@ module Aws::KMS
|
|
1484
1595
|
# However, it is always recommended as a best practice. This practice
|
1485
1596
|
# ensures that you use the CMK that you intend.
|
1486
1597
|
#
|
1487
|
-
# To specify a CMK, use its key ID,
|
1488
|
-
#
|
1489
|
-
#
|
1490
|
-
# the key ARN or alias ARN.
|
1598
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1599
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
1600
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
1491
1601
|
#
|
1492
1602
|
# For example:
|
1493
1603
|
#
|
@@ -1565,6 +1675,12 @@ module Aws::KMS
|
|
1565
1675
|
|
1566
1676
|
# Deletes the specified alias.
|
1567
1677
|
#
|
1678
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
1679
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
1680
|
+
# Management Service Developer Guide*.
|
1681
|
+
#
|
1682
|
+
# </note>
|
1683
|
+
#
|
1568
1684
|
# Because an alias is not a property of a CMK, you can delete and change
|
1569
1685
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
1570
1686
|
# appear in the response from the DescribeKey operation. To get the
|
@@ -1580,11 +1696,11 @@ module Aws::KMS
|
|
1580
1696
|
#
|
1581
1697
|
# **Required permissions**
|
1582
1698
|
#
|
1583
|
-
# * [kms:DeleteAlias][
|
1699
|
+
# * [kms:DeleteAlias][2] on the alias (IAM policy).
|
1584
1700
|
#
|
1585
|
-
# * [kms:DeleteAlias][
|
1701
|
+
# * [kms:DeleteAlias][2] on the CMK (key policy).
|
1586
1702
|
#
|
1587
|
-
# For details, see [Controlling access to aliases][
|
1703
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
1588
1704
|
# Management Service Developer Guide*.
|
1589
1705
|
#
|
1590
1706
|
# **Related operations:**
|
@@ -1597,8 +1713,9 @@ module Aws::KMS
|
|
1597
1713
|
#
|
1598
1714
|
#
|
1599
1715
|
#
|
1600
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1601
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
1716
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
1717
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1718
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
1602
1719
|
#
|
1603
1720
|
# @option params [required, String] :alias_name
|
1604
1721
|
# The alias to be deleted. The alias name must begin with `alias/`
|
@@ -1721,8 +1838,8 @@ module Aws::KMS
|
|
1721
1838
|
# reimport the same key material into the CMK.
|
1722
1839
|
#
|
1723
1840
|
# The CMK that you use for this operation must be in a compatible key
|
1724
|
-
# state. For details, see [
|
1725
|
-
#
|
1841
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
1842
|
+
# Key Management Service Developer Guide*.
|
1726
1843
|
#
|
1727
1844
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
1728
1845
|
# in a different AWS account.
|
@@ -1746,7 +1863,7 @@ module Aws::KMS
|
|
1746
1863
|
# Identifies the CMK from which you are deleting imported key material.
|
1747
1864
|
# The `Origin` of the CMK must be `EXTERNAL`.
|
1748
1865
|
#
|
1749
|
-
# Specify the key ID or
|
1866
|
+
# Specify the key ID or key ARN of the CMK.
|
1750
1867
|
#
|
1751
1868
|
# For example:
|
1752
1869
|
#
|
@@ -1784,14 +1901,14 @@ module Aws::KMS
|
|
1784
1901
|
end
|
1785
1902
|
|
1786
1903
|
# Gets information about [custom key stores][1] in the account and
|
1787
|
-
#
|
1904
|
+
# Region.
|
1788
1905
|
#
|
1789
1906
|
# This operation is part of the [Custom Key Store feature][1] feature in
|
1790
1907
|
# AWS KMS, which combines the convenience and extensive integration of
|
1791
1908
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
1792
1909
|
#
|
1793
1910
|
# By default, this operation returns information about all custom key
|
1794
|
-
# stores in the account and
|
1911
|
+
# stores in the account and Region. To get only information about a
|
1795
1912
|
# particular custom key store, use either the `CustomKeyStoreName` or
|
1796
1913
|
# `CustomKeyStoreId` parameter (but not both).
|
1797
1914
|
#
|
@@ -1842,7 +1959,7 @@ module Aws::KMS
|
|
1842
1959
|
# key store ID.
|
1843
1960
|
#
|
1844
1961
|
# By default, this operation gets information about all custom key
|
1845
|
-
# stores in the account and
|
1962
|
+
# stores in the account and Region. To limit the output to a particular
|
1846
1963
|
# custom key store, you can use either the `CustomKeyStoreId` or
|
1847
1964
|
# `CustomKeyStoreName` parameter, but not both.
|
1848
1965
|
#
|
@@ -1851,7 +1968,7 @@ module Aws::KMS
|
|
1851
1968
|
# friendly name of the custom key store.
|
1852
1969
|
#
|
1853
1970
|
# By default, this operation gets information about all custom key
|
1854
|
-
# stores in the account and
|
1971
|
+
# stores in the account and Region. To limit the output to a particular
|
1855
1972
|
# custom key store, you can use either the `CustomKeyStoreId` or
|
1856
1973
|
# `CustomKeyStoreName` parameter, but not both.
|
1857
1974
|
#
|
@@ -1974,10 +2091,9 @@ module Aws::KMS
|
|
1974
2091
|
# KMS associates the alias with an [AWS managed CMK][1] and returns its
|
1975
2092
|
# `KeyId` and `Arn` in the response.
|
1976
2093
|
#
|
1977
|
-
# To specify a CMK, use its key ID,
|
1978
|
-
#
|
1979
|
-
#
|
1980
|
-
# the key ARN or alias ARN.
|
2094
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2095
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2096
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
1981
2097
|
#
|
1982
2098
|
# For example:
|
1983
2099
|
#
|
@@ -2000,7 +2116,9 @@ module Aws::KMS
|
|
2000
2116
|
# @option params [Array<String>] :grant_tokens
|
2001
2117
|
# A list of grant tokens.
|
2002
2118
|
#
|
2003
|
-
#
|
2119
|
+
# Use a grant token when your permission to call this operation comes
|
2120
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2121
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2004
2122
|
# Service Developer Guide*.
|
2005
2123
|
#
|
2006
2124
|
#
|
@@ -2012,9 +2130,9 @@ module Aws::KMS
|
|
2012
2130
|
# * {Types::DescribeKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
|
2013
2131
|
#
|
2014
2132
|
#
|
2015
|
-
# @example Example: To
|
2133
|
+
# @example Example: To get details about a customer master key (CMK)
|
2016
2134
|
#
|
2017
|
-
# # The following example
|
2135
|
+
# # The following example gets metadata about a symmetric CMK.
|
2018
2136
|
#
|
2019
2137
|
# resp = client.describe_key({
|
2020
2138
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
|
@@ -2026,12 +2144,17 @@ module Aws::KMS
|
|
2026
2144
|
# aws_account_id: "111122223333",
|
2027
2145
|
# arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
|
2028
2146
|
# creation_date: Time.parse("2017-07-05T14:04:55-07:00"),
|
2147
|
+
# customer_master_key_spec: "SYMMETRIC_DEFAULT",
|
2029
2148
|
# description: "",
|
2030
2149
|
# enabled: true,
|
2150
|
+
# encryption_algorithms: [
|
2151
|
+
# "SYMMETRIC_DEFAULT",
|
2152
|
+
# ],
|
2031
2153
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
|
2032
2154
|
# key_manager: "CUSTOMER",
|
2033
2155
|
# key_state: "Enabled",
|
2034
2156
|
# key_usage: "ENCRYPT_DECRYPT",
|
2157
|
+
# multi_region: false,
|
2035
2158
|
# origin: "AWS_KMS",
|
2036
2159
|
# }, # An object that contains information about the specified CMK.
|
2037
2160
|
# }
|
@@ -2052,7 +2175,7 @@ module Aws::KMS
|
|
2052
2175
|
# resp.key_metadata.enabled #=> Boolean
|
2053
2176
|
# resp.key_metadata.description #=> String
|
2054
2177
|
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
2055
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
2178
|
+
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
2056
2179
|
# resp.key_metadata.deletion_date #=> Time
|
2057
2180
|
# resp.key_metadata.valid_to #=> Time
|
2058
2181
|
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
@@ -2065,6 +2188,14 @@ module Aws::KMS
|
|
2065
2188
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
2066
2189
|
# resp.key_metadata.signing_algorithms #=> Array
|
2067
2190
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
2191
|
+
# resp.key_metadata.multi_region #=> Boolean
|
2192
|
+
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
2193
|
+
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
2194
|
+
# resp.key_metadata.multi_region_configuration.primary_key.region #=> String
|
2195
|
+
# resp.key_metadata.multi_region_configuration.replica_keys #=> Array
|
2196
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
2197
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
2198
|
+
# resp.key_metadata.pending_deletion_window_in_days #=> Integer
|
2068
2199
|
#
|
2069
2200
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
|
2070
2201
|
#
|
@@ -2079,12 +2210,12 @@ module Aws::KMS
|
|
2079
2210
|
# temporarily prevents use of the CMK for [cryptographic operations][1].
|
2080
2211
|
#
|
2081
2212
|
# For more information about how key state affects the use of a CMK, see
|
2082
|
-
# [
|
2083
|
-
#
|
2213
|
+
# [Key state: Effect on your CMK][2] in the <i> <i>AWS Key Management
|
2214
|
+
# Service Developer Guide</i> </i>.
|
2084
2215
|
#
|
2085
2216
|
# The CMK that you use for this operation must be in a compatible key
|
2086
|
-
# state. For details, see [
|
2087
|
-
#
|
2217
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2218
|
+
# Key Management Service Developer Guide*.
|
2088
2219
|
#
|
2089
2220
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2090
2221
|
# in a different AWS account.
|
@@ -2100,9 +2231,9 @@ module Aws::KMS
|
|
2100
2231
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2101
2232
|
#
|
2102
2233
|
# @option params [required, String] :key_id
|
2103
|
-
#
|
2234
|
+
# Identifies the customer master key (CMK) to disable.
|
2104
2235
|
#
|
2105
|
-
# Specify the key ID or
|
2236
|
+
# Specify the key ID or key ARN of the CMK.
|
2106
2237
|
#
|
2107
2238
|
# For example:
|
2108
2239
|
#
|
@@ -2142,17 +2273,19 @@ module Aws::KMS
|
|
2142
2273
|
# Disables [automatic rotation of the key material][1] for the specified
|
2143
2274
|
# symmetric customer master key (CMK).
|
2144
2275
|
#
|
2145
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
2146
|
-
# imported key material, or CMKs in a [custom key store][
|
2276
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
2277
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
2278
|
+
# To enable or disable automatic rotation of a set of related
|
2279
|
+
# [multi-Region keys][5], set the property on the primary key.
|
2147
2280
|
#
|
2148
2281
|
# The CMK that you use for this operation must be in a compatible key
|
2149
|
-
# state. For details, see [
|
2150
|
-
#
|
2282
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
2283
|
+
# Key Management Service Developer Guide*.
|
2151
2284
|
#
|
2152
2285
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2153
2286
|
# in a different AWS account.
|
2154
2287
|
#
|
2155
|
-
# **Required permissions**\: [kms:DisableKeyRotation][
|
2288
|
+
# **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
|
2156
2289
|
#
|
2157
2290
|
# **Related operations:**
|
2158
2291
|
#
|
@@ -2163,16 +2296,19 @@ module Aws::KMS
|
|
2163
2296
|
#
|
2164
2297
|
#
|
2165
2298
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2166
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2167
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2168
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2299
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2300
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2301
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2302
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2303
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2304
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2169
2305
|
#
|
2170
2306
|
# @option params [required, String] :key_id
|
2171
2307
|
# Identifies a symmetric customer master key (CMK). You cannot enable or
|
2172
2308
|
# disable automatic rotation of [asymmetric CMKs][1], CMKs with
|
2173
2309
|
# [imported key material][2], or CMKs in a [custom key store][3].
|
2174
2310
|
#
|
2175
|
-
# Specify the key ID or
|
2311
|
+
# Specify the key ID or key ARN of the CMK.
|
2176
2312
|
#
|
2177
2313
|
# For example:
|
2178
2314
|
#
|
@@ -2291,8 +2427,8 @@ module Aws::KMS
|
|
2291
2427
|
# allows you to use the CMK for [cryptographic operations][1].
|
2292
2428
|
#
|
2293
2429
|
# The CMK that you use for this operation must be in a compatible key
|
2294
|
-
# state. For details, see [
|
2295
|
-
#
|
2430
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2431
|
+
# Key Management Service Developer Guide*.
|
2296
2432
|
#
|
2297
2433
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2298
2434
|
# in a different AWS account.
|
@@ -2308,9 +2444,9 @@ module Aws::KMS
|
|
2308
2444
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2309
2445
|
#
|
2310
2446
|
# @option params [required, String] :key_id
|
2311
|
-
#
|
2447
|
+
# Identifies the customer master key (CMK) to enable.
|
2312
2448
|
#
|
2313
|
-
# Specify the key ID or
|
2449
|
+
# Specify the key ID or key ARN of the CMK.
|
2314
2450
|
#
|
2315
2451
|
# For example:
|
2316
2452
|
#
|
@@ -2350,17 +2486,19 @@ module Aws::KMS
|
|
2350
2486
|
# Enables [automatic rotation of the key material][1] for the specified
|
2351
2487
|
# symmetric customer master key (CMK).
|
2352
2488
|
#
|
2353
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
2354
|
-
# imported key material, or CMKs in a [custom key store][
|
2489
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
2490
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
2491
|
+
# To enable or disable automatic rotation of a set of related
|
2492
|
+
# [multi-Region keys][5], set the property on the primary key.
|
2355
2493
|
#
|
2356
2494
|
# The CMK that you use for this operation must be in a compatible key
|
2357
|
-
# state. For details, see [
|
2358
|
-
#
|
2495
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
2496
|
+
# Key Management Service Developer Guide*.
|
2359
2497
|
#
|
2360
2498
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2361
2499
|
# in a different AWS account.
|
2362
2500
|
#
|
2363
|
-
# **Required permissions**\: [kms:EnableKeyRotation][
|
2501
|
+
# **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
|
2364
2502
|
#
|
2365
2503
|
# **Related operations:**
|
2366
2504
|
#
|
@@ -2371,16 +2509,21 @@ module Aws::KMS
|
|
2371
2509
|
#
|
2372
2510
|
#
|
2373
2511
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2374
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2375
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2376
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2512
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2513
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2514
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2515
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2516
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2517
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2377
2518
|
#
|
2378
2519
|
# @option params [required, String] :key_id
|
2379
2520
|
# Identifies a symmetric customer master key (CMK). You cannot enable
|
2380
|
-
# automatic rotation of asymmetric CMKs, CMKs with imported key
|
2381
|
-
# material, or CMKs in a [custom key store][
|
2521
|
+
# automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
|
2522
|
+
# material][2], or CMKs in a [custom key store][3]. To enable or disable
|
2523
|
+
# automatic rotation of a set of related [multi-Region keys][4], set the
|
2524
|
+
# property on the primary key.
|
2382
2525
|
#
|
2383
|
-
# Specify the key ID or
|
2526
|
+
# Specify the key ID or key ARN of the CMK.
|
2384
2527
|
#
|
2385
2528
|
# For example:
|
2386
2529
|
#
|
@@ -2393,7 +2536,10 @@ module Aws::KMS
|
|
2393
2536
|
#
|
2394
2537
|
#
|
2395
2538
|
#
|
2396
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2539
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2540
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2541
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2542
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2397
2543
|
#
|
2398
2544
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
2399
2545
|
#
|
@@ -2496,8 +2642,8 @@ module Aws::KMS
|
|
2496
2642
|
# * `RSAES_OAEP_SHA_256`\: 446 bytes
|
2497
2643
|
#
|
2498
2644
|
# The CMK that you use for this operation must be in a compatible key
|
2499
|
-
# state. For details, see [
|
2500
|
-
#
|
2645
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2646
|
+
# Key Management Service Developer Guide*.
|
2501
2647
|
#
|
2502
2648
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2503
2649
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -2520,12 +2666,12 @@ module Aws::KMS
|
|
2520
2666
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2521
2667
|
#
|
2522
2668
|
# @option params [required, String] :key_id
|
2523
|
-
#
|
2669
|
+
# Identifies the customer master key (CMK) to use in the encryption
|
2670
|
+
# operation.
|
2524
2671
|
#
|
2525
|
-
# To specify a CMK, use its key ID,
|
2526
|
-
#
|
2527
|
-
#
|
2528
|
-
# the key ARN or alias ARN.
|
2672
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2673
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2674
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2529
2675
|
#
|
2530
2676
|
# For example:
|
2531
2677
|
#
|
@@ -2569,7 +2715,9 @@ module Aws::KMS
|
|
2569
2715
|
# @option params [Array<String>] :grant_tokens
|
2570
2716
|
# A list of grant tokens.
|
2571
2717
|
#
|
2572
|
-
#
|
2718
|
+
# Use a grant token when your permission to call this operation comes
|
2719
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2720
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2573
2721
|
# Service Developer Guide*.
|
2574
2722
|
#
|
2575
2723
|
#
|
@@ -2666,8 +2814,8 @@ module Aws::KMS
|
|
2666
2814
|
# Service Developer Guide*.
|
2667
2815
|
#
|
2668
2816
|
# The CMK that you use for this operation must be in a compatible key
|
2669
|
-
# state. For details, see [
|
2670
|
-
#
|
2817
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2818
|
+
# Key Management Service Developer Guide*.
|
2671
2819
|
#
|
2672
2820
|
# **How to use your data key**
|
2673
2821
|
#
|
@@ -2726,10 +2874,9 @@ module Aws::KMS
|
|
2726
2874
|
# @option params [required, String] :key_id
|
2727
2875
|
# Identifies the symmetric CMK that encrypts the data key.
|
2728
2876
|
#
|
2729
|
-
# To specify a CMK, use its key ID,
|
2730
|
-
#
|
2731
|
-
#
|
2732
|
-
# the key ARN or alias ARN.
|
2877
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2878
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2879
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2733
2880
|
#
|
2734
2881
|
# For example:
|
2735
2882
|
#
|
@@ -2783,7 +2930,9 @@ module Aws::KMS
|
|
2783
2930
|
# @option params [Array<String>] :grant_tokens
|
2784
2931
|
# A list of grant tokens.
|
2785
2932
|
#
|
2786
|
-
#
|
2933
|
+
# Use a grant token when your permission to call this operation comes
|
2934
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2935
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2787
2936
|
# Service Developer Guide*.
|
2788
2937
|
#
|
2789
2938
|
#
|
@@ -2880,8 +3029,8 @@ module Aws::KMS
|
|
2880
3029
|
# Service Developer Guide*.
|
2881
3030
|
#
|
2882
3031
|
# The CMK that you use for this operation must be in a compatible key
|
2883
|
-
# state. For details, see [
|
2884
|
-
#
|
3032
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3033
|
+
# Key Management Service Developer Guide*.
|
2885
3034
|
#
|
2886
3035
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2887
3036
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -2931,10 +3080,9 @@ module Aws::KMS
|
|
2931
3080
|
# key store. To get the type and origin of your CMK, use the DescribeKey
|
2932
3081
|
# operation.
|
2933
3082
|
#
|
2934
|
-
# To specify a CMK, use its key ID,
|
2935
|
-
#
|
2936
|
-
#
|
2937
|
-
# the key ARN or alias ARN.
|
3083
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3084
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3085
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2938
3086
|
#
|
2939
3087
|
# For example:
|
2940
3088
|
#
|
@@ -2961,7 +3109,9 @@ module Aws::KMS
|
|
2961
3109
|
# @option params [Array<String>] :grant_tokens
|
2962
3110
|
# A list of grant tokens.
|
2963
3111
|
#
|
2964
|
-
#
|
3112
|
+
# Use a grant token when your permission to call this operation comes
|
3113
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3114
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2965
3115
|
# Service Developer Guide*.
|
2966
3116
|
#
|
2967
3117
|
#
|
@@ -3035,8 +3185,8 @@ module Aws::KMS
|
|
3035
3185
|
# Service Developer Guide*.
|
3036
3186
|
#
|
3037
3187
|
# The CMK that you use for this operation must be in a compatible key
|
3038
|
-
# state. For details, see [
|
3039
|
-
#
|
3188
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3189
|
+
# Key Management Service Developer Guide*.
|
3040
3190
|
#
|
3041
3191
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3042
3192
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3087,10 +3237,9 @@ module Aws::KMS
|
|
3087
3237
|
# a CMK in a custom key store. To get the type and origin of your CMK,
|
3088
3238
|
# use the DescribeKey operation.
|
3089
3239
|
#
|
3090
|
-
# To specify a CMK, use its key ID,
|
3091
|
-
#
|
3092
|
-
#
|
3093
|
-
# the key ARN or alias ARN.
|
3240
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3241
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3242
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3094
3243
|
#
|
3095
3244
|
# For example:
|
3096
3245
|
#
|
@@ -3117,7 +3266,9 @@ module Aws::KMS
|
|
3117
3266
|
# @option params [Array<String>] :grant_tokens
|
3118
3267
|
# A list of grant tokens.
|
3119
3268
|
#
|
3120
|
-
#
|
3269
|
+
# Use a grant token when your permission to call this operation comes
|
3270
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3271
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3121
3272
|
# Service Developer Guide*.
|
3122
3273
|
#
|
3123
3274
|
#
|
@@ -3200,8 +3351,8 @@ module Aws::KMS
|
|
3200
3351
|
# Service Developer Guide*.
|
3201
3352
|
#
|
3202
3353
|
# The CMK that you use for this operation must be in a compatible key
|
3203
|
-
# state. For details, see [
|
3204
|
-
#
|
3354
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3355
|
+
# Key Management Service Developer Guide*.
|
3205
3356
|
#
|
3206
3357
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3207
3358
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3232,10 +3383,9 @@ module Aws::KMS
|
|
3232
3383
|
# The identifier of the symmetric customer master key (CMK) that
|
3233
3384
|
# encrypts the data key.
|
3234
3385
|
#
|
3235
|
-
# To specify a CMK, use its key ID,
|
3236
|
-
#
|
3237
|
-
#
|
3238
|
-
# the key ARN or alias ARN.
|
3386
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3387
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3388
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3239
3389
|
#
|
3240
3390
|
# For example:
|
3241
3391
|
#
|
@@ -3282,7 +3432,9 @@ module Aws::KMS
|
|
3282
3432
|
# @option params [Array<String>] :grant_tokens
|
3283
3433
|
# A list of grant tokens.
|
3284
3434
|
#
|
3285
|
-
#
|
3435
|
+
# Use a grant token when your permission to call this operation comes
|
3436
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3437
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3286
3438
|
# Service Developer Guide*.
|
3287
3439
|
#
|
3288
3440
|
#
|
@@ -3345,14 +3497,14 @@ module Aws::KMS
|
|
3345
3497
|
# ID.
|
3346
3498
|
#
|
3347
3499
|
# For more information about entropy and random number generation, see
|
3348
|
-
#
|
3500
|
+
# [AWS Key Management Service Cryptographic Details][2].
|
3349
3501
|
#
|
3350
3502
|
# **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
|
3351
3503
|
#
|
3352
3504
|
#
|
3353
3505
|
#
|
3354
3506
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3355
|
-
# [2]: https://
|
3507
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
|
3356
3508
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3357
3509
|
#
|
3358
3510
|
# @option params [Integer] :number_of_bytes
|
@@ -3419,9 +3571,9 @@ module Aws::KMS
|
|
3419
3571
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3420
3572
|
#
|
3421
3573
|
# @option params [required, String] :key_id
|
3422
|
-
#
|
3574
|
+
# Gets the key policy for the specified customer master key (CMK).
|
3423
3575
|
#
|
3424
|
-
# Specify the key ID or
|
3576
|
+
# Specify the key ID or key ARN of the CMK.
|
3425
3577
|
#
|
3426
3578
|
# For example:
|
3427
3579
|
#
|
@@ -3479,13 +3631,15 @@ module Aws::KMS
|
|
3479
3631
|
# key material][1] is enabled for the specified customer master key
|
3480
3632
|
# (CMK).
|
3481
3633
|
#
|
3482
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
3483
|
-
# imported key material, or CMKs in a [custom key store][
|
3634
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
3635
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
3636
|
+
# To enable or disable automatic rotation of a set of related
|
3637
|
+
# [multi-Region keys][5], set the property on the primary key. The key
|
3484
3638
|
# rotation status for these CMKs is always `false`.
|
3485
3639
|
#
|
3486
3640
|
# The CMK that you use for this operation must be in a compatible key
|
3487
|
-
# state. For details, see [
|
3488
|
-
#
|
3641
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
3642
|
+
# Key Management Service Developer Guide*.
|
3489
3643
|
#
|
3490
3644
|
# * Disabled: The key rotation status does not change when you disable a
|
3491
3645
|
# CMK. However, while the CMK is disabled, AWS KMS does not rotate the
|
@@ -3500,7 +3654,7 @@ module Aws::KMS
|
|
3500
3654
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
3501
3655
|
# parameter.
|
3502
3656
|
#
|
3503
|
-
# **Required permissions**\: [kms:GetKeyRotationStatus][
|
3657
|
+
# **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
|
3504
3658
|
#
|
3505
3659
|
# **Related operations:**
|
3506
3660
|
#
|
@@ -3511,15 +3665,18 @@ module Aws::KMS
|
|
3511
3665
|
#
|
3512
3666
|
#
|
3513
3667
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
3514
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3515
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3516
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3668
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
3669
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3670
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3671
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
3672
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3673
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3517
3674
|
#
|
3518
3675
|
# @option params [required, String] :key_id
|
3519
|
-
#
|
3676
|
+
# Gets the rotation status for the specified customer master key (CMK).
|
3520
3677
|
#
|
3521
|
-
# Specify the key ID or
|
3522
|
-
#
|
3678
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
3679
|
+
# different AWS account, you must use the key ARN.
|
3523
3680
|
#
|
3524
3681
|
# For example:
|
3525
3682
|
#
|
@@ -3591,8 +3748,8 @@ module Aws::KMS
|
|
3591
3748
|
# `GetParametersForImport` request.
|
3592
3749
|
#
|
3593
3750
|
# The CMK that you use for this operation must be in a compatible key
|
3594
|
-
# state. For details, see [
|
3595
|
-
#
|
3751
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3752
|
+
# Key Management Service Developer Guide*.
|
3596
3753
|
#
|
3597
3754
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3598
3755
|
# in a different AWS account.
|
@@ -3616,7 +3773,7 @@ module Aws::KMS
|
|
3616
3773
|
# The identifier of the symmetric CMK into which you will import key
|
3617
3774
|
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
3618
3775
|
#
|
3619
|
-
# Specify the key ID or
|
3776
|
+
# Specify the key ID or key ARN of the CMK.
|
3620
3777
|
#
|
3621
3778
|
# For example:
|
3622
3779
|
#
|
@@ -3730,8 +3887,8 @@ module Aws::KMS
|
|
3730
3887
|
# algorithm in a verification operation.
|
3731
3888
|
#
|
3732
3889
|
# The CMK that you use for this operation must be in a compatible key
|
3733
|
-
# state. For details, see [
|
3734
|
-
#
|
3890
|
+
# state. For details, see [Key state: Effect on your CMK][7] in the *AWS
|
3891
|
+
# Key Management Service Developer Guide*.
|
3735
3892
|
#
|
3736
3893
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3737
3894
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3755,10 +3912,9 @@ module Aws::KMS
|
|
3755
3912
|
# @option params [required, String] :key_id
|
3756
3913
|
# Identifies the asymmetric CMK that includes the public key.
|
3757
3914
|
#
|
3758
|
-
# To specify a CMK, use its key ID,
|
3759
|
-
#
|
3760
|
-
#
|
3761
|
-
# the key ARN or alias ARN.
|
3915
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3916
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3917
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3762
3918
|
#
|
3763
3919
|
# For example:
|
3764
3920
|
#
|
@@ -3777,7 +3933,9 @@ module Aws::KMS
|
|
3777
3933
|
# @option params [Array<String>] :grant_tokens
|
3778
3934
|
# A list of grant tokens.
|
3779
3935
|
#
|
3780
|
-
#
|
3936
|
+
# Use a grant token when your permission to call this operation comes
|
3937
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3938
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3781
3939
|
# Service Developer Guide*.
|
3782
3940
|
#
|
3783
3941
|
#
|
@@ -3870,8 +4028,8 @@ module Aws::KMS
|
|
3870
4028
|
# Service Developer Guide*.
|
3871
4029
|
#
|
3872
4030
|
# The CMK that you use for this operation must be in a compatible key
|
3873
|
-
# state. For details, see [
|
3874
|
-
#
|
4031
|
+
# state. For details, see [Key state: Effect on your CMK][4] in the *AWS
|
4032
|
+
# Key Management Service Developer Guide*.
|
3875
4033
|
#
|
3876
4034
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3877
4035
|
# in a different AWS account.
|
@@ -3898,7 +4056,7 @@ module Aws::KMS
|
|
3898
4056
|
# same CMK specified in the `KeyID` parameter of the corresponding
|
3899
4057
|
# GetParametersForImport request.
|
3900
4058
|
#
|
3901
|
-
# Specify the key ID or
|
4059
|
+
# Specify the key ID or key ARN of the CMK.
|
3902
4060
|
#
|
3903
4061
|
# For example:
|
3904
4062
|
#
|
@@ -4014,7 +4172,7 @@ module Aws::KMS
|
|
4014
4172
|
# This parameter is optional. If you omit it, `ListAliases` returns all
|
4015
4173
|
# aliases in the account and Region.
|
4016
4174
|
#
|
4017
|
-
# Specify the key ID or
|
4175
|
+
# Specify the key ID or key ARN of the CMK.
|
4018
4176
|
#
|
4019
4177
|
# For example:
|
4020
4178
|
#
|
@@ -4131,6 +4289,9 @@ module Aws::KMS
|
|
4131
4289
|
|
4132
4290
|
# Gets a list of all grants for the specified customer master key (CMK).
|
4133
4291
|
#
|
4292
|
+
# You must specify the CMK in all requests. You can filter the grant
|
4293
|
+
# list by grant ID or grantee principal.
|
4294
|
+
#
|
4134
4295
|
# <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
|
4135
4296
|
# contains the user or role designated as the grantee principal in the
|
4136
4297
|
# grant. However, when the grantee principal in the grant is an AWS
|
@@ -4175,10 +4336,11 @@ module Aws::KMS
|
|
4175
4336
|
# from the truncated response you just received.
|
4176
4337
|
#
|
4177
4338
|
# @option params [required, String] :key_id
|
4178
|
-
#
|
4339
|
+
# Returns only grants for the specified customer master key (CMK). This
|
4340
|
+
# parameter is required.
|
4179
4341
|
#
|
4180
|
-
# Specify the key ID or
|
4181
|
-
#
|
4342
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
4343
|
+
# different AWS account, you must use the key ARN.
|
4182
4344
|
#
|
4183
4345
|
# For example:
|
4184
4346
|
#
|
@@ -4189,6 +4351,14 @@ module Aws::KMS
|
|
4189
4351
|
#
|
4190
4352
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4191
4353
|
#
|
4354
|
+
# @option params [String] :grant_id
|
4355
|
+
# Returns only the grant with the specified grant ID. The grant ID
|
4356
|
+
# uniquely identifies the grant.
|
4357
|
+
#
|
4358
|
+
# @option params [String] :grantee_principal
|
4359
|
+
# Returns only grants where the specified principal is the grantee
|
4360
|
+
# principal for the grant.
|
4361
|
+
#
|
4192
4362
|
# @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
4193
4363
|
#
|
4194
4364
|
# * {Types::ListGrantsResponse#grants #grants} => Array<Types::GrantListEntry>
|
@@ -4270,6 +4440,8 @@ module Aws::KMS
|
|
4270
4440
|
# limit: 1,
|
4271
4441
|
# marker: "MarkerType",
|
4272
4442
|
# key_id: "KeyIdType", # required
|
4443
|
+
# grant_id: "GrantIdType",
|
4444
|
+
# grantee_principal: "PrincipalIdType",
|
4273
4445
|
# })
|
4274
4446
|
#
|
4275
4447
|
# @example Response structure
|
@@ -4321,9 +4493,10 @@ module Aws::KMS
|
|
4321
4493
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4322
4494
|
#
|
4323
4495
|
# @option params [required, String] :key_id
|
4324
|
-
#
|
4496
|
+
# Gets the names of key policies for the specified customer master key
|
4497
|
+
# (CMK).
|
4325
4498
|
#
|
4326
|
-
# Specify the key ID or
|
4499
|
+
# Specify the key ID or key ARN of the CMK.
|
4327
4500
|
#
|
4328
4501
|
# For example:
|
4329
4502
|
#
|
@@ -4524,6 +4697,10 @@ module Aws::KMS
|
|
4524
4697
|
#
|
4525
4698
|
# **Related operations:**
|
4526
4699
|
#
|
4700
|
+
# * CreateKey
|
4701
|
+
#
|
4702
|
+
# * ReplicateKey
|
4703
|
+
#
|
4527
4704
|
# * TagResource
|
4528
4705
|
#
|
4529
4706
|
# * UntagResource
|
@@ -4535,9 +4712,9 @@ module Aws::KMS
|
|
4535
4712
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4536
4713
|
#
|
4537
4714
|
# @option params [required, String] :key_id
|
4538
|
-
#
|
4715
|
+
# Gets tags on the specified customer master key (CMK).
|
4539
4716
|
#
|
4540
|
-
# Specify the key ID or
|
4717
|
+
# Specify the key ID or key ARN of the CMK.
|
4541
4718
|
#
|
4542
4719
|
# For example:
|
4543
4720
|
#
|
@@ -4623,8 +4800,10 @@ module Aws::KMS
|
|
4623
4800
|
req.send_request(options)
|
4624
4801
|
end
|
4625
4802
|
|
4626
|
-
# Returns all grants in
|
4627
|
-
#
|
4803
|
+
# Returns information about all grants in the AWS account and Region
|
4804
|
+
# that have the specified retiring principal. For more information about
|
4805
|
+
# grants, see [Grants][1] in the <i> <i>AWS Key Management Service
|
4806
|
+
# Developer Guide</i> </i>.
|
4628
4807
|
#
|
4629
4808
|
# You can specify any principal in your AWS account. The grants that are
|
4630
4809
|
# returned include grants for CMKs in your AWS account and other AWS
|
@@ -4638,7 +4817,7 @@ module Aws::KMS
|
|
4638
4817
|
# You do not need `kms:ListRetirableGrants` permission (or any other
|
4639
4818
|
# additional permission) in any AWS account other than your own.
|
4640
4819
|
#
|
4641
|
-
# **Required permissions**\: [kms:ListRetirableGrants][
|
4820
|
+
# **Required permissions**\: [kms:ListRetirableGrants][2] (IAM policy)
|
4642
4821
|
# in your AWS account.
|
4643
4822
|
#
|
4644
4823
|
# **Related operations:**
|
@@ -4653,7 +4832,8 @@ module Aws::KMS
|
|
4653
4832
|
#
|
4654
4833
|
#
|
4655
4834
|
#
|
4656
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4835
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
4836
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4657
4837
|
#
|
4658
4838
|
# @option params [Integer] :limit
|
4659
4839
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -4778,9 +4958,9 @@ module Aws::KMS
|
|
4778
4958
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4779
4959
|
#
|
4780
4960
|
# @option params [required, String] :key_id
|
4781
|
-
#
|
4961
|
+
# Sets the key policy on the specified customer master key (CMK).
|
4782
4962
|
#
|
4783
|
-
# Specify the key ID or
|
4963
|
+
# Specify the key ID or key ARN of the CMK.
|
4784
4964
|
#
|
4785
4965
|
# For example:
|
4786
4966
|
#
|
@@ -4933,8 +5113,8 @@ module Aws::KMS
|
|
4933
5113
|
# asymmetric key ciphertext does not include configurable fields.
|
4934
5114
|
#
|
4935
5115
|
# The CMK that you use for this operation must be in a compatible key
|
4936
|
-
# state. For details, see [
|
4937
|
-
#
|
5116
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
5117
|
+
# Key Management Service Developer Guide*.
|
4938
5118
|
#
|
4939
5119
|
# **Cross-account use**\: Yes. The source CMK and destination CMK can be
|
4940
5120
|
# in different AWS accounts. Either or both CMKs can be in a different
|
@@ -5007,10 +5187,9 @@ module Aws::KMS
|
|
5007
5187
|
# However, it is always recommended as a best practice. This practice
|
5008
5188
|
# ensures that you use the CMK that you intend.
|
5009
5189
|
#
|
5010
|
-
# To specify a CMK, use its key ID,
|
5011
|
-
#
|
5012
|
-
#
|
5013
|
-
# the key ARN or alias ARN.
|
5190
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
5191
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
5192
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5014
5193
|
#
|
5015
5194
|
# For example:
|
5016
5195
|
#
|
@@ -5032,10 +5211,9 @@ module Aws::KMS
|
|
5032
5211
|
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
|
5033
5212
|
# DescribeKey operation.
|
5034
5213
|
#
|
5035
|
-
# To specify a CMK, use its key ID,
|
5036
|
-
#
|
5037
|
-
#
|
5038
|
-
# the key ARN or alias ARN.
|
5214
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
5215
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
5216
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5039
5217
|
#
|
5040
5218
|
# For example:
|
5041
5219
|
#
|
@@ -5096,7 +5274,9 @@ module Aws::KMS
|
|
5096
5274
|
# @option params [Array<String>] :grant_tokens
|
5097
5275
|
# A list of grant tokens.
|
5098
5276
|
#
|
5099
|
-
#
|
5277
|
+
# Use a grant token when your permission to call this operation comes
|
5278
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
5279
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
5100
5280
|
# Service Developer Guide*.
|
5101
5281
|
#
|
5102
5282
|
#
|
@@ -5162,31 +5342,331 @@ module Aws::KMS
|
|
5162
5342
|
req.send_request(options)
|
5163
5343
|
end
|
5164
5344
|
|
5165
|
-
#
|
5166
|
-
#
|
5167
|
-
#
|
5168
|
-
#
|
5345
|
+
# Replicates a multi-Region key into the specified Region. This
|
5346
|
+
# operation creates a multi-Region replica key based on a multi-Region
|
5347
|
+
# primary key in a different Region of the same AWS partition. You can
|
5348
|
+
# create multiple replicas of a primary key, but each must be in a
|
5349
|
+
# different Region. To create a multi-Region primary key, use the
|
5350
|
+
# CreateKey operation.
|
5351
|
+
#
|
5352
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
5353
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
5354
|
+
# Because these CMKs have the same key ID, key material, and other
|
5355
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
5356
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
5357
|
+
# call or exposing the plaintext data. For more information about
|
5358
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
5359
|
+
# Management Service Developer Guide*.
|
5360
|
+
#
|
5361
|
+
# A *replica key* is a fully-functional CMK that can be used
|
5362
|
+
# independently of its primary and peer replica keys. A primary key and
|
5363
|
+
# its replica keys share properties that make them interoperable. They
|
5364
|
+
# have the same [key ID][2] and key material. They also have the same
|
5365
|
+
# [key spec][3], [key usage][4], [key material origin][5], and
|
5366
|
+
# [automatic key rotation status][6]. AWS KMS automatically synchronizes
|
5367
|
+
# these shared properties among related multi-Region keys. All other
|
5368
|
+
# properties of a replica key can differ, including its [key policy][7],
|
5369
|
+
# [tags][8], [aliases][9], and [key state][10]. AWS KMS pricing and
|
5370
|
+
# quotas for CMKs apply to each primary key and replica key.
|
5371
|
+
#
|
5372
|
+
# When this operation completes, the new replica key has a transient key
|
5373
|
+
# state of `Creating`. This key state changes to `Enabled` (or
|
5374
|
+
# `PendingImport`) after a few seconds when the process of creating the
|
5375
|
+
# new replica key is complete. While the key state is `Creating`, you
|
5376
|
+
# can manage key, but you cannot yet use it in cryptographic operations.
|
5377
|
+
# If you are creating and using the replica key programmatically, retry
|
5378
|
+
# on `KMSInvalidStateException` or call `DescribeKey` to check its
|
5379
|
+
# `KeyState` value before using it. For details about the `Creating` key
|
5380
|
+
# state, see [Key state: Effect on your
|
5381
|
+
# CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
|
5382
|
+
# Management Service Developer Guide*.
|
5383
|
+
#
|
5384
|
+
# The AWS CloudTrail log of a `ReplicateKey` operation records a
|
5385
|
+
# `ReplicateKey` operation in the primary key's Region and a CreateKey
|
5386
|
+
# operation in the replica key's Region.
|
5387
|
+
#
|
5388
|
+
# If you replicate a multi-Region primary key with imported key
|
5389
|
+
# material, the replica key is created with no key material. You must
|
5390
|
+
# import the same key material that you imported into the primary key.
|
5391
|
+
# For details, see [Importing key material into multi-Region
|
5392
|
+
# keys](kms/latest/developerguide/multi-region-keys-import.html) in the
|
5393
|
+
# *AWS Key Management Service Developer Guide*.
|
5394
|
+
#
|
5395
|
+
# To convert a replica key to a primary key, use the UpdatePrimaryRegion
|
5396
|
+
# operation.
|
5397
|
+
#
|
5398
|
+
# <note markdown="1"> `ReplicateKey` uses different default values for the `KeyPolicy` and
|
5399
|
+
# `Tags` parameters than those used in the AWS KMS console. For details,
|
5400
|
+
# see the parameter descriptions.
|
5401
|
+
#
|
5402
|
+
# </note>
|
5403
|
+
#
|
5404
|
+
# **Cross-account use**\: No. You cannot use this operation to create a
|
5405
|
+
# CMK in a different AWS account.
|
5406
|
+
#
|
5407
|
+
# **Required permissions**\:
|
5408
|
+
#
|
5409
|
+
# * `kms:ReplicateKey` on the primary CMK (in the primary CMK's
|
5410
|
+
# Region). Include this permission in the primary CMK's key policy.
|
5411
|
+
#
|
5412
|
+
# * `kms:CreateKey` in an IAM policy in the replica Region.
|
5413
|
+
#
|
5414
|
+
# * To use the `Tags` parameter, `kms:TagResource` in an IAM policy in
|
5415
|
+
# the replica Region.
|
5416
|
+
#
|
5417
|
+
# **Related operations**
|
5418
|
+
#
|
5419
|
+
# * CreateKey
|
5420
|
+
#
|
5421
|
+
# * UpdatePrimaryRegion
|
5422
|
+
#
|
5423
|
+
#
|
5424
|
+
#
|
5425
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
5426
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
|
5427
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
|
5428
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
|
5429
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
|
5430
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
5431
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
5432
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5433
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
5434
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5435
|
+
#
|
5436
|
+
# @option params [required, String] :key_id
|
5437
|
+
# Identifies the multi-Region primary key that is being replicated. To
|
5438
|
+
# determine whether a CMK is a multi-Region primary key, use the
|
5439
|
+
# DescribeKey operation to check the value of the `MultiRegionKeyType`
|
5440
|
+
# property.
|
5169
5441
|
#
|
5170
|
-
#
|
5442
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
5171
5443
|
#
|
5172
|
-
#
|
5444
|
+
# For example:
|
5445
|
+
#
|
5446
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
5447
|
+
#
|
5448
|
+
# * Key ARN:
|
5449
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
5450
|
+
#
|
5451
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5452
|
+
#
|
5453
|
+
# @option params [required, String] :replica_region
|
5454
|
+
# The Region ID of the AWS Region for this replica key.
|
5455
|
+
#
|
5456
|
+
# Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
|
5457
|
+
# list of AWS Regions in which AWS KMS is supported, see [AWS KMS
|
5458
|
+
# service endpoints][1] in the *Amazon Web Services General Reference*.
|
5459
|
+
#
|
5460
|
+
# The replica must be in a different AWS Region than its primary key and
|
5461
|
+
# other replicas of that primary key, but in the same AWS partition. AWS
|
5462
|
+
# KMS must be available in the replica Region. If the Region is not
|
5463
|
+
# enabled by default, the AWS account must be enabled in the Region.
|
5464
|
+
#
|
5465
|
+
# For information about AWS partitions, see [Amazon Resource Names
|
5466
|
+
# (ARNs) in the *Amazon Web Services General Reference*.][2] For
|
5467
|
+
# information about enabling and disabling Regions, see [Enabling a
|
5468
|
+
# Region][3] and [Disabling a Region][4] in the *Amazon Web Services
|
5469
|
+
# General Reference*.
|
5173
5470
|
#
|
5174
|
-
# * The `GranteePrincipal`, if `RetireGrant` is an operation specified
|
5175
|
-
# in the grant
|
5176
5471
|
#
|
5177
|
-
#
|
5178
|
-
#
|
5179
|
-
#
|
5180
|
-
#
|
5181
|
-
#
|
5472
|
+
#
|
5473
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
5474
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
5475
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
5476
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
5477
|
+
#
|
5478
|
+
# @option params [String] :policy
|
5479
|
+
# The key policy to attach to the CMK. This parameter is optional. If
|
5480
|
+
# you do not provide a key policy, AWS KMS attaches the [default key
|
5481
|
+
# policy][1] to the CMK.
|
5482
|
+
#
|
5483
|
+
# The key policy is not a shared property of multi-Region keys. You can
|
5484
|
+
# specify the same key policy or a different key policy for each key in
|
5485
|
+
# a set of related multi-Region keys. AWS KMS does not synchronize this
|
5486
|
+
# property.
|
5487
|
+
#
|
5488
|
+
# If you provide a key policy, it must meet the following criteria:
|
5489
|
+
#
|
5490
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
|
5491
|
+
# policy must give the caller `kms:PutKeyPolicy` permission on the
|
5492
|
+
# replica CMK. This reduces the risk that the CMK becomes
|
5493
|
+
# unmanageable. For more information, refer to the scenario in the
|
5494
|
+
# [Default Key Policy][2] section of the <i> <i>AWS Key Management
|
5495
|
+
# Service Developer Guide</i> </i>.
|
5496
|
+
#
|
5497
|
+
# * Each statement in the key policy must contain one or more
|
5498
|
+
# principals. The principals in the key policy must exist and be
|
5499
|
+
# visible to AWS KMS. When you create a new AWS principal (for
|
5500
|
+
# example, an IAM user or role), you might need to enforce a delay
|
5501
|
+
# before including the new principal in a key policy because the new
|
5502
|
+
# principal might not be immediately visible to AWS KMS. For more
|
5503
|
+
# information, see [Changes that I make are not always immediately
|
5504
|
+
# visible][3] in the *AWS Identity and Access Management User Guide*.
|
5505
|
+
#
|
5506
|
+
# * The key policy size quota is 32 kilobytes (32768 bytes).
|
5507
|
+
#
|
5508
|
+
#
|
5509
|
+
#
|
5510
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
5511
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
5512
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
5513
|
+
#
|
5514
|
+
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
5515
|
+
# A flag to indicate whether to bypass the key policy lockout safety
|
5516
|
+
# check.
|
5517
|
+
#
|
5518
|
+
# Setting this value to true increases the risk that the CMK becomes
|
5519
|
+
# unmanageable. Do not set this value to true indiscriminately.
|
5520
|
+
#
|
5521
|
+
# For more information, refer to the scenario in the [Default Key
|
5522
|
+
# Policy][1] section in the *AWS Key Management Service Developer
|
5523
|
+
# Guide*.
|
5524
|
+
#
|
5525
|
+
# Use this parameter only when you intend to prevent the principal that
|
5526
|
+
# is making the request from making a subsequent `PutKeyPolicy` request
|
5527
|
+
# on the CMK.
|
5528
|
+
#
|
5529
|
+
# The default value is false.
|
5530
|
+
#
|
5531
|
+
#
|
5532
|
+
#
|
5533
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
5534
|
+
#
|
5535
|
+
# @option params [String] :description
|
5536
|
+
# A description of the CMK. Use a description that helps you decide
|
5537
|
+
# whether the CMK is appropriate for a task. The default value is an
|
5538
|
+
# empty string (no description).
|
5539
|
+
#
|
5540
|
+
# The description is not a shared property of multi-Region keys. You can
|
5541
|
+
# specify the same description or a different description for each key
|
5542
|
+
# in a set of related multi-Region keys. AWS KMS does not synchronize
|
5543
|
+
# this property.
|
5544
|
+
#
|
5545
|
+
# @option params [Array<Types::Tag>] :tags
|
5546
|
+
# Assigns one or more tags to the replica key. Use this parameter to tag
|
5547
|
+
# the CMK when it is created. To tag an existing CMK, use the
|
5548
|
+
# TagResource operation.
|
5549
|
+
#
|
5550
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
5551
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
|
5552
|
+
# Service Developer Guide*.
|
5553
|
+
#
|
5554
|
+
# </note>
|
5555
|
+
#
|
5556
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
5557
|
+
# in an IAM policy.
|
5558
|
+
#
|
5559
|
+
# Tags are not a shared property of multi-Region keys. You can specify
|
5560
|
+
# the same tags or different tags for each key in a set of related
|
5561
|
+
# multi-Region keys. AWS KMS does not synchronize this property.
|
5562
|
+
#
|
5563
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
5564
|
+
# the tag value are required, but the tag value can be an empty (null)
|
5565
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
5566
|
+
# key. If you specify an existing tag key with a different tag value,
|
5567
|
+
# AWS KMS replaces the current tag value with the specified one.
|
5568
|
+
#
|
5569
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
5570
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
5571
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
5572
|
+
# Keys][3].
|
5573
|
+
#
|
5574
|
+
#
|
5575
|
+
#
|
5576
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
5577
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5578
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5579
|
+
#
|
5580
|
+
# @return [Types::ReplicateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5581
|
+
#
|
5582
|
+
# * {Types::ReplicateKeyResponse#replica_key_metadata #replica_key_metadata} => Types::KeyMetadata
|
5583
|
+
# * {Types::ReplicateKeyResponse#replica_policy #replica_policy} => String
|
5584
|
+
# * {Types::ReplicateKeyResponse#replica_tags #replica_tags} => Array<Types::Tag>
|
5585
|
+
#
|
5586
|
+
# @example Request syntax with placeholder values
|
5587
|
+
#
|
5588
|
+
# resp = client.replicate_key({
|
5589
|
+
# key_id: "KeyIdType", # required
|
5590
|
+
# replica_region: "RegionType", # required
|
5591
|
+
# policy: "PolicyType",
|
5592
|
+
# bypass_policy_lockout_safety_check: false,
|
5593
|
+
# description: "DescriptionType",
|
5594
|
+
# tags: [
|
5595
|
+
# {
|
5596
|
+
# tag_key: "TagKeyType", # required
|
5597
|
+
# tag_value: "TagValueType", # required
|
5598
|
+
# },
|
5599
|
+
# ],
|
5600
|
+
# })
|
5601
|
+
#
|
5602
|
+
# @example Response structure
|
5603
|
+
#
|
5604
|
+
# resp.replica_key_metadata.aws_account_id #=> String
|
5605
|
+
# resp.replica_key_metadata.key_id #=> String
|
5606
|
+
# resp.replica_key_metadata.arn #=> String
|
5607
|
+
# resp.replica_key_metadata.creation_date #=> Time
|
5608
|
+
# resp.replica_key_metadata.enabled #=> Boolean
|
5609
|
+
# resp.replica_key_metadata.description #=> String
|
5610
|
+
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
5611
|
+
# resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
5612
|
+
# resp.replica_key_metadata.deletion_date #=> Time
|
5613
|
+
# resp.replica_key_metadata.valid_to #=> Time
|
5614
|
+
# resp.replica_key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
5615
|
+
# resp.replica_key_metadata.custom_key_store_id #=> String
|
5616
|
+
# resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
|
5617
|
+
# resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
5618
|
+
# resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
5619
|
+
# resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
|
5620
|
+
# resp.replica_key_metadata.encryption_algorithms #=> Array
|
5621
|
+
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
5622
|
+
# resp.replica_key_metadata.signing_algorithms #=> Array
|
5623
|
+
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
5624
|
+
# resp.replica_key_metadata.multi_region #=> Boolean
|
5625
|
+
# resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
5626
|
+
# resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
|
5627
|
+
# resp.replica_key_metadata.multi_region_configuration.primary_key.region #=> String
|
5628
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys #=> Array
|
5629
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
5630
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
5631
|
+
# resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
|
5632
|
+
# resp.replica_policy #=> String
|
5633
|
+
# resp.replica_tags #=> Array
|
5634
|
+
# resp.replica_tags[0].tag_key #=> String
|
5635
|
+
# resp.replica_tags[0].tag_value #=> String
|
5636
|
+
#
|
5637
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey AWS API Documentation
|
5638
|
+
#
|
5639
|
+
# @overload replicate_key(params = {})
|
5640
|
+
# @param [Hash] params ({})
|
5641
|
+
def replicate_key(params = {}, options = {})
|
5642
|
+
req = build_request(:replicate_key, params)
|
5643
|
+
req.send_request(options)
|
5644
|
+
end
|
5645
|
+
|
5646
|
+
# Deletes a grant. Typically, you retire a grant when you no longer need
|
5647
|
+
# its permissions. To identify the grant to retire, use a [grant
|
5648
|
+
# token][1], or both the grant ID and a key identifier (key ID or key
|
5649
|
+
# ARN) of the customer master key (CMK). The CreateGrant operation
|
5650
|
+
# returns both values.
|
5651
|
+
#
|
5652
|
+
# This operation can be called by the *retiring principal* for a grant,
|
5653
|
+
# by the *grantee principal* if the grant allows the `RetireGrant`
|
5654
|
+
# operation, and by the AWS account (root user) in which the grant is
|
5655
|
+
# created. It can also be called by principals to whom permission for
|
5656
|
+
# retiring a grant is delegated. For details, see [Retiring and revoking
|
5657
|
+
# grants][2] in the *AWS Key Management Service Developer Guide*.
|
5658
|
+
#
|
5659
|
+
# For detailed information about grants, including grant terminology,
|
5660
|
+
# see [Using grants][3] in the <i> <i>AWS Key Management Service
|
5661
|
+
# Developer Guide</i> </i>. For examples of working with grants in
|
5662
|
+
# several programming languages, see [Programming grants][4].
|
5182
5663
|
#
|
5183
5664
|
# **Cross-account use**\: Yes. You can retire a grant on a CMK in a
|
5184
5665
|
# different AWS account.
|
5185
5666
|
#
|
5186
|
-
# **Required permissions:**\:
|
5187
|
-
#
|
5188
|
-
#
|
5189
|
-
# Service Developer Guide*.
|
5667
|
+
# **Required permissions:**\:Permission to retire a grant is determined
|
5668
|
+
# primarily by the grant. For details, see [Retiring and revoking
|
5669
|
+
# grants][2] in the *AWS Key Management Service Developer Guide*.
|
5190
5670
|
#
|
5191
5671
|
# **Related operations:**
|
5192
5672
|
#
|
@@ -5200,20 +5680,34 @@ module Aws::KMS
|
|
5200
5680
|
#
|
5201
5681
|
#
|
5202
5682
|
#
|
5203
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5683
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5684
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
5685
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5686
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
|
5204
5687
|
#
|
5205
5688
|
# @option params [String] :grant_token
|
5206
|
-
#
|
5689
|
+
# Identifies the grant to be retired. You can use a grant token to
|
5690
|
+
# identify a new grant even before it has achieved eventual consistency.
|
5691
|
+
#
|
5692
|
+
# Only the CreateGrant operation returns a grant token. For details, see
|
5693
|
+
# [Grant token][1] and [Eventual consistency][2] in the *AWS Key
|
5694
|
+
# Management Service Developer Guide*.
|
5695
|
+
#
|
5696
|
+
#
|
5697
|
+
#
|
5698
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5699
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
5207
5700
|
#
|
5208
5701
|
# @option params [String] :key_id
|
5209
|
-
# The
|
5702
|
+
# The key ARN CMK associated with the grant. To find the key ARN, use
|
5703
|
+
# the ListKeys operation.
|
5210
5704
|
#
|
5211
5705
|
# For example:
|
5212
5706
|
# `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
5213
5707
|
#
|
5214
5708
|
# @option params [String] :grant_id
|
5215
|
-
#
|
5216
|
-
#
|
5709
|
+
# Identifies the grant to retire. To get the grant ID, use CreateGrant,
|
5710
|
+
# ListGrants, or ListRetirableGrants.
|
5217
5711
|
#
|
5218
5712
|
# * Grant ID Example -
|
5219
5713
|
# 0123456789012345678901234567890123456789012345678901234567890123
|
@@ -5249,15 +5743,22 @@ module Aws::KMS
|
|
5249
5743
|
req.send_request(options)
|
5250
5744
|
end
|
5251
5745
|
|
5252
|
-
#
|
5253
|
-
#
|
5254
|
-
#
|
5746
|
+
# Deletes the specified grant. You revoke a grant to terminate the
|
5747
|
+
# permissions that the grant allows. For more information, see [Retiring
|
5748
|
+
# and revoking grants][1] in the <i> <i>AWS Key Management Service
|
5749
|
+
# Developer Guide</i> </i>.
|
5750
|
+
#
|
5751
|
+
# When you create, retire, or revoke a grant, there might be a brief
|
5752
|
+
# delay, usually less than five minutes, until the grant is available
|
5753
|
+
# throughout AWS KMS. This state is known as *eventual consistency*. For
|
5754
|
+
# details, see [Eventual consistency][2] in the <i> <i>AWS Key
|
5755
|
+
# Management Service Developer Guide</i> </i>.
|
5255
5756
|
#
|
5256
5757
|
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
5257
5758
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
5258
5759
|
# parameter.
|
5259
5760
|
#
|
5260
|
-
# **Required permissions**\: [kms:RevokeGrant][
|
5761
|
+
# **Required permissions**\: [kms:RevokeGrant][3] (key policy).
|
5261
5762
|
#
|
5262
5763
|
# **Related operations:**
|
5263
5764
|
#
|
@@ -5271,14 +5772,17 @@ module Aws::KMS
|
|
5271
5772
|
#
|
5272
5773
|
#
|
5273
5774
|
#
|
5274
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5775
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
|
5776
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
5777
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5275
5778
|
#
|
5276
5779
|
# @option params [required, String] :key_id
|
5277
|
-
# A unique identifier for the customer master key associated with
|
5278
|
-
# grant.
|
5780
|
+
# A unique identifier for the customer master key (CMK) associated with
|
5781
|
+
# the grant. To get the key ID and key ARN for a CMK, use ListKeys or
|
5782
|
+
# DescribeKey.
|
5279
5783
|
#
|
5280
|
-
# Specify the key ID or
|
5281
|
-
#
|
5784
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
5785
|
+
# different AWS account, you must use the key ARN.
|
5282
5786
|
#
|
5283
5787
|
# For example:
|
5284
5788
|
#
|
@@ -5290,7 +5794,8 @@ module Aws::KMS
|
|
5290
5794
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5291
5795
|
#
|
5292
5796
|
# @option params [required, String] :grant_id
|
5293
|
-
#
|
5797
|
+
# Identifies the grant to revoke. To get the grant ID, use CreateGrant,
|
5798
|
+
# ListGrants, or ListRetirableGrants.
|
5294
5799
|
#
|
5295
5800
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5296
5801
|
#
|
@@ -5320,19 +5825,21 @@ module Aws::KMS
|
|
5320
5825
|
req.send_request(options)
|
5321
5826
|
end
|
5322
5827
|
|
5323
|
-
# Schedules the deletion of a customer master key (CMK).
|
5324
|
-
# a waiting period
|
5325
|
-
#
|
5326
|
-
#
|
5327
|
-
#
|
5328
|
-
#
|
5329
|
-
#
|
5330
|
-
#
|
5828
|
+
# Schedules the deletion of a customer master key (CMK). By default, AWS
|
5829
|
+
# KMS applies a waiting period of 30 days, but you can specify a waiting
|
5830
|
+
# period of 7-30 days. When this operation is successful, the key state
|
5831
|
+
# of the CMK changes to `PendingDeletion` and the key can't be used in
|
5832
|
+
# any cryptographic operations. It remains in this state for the
|
5833
|
+
# duration of the waiting period. Before the waiting period ends, you
|
5834
|
+
# can use CancelKeyDeletion to cancel the deletion of the CMK. After the
|
5835
|
+
# waiting period ends, AWS KMS deletes the CMK, its key material, and
|
5836
|
+
# all AWS KMS data associated with it, including all aliases that refer
|
5837
|
+
# to it.
|
5331
5838
|
#
|
5332
5839
|
# Deleting a CMK is a destructive and potentially dangerous operation.
|
5333
5840
|
# When a CMK is deleted, all data that was encrypted under the CMK is
|
5334
|
-
# unrecoverable.
|
5335
|
-
# DisableKey.
|
5841
|
+
# unrecoverable. (The only exception is a multi-Region replica key.) To
|
5842
|
+
# prevent the use of a CMK without deleting it, use DisableKey.
|
5336
5843
|
#
|
5337
5844
|
# If you schedule deletion of a CMK from a [custom key store][1], when
|
5338
5845
|
# the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
|
@@ -5341,18 +5848,30 @@ module Aws::KMS
|
|
5341
5848
|
# manually [delete the orphaned key material][2] from the cluster and
|
5342
5849
|
# its backups.
|
5343
5850
|
#
|
5851
|
+
# You can schedule the deletion of a multi-Region primary key and its
|
5852
|
+
# replica keys at any time. However, AWS KMS will not delete a
|
5853
|
+
# multi-Region primary key with existing replica keys. If you schedule
|
5854
|
+
# the deletion of a primary key with replicas, its key state changes to
|
5855
|
+
# `PendingReplicaDeletion` and it cannot be replicated or used in
|
5856
|
+
# cryptographic operations. This status can continue indefinitely. When
|
5857
|
+
# the last of its replicas keys is deleted (not just scheduled), the key
|
5858
|
+
# state of the primary key changes to `PendingDeletion` and its waiting
|
5859
|
+
# period (`PendingWindowInDays`) begins. For details, see [Deleting
|
5860
|
+
# multi-Region keys][3] in the *AWS Key Management Service Developer
|
5861
|
+
# Guide*.
|
5862
|
+
#
|
5344
5863
|
# For more information about scheduling a CMK for deletion, see
|
5345
|
-
# [Deleting Customer Master Keys][
|
5864
|
+
# [Deleting Customer Master Keys][4] in the *AWS Key Management Service
|
5346
5865
|
# Developer Guide*.
|
5347
5866
|
#
|
5348
5867
|
# The CMK that you use for this operation must be in a compatible key
|
5349
|
-
# state. For details, see [
|
5350
|
-
#
|
5868
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
5869
|
+
# Key Management Service Developer Guide*.
|
5351
5870
|
#
|
5352
5871
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5353
5872
|
# in a different AWS account.
|
5354
5873
|
#
|
5355
|
-
# **Required permissions**\:
|
5874
|
+
# **Required permissions**\: kms:ScheduleKeyDeletion (key policy)
|
5356
5875
|
#
|
5357
5876
|
# **Related operations**
|
5358
5877
|
#
|
@@ -5364,14 +5883,14 @@ module Aws::KMS
|
|
5364
5883
|
#
|
5365
5884
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
5366
5885
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
5367
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5368
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5369
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5886
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
|
5887
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
5888
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5370
5889
|
#
|
5371
5890
|
# @option params [required, String] :key_id
|
5372
5891
|
# The unique identifier of the customer master key (CMK) to delete.
|
5373
5892
|
#
|
5374
|
-
# Specify the key ID or
|
5893
|
+
# Specify the key ID or key ARN of the CMK.
|
5375
5894
|
#
|
5376
5895
|
# For example:
|
5377
5896
|
#
|
@@ -5386,6 +5905,10 @@ module Aws::KMS
|
|
5386
5905
|
# The waiting period, specified in number of days. After the waiting
|
5387
5906
|
# period ends, AWS KMS deletes the customer master key (CMK).
|
5388
5907
|
#
|
5908
|
+
# If the CMK is a multi-Region primary key with replicas, the waiting
|
5909
|
+
# period begins when the last of its replica keys is deleted. Otherwise,
|
5910
|
+
# the waiting period begins immediately.
|
5911
|
+
#
|
5389
5912
|
# This value is optional. If you include a value, it must be between 7
|
5390
5913
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
5391
5914
|
#
|
@@ -5393,6 +5916,8 @@ module Aws::KMS
|
|
5393
5916
|
#
|
5394
5917
|
# * {Types::ScheduleKeyDeletionResponse#key_id #key_id} => String
|
5395
5918
|
# * {Types::ScheduleKeyDeletionResponse#deletion_date #deletion_date} => Time
|
5919
|
+
# * {Types::ScheduleKeyDeletionResponse#key_state #key_state} => String
|
5920
|
+
# * {Types::ScheduleKeyDeletionResponse#pending_window_in_days #pending_window_in_days} => Integer
|
5396
5921
|
#
|
5397
5922
|
#
|
5398
5923
|
# @example Example: To schedule a customer master key (CMK) for deletion
|
@@ -5421,6 +5946,8 @@ module Aws::KMS
|
|
5421
5946
|
#
|
5422
5947
|
# resp.key_id #=> String
|
5423
5948
|
# resp.deletion_date #=> Time
|
5949
|
+
# resp.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
5950
|
+
# resp.pending_window_in_days #=> Integer
|
5424
5951
|
#
|
5425
5952
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion AWS API Documentation
|
5426
5953
|
#
|
@@ -5470,8 +5997,8 @@ module Aws::KMS
|
|
5470
5997
|
# KMS.
|
5471
5998
|
#
|
5472
5999
|
# The CMK that you use for this operation must be in a compatible key
|
5473
|
-
# state. For details, see [
|
5474
|
-
#
|
6000
|
+
# state. For details, see [Key state: Effect on your CMK][3] in the *AWS
|
6001
|
+
# Key Management Service Developer Guide*.
|
5475
6002
|
#
|
5476
6003
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
5477
6004
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -5494,10 +6021,9 @@ module Aws::KMS
|
|
5494
6021
|
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
|
5495
6022
|
# DescribeKey operation.
|
5496
6023
|
#
|
5497
|
-
# To specify a CMK, use its key ID,
|
5498
|
-
#
|
5499
|
-
#
|
5500
|
-
# the key ARN or alias ARN.
|
6024
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
6025
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
6026
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5501
6027
|
#
|
5502
6028
|
# For example:
|
5503
6029
|
#
|
@@ -5528,7 +6054,9 @@ module Aws::KMS
|
|
5528
6054
|
# @option params [Array<String>] :grant_tokens
|
5529
6055
|
# A list of grant tokens.
|
5530
6056
|
#
|
5531
|
-
#
|
6057
|
+
# Use a grant token when your permission to call this operation comes
|
6058
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
6059
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
5532
6060
|
# Service Developer Guide*.
|
5533
6061
|
#
|
5534
6062
|
#
|
@@ -5574,50 +6102,65 @@ module Aws::KMS
|
|
5574
6102
|
|
5575
6103
|
# Adds or edits tags on a [customer managed CMK][1].
|
5576
6104
|
#
|
6105
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
6106
|
+
# For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
|
6107
|
+
# Service Developer Guide*.
|
6108
|
+
#
|
6109
|
+
# </note>
|
6110
|
+
#
|
5577
6111
|
# Each tag consists of a tag key and a tag value, both of which are
|
5578
6112
|
# case-sensitive strings. The tag value can be an empty (null) string.
|
5579
|
-
#
|
5580
6113
|
# To add a tag, specify a new tag key and a tag value. To edit a tag,
|
5581
6114
|
# specify an existing tag key and a new tag value.
|
5582
6115
|
#
|
5583
6116
|
# You can use this operation to tag a [customer managed CMK][1], but you
|
5584
|
-
# cannot tag an [AWS managed CMK][
|
5585
|
-
# alias.
|
6117
|
+
# cannot tag an [AWS managed CMK][3], an [AWS owned CMK][4], a [custom
|
6118
|
+
# key store][5], or an [alias][6].
|
6119
|
+
#
|
6120
|
+
# You can also add tags to a CMK while creating it (CreateKey) or
|
6121
|
+
# replicating it (ReplicateKey).
|
5586
6122
|
#
|
6123
|
+
# For information about using tags in AWS KMS, see [Tagging keys][7].
|
5587
6124
|
# For general information about tags, including the format and syntax,
|
5588
|
-
# see [Tagging AWS resources][
|
5589
|
-
# Reference*.
|
5590
|
-
# keys][5].
|
6125
|
+
# see [Tagging AWS resources][8] in the *Amazon Web Services General
|
6126
|
+
# Reference*.
|
5591
6127
|
#
|
5592
6128
|
# The CMK that you use for this operation must be in a compatible key
|
5593
|
-
# state. For details, see [
|
5594
|
-
#
|
6129
|
+
# state. For details, see [Key state: Effect on your CMK][9] in the *AWS
|
6130
|
+
# Key Management Service Developer Guide*.
|
5595
6131
|
#
|
5596
6132
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5597
6133
|
# in a different AWS account.
|
5598
6134
|
#
|
5599
|
-
# **Required permissions**\: [kms:TagResource][
|
6135
|
+
# **Required permissions**\: [kms:TagResource][10] (key policy)
|
5600
6136
|
#
|
5601
6137
|
# **Related operations**
|
5602
6138
|
#
|
5603
|
-
# *
|
6139
|
+
# * CreateKey
|
5604
6140
|
#
|
5605
6141
|
# * ListResourceTags
|
5606
6142
|
#
|
6143
|
+
# * ReplicateKey
|
6144
|
+
#
|
6145
|
+
# * UntagResource
|
6146
|
+
#
|
5607
6147
|
#
|
5608
6148
|
#
|
5609
6149
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5610
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5611
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-
|
5612
|
-
# [4]: https://docs.aws.amazon.com/
|
5613
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5614
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5615
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6150
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
6151
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
6152
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
6153
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept
|
6154
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept
|
6155
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
6156
|
+
# [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
6157
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6158
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5616
6159
|
#
|
5617
6160
|
# @option params [required, String] :key_id
|
5618
6161
|
# Identifies a customer managed CMK in the account and Region.
|
5619
6162
|
#
|
5620
|
-
# Specify the key ID or
|
6163
|
+
# Specify the key ID or key ARN of the CMK.
|
5621
6164
|
#
|
5622
6165
|
# For example:
|
5623
6166
|
#
|
@@ -5679,43 +6222,54 @@ module Aws::KMS
|
|
5679
6222
|
# Deletes tags from a [customer managed CMK][1]. To delete a tag,
|
5680
6223
|
# specify the tag key and the CMK.
|
5681
6224
|
#
|
6225
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
6226
|
+
# For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
|
6227
|
+
# Service Developer Guide*.
|
6228
|
+
#
|
6229
|
+
# </note>
|
6230
|
+
#
|
5682
6231
|
# When it succeeds, the `UntagResource` operation doesn't return any
|
5683
6232
|
# output. Also, if the specified tag key isn't found on the CMK, it
|
5684
6233
|
# doesn't throw an exception or return a response. To confirm that the
|
5685
6234
|
# operation worked, use the ListResourceTags operation.
|
5686
6235
|
#
|
6236
|
+
# For information about using tags in AWS KMS, see [Tagging keys][3].
|
5687
6237
|
# For general information about tags, including the format and syntax,
|
5688
|
-
# see [Tagging AWS resources][
|
5689
|
-
# Reference*.
|
5690
|
-
# keys][3].
|
6238
|
+
# see [Tagging AWS resources][4] in the *Amazon Web Services General
|
6239
|
+
# Reference*.
|
5691
6240
|
#
|
5692
6241
|
# The CMK that you use for this operation must be in a compatible key
|
5693
|
-
# state. For details, see [
|
5694
|
-
#
|
6242
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
6243
|
+
# Key Management Service Developer Guide*.
|
5695
6244
|
#
|
5696
6245
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5697
6246
|
# in a different AWS account.
|
5698
6247
|
#
|
5699
|
-
# **Required permissions**\: [kms:UntagResource][
|
6248
|
+
# **Required permissions**\: [kms:UntagResource][6] (key policy)
|
5700
6249
|
#
|
5701
6250
|
# **Related operations**
|
5702
6251
|
#
|
5703
|
-
# *
|
6252
|
+
# * CreateKey
|
5704
6253
|
#
|
5705
6254
|
# * ListResourceTags
|
5706
6255
|
#
|
6256
|
+
# * ReplicateKey
|
6257
|
+
#
|
6258
|
+
# * TagResource
|
6259
|
+
#
|
5707
6260
|
#
|
5708
6261
|
#
|
5709
6262
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5710
|
-
# [2]: https://docs.aws.amazon.com/
|
6263
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
5711
6264
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5712
|
-
# [4]: https://docs.aws.amazon.com/
|
5713
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6265
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
6266
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6267
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5714
6268
|
#
|
5715
6269
|
# @option params [required, String] :key_id
|
5716
6270
|
# Identifies the CMK from which you are removing tags.
|
5717
6271
|
#
|
5718
|
-
# Specify the key ID or
|
6272
|
+
# Specify the key ID or key ARN of the CMK.
|
5719
6273
|
#
|
5720
6274
|
# For example:
|
5721
6275
|
#
|
@@ -5763,7 +6317,13 @@ module Aws::KMS
|
|
5763
6317
|
# Associates an existing AWS KMS alias with a different customer master
|
5764
6318
|
# key (CMK). Each alias is associated with only one CMK at a time,
|
5765
6319
|
# although a CMK can have multiple aliases. The alias and the CMK must
|
5766
|
-
# be in the same AWS account and
|
6320
|
+
# be in the same AWS account and Region.
|
6321
|
+
#
|
6322
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
6323
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
6324
|
+
# Management Service Developer Guide*.
|
6325
|
+
#
|
6326
|
+
# </note>
|
5767
6327
|
#
|
5768
6328
|
# The current and new CMK must be the same type (both symmetric or both
|
5769
6329
|
# asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
|
@@ -5783,21 +6343,21 @@ module Aws::KMS
|
|
5783
6343
|
# operation.
|
5784
6344
|
#
|
5785
6345
|
# The CMK that you use for this operation must be in a compatible key
|
5786
|
-
# state. For details, see [
|
5787
|
-
#
|
6346
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
6347
|
+
# Key Management Service Developer Guide*.
|
5788
6348
|
#
|
5789
6349
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5790
6350
|
# in a different AWS account.
|
5791
6351
|
#
|
5792
6352
|
# **Required permissions**
|
5793
6353
|
#
|
5794
|
-
# * [kms:UpdateAlias][
|
6354
|
+
# * [kms:UpdateAlias][3] on the alias (IAM policy).
|
5795
6355
|
#
|
5796
|
-
# * [kms:UpdateAlias][
|
6356
|
+
# * [kms:UpdateAlias][3] on the current CMK (key policy).
|
5797
6357
|
#
|
5798
|
-
# * [kms:UpdateAlias][
|
6358
|
+
# * [kms:UpdateAlias][3] on the new CMK (key policy).
|
5799
6359
|
#
|
5800
|
-
# For details, see [Controlling access to aliases][
|
6360
|
+
# For details, see [Controlling access to aliases][4] in the *AWS Key
|
5801
6361
|
# Management Service Developer Guide*.
|
5802
6362
|
#
|
5803
6363
|
# **Related operations:**
|
@@ -5810,9 +6370,10 @@ module Aws::KMS
|
|
5810
6370
|
#
|
5811
6371
|
#
|
5812
6372
|
#
|
5813
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5814
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5815
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
6373
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
6374
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6375
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
6376
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
5816
6377
|
#
|
5817
6378
|
# @option params [required, String] :alias_name
|
5818
6379
|
# Identifies the alias that is changing its CMK. This value must begin
|
@@ -5830,7 +6391,7 @@ module Aws::KMS
|
|
5830
6391
|
# (both symmetric or both asymmetric) and they must have the same key
|
5831
6392
|
# usage.
|
5832
6393
|
#
|
5833
|
-
# Specify the key ID or
|
6394
|
+
# Specify the key ID or key ARN of the CMK.
|
5834
6395
|
#
|
5835
6396
|
# For example:
|
5836
6397
|
#
|
@@ -6001,8 +6562,8 @@ module Aws::KMS
|
|
6001
6562
|
# description of a CMK, use DescribeKey.
|
6002
6563
|
#
|
6003
6564
|
# The CMK that you use for this operation must be in a compatible key
|
6004
|
-
# state. For details, see [
|
6005
|
-
#
|
6565
|
+
# state. For details, see [Key state: Effect on your CMK][1] in the *AWS
|
6566
|
+
# Key Management Service Developer Guide*.
|
6006
6567
|
#
|
6007
6568
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
6008
6569
|
# in a different AWS account.
|
@@ -6021,9 +6582,9 @@ module Aws::KMS
|
|
6021
6582
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
6022
6583
|
#
|
6023
6584
|
# @option params [required, String] :key_id
|
6024
|
-
#
|
6585
|
+
# Updates the description of the specified customer master key (CMK).
|
6025
6586
|
#
|
6026
|
-
# Specify the key ID or
|
6587
|
+
# Specify the key ID or key ARN of the CMK.
|
6027
6588
|
#
|
6028
6589
|
# For example:
|
6029
6590
|
#
|
@@ -6065,6 +6626,128 @@ module Aws::KMS
|
|
6065
6626
|
req.send_request(options)
|
6066
6627
|
end
|
6067
6628
|
|
6629
|
+
# Changes the primary key of a multi-Region key.
|
6630
|
+
#
|
6631
|
+
# This operation changes the replica key in the specified Region to a
|
6632
|
+
# primary key and changes the former primary key to a replica key. For
|
6633
|
+
# example, suppose you have a primary key in `us-east-1` and a replica
|
6634
|
+
# key in `eu-west-2`. If you run `UpdatePrimaryRegion` with a
|
6635
|
+
# `PrimaryRegion` value of `eu-west-2`, the primary key is now the key
|
6636
|
+
# in `eu-west-2`, and the key in `us-east-1` becomes a replica key. For
|
6637
|
+
# details, see
|
6638
|
+
#
|
6639
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
6640
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
6641
|
+
# Because these CMKs have the same key ID, key material, and other
|
6642
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
6643
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
6644
|
+
# call or exposing the plaintext data. For more information about
|
6645
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
6646
|
+
# Management Service Developer Guide*.
|
6647
|
+
#
|
6648
|
+
# The *primary key* of a multi-Region key is the source for properties
|
6649
|
+
# that are always shared by primary and replica keys, including the key
|
6650
|
+
# material, [key ID][2], [key spec][3], [key usage][4], [key material
|
6651
|
+
# origin][5], and [automatic key rotation][6]. It's the only key that
|
6652
|
+
# can be replicated. You cannot [delete the primary key][7] until all
|
6653
|
+
# replicas are deleted.
|
6654
|
+
#
|
6655
|
+
# The key ID and primary Region that you specify uniquely identify the
|
6656
|
+
# replica key that will become the primary key. The primary Region must
|
6657
|
+
# already have a replica key. This operation does not create a CMK in
|
6658
|
+
# the specified Region. To find the replica keys, use the DescribeKey
|
6659
|
+
# operation on the primary key or any replica key. To create a replica
|
6660
|
+
# key, use the ReplicateKey operation.
|
6661
|
+
#
|
6662
|
+
# You can run this operation while using the affected multi-Region keys
|
6663
|
+
# in cryptographic operations. This operation should not delay,
|
6664
|
+
# interrupt, or cause failures in cryptographic operations.
|
6665
|
+
#
|
6666
|
+
# Even after this operation completes, the process of updating the
|
6667
|
+
# primary Region might still be in progress for a few more seconds.
|
6668
|
+
# Operations such as `DescribeKey` might display both the old and new
|
6669
|
+
# primary keys as replicas. The old and new primary keys have a
|
6670
|
+
# transient key state of `Updating`. The original key state is restored
|
6671
|
+
# when the update is complete. While the key state is `Updating`, you
|
6672
|
+
# can use the keys in cryptographic operations, but you cannot replicate
|
6673
|
+
# the new primary key or perform certain management operations, such as
|
6674
|
+
# enabling or disabling these keys. For details about the `Updating` key
|
6675
|
+
# state, see [Key state: Effect on your
|
6676
|
+
# CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
|
6677
|
+
# Management Service Developer Guide*.
|
6678
|
+
#
|
6679
|
+
# This operation does not return any output. To verify that primary key
|
6680
|
+
# is changed, use the DescribeKey operation.
|
6681
|
+
#
|
6682
|
+
# **Cross-account use**\: No. You cannot use this operation in a
|
6683
|
+
# different AWS account.
|
6684
|
+
#
|
6685
|
+
# **Required permissions**\:
|
6686
|
+
#
|
6687
|
+
# * `kms:UpdatePrimaryRegion` on the current primary CMK (in the primary
|
6688
|
+
# CMK's Region). Include this permission primary CMK's key policy.
|
6689
|
+
#
|
6690
|
+
# * `kms:UpdatePrimaryRegion` on the current replica CMK (in the replica
|
6691
|
+
# CMK's Region). Include this permission in the replica CMK's key
|
6692
|
+
# policy.
|
6693
|
+
#
|
6694
|
+
# **Related operations**
|
6695
|
+
#
|
6696
|
+
# * CreateKey
|
6697
|
+
#
|
6698
|
+
# * ReplicateKey
|
6699
|
+
#
|
6700
|
+
#
|
6701
|
+
#
|
6702
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
6703
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
|
6704
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
|
6705
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
|
6706
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
|
6707
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
6708
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
|
6709
|
+
#
|
6710
|
+
# @option params [required, String] :key_id
|
6711
|
+
# Identifies the current primary key. When the operation completes, this
|
6712
|
+
# CMK will be a replica key.
|
6713
|
+
#
|
6714
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
6715
|
+
#
|
6716
|
+
# For example:
|
6717
|
+
#
|
6718
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
6719
|
+
#
|
6720
|
+
# * Key ARN:
|
6721
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
6722
|
+
#
|
6723
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
6724
|
+
#
|
6725
|
+
# @option params [required, String] :primary_region
|
6726
|
+
# The AWS Region of the new primary key. Enter the Region ID, such as
|
6727
|
+
# `us-east-1` or `ap-southeast-2`. There must be an existing replica key
|
6728
|
+
# in this Region.
|
6729
|
+
#
|
6730
|
+
# When the operation completes, the multi-Region key in this Region will
|
6731
|
+
# be the primary key.
|
6732
|
+
#
|
6733
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
6734
|
+
#
|
6735
|
+
# @example Request syntax with placeholder values
|
6736
|
+
#
|
6737
|
+
# resp = client.update_primary_region({
|
6738
|
+
# key_id: "KeyIdType", # required
|
6739
|
+
# primary_region: "RegionType", # required
|
6740
|
+
# })
|
6741
|
+
#
|
6742
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion AWS API Documentation
|
6743
|
+
#
|
6744
|
+
# @overload update_primary_region(params = {})
|
6745
|
+
# @param [Hash] params ({})
|
6746
|
+
def update_primary_region(params = {}, options = {})
|
6747
|
+
req = build_request(:update_primary_region, params)
|
6748
|
+
req.send_request(options)
|
6749
|
+
end
|
6750
|
+
|
6068
6751
|
# Verifies a digital signature that was generated by the Sign operation.
|
6069
6752
|
#
|
6070
6753
|
#
|
@@ -6097,8 +6780,8 @@ module Aws::KMS
|
|
6097
6780
|
# signatures.
|
6098
6781
|
#
|
6099
6782
|
# The CMK that you use for this operation must be in a compatible key
|
6100
|
-
# state. For details, see [
|
6101
|
-
#
|
6783
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
6784
|
+
# Key Management Service Developer Guide*.
|
6102
6785
|
#
|
6103
6786
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
6104
6787
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -6120,10 +6803,9 @@ module Aws::KMS
|
|
6120
6803
|
# signature. If you specify a different CMK, the signature verification
|
6121
6804
|
# fails.
|
6122
6805
|
#
|
6123
|
-
# To specify a CMK, use its key ID,
|
6124
|
-
#
|
6125
|
-
#
|
6126
|
-
# the key ARN or alias ARN.
|
6806
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
6807
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
6808
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
6127
6809
|
#
|
6128
6810
|
# For example:
|
6129
6811
|
#
|
@@ -6167,7 +6849,9 @@ module Aws::KMS
|
|
6167
6849
|
# @option params [Array<String>] :grant_tokens
|
6168
6850
|
# A list of grant tokens.
|
6169
6851
|
#
|
6170
|
-
#
|
6852
|
+
# Use a grant token when your permission to call this operation comes
|
6853
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
6854
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
6171
6855
|
# Service Developer Guide*.
|
6172
6856
|
#
|
6173
6857
|
#
|
@@ -6219,7 +6903,7 @@ module Aws::KMS
|
|
6219
6903
|
params: params,
|
6220
6904
|
config: config)
|
6221
6905
|
context[:gem_name] = 'aws-sdk-kms'
|
6222
|
-
context[:gem_version] = '1.
|
6906
|
+
context[:gem_version] = '1.44.0'
|
6223
6907
|
Seahorse::Client::Request.new(handlers, context)
|
6224
6908
|
end
|
6225
6909
|
|