aws-sdk-kms 1.43.0 → 1.44.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +1055 -385
- data/lib/aws-sdk-kms/client_api.rb +76 -0
- data/lib/aws-sdk-kms/customizations.rb +1 -1
- data/lib/aws-sdk-kms/types.rb +686 -157
- metadata +5 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 665dc12ff757ea9a86e3ccc0a5cd47a765995c244f26a3d8f80f5957d2e3b5b4
|
4
|
+
data.tar.gz: 3092a6af153e84241145fb3e194b946fa73afb714ad60437c586268a1725b2bd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7b7bd88e8eb8f74c97c7a524c0cf0012e1855cb434c2264a470881fe49ee497d40fe291cd2e7bcabac8e7b137ff2c8f3630c31c6c1f78ecff3c88f7259bb7486
|
7
|
+
data.tar.gz: 7e358e400fb315128c5b596e5455804ff2a2d23cbf80e33cc8fb520b71f3f401c19b6164abec74a7e06e2d7b7c38c60497d6dfddaa64bee2c7ed6ce17c0e6c74
|
data/CHANGELOG.md
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.
|
1
|
+
1.44.0
|
data/lib/aws-sdk-kms.rb
CHANGED
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -346,8 +346,8 @@ module Aws::KMS
|
|
346
346
|
# Service Developer Guide*.
|
347
347
|
#
|
348
348
|
# The CMK that you use for this operation must be in a compatible key
|
349
|
-
# state. For details, see [
|
350
|
-
#
|
349
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
350
|
+
# Key Management Service Developer Guide*.
|
351
351
|
#
|
352
352
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
353
353
|
# in a different AWS account.
|
@@ -363,10 +363,10 @@ module Aws::KMS
|
|
363
363
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
364
364
|
#
|
365
365
|
# @option params [required, String] :key_id
|
366
|
-
#
|
367
|
-
#
|
366
|
+
# Identifies the customer master key (CMK) whose deletion is being
|
367
|
+
# canceled.
|
368
368
|
#
|
369
|
-
# Specify the key ID or
|
369
|
+
# Specify the key ID or key ARN of the CMK.
|
370
370
|
#
|
371
371
|
# For example:
|
372
372
|
#
|
@@ -503,42 +503,48 @@ module Aws::KMS
|
|
503
503
|
req.send_request(options)
|
504
504
|
end
|
505
505
|
|
506
|
-
# Creates a friendly name for a customer master key (CMK).
|
507
|
-
# an alias to identify a CMK in the AWS KMS console, in the DescribeKey
|
508
|
-
# operation and in [cryptographic operations][1], such as Encrypt and
|
509
|
-
# GenerateDataKey.
|
506
|
+
# Creates a friendly name for a customer master key (CMK).
|
510
507
|
#
|
511
|
-
#
|
512
|
-
#
|
513
|
-
#
|
508
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
509
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
510
|
+
# Management Service Developer Guide*.
|
511
|
+
#
|
512
|
+
# </note>
|
513
|
+
#
|
514
|
+
# You can use an alias to identify a CMK in the AWS KMS console, in the
|
515
|
+
# DescribeKey operation and in [cryptographic operations][2], such as
|
516
|
+
# Encrypt and GenerateDataKey. You can also change the CMK that's
|
517
|
+
# associated with the alias (UpdateAlias) or delete the alias
|
518
|
+
# (DeleteAlias) at any time. These operations don't affect the
|
519
|
+
# underlying CMK.
|
514
520
|
#
|
515
521
|
# You can associate the alias with any customer managed CMK in the same
|
516
|
-
# AWS Region. Each alias is associated with only
|
517
|
-
# CMK can have multiple aliases. A valid CMK is required. You can't
|
522
|
+
# AWS Region. Each alias is associated with only one CMK at a time, but
|
523
|
+
# a CMK can have multiple aliases. A valid CMK is required. You can't
|
518
524
|
# create an alias without a CMK.
|
519
525
|
#
|
520
526
|
# The alias must be unique in the account and Region, but you can have
|
521
527
|
# aliases with the same name in different Regions. For detailed
|
522
|
-
# information about aliases, see [Using aliases][
|
528
|
+
# information about aliases, see [Using aliases][3] in the *AWS Key
|
523
529
|
# Management Service Developer Guide*.
|
524
530
|
#
|
525
531
|
# This operation does not return a response. To get the alias that you
|
526
532
|
# created, use the ListAliases operation.
|
527
533
|
#
|
528
534
|
# The CMK that you use for this operation must be in a compatible key
|
529
|
-
# state. For details, see [
|
530
|
-
#
|
535
|
+
# state. For details, see [Key state: Effect on your CMK][4] in the *AWS
|
536
|
+
# Key Management Service Developer Guide*.
|
531
537
|
#
|
532
538
|
# **Cross-account use**\: No. You cannot perform this operation on an
|
533
539
|
# alias in a different AWS account.
|
534
540
|
#
|
535
541
|
# **Required permissions**
|
536
542
|
#
|
537
|
-
# * [kms:CreateAlias][
|
543
|
+
# * [kms:CreateAlias][5] on the alias (IAM policy).
|
538
544
|
#
|
539
|
-
# * [kms:CreateAlias][
|
545
|
+
# * [kms:CreateAlias][5] on the CMK (key policy).
|
540
546
|
#
|
541
|
-
# For details, see [Controlling access to aliases][
|
547
|
+
# For details, see [Controlling access to aliases][6] in the *AWS Key
|
542
548
|
# Management Service Developer Guide*.
|
543
549
|
#
|
544
550
|
# **Related operations:**
|
@@ -551,11 +557,12 @@ module Aws::KMS
|
|
551
557
|
#
|
552
558
|
#
|
553
559
|
#
|
554
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
555
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
556
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
557
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
558
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
560
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
561
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
562
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
563
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
564
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
565
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
559
566
|
#
|
560
567
|
# @option params [required, String] :alias_name
|
561
568
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -580,7 +587,7 @@ module Aws::KMS
|
|
580
587
|
# For help finding the key ID and ARN, see [Finding the Key ID and
|
581
588
|
# ARN][2] in the *AWS Key Management Service Developer Guide*.
|
582
589
|
#
|
583
|
-
# Specify the key ID or
|
590
|
+
# Specify the key ID or key ARN of the CMK.
|
584
591
|
#
|
585
592
|
# For example:
|
586
593
|
#
|
@@ -737,54 +744,54 @@ module Aws::KMS
|
|
737
744
|
req.send_request(options)
|
738
745
|
end
|
739
746
|
|
740
|
-
# Adds a grant to a customer master key (CMK).
|
741
|
-
#
|
742
|
-
# grant
|
743
|
-
#
|
744
|
-
#
|
745
|
-
#
|
746
|
-
#
|
747
|
-
#
|
748
|
-
#
|
749
|
-
#
|
750
|
-
#
|
751
|
-
#
|
752
|
-
#
|
753
|
-
#
|
754
|
-
#
|
755
|
-
#
|
756
|
-
#
|
757
|
-
#
|
758
|
-
#
|
759
|
-
#
|
760
|
-
#
|
761
|
-
#
|
762
|
-
#
|
763
|
-
#
|
764
|
-
#
|
765
|
-
#
|
766
|
-
#
|
767
|
-
#
|
768
|
-
#
|
769
|
-
#
|
770
|
-
#
|
771
|
-
#
|
772
|
-
#
|
747
|
+
# Adds a grant to a customer master key (CMK).
|
748
|
+
#
|
749
|
+
# A *grant* is a policy instrument that allows AWS principals to use AWS
|
750
|
+
# KMS customer master keys (CMKs) in cryptographic operations. It also
|
751
|
+
# can allow them to view a CMK (DescribeKey) and create and manage
|
752
|
+
# grants. When authorizing access to a CMK, grants are considered along
|
753
|
+
# with key policies and IAM policies. Grants are often used for
|
754
|
+
# temporary permissions because you can create one, use its permissions,
|
755
|
+
# and delete it without changing your key policies or IAM policies.
|
756
|
+
#
|
757
|
+
# For detailed information about grants, including grant terminology,
|
758
|
+
# see [Using grants][1] in the <i> <i>AWS Key Management Service
|
759
|
+
# Developer Guide</i> </i>. For examples of working with grants in
|
760
|
+
# several programming languages, see [Programming grants][2].
|
761
|
+
#
|
762
|
+
# The `CreateGrant` operation returns a `GrantToken` and a `GrantId`.
|
763
|
+
#
|
764
|
+
# * When you create, retire, or revoke a grant, there might be a brief
|
765
|
+
# delay, usually less than five minutes, until the grant is available
|
766
|
+
# throughout AWS KMS. This state is known as *eventual consistency*.
|
767
|
+
# Once the grant has achieved eventual consistency, the grantee
|
768
|
+
# principal can use the permissions in the grant without identifying
|
769
|
+
# the grant.
|
770
|
+
#
|
771
|
+
# However, to use the permissions in the grant immediately, use the
|
772
|
+
# `GrantToken` that `CreateGrant` returns. For details, see [Using a
|
773
|
+
# grant token][3] in the <i> <i>AWS Key Management Service Developer
|
774
|
+
# Guide</i> </i>.
|
775
|
+
#
|
776
|
+
# * The `CreateGrant` operation also returns a `GrantId`. You can use
|
777
|
+
# the `GrantId` and a key identifier to identify the grant in the
|
778
|
+
# RetireGrant and RevokeGrant operations. To find the grant ID, use
|
779
|
+
# the ListGrants or ListRetirableGrants operations.
|
773
780
|
#
|
774
781
|
# For information about symmetric and asymmetric CMKs, see [Using
|
775
|
-
# Symmetric and Asymmetric CMKs][
|
776
|
-
# Developer Guide*. For more information about grants, see [Grants][
|
782
|
+
# Symmetric and Asymmetric CMKs][4] in the *AWS Key Management Service
|
783
|
+
# Developer Guide*. For more information about grants, see [Grants][1]
|
777
784
|
# in the <i> <i>AWS Key Management Service Developer Guide</i> </i>.
|
778
785
|
#
|
779
786
|
# The CMK that you use for this operation must be in a compatible key
|
780
|
-
# state. For details, see [
|
781
|
-
#
|
787
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
788
|
+
# Key Management Service Developer Guide*.
|
782
789
|
#
|
783
790
|
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
784
791
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
785
792
|
# parameter.
|
786
793
|
#
|
787
|
-
# **Required permissions**\: [kms:CreateGrant][
|
794
|
+
# **Required permissions**\: [kms:CreateGrant][6] (key policy)
|
788
795
|
#
|
789
796
|
# **Related operations:**
|
790
797
|
#
|
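Review bot: The added CreateGrant description wraps the guide title in nested `<i> <i>…</i> </i>` tags at new lines 758-759 and 773-774, while the key-state sentence added in the same hunk (new lines 787-788) uses `*AWS Key Management Service Developer Guide*`. Use the Markdown form throughout so the rendered documentation is consistent. Also, `[Using grants][1]` at new line 758 and `[Grants][1]` at new line 783 resolve to the same reference, so the second "For more information about grants" sentence is redundant and can be dropped.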
@@ -798,24 +805,19 @@ module Aws::KMS
|
|
798
805
|
#
|
799
806
|
#
|
800
807
|
#
|
801
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
802
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
803
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/
|
804
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
805
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
806
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
807
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
808
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
809
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
810
|
-
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
811
|
-
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
808
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
809
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
|
810
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
|
811
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
812
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
813
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
812
814
|
#
|
813
815
|
# @option params [required, String] :key_id
|
814
|
-
#
|
815
|
-
#
|
816
|
+
# Identifies the customer master key (CMK) for the grant. The grant
|
817
|
+
# gives principals permission to use this CMK.
|
816
818
|
#
|
817
|
-
# Specify the key ID or
|
818
|
-
#
|
819
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
820
|
+
# different AWS account, you must use the key ARN.
|
819
821
|
#
|
820
822
|
# For example:
|
821
823
|
#
|
@@ -827,8 +829,7 @@ module Aws::KMS
|
|
827
829
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
828
830
|
#
|
829
831
|
# @option params [required, String] :grantee_principal
|
830
|
-
# The
|
831
|
-
# the grant permits.
|
832
|
+
# The identity that gets the permissions specified in the grant.
|
832
833
|
#
|
833
834
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
834
835
|
# an AWS principal. Valid AWS principals include AWS accounts (root),
|
@@ -861,26 +862,52 @@ module Aws::KMS
|
|
861
862
|
# @option params [required, Array<String>] :operations
|
862
863
|
# A list of operations that the grant permits.
|
863
864
|
#
|
865
|
+
# The operation must be supported on the CMK. For example, you cannot
|
866
|
+
# create a grant for a symmetric CMK that allows the Sign operation, or
|
867
|
+
# a grant for an asymmetric CMK that allows the GenerateDataKey
|
868
|
+
# operation. If you try, AWS KMS returns a `ValidationError` exception.
|
869
|
+
# For details, see [Grant operations][1] in the *AWS Key Management
|
870
|
+
# Service Developer Guide*.
|
871
|
+
#
|
872
|
+
#
|
873
|
+
#
|
874
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
875
|
+
#
|
864
876
|
# @option params [Types::GrantConstraints] :constraints
|
865
|
-
#
|
866
|
-
#
|
867
|
-
#
|
868
|
-
#
|
869
|
-
#
|
877
|
+
# Specifies a grant constraint.
|
878
|
+
#
|
879
|
+
# AWS KMS supports the `EncryptionContextEquals` and
|
880
|
+
# `EncryptionContextSubset` grant constraints. Each constraint value can
|
881
|
+
# include up to 8 encryption context pairs. The encryption context value
|
882
|
+
# in each constraint cannot exceed 384 characters.
|
883
|
+
#
|
884
|
+
# These grant constraints allow a [cryptographic operation][1] only when
|
885
|
+
# the encryption context in the request matches
|
886
|
+
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
887
|
+
# the encryption context specified in this structure. For more
|
888
|
+
# information about encryption context, see [Encryption Context][2] in
|
889
|
+
# the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
|
890
|
+
# information about grant constraints, see [Using grant constraints][3]
|
891
|
+
# in the *AWS Key Management Service Developer Guide*.
|
870
892
|
#
|
871
|
-
#
|
872
|
-
# encryption context
|
873
|
-
#
|
893
|
+
# The encryption context grant constraints are supported only on
|
894
|
+
# operations that include an encryption context. You cannot use an
|
895
|
+
# encryption context grant constraint for cryptographic operations with
|
896
|
+
# asymmetric CMKs or for management operations, such as DescribeKey or
|
897
|
+
# RetireGrant.
|
874
898
|
#
|
875
899
|
#
|
876
900
|
#
|
877
901
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
878
902
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
903
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
879
904
|
#
|
880
905
|
# @option params [Array<String>] :grant_tokens
|
881
906
|
# A list of grant tokens.
|
882
907
|
#
|
883
|
-
#
|
908
|
+
# Use a grant token when your permission to call this operation comes
|
909
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
910
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
884
911
|
# Service Developer Guide*.
|
885
912
|
#
|
886
913
|
#
|
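Review bot: The last paragraph added to `:constraints` (new lines 893-897) says encryption context grant constraints cannot be used with asymmetric CMKs or with management operations, but it does not say what the caller gets back if they try. The `:operations` paragraph added just above it names the outcome for its unsupported case (`ValidationError`); state the outcome here as well, because a caller who believes the constraint is being enforced needs to know whether the request is rejected. The same paragraph also mixes `<i> <i>…</i> </i>` (new line 889) with `*…*` (new line 891) for the guide title.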
@@ -1009,7 +1036,31 @@ module Aws::KMS
|
|
1009
1036
|
#
|
1010
1037
|
#
|
1011
1038
|
#
|
1012
|
-
#
|
1039
|
+
# Multi-Region primary keys
|
1040
|
+
# Imported key material
|
1041
|
+
#
|
1042
|
+
# : To create a multi-Region *primary key* in the local AWS Region, use
|
1043
|
+
# the `MultiRegion` parameter with a value of `True`. To create a
|
1044
|
+
# multi-Region *replica key*, that is, a CMK with the same key ID and
|
1045
|
+
# key material as a primary key, but in a different AWS Region, use
|
1046
|
+
# the ReplicateKey operation. To change a replica key to a primary
|
1047
|
+
# key, and its primary key to a replica key, use the
|
1048
|
+
# UpdatePrimaryRegion operation.
|
1049
|
+
#
|
1050
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
1051
|
+
# lets you create multiple interoperable CMKs in different AWS
|
1052
|
+
# Regions. Because these CMKs have the same key ID, key material, and
|
1053
|
+
# other metadata, you can use them to encrypt data in one AWS Region
|
1054
|
+
# and decrypt it in a different AWS Region without making a
|
1055
|
+
# cross-Region call or exposing the plaintext data. For more
|
1056
|
+
# information about multi-Region keys, see [Using multi-Region
|
1057
|
+
# keys][5] in the *AWS Key Management Service Developer Guide*.
|
1058
|
+
#
|
1059
|
+
# You can create symmetric and asymmetric multi-Region keys and
|
1060
|
+
# multi-Region keys with imported key material. You cannot create
|
1061
|
+
# multi-Region keys in a custom key store.
|
1062
|
+
#
|
1063
|
+
#
|
1013
1064
|
#
|
1014
1065
|
# : To import your own key material, begin by creating a symmetric CMK
|
1015
1066
|
# with no key material. To do this, use the `Origin` parameter of
|
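Review bot: The term lines added at new lines 1039-1040, `# Multi-Region primary keys` and `# Imported key material`, are stacked directly ahead of the multi-Region definition, which leaves the definition starting `: To import your own key material` (new line 1065) without a term of its own. Move `# Imported key material` down to just above that definition, matching how the next hunk places `# Custom key store` immediately before its `:` definition.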
@@ -1018,33 +1069,41 @@ module Aws::KMS
|
|
1018
1069
|
# token, and use the public key to encrypt your key material. Then,
|
1019
1070
|
# use ImportKeyMaterial with your import token to import the key
|
1020
1071
|
# material. For step-by-step instructions, see [Importing Key
|
1021
|
-
# Material][
|
1072
|
+
# Material][6] in the <i> <i>AWS Key Management Service Developer
|
1022
1073
|
# Guide</i> </i>. You cannot import the key material into an
|
1023
1074
|
# asymmetric CMK.
|
1024
1075
|
#
|
1076
|
+
# To create a multi-Region primary key with imported key material, use
|
1077
|
+
# the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
|
1078
|
+
# the `MultiRegion` parameter with a value of `True`. To create
|
1079
|
+
# replicas of the multi-Region primary key, use the ReplicateKey
|
1080
|
+
# operation. For more information about multi-Region keys, see [Using
|
1081
|
+
# multi-Region keys][5] in the *AWS Key Management Service Developer
|
1082
|
+
# Guide*.
|
1083
|
+
#
|
1025
1084
|
#
|
1026
1085
|
#
|
1027
|
-
# Custom
|
1086
|
+
# Custom key store
|
1028
1087
|
#
|
1029
|
-
# : To create a symmetric CMK in a [custom key store][
|
1088
|
+
# : To create a symmetric CMK in a [custom key store][7], use the
|
1030
1089
|
# `CustomKeyStoreId` parameter to specify the custom key store. You
|
1031
1090
|
# must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
|
1032
1091
|
# The AWS CloudHSM cluster that is associated with the custom key
|
1033
1092
|
# store must have at least two active HSMs in different Availability
|
1034
1093
|
# Zones in the AWS Region.
|
1035
1094
|
#
|
1036
|
-
# You cannot create an asymmetric CMK
|
1037
|
-
# information about custom key stores in AWS KMS
|
1038
|
-
# Stores][
|
1039
|
-
# Guide</i> </i>.
|
1095
|
+
# You cannot create an asymmetric CMK or a multi-Region CMK in a
|
1096
|
+
# custom key store. For information about custom key stores in AWS KMS
|
1097
|
+
# see [Using Custom Key Stores][7] in the <i> <i>AWS Key Management
|
1098
|
+
# Service Developer Guide</i> </i>.
|
1040
1099
|
#
|
1041
1100
|
# **Cross-account use**\: No. You cannot use this operation to create a
|
1042
1101
|
# CMK in a different AWS account.
|
1043
1102
|
#
|
1044
|
-
# **Required permissions**\: [kms:CreateKey][
|
1045
|
-
# `Tags` parameter, [kms:TagResource][
|
1103
|
+
# **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
|
1104
|
+
# `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
|
1046
1105
|
# information about related permissions, see [Allow a user to create
|
1047
|
-
# CMKs][
|
1106
|
+
# CMKs][9] in the *AWS Key Management Service Developer Guide*.
|
1048
1107
|
#
|
1049
1108
|
# **Related operations:**
|
1050
1109
|
#
|
@@ -1060,10 +1119,11 @@ module Aws::KMS
|
|
1060
1119
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
|
1061
1120
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs
|
1062
1121
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1063
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1064
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1065
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1066
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1122
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
1123
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1124
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1125
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1126
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
1067
1127
|
#
|
1068
1128
|
# @option params [String] :policy
|
1069
1129
|
# The key policy to attach to the CMK.
|
@@ -1107,7 +1167,7 @@ module Aws::KMS
|
|
1107
1167
|
# A description of the CMK.
|
1108
1168
|
#
|
1109
1169
|
# Use a description that helps you decide whether the CMK is appropriate
|
1110
|
-
# for a task.
|
1170
|
+
# for a task. The default value is an empty string (no description).
|
1111
1171
|
#
|
1112
1172
|
# @option params [String] :key_usage
|
1113
1173
|
# Determines the [cryptographic operations][1] for which you can use the
|
@@ -1191,20 +1251,19 @@ module Aws::KMS
|
|
1191
1251
|
# @option params [String] :origin
|
1192
1252
|
# The source of the key material for the CMK. You cannot change the
|
1193
1253
|
# origin after you create the CMK. The default is `AWS_KMS`, which means
|
1194
|
-
# AWS KMS creates the key material.
|
1254
|
+
# that AWS KMS creates the key material.
|
1195
1255
|
#
|
1196
|
-
#
|
1197
|
-
#
|
1198
|
-
#
|
1199
|
-
#
|
1200
|
-
# Key Management Service Developer Guide*. This value is valid only for
|
1256
|
+
# To create a CMK with no key material (for imported key material), set
|
1257
|
+
# the value to `EXTERNAL`. For more information about importing key
|
1258
|
+
# material into AWS KMS, see [Importing Key Material][1] in the *AWS Key
|
1259
|
+
# Management Service Developer Guide*. This value is valid only for
|
1201
1260
|
# symmetric CMKs.
|
1202
1261
|
#
|
1203
|
-
#
|
1204
|
-
#
|
1205
|
-
#
|
1206
|
-
#
|
1207
|
-
#
|
1262
|
+
# To create a CMK in an AWS KMS [custom key store][2] and create its key
|
1263
|
+
# material in the associated AWS CloudHSM cluster, set this value to
|
1264
|
+
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter to
|
1265
|
+
# identify the custom key store. This value is valid only for symmetric
|
1266
|
+
# CMKs.
|
1208
1267
|
#
|
1209
1268
|
#
|
1210
1269
|
#
|
@@ -1219,8 +1278,9 @@ module Aws::KMS
|
|
1219
1278
|
# with the custom key store must have at least two active HSMs, each in
|
1220
1279
|
# a different Availability Zone in the Region.
|
1221
1280
|
#
|
1222
|
-
# This parameter is valid only for symmetric CMKs
|
1223
|
-
# asymmetric CMK in a custom key
|
1281
|
+
# This parameter is valid only for symmetric CMKs and regional CMKs. You
|
1282
|
+
# cannot create an asymmetric CMK or a multi-Region CMK in a custom key
|
1283
|
+
# store.
|
1224
1284
|
#
|
1225
1285
|
# To find the ID of a custom key store, use the DescribeCustomKeyStores
|
1226
1286
|
# operation.
|
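Review bot: "regional CMKs" at new line 1281 is not a term used anywhere else in this diff; the `:multi_region` text added further down calls the same thing a "single-Region CMK". Use one term in both places so readers do not take them for two different key types.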
@@ -1258,25 +1318,63 @@ module Aws::KMS
|
|
1258
1318
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
1259
1319
|
#
|
1260
1320
|
# @option params [Array<Types::Tag>] :tags
|
1261
|
-
#
|
1262
|
-
#
|
1263
|
-
#
|
1321
|
+
# Assigns one or more tags to the CMK. Use this parameter to tag the CMK
|
1322
|
+
# when it is created. To tag an existing CMK, use the TagResource
|
1323
|
+
# operation.
|
1264
1324
|
#
|
1265
|
-
#
|
1266
|
-
#
|
1267
|
-
#
|
1268
|
-
# Keys][1].
|
1325
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
1326
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
|
1327
|
+
# Service Developer Guide*.
|
1269
1328
|
#
|
1270
|
-
#
|
1271
|
-
# an existing CMK, use the TagResource operation.
|
1329
|
+
# </note>
|
1272
1330
|
#
|
1273
1331
|
# To use this parameter, you must have [kms:TagResource][2] permission
|
1274
1332
|
# in an IAM policy.
|
1275
1333
|
#
|
1334
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
1335
|
+
# the tag value are required, but the tag value can be an empty (null)
|
1336
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
1337
|
+
# key. If you specify an existing tag key with a different tag value,
|
1338
|
+
# AWS KMS replaces the current tag value with the specified one.
|
1276
1339
|
#
|
1340
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
1341
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
1342
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
1343
|
+
# Keys][3].
|
1277
1344
|
#
|
1278
|
-
#
|
1345
|
+
#
|
1346
|
+
#
|
1347
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
1279
1348
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1349
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
1350
|
+
#
|
1351
|
+
# @option params [Boolean] :multi_region
|
1352
|
+
# Creates a multi-Region primary key that you can replicate into other
|
1353
|
+
# AWS Regions. You cannot change this value after you create the CMK.
|
1354
|
+
#
|
1355
|
+
# For a multi-Region key, set this parameter to `True`. For a
|
1356
|
+
# single-Region CMK, omit this parameter or set it to `False`. The
|
1357
|
+
# default value is `False`.
|
1358
|
+
#
|
1359
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
1360
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
1361
|
+
# Because these CMKs have the same key ID, key material, and other
|
1362
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
1363
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
1364
|
+
# call or exposing the plaintext data. For more information about
|
1365
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
1366
|
+
# Management Service Developer Guide*.
|
1367
|
+
#
|
1368
|
+
# This value creates a *primary key*, not a replica. To create a
|
1369
|
+
# *replica key*, use the ReplicateKey operation.
|
1370
|
+
#
|
1371
|
+
# You can create a symmetric or asymmetric multi-Region CMK, and you can
|
1372
|
+
# create a multi-Region CMK with imported key material. However, you
|
1373
|
+
# cannot create a multi-Region CMK in a custom key store.
|
1374
|
+
#
|
1375
|
+
#
|
1376
|
+
#
|
1377
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
1280
1378
|
#
|
1281
1379
|
# @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1282
1380
|
#
|
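Review bot: The `:multi_region` text at new lines 1355-1357 tells the reader to set the parameter to `True` or `False`, but the option is documented as `[Boolean]` and the request example added in this release shows `multi_region: false`. Write `true` and `false` so the prose matches what a Ruby caller passes. Separately, "an empty (null) string" at new lines 1335-1336 treats two different values as one; say whether `tag_value` accepts an empty string, nil, or both.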
@@ -1328,6 +1426,7 @@ module Aws::KMS
|
|
1328
1426
|
# tag_value: "TagValueType", # required
|
1329
1427
|
# },
|
1330
1428
|
# ],
|
1429
|
+
# multi_region: false,
|
1331
1430
|
# })
|
1332
1431
|
#
|
1333
1432
|
# @example Response structure
|
@@ -1339,7 +1438,7 @@ module Aws::KMS
|
|
1339
1438
|
# resp.key_metadata.enabled #=> Boolean
|
1340
1439
|
# resp.key_metadata.description #=> String
|
1341
1440
|
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
1342
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
1441
|
+
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
1343
1442
|
# resp.key_metadata.deletion_date #=> Time
|
1344
1443
|
# resp.key_metadata.valid_to #=> Time
|
1345
1444
|
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
@@ -1352,6 +1451,14 @@ module Aws::KMS
|
|
1352
1451
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1353
1452
|
# resp.key_metadata.signing_algorithms #=> Array
|
1354
1453
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
1454
|
+
# resp.key_metadata.multi_region #=> Boolean
|
1455
|
+
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
1456
|
+
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
1457
|
+
# resp.key_metadata.multi_region_configuration.primary_key.region #=> String
|
1458
|
+
# resp.key_metadata.multi_region_configuration.replica_keys #=> Array
|
1459
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
1460
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
1461
|
+
# resp.key_metadata.pending_deletion_window_in_days #=> Integer
|
1355
1462
|
#
|
1356
1463
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
|
1357
1464
|
#
|
@@ -1412,8 +1519,8 @@ module Aws::KMS
|
|
1412
1519
|
# policies][4] in the *AWS Key Management Service Developer Guide*.
|
1413
1520
|
#
|
1414
1521
|
# The CMK that you use for this operation must be in a compatible key
|
1415
|
-
# state. For details, see [
|
1416
|
-
#
|
1522
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
1523
|
+
# Key Management Service Developer Guide*.
|
1417
1524
|
#
|
1418
1525
|
# **Cross-account use**\: Yes. You can decrypt a ciphertext using a CMK
|
1419
1526
|
# in a different AWS account.
|
@@ -1466,8 +1573,12 @@ module Aws::KMS
|
|
1466
1573
|
# @option params [Array<String>] :grant_tokens
|
1467
1574
|
# A list of grant tokens.
|
1468
1575
|
#
|
1469
|
-
#
|
1470
|
-
#
|
1576
|
+
# Use a grant token when your permission to call this operation comes
|
1577
|
+
# from a newly created grant that has not yet achieved eventual
|
1578
|
+
# consistency. Use a grant token when your permission to call this
|
1579
|
+
# operation comes from a new grant that has not yet achieved *eventual
|
1580
|
+
# consistency*. For more information, see [Grant token][1] in the *AWS
|
1581
|
+
# Key Management Service Developer Guide*.
|
1471
1582
|
#
|
1472
1583
|
#
|
1473
1584
|
#
|
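Review bot: the added `:grant_tokens` text in this hunk states the same sentence twice, first as "from a newly created grant that has not yet achieved eventual consistency" and then as "from a new grant that has not yet achieved *eventual consistency*". The other `:grant_tokens` hunks in this diff carry only the second form. Drop the first sentence here so the parameter reads the same across operations.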
@@ -1484,10 +1595,9 @@ module Aws::KMS
|
|
1484
1595
|
# However, it is always recommended as a best practice. This practice
|
1485
1596
|
# ensures that you use the CMK that you intend.
|
1486
1597
|
#
|
1487
|
-
# To specify a CMK, use its key ID,
|
1488
|
-
#
|
1489
|
-
#
|
1490
|
-
# the key ARN or alias ARN.
|
1598
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1599
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
1600
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
1491
1601
|
#
|
1492
1602
|
# For example:
|
1493
1603
|
#
|
@@ -1565,6 +1675,12 @@ module Aws::KMS
|
|
1565
1675
|
|
1566
1676
|
# Deletes the specified alias.
|
1567
1677
|
#
|
1678
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
1679
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
1680
|
+
# Management Service Developer Guide*.
|
1681
|
+
#
|
1682
|
+
# </note>
|
1683
|
+
#
|
1568
1684
|
# Because an alias is not a property of a CMK, you can delete and change
|
1569
1685
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
1570
1686
|
# appear in the response from the DescribeKey operation. To get the
|
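Review bot: the new note says that adding, deleting, or updating an alias "can allow or deny permission to the CMK", but the Required permissions list that follows names kms:DeleteAlias without that consequence. Consider repeating it there, so that a reader granting kms:DeleteAlias sees that the permission can change who is authorized on the CMK. As a style point, `<note markdown="1">` opens on the same line as its text while `</note>` sits on its own line; put both tags on their own lines.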
@@ -1580,11 +1696,11 @@ module Aws::KMS
|
|
1580
1696
|
#
|
1581
1697
|
# **Required permissions**
|
1582
1698
|
#
|
1583
|
-
# * [kms:DeleteAlias][
|
1699
|
+
# * [kms:DeleteAlias][2] on the alias (IAM policy).
|
1584
1700
|
#
|
1585
|
-
# * [kms:DeleteAlias][
|
1701
|
+
# * [kms:DeleteAlias][2] on the CMK (key policy).
|
1586
1702
|
#
|
1587
|
-
# For details, see [Controlling access to aliases][
|
1703
|
+
# For details, see [Controlling access to aliases][3] in the *AWS Key
|
1588
1704
|
# Management Service Developer Guide*.
|
1589
1705
|
#
|
1590
1706
|
# **Related operations:**
|
@@ -1597,8 +1713,9 @@ module Aws::KMS
|
|
1597
1713
|
#
|
1598
1714
|
#
|
1599
1715
|
#
|
1600
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1601
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
1716
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
1717
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1718
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
1602
1719
|
#
|
1603
1720
|
# @option params [required, String] :alias_name
|
1604
1721
|
# The alias to be deleted. The alias name must begin with `alias/`
|
@@ -1721,8 +1838,8 @@ module Aws::KMS
|
|
1721
1838
|
# reimport the same key material into the CMK.
|
1722
1839
|
#
|
1723
1840
|
# The CMK that you use for this operation must be in a compatible key
|
1724
|
-
# state. For details, see [
|
1725
|
-
#
|
1841
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
1842
|
+
# Key Management Service Developer Guide*.
|
1726
1843
|
#
|
1727
1844
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
1728
1845
|
# in a different AWS account.
|
@@ -1746,7 +1863,7 @@ module Aws::KMS
|
|
1746
1863
|
# Identifies the CMK from which you are deleting imported key material.
|
1747
1864
|
# The `Origin` of the CMK must be `EXTERNAL`.
|
1748
1865
|
#
|
1749
|
-
# Specify the key ID or
|
1866
|
+
# Specify the key ID or key ARN of the CMK.
|
1750
1867
|
#
|
1751
1868
|
# For example:
|
1752
1869
|
#
|
@@ -1784,14 +1901,14 @@ module Aws::KMS
|
|
1784
1901
|
end
|
1785
1902
|
|
1786
1903
|
# Gets information about [custom key stores][1] in the account and
|
1787
|
-
#
|
1904
|
+
# Region.
|
1788
1905
|
#
|
1789
1906
|
# This operation is part of the [Custom Key Store feature][1] feature in
|
1790
1907
|
# AWS KMS, which combines the convenience and extensive integration of
|
1791
1908
|
# AWS KMS with the isolation and control of a single-tenant key store.
|
1792
1909
|
#
|
1793
1910
|
# By default, this operation returns information about all custom key
|
1794
|
-
# stores in the account and
|
1911
|
+
# stores in the account and Region. To get only information about a
|
1795
1912
|
# particular custom key store, use either the `CustomKeyStoreName` or
|
1796
1913
|
# `CustomKeyStoreId` parameter (but not both).
|
1797
1914
|
#
|
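Review bot: the unchanged context line in this hunk reads "part of the [Custom Key Store feature][1] feature in", with "feature" doubled. The hunk already edits this comment block to complete "account and Region", so correct the wording to "[Custom Key Store feature][1] in" in the same change.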
@@ -1842,7 +1959,7 @@ module Aws::KMS
|
|
1842
1959
|
# key store ID.
|
1843
1960
|
#
|
1844
1961
|
# By default, this operation gets information about all custom key
|
1845
|
-
# stores in the account and
|
1962
|
+
# stores in the account and Region. To limit the output to a particular
|
1846
1963
|
# custom key store, you can use either the `CustomKeyStoreId` or
|
1847
1964
|
# `CustomKeyStoreName` parameter, but not both.
|
1848
1965
|
#
|
@@ -1851,7 +1968,7 @@ module Aws::KMS
|
|
1851
1968
|
# friendly name of the custom key store.
|
1852
1969
|
#
|
1853
1970
|
# By default, this operation gets information about all custom key
|
1854
|
-
# stores in the account and
|
1971
|
+
# stores in the account and Region. To limit the output to a particular
|
1855
1972
|
# custom key store, you can use either the `CustomKeyStoreId` or
|
1856
1973
|
# `CustomKeyStoreName` parameter, but not both.
|
1857
1974
|
#
|
@@ -1974,10 +2091,9 @@ module Aws::KMS
|
|
1974
2091
|
# KMS associates the alias with an [AWS managed CMK][1] and returns its
|
1975
2092
|
# `KeyId` and `Arn` in the response.
|
1976
2093
|
#
|
1977
|
-
# To specify a CMK, use its key ID,
|
1978
|
-
#
|
1979
|
-
#
|
1980
|
-
# the key ARN or alias ARN.
|
2094
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2095
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2096
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
1981
2097
|
#
|
1982
2098
|
# For example:
|
1983
2099
|
#
|
@@ -2000,7 +2116,9 @@ module Aws::KMS
|
|
2000
2116
|
# @option params [Array<String>] :grant_tokens
|
2001
2117
|
# A list of grant tokens.
|
2002
2118
|
#
|
2003
|
-
#
|
2119
|
+
# Use a grant token when your permission to call this operation comes
|
2120
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2121
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2004
2122
|
# Service Developer Guide*.
|
2005
2123
|
#
|
2006
2124
|
#
|
@@ -2012,9 +2130,9 @@ module Aws::KMS
|
|
2012
2130
|
# * {Types::DescribeKeyResponse#key_metadata #key_metadata} => Types::KeyMetadata
|
2013
2131
|
#
|
2014
2132
|
#
|
2015
|
-
# @example Example: To
|
2133
|
+
# @example Example: To get details about a customer master key (CMK)
|
2016
2134
|
#
|
2017
|
-
# # The following example
|
2135
|
+
# # The following example gets metadata about a symmetric CMK.
|
2018
2136
|
#
|
2019
2137
|
# resp = client.describe_key({
|
2020
2138
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the CMK that you want information about. You can use the key ID or the Amazon Resource Name (ARN) of the CMK.
|
@@ -2026,12 +2144,17 @@ module Aws::KMS
|
|
2026
2144
|
# aws_account_id: "111122223333",
|
2027
2145
|
# arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
|
2028
2146
|
# creation_date: Time.parse("2017-07-05T14:04:55-07:00"),
|
2147
|
+
# customer_master_key_spec: "SYMMETRIC_DEFAULT",
|
2029
2148
|
# description: "",
|
2030
2149
|
# enabled: true,
|
2150
|
+
# encryption_algorithms: [
|
2151
|
+
# "SYMMETRIC_DEFAULT",
|
2152
|
+
# ],
|
2031
2153
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
|
2032
2154
|
# key_manager: "CUSTOMER",
|
2033
2155
|
# key_state: "Enabled",
|
2034
2156
|
# key_usage: "ENCRYPT_DECRYPT",
|
2157
|
+
# multi_region: false,
|
2035
2158
|
# origin: "AWS_KMS",
|
2036
2159
|
# }, # An object that contains information about the specified CMK.
|
2037
2160
|
# }
|
@@ -2052,7 +2175,7 @@ module Aws::KMS
|
|
2052
2175
|
# resp.key_metadata.enabled #=> Boolean
|
2053
2176
|
# resp.key_metadata.description #=> String
|
2054
2177
|
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
2055
|
-
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
2178
|
+
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
2056
2179
|
# resp.key_metadata.deletion_date #=> Time
|
2057
2180
|
# resp.key_metadata.valid_to #=> Time
|
2058
2181
|
# resp.key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
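Review bot: `key_state` gains "Creating", "PendingReplicaDeletion" and "Updating" on this line, and nothing in the hunk says what the new states permit. Code that matches on the previous five values will not recognize the new ones. Link the key-state reference next to this line and call out the larger value set in the changelog entry, so that callers gating cryptographic use on `key_state` get rechecked.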
@@ -2065,6 +2188,14 @@ module Aws::KMS
|
|
2065
2188
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
2066
2189
|
# resp.key_metadata.signing_algorithms #=> Array
|
2067
2190
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
2191
|
+
# resp.key_metadata.multi_region #=> Boolean
|
2192
|
+
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
2193
|
+
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
2194
|
+
# resp.key_metadata.multi_region_configuration.primary_key.region #=> String
|
2195
|
+
# resp.key_metadata.multi_region_configuration.replica_keys #=> Array
|
2196
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
2197
|
+
# resp.key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
2198
|
+
# resp.key_metadata.pending_deletion_window_in_days #=> Integer
|
2068
2199
|
#
|
2069
2200
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
|
2070
2201
|
#
|
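Review bot: the response structure lists `multi_region_configuration.primary_key.arn` and `replica_keys[0].arn` unconditionally, while the DescribeKey example earlier in this diff returns `multi_region: false` with no `multi_region_configuration` entry at all. State next to these lines whether the nested struct is absent for keys that are not multi-Region, so callers know to check `multi_region` before dereferencing `primary_key`.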
@@ -2079,12 +2210,12 @@ module Aws::KMS
|
|
2079
2210
|
# temporarily prevents use of the CMK for [cryptographic operations][1].
|
2080
2211
|
#
|
2081
2212
|
# For more information about how key state affects the use of a CMK, see
|
2082
|
-
# [
|
2083
|
-
#
|
2213
|
+
# [Key state: Effect on your CMK][2] in the <i> <i>AWS Key Management
|
2214
|
+
# Service Developer Guide</i> </i>.
|
2084
2215
|
#
|
2085
2216
|
# The CMK that you use for this operation must be in a compatible key
|
2086
|
-
# state. For details, see [
|
2087
|
-
#
|
2217
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2218
|
+
# Key Management Service Developer Guide*.
|
2088
2219
|
#
|
2089
2220
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2090
2221
|
# in a different AWS account.
|
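Review bot: the added line "[Key state: Effect on your CMK][2] in the <i> <i>AWS Key Management" nests two `<i>` tags, where the other references in this diff use `*AWS Key Management Service Developer Guide*`. Use the asterisk form here as well. The next paragraph cites the same [2] link again in the "compatible key state" sentence, so one of the two references could be dropped.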
@@ -2100,9 +2231,9 @@ module Aws::KMS
|
|
2100
2231
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2101
2232
|
#
|
2102
2233
|
# @option params [required, String] :key_id
|
2103
|
-
#
|
2234
|
+
# Identifies the customer master key (CMK) to disable.
|
2104
2235
|
#
|
2105
|
-
# Specify the key ID or
|
2236
|
+
# Specify the key ID or key ARN of the CMK.
|
2106
2237
|
#
|
2107
2238
|
# For example:
|
2108
2239
|
#
|
@@ -2142,17 +2273,19 @@ module Aws::KMS
|
|
2142
2273
|
# Disables [automatic rotation of the key material][1] for the specified
|
2143
2274
|
# symmetric customer master key (CMK).
|
2144
2275
|
#
|
2145
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
2146
|
-
# imported key material, or CMKs in a [custom key store][
|
2276
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
2277
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
2278
|
+
# To enable or disable automatic rotation of a set of related
|
2279
|
+
# [multi-Region keys][5], set the property on the primary key.
|
2147
2280
|
#
|
2148
2281
|
# The CMK that you use for this operation must be in a compatible key
|
2149
|
-
# state. For details, see [
|
2150
|
-
#
|
2282
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
2283
|
+
# Key Management Service Developer Guide*.
|
2151
2284
|
#
|
2152
2285
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2153
2286
|
# in a different AWS account.
|
2154
2287
|
#
|
2155
|
-
# **Required permissions**\: [kms:DisableKeyRotation][
|
2288
|
+
# **Required permissions**\: [kms:DisableKeyRotation][7] (key policy)
|
2156
2289
|
#
|
2157
2290
|
# **Related operations:**
|
2158
2291
|
#
|
@@ -2163,16 +2296,19 @@ module Aws::KMS
|
|
2163
2296
|
#
|
2164
2297
|
#
|
2165
2298
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2166
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2167
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2168
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2299
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2300
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2301
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2302
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2303
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2304
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2169
2305
|
#
|
2170
2306
|
# @option params [required, String] :key_id
|
2171
2307
|
# Identifies a symmetric customer master key (CMK). You cannot enable or
|
2172
2308
|
# disable automatic rotation of [asymmetric CMKs][1], CMKs with
|
2173
2309
|
# [imported key material][2], or CMKs in a [custom key store][3].
|
2174
2310
|
#
|
2175
|
-
# Specify the key ID or
|
2311
|
+
# Specify the key ID or key ARN of the CMK.
|
2176
2312
|
#
|
2177
2313
|
# For example:
|
2178
2314
|
#
|
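Review bot: reference [5] is labelled "multi-Region keys" and is cited from the description's instruction to "set the property on the primary key", yet its URL ends in `#mrk-replica-key`. Check the fragment; the page URL without it would match the link text. Separately, the `:key_id` description below the reference list is left without the multi-Region sentence, while the `:key_id` hunk for EnableKeyRotation adds it. Make the two parameter descriptions match.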
@@ -2291,8 +2427,8 @@ module Aws::KMS
|
|
2291
2427
|
# allows you to use the CMK for [cryptographic operations][1].
|
2292
2428
|
#
|
2293
2429
|
# The CMK that you use for this operation must be in a compatible key
|
2294
|
-
# state. For details, see [
|
2295
|
-
#
|
2430
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2431
|
+
# Key Management Service Developer Guide*.
|
2296
2432
|
#
|
2297
2433
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2298
2434
|
# in a different AWS account.
|
@@ -2308,9 +2444,9 @@ module Aws::KMS
|
|
2308
2444
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2309
2445
|
#
|
2310
2446
|
# @option params [required, String] :key_id
|
2311
|
-
#
|
2447
|
+
# Identifies the customer master key (CMK) to enable.
|
2312
2448
|
#
|
2313
|
-
# Specify the key ID or
|
2449
|
+
# Specify the key ID or key ARN of the CMK.
|
2314
2450
|
#
|
2315
2451
|
# For example:
|
2316
2452
|
#
|
@@ -2350,17 +2486,19 @@ module Aws::KMS
|
|
2350
2486
|
# Enables [automatic rotation of the key material][1] for the specified
|
2351
2487
|
# symmetric customer master key (CMK).
|
2352
2488
|
#
|
2353
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
2354
|
-
# imported key material, or CMKs in a [custom key store][
|
2489
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
2490
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
2491
|
+
# To enable or disable automatic rotation of a set of related
|
2492
|
+
# [multi-Region keys][5], set the property on the primary key.
|
2355
2493
|
#
|
2356
2494
|
# The CMK that you use for this operation must be in a compatible key
|
2357
|
-
# state. For details, see [
|
2358
|
-
#
|
2495
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
2496
|
+
# Key Management Service Developer Guide*.
|
2359
2497
|
#
|
2360
2498
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
2361
2499
|
# in a different AWS account.
|
2362
2500
|
#
|
2363
|
-
# **Required permissions**\: [kms:EnableKeyRotation][
|
2501
|
+
# **Required permissions**\: [kms:EnableKeyRotation][7] (key policy)
|
2364
2502
|
#
|
2365
2503
|
# **Related operations:**
|
2366
2504
|
#
|
@@ -2371,16 +2509,21 @@ module Aws::KMS
|
|
2371
2509
|
#
|
2372
2510
|
#
|
2373
2511
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2374
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2375
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2376
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2512
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2513
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2514
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2515
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2516
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2517
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2377
2518
|
#
|
2378
2519
|
# @option params [required, String] :key_id
|
2379
2520
|
# Identifies a symmetric customer master key (CMK). You cannot enable
|
2380
|
-
# automatic rotation of asymmetric CMKs, CMKs with imported key
|
2381
|
-
# material, or CMKs in a [custom key store][
|
2521
|
+
# automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
|
2522
|
+
# material][2], or CMKs in a [custom key store][3]. To enable or disable
|
2523
|
+
# automatic rotation of a set of related [multi-Region keys][4], set the
|
2524
|
+
# property on the primary key.
|
2382
2525
|
#
|
2383
|
-
# Specify the key ID or
|
2526
|
+
# Specify the key ID or key ARN of the CMK.
|
2384
2527
|
#
|
2385
2528
|
# For example:
|
2386
2529
|
#
|
@@ -2393,7 +2536,10 @@ module Aws::KMS
|
|
2393
2536
|
#
|
2394
2537
|
#
|
2395
2538
|
#
|
2396
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2539
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
2540
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2541
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2542
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
2397
2543
|
#
|
2398
2544
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
2399
2545
|
#
|
@@ -2496,8 +2642,8 @@ module Aws::KMS
|
|
2496
2642
|
# * `RSAES_OAEP_SHA_256`\: 446 bytes
|
2497
2643
|
#
|
2498
2644
|
# The CMK that you use for this operation must be in a compatible key
|
2499
|
-
# state. For details, see [
|
2500
|
-
#
|
2645
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2646
|
+
# Key Management Service Developer Guide*.
|
2501
2647
|
#
|
2502
2648
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2503
2649
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -2520,12 +2666,12 @@ module Aws::KMS
|
|
2520
2666
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
2521
2667
|
#
|
2522
2668
|
# @option params [required, String] :key_id
|
2523
|
-
#
|
2669
|
+
# Identifies the customer master key (CMK) to use in the encryption
|
2670
|
+
# operation.
|
2524
2671
|
#
|
2525
|
-
# To specify a CMK, use its key ID,
|
2526
|
-
#
|
2527
|
-
#
|
2528
|
-
# the key ARN or alias ARN.
|
2672
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2673
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2674
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2529
2675
|
#
|
2530
2676
|
# For example:
|
2531
2677
|
#
|
@@ -2569,7 +2715,9 @@ module Aws::KMS
|
|
2569
2715
|
# @option params [Array<String>] :grant_tokens
|
2570
2716
|
# A list of grant tokens.
|
2571
2717
|
#
|
2572
|
-
#
|
2718
|
+
# Use a grant token when your permission to call this operation comes
|
2719
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2720
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2573
2721
|
# Service Developer Guide*.
|
2574
2722
|
#
|
2575
2723
|
#
|
@@ -2666,8 +2814,8 @@ module Aws::KMS
|
|
2666
2814
|
# Service Developer Guide*.
|
2667
2815
|
#
|
2668
2816
|
# The CMK that you use for this operation must be in a compatible key
|
2669
|
-
# state. For details, see [
|
2670
|
-
#
|
2817
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
2818
|
+
# Key Management Service Developer Guide*.
|
2671
2819
|
#
|
2672
2820
|
# **How to use your data key**
|
2673
2821
|
#
|
@@ -2726,10 +2874,9 @@ module Aws::KMS
|
|
2726
2874
|
# @option params [required, String] :key_id
|
2727
2875
|
# Identifies the symmetric CMK that encrypts the data key.
|
2728
2876
|
#
|
2729
|
-
# To specify a CMK, use its key ID,
|
2730
|
-
#
|
2731
|
-
#
|
2732
|
-
# the key ARN or alias ARN.
|
2877
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2878
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
2879
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2733
2880
|
#
|
2734
2881
|
# For example:
|
2735
2882
|
#
|
@@ -2783,7 +2930,9 @@ module Aws::KMS
|
|
2783
2930
|
# @option params [Array<String>] :grant_tokens
|
2784
2931
|
# A list of grant tokens.
|
2785
2932
|
#
|
2786
|
-
#
|
2933
|
+
# Use a grant token when your permission to call this operation comes
|
2934
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
2935
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2787
2936
|
# Service Developer Guide*.
|
2788
2937
|
#
|
2789
2938
|
#
|
@@ -2880,8 +3029,8 @@ module Aws::KMS
|
|
2880
3029
|
# Service Developer Guide*.
|
2881
3030
|
#
|
2882
3031
|
# The CMK that you use for this operation must be in a compatible key
|
2883
|
-
# state. For details, see [
|
2884
|
-
#
|
3032
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3033
|
+
# Key Management Service Developer Guide*.
|
2885
3034
|
#
|
2886
3035
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
2887
3036
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -2931,10 +3080,9 @@ module Aws::KMS
|
|
2931
3080
|
# key store. To get the type and origin of your CMK, use the DescribeKey
|
2932
3081
|
# operation.
|
2933
3082
|
#
|
2934
|
-
# To specify a CMK, use its key ID,
|
2935
|
-
#
|
2936
|
-
#
|
2937
|
-
# the key ARN or alias ARN.
|
3083
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3084
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3085
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
2938
3086
|
#
|
2939
3087
|
# For example:
|
2940
3088
|
#
|
@@ -2961,7 +3109,9 @@ module Aws::KMS
|
|
2961
3109
|
# @option params [Array<String>] :grant_tokens
|
2962
3110
|
# A list of grant tokens.
|
2963
3111
|
#
|
2964
|
-
#
|
3112
|
+
# Use a grant token when your permission to call this operation comes
|
3113
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3114
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
2965
3115
|
# Service Developer Guide*.
|
2966
3116
|
#
|
2967
3117
|
#
|
@@ -3035,8 +3185,8 @@ module Aws::KMS
|
|
3035
3185
|
# Service Developer Guide*.
|
3036
3186
|
#
|
3037
3187
|
# The CMK that you use for this operation must be in a compatible key
|
3038
|
-
# state. For details, see [
|
3039
|
-
#
|
3188
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3189
|
+
# Key Management Service Developer Guide*.
|
3040
3190
|
#
|
3041
3191
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3042
3192
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3087,10 +3237,9 @@ module Aws::KMS
|
|
3087
3237
|
# a CMK in a custom key store. To get the type and origin of your CMK,
|
3088
3238
|
# use the DescribeKey operation.
|
3089
3239
|
#
|
3090
|
-
# To specify a CMK, use its key ID,
|
3091
|
-
#
|
3092
|
-
#
|
3093
|
-
# the key ARN or alias ARN.
|
3240
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3241
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3242
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3094
3243
|
#
|
3095
3244
|
# For example:
|
3096
3245
|
#
|
@@ -3117,7 +3266,9 @@ module Aws::KMS
|
|
3117
3266
|
# @option params [Array<String>] :grant_tokens
|
3118
3267
|
# A list of grant tokens.
|
3119
3268
|
#
|
3120
|
-
#
|
3269
|
+
# Use a grant token when your permission to call this operation comes
|
3270
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3271
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3121
3272
|
# Service Developer Guide*.
|
3122
3273
|
#
|
3123
3274
|
#
|
@@ -3200,8 +3351,8 @@ module Aws::KMS
|
|
3200
3351
|
# Service Developer Guide*.
|
3201
3352
|
#
|
3202
3353
|
# The CMK that you use for this operation must be in a compatible key
|
3203
|
-
# state. For details, see [
|
3204
|
-
#
|
3354
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3355
|
+
# Key Management Service Developer Guide*.
|
3205
3356
|
#
|
3206
3357
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3207
3358
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3232,10 +3383,9 @@ module Aws::KMS
|
|
3232
3383
|
# The identifier of the symmetric customer master key (CMK) that
|
3233
3384
|
# encrypts the data key.
|
3234
3385
|
#
|
3235
|
-
# To specify a CMK, use its key ID,
|
3236
|
-
#
|
3237
|
-
#
|
3238
|
-
# the key ARN or alias ARN.
|
3386
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3387
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3388
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3239
3389
|
#
|
3240
3390
|
# For example:
|
3241
3391
|
#
|
@@ -3282,7 +3432,9 @@ module Aws::KMS
|
|
3282
3432
|
# @option params [Array<String>] :grant_tokens
|
3283
3433
|
# A list of grant tokens.
|
3284
3434
|
#
|
3285
|
-
#
|
3435
|
+
# Use a grant token when your permission to call this operation comes
|
3436
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3437
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3286
3438
|
# Service Developer Guide*.
|
3287
3439
|
#
|
3288
3440
|
#
|
@@ -3345,14 +3497,14 @@ module Aws::KMS
|
|
3345
3497
|
# ID.
|
3346
3498
|
#
|
3347
3499
|
# For more information about entropy and random number generation, see
|
3348
|
-
#
|
3500
|
+
# [AWS Key Management Service Cryptographic Details][2].
|
3349
3501
|
#
|
3350
3502
|
# **Required permissions**\: [kms:GenerateRandom][3] (IAM policy)
|
3351
3503
|
#
|
3352
3504
|
#
|
3353
3505
|
#
|
3354
3506
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3355
|
-
# [2]: https://
|
3507
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
|
3356
3508
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3357
3509
|
#
|
3358
3510
|
# @option params [Integer] :number_of_bytes
|
@@ -3419,9 +3571,9 @@ module Aws::KMS
|
|
3419
3571
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3420
3572
|
#
|
3421
3573
|
# @option params [required, String] :key_id
|
3422
|
-
#
|
3574
|
+
# Gets the key policy for the specified customer master key (CMK).
|
3423
3575
|
#
|
3424
|
-
# Specify the key ID or
|
3576
|
+
# Specify the key ID or key ARN of the CMK.
|
3425
3577
|
#
|
3426
3578
|
# For example:
|
3427
3579
|
#
|
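Review bot: the new `:key_id` description "Gets the key policy for the specified customer master key (CMK)." describes the operation, not the parameter. Other `:key_id` hunks in this diff use the form "Identifies the customer master key (CMK) to disable."; reword this one to match, for example "Identifies the CMK whose key policy you want to get." The `:key_id` text added for the key rotation status operation further down has the same problem.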
@@ -3479,13 +3631,15 @@ module Aws::KMS
|
|
3479
3631
|
# key material][1] is enabled for the specified customer master key
|
3480
3632
|
# (CMK).
|
3481
3633
|
#
|
3482
|
-
# You cannot enable automatic rotation of asymmetric CMKs, CMKs
|
3483
|
-
# imported key material, or CMKs in a [custom key store][
|
3634
|
+
# You cannot enable automatic rotation of [asymmetric CMKs][2], CMKs
|
3635
|
+
# with [imported key material][3], or CMKs in a [custom key store][4].
|
3636
|
+
# To enable or disable automatic rotation of a set of related
|
3637
|
+
# [multi-Region keys][5], set the property on the primary key. The key
|
3484
3638
|
# rotation status for these CMKs is always `false`.
|
3485
3639
|
#
|
3486
3640
|
# The CMK that you use for this operation must be in a compatible key
|
3487
|
-
# state. For details, see [
|
3488
|
-
#
|
3641
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
3642
|
+
# Key Management Service Developer Guide*.
|
3489
3643
|
#
|
3490
3644
|
# * Disabled: The key rotation status does not change when you disable a
|
3491
3645
|
# CMK. However, while the CMK is disabled, AWS KMS does not rotate the
|
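Review bot: the multi-Region sentence is inserted between "You cannot enable automatic rotation of ..." and the unchanged "rotation status for these CMKs is always `false`", so "these CMKs" now reads as referring to multi-Region keys. Move the multi-Region sentence after the "always `false`" sentence, or name the affected key types explicitly in that sentence.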
@@ -3500,7 +3654,7 @@ module Aws::KMS
|
|
3500
3654
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
3501
3655
|
# parameter.
|
3502
3656
|
#
|
3503
|
-
# **Required permissions**\: [kms:GetKeyRotationStatus][
|
3657
|
+
# **Required permissions**\: [kms:GetKeyRotationStatus][7] (key policy)
|
3504
3658
|
#
|
3505
3659
|
# **Related operations:**
|
3506
3660
|
#
|
@@ -3511,15 +3665,18 @@ module Aws::KMS
|
|
3511
3665
|
#
|
3512
3666
|
#
|
3513
3667
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
3514
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3515
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3516
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
3668
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
3669
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3670
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3671
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
3672
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3673
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3517
3674
|
#
|
3518
3675
|
# @option params [required, String] :key_id
|
3519
|
-
#
|
3676
|
+
# Gets the rotation status for the specified customer master key (CMK).
|
3520
3677
|
#
|
3521
|
-
# Specify the key ID or
|
3522
|
-
#
|
3678
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
3679
|
+
# different AWS account, you must use the key ARN.
|
3523
3680
|
#
|
3524
3681
|
# For example:
|
3525
3682
|
#
|
@@ -3591,8 +3748,8 @@ module Aws::KMS
|
|
3591
3748
|
# `GetParametersForImport` request.
|
3592
3749
|
#
|
3593
3750
|
# The CMK that you use for this operation must be in a compatible key
|
3594
|
-
# state. For details, see [
|
3595
|
-
#
|
3751
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
3752
|
+
# Key Management Service Developer Guide*.
|
3596
3753
|
#
|
3597
3754
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3598
3755
|
# in a different AWS account.
|
@@ -3616,7 +3773,7 @@ module Aws::KMS
|
|
3616
3773
|
# The identifier of the symmetric CMK into which you will import key
|
3617
3774
|
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
3618
3775
|
#
|
3619
|
-
# Specify the key ID or
|
3776
|
+
# Specify the key ID or key ARN of the CMK.
|
3620
3777
|
#
|
3621
3778
|
# For example:
|
3622
3779
|
#
|
@@ -3730,8 +3887,8 @@ module Aws::KMS
|
|
3730
3887
|
# algorithm in a verification operation.
|
3731
3888
|
#
|
3732
3889
|
# The CMK that you use for this operation must be in a compatible key
|
3733
|
-
# state. For details, see [
|
3734
|
-
#
|
3890
|
+
# state. For details, see [Key state: Effect on your CMK][7] in the *AWS
|
3891
|
+
# Key Management Service Developer Guide*.
|
3735
3892
|
#
|
3736
3893
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
3737
3894
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -3755,10 +3912,9 @@ module Aws::KMS
|
|
3755
3912
|
# @option params [required, String] :key_id
|
3756
3913
|
# Identifies the asymmetric CMK that includes the public key.
|
3757
3914
|
#
|
3758
|
-
# To specify a CMK, use its key ID,
|
3759
|
-
#
|
3760
|
-
#
|
3761
|
-
# the key ARN or alias ARN.
|
3915
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
3916
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
3917
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
3762
3918
|
#
|
3763
3919
|
# For example:
|
3764
3920
|
#
|
@@ -3777,7 +3933,9 @@ module Aws::KMS
|
|
3777
3933
|
# @option params [Array<String>] :grant_tokens
|
3778
3934
|
# A list of grant tokens.
|
3779
3935
|
#
|
3780
|
-
#
|
3936
|
+
# Use a grant token when your permission to call this operation comes
|
3937
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3938
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
3781
3939
|
# Service Developer Guide*.
|
3782
3940
|
#
|
3783
3941
|
#
|
@@ -3870,8 +4028,8 @@ module Aws::KMS
|
|
3870
4028
|
# Service Developer Guide*.
|
3871
4029
|
#
|
3872
4030
|
# The CMK that you use for this operation must be in a compatible key
|
3873
|
-
# state. For details, see [
|
3874
|
-
#
|
4031
|
+
# state. For details, see [Key state: Effect on your CMK][4] in the *AWS
|
4032
|
+
# Key Management Service Developer Guide*.
|
3875
4033
|
#
|
3876
4034
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
3877
4035
|
# in a different AWS account.
|
@@ -3898,7 +4056,7 @@ module Aws::KMS
|
|
3898
4056
|
# same CMK specified in the `KeyID` parameter of the corresponding
|
3899
4057
|
# GetParametersForImport request.
|
3900
4058
|
#
|
3901
|
-
# Specify the key ID or
|
4059
|
+
# Specify the key ID or key ARN of the CMK.
|
3902
4060
|
#
|
3903
4061
|
# For example:
|
3904
4062
|
#
|
@@ -4014,7 +4172,7 @@ module Aws::KMS
|
|
4014
4172
|
# This parameter is optional. If you omit it, `ListAliases` returns all
|
4015
4173
|
# aliases in the account and Region.
|
4016
4174
|
#
|
4017
|
-
# Specify the key ID or
|
4175
|
+
# Specify the key ID or key ARN of the CMK.
|
4018
4176
|
#
|
4019
4177
|
# For example:
|
4020
4178
|
#
|
@@ -4181,8 +4339,8 @@ module Aws::KMS
|
|
4181
4339
|
# Returns only grants for the specified customer master key (CMK). This
|
4182
4340
|
# parameter is required.
|
4183
4341
|
#
|
4184
|
-
# Specify the key ID or
|
4185
|
-
#
|
4342
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
4343
|
+
# different AWS account, you must use the key ARN.
|
4186
4344
|
#
|
4187
4345
|
# For example:
|
4188
4346
|
#
|
@@ -4335,9 +4493,10 @@ module Aws::KMS
|
|
4335
4493
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4336
4494
|
#
|
4337
4495
|
# @option params [required, String] :key_id
|
4338
|
-
#
|
4496
|
+
# Gets the names of key policies for the specified customer master key
|
4497
|
+
# (CMK).
|
4339
4498
|
#
|
4340
|
-
# Specify the key ID or
|
4499
|
+
# Specify the key ID or key ARN of the CMK.
|
4341
4500
|
#
|
4342
4501
|
# For example:
|
4343
4502
|
#
|
@@ -4538,6 +4697,10 @@ module Aws::KMS
|
|
4538
4697
|
#
|
4539
4698
|
# **Related operations:**
|
4540
4699
|
#
|
4700
|
+
# * CreateKey
|
4701
|
+
#
|
4702
|
+
# * ReplicateKey
|
4703
|
+
#
|
4541
4704
|
# * TagResource
|
4542
4705
|
#
|
4543
4706
|
# * UntagResource
|
@@ -4549,9 +4712,9 @@ module Aws::KMS
|
|
4549
4712
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4550
4713
|
#
|
4551
4714
|
# @option params [required, String] :key_id
|
4552
|
-
#
|
4715
|
+
# Gets tags on the specified customer master key (CMK).
|
4553
4716
|
#
|
4554
|
-
# Specify the key ID or
|
4717
|
+
# Specify the key ID or key ARN of the CMK.
|
4555
4718
|
#
|
4556
4719
|
# For example:
|
4557
4720
|
#
|
@@ -4637,8 +4800,10 @@ module Aws::KMS
|
|
4637
4800
|
req.send_request(options)
|
4638
4801
|
end
|
4639
4802
|
|
4640
|
-
# Returns all grants in
|
4641
|
-
#
|
4803
|
+
# Returns information about all grants in the AWS account and Region
|
4804
|
+
# that have the specified retiring principal. For more information about
|
4805
|
+
# grants, see [Grants][1] in the <i> <i>AWS Key Management Service
|
4806
|
+
# Developer Guide</i> </i>.
|
4642
4807
|
#
|
4643
4808
|
# You can specify any principal in your AWS account. The grants that are
|
4644
4809
|
# returned include grants for CMKs in your AWS account and other AWS
|
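Review bot: At new lines 4805-4806 the guide title is wrapped in nested italics, `<i> <i>AWS Key Management Service Developer Guide</i> </i>`, with stray spaces inside the outer tag. The rest of this file writes the same title as `*AWS Key Management Service Developer Guide*`; use that form here so the generated docs render consistently.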
@@ -4652,7 +4817,7 @@ module Aws::KMS
|
|
4652
4817
|
# You do not need `kms:ListRetirableGrants` permission (or any other
|
4653
4818
|
# additional permission) in any AWS account other than your own.
|
4654
4819
|
#
|
4655
|
-
# **Required permissions**\: [kms:ListRetirableGrants][
|
4820
|
+
# **Required permissions**\: [kms:ListRetirableGrants][2] (IAM policy)
|
4656
4821
|
# in your AWS account.
|
4657
4822
|
#
|
4658
4823
|
# **Related operations:**
|
@@ -4667,7 +4832,8 @@ module Aws::KMS
|
|
4667
4832
|
#
|
4668
4833
|
#
|
4669
4834
|
#
|
4670
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4835
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
4836
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4671
4837
|
#
|
4672
4838
|
# @option params [Integer] :limit
|
4673
4839
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -4792,9 +4958,9 @@ module Aws::KMS
|
|
4792
4958
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4793
4959
|
#
|
4794
4960
|
# @option params [required, String] :key_id
|
4795
|
-
#
|
4961
|
+
# Sets the key policy on the specified customer master key (CMK).
|
4796
4962
|
#
|
4797
|
-
# Specify the key ID or
|
4963
|
+
# Specify the key ID or key ARN of the CMK.
|
4798
4964
|
#
|
4799
4965
|
# For example:
|
4800
4966
|
#
|
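Review bot: The `:key_id` description added at new line 4961, "Sets the key policy on the specified customer master key (CMK).", restates what the operation does instead of saying what the parameter identifies. Since this parameter selects the CMK whose policy is changed, it should say so directly, so that a reader of the parameter list alone can tell which key is affected.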
@@ -4947,8 +5113,8 @@ module Aws::KMS
|
|
4947
5113
|
# asymmetric key ciphertext does not include configurable fields.
|
4948
5114
|
#
|
4949
5115
|
# The CMK that you use for this operation must be in a compatible key
|
4950
|
-
# state. For details, see [
|
4951
|
-
#
|
5116
|
+
# state. For details, see [Key state: Effect on your CMK][6] in the *AWS
|
5117
|
+
# Key Management Service Developer Guide*.
|
4952
5118
|
#
|
4953
5119
|
# **Cross-account use**\: Yes. The source CMK and destination CMK can be
|
4954
5120
|
# in different AWS accounts. Either or both CMKs can be in a different
|
@@ -5021,10 +5187,9 @@ module Aws::KMS
|
|
5021
5187
|
# However, it is always recommended as a best practice. This practice
|
5022
5188
|
# ensures that you use the CMK that you intend.
|
5023
5189
|
#
|
5024
|
-
# To specify a CMK, use its key ID,
|
5025
|
-
#
|
5026
|
-
#
|
5027
|
-
# the key ARN or alias ARN.
|
5190
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
5191
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
5192
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5028
5193
|
#
|
5029
5194
|
# For example:
|
5030
5195
|
#
|
@@ -5046,10 +5211,9 @@ module Aws::KMS
|
|
5046
5211
|
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
|
5047
5212
|
# DescribeKey operation.
|
5048
5213
|
#
|
5049
|
-
# To specify a CMK, use its key ID,
|
5050
|
-
#
|
5051
|
-
#
|
5052
|
-
# the key ARN or alias ARN.
|
5214
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
5215
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
5216
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5053
5217
|
#
|
5054
5218
|
# For example:
|
5055
5219
|
#
|
@@ -5110,7 +5274,9 @@ module Aws::KMS
|
|
5110
5274
|
# @option params [Array<String>] :grant_tokens
|
5111
5275
|
# A list of grant tokens.
|
5112
5276
|
#
|
5113
|
-
#
|
5277
|
+
# Use a grant token when your permission to call this operation comes
|
5278
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
5279
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
5114
5280
|
# Service Developer Guide*.
|
5115
5281
|
#
|
5116
5282
|
#
|
@@ -5176,31 +5342,331 @@ module Aws::KMS
|
|
5176
5342
|
req.send_request(options)
|
5177
5343
|
end
|
5178
5344
|
|
5179
|
-
#
|
5180
|
-
#
|
5181
|
-
#
|
5182
|
-
#
|
5345
|
+
# Replicates a multi-Region key into the specified Region. This
|
5346
|
+
# operation creates a multi-Region replica key based on a multi-Region
|
5347
|
+
# primary key in a different Region of the same AWS partition. You can
|
5348
|
+
# create multiple replicas of a primary key, but each must be in a
|
5349
|
+
# different Region. To create a multi-Region primary key, use the
|
5350
|
+
# CreateKey operation.
|
5351
|
+
#
|
5352
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
5353
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
5354
|
+
# Because these CMKs have the same key ID, key material, and other
|
5355
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
5356
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
5357
|
+
# call or exposing the plaintext data. For more information about
|
5358
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
5359
|
+
# Management Service Developer Guide*.
|
5360
|
+
#
|
5361
|
+
# A *replica key* is a fully-functional CMK that can be used
|
5362
|
+
# independently of its primary and peer replica keys. A primary key and
|
5363
|
+
# its replica keys share properties that make them interoperable. They
|
5364
|
+
# have the same [key ID][2] and key material. They also have the same
|
5365
|
+
# [key spec][3], [key usage][4], [key material origin][5], and
|
5366
|
+
# [automatic key rotation status][6]. AWS KMS automatically synchronizes
|
5367
|
+
# these shared properties among related multi-Region keys. All other
|
5368
|
+
# properties of a replica key can differ, including its [key policy][7],
|
5369
|
+
# [tags][8], [aliases][9], and [key state][10]. AWS KMS pricing and
|
5370
|
+
# quotas for CMKs apply to each primary key and replica key.
|
5371
|
+
#
|
5372
|
+
# When this operation completes, the new replica key has a transient key
|
5373
|
+
# state of `Creating`. This key state changes to `Enabled` (or
|
5374
|
+
# `PendingImport`) after a few seconds when the process of creating the
|
5375
|
+
# new replica key is complete. While the key state is `Creating`, you
|
5376
|
+
# can manage key, but you cannot yet use it in cryptographic operations.
|
5377
|
+
# If you are creating and using the replica key programmatically, retry
|
5378
|
+
# on `KMSInvalidStateException` or call `DescribeKey` to check its
|
5379
|
+
# `KeyState` value before using it. For details about the `Creating` key
|
5380
|
+
# state, see [Key state: Effect on your
|
5381
|
+
# CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
|
5382
|
+
# Management Service Developer Guide*.
|
5383
|
+
#
|
5384
|
+
# The AWS CloudTrail log of a `ReplicateKey` operation records a
|
5385
|
+
# `ReplicateKey` operation in the primary key's Region and a CreateKey
|
5386
|
+
# operation in the replica key's Region.
|
5387
|
+
#
|
5388
|
+
# If you replicate a multi-Region primary key with imported key
|
5389
|
+
# material, the replica key is created with no key material. You must
|
5390
|
+
# import the same key material that you imported into the primary key.
|
5391
|
+
# For details, see [Importing key material into multi-Region
|
5392
|
+
# keys](kms/latest/developerguide/multi-region-keys-import.html) in the
|
5393
|
+
# *AWS Key Management Service Developer Guide*.
|
5394
|
+
#
|
5395
|
+
# To convert a replica key to a primary key, use the UpdatePrimaryRegion
|
5396
|
+
# operation.
|
5397
|
+
#
|
5398
|
+
# <note markdown="1"> `ReplicateKey` uses different default values for the `KeyPolicy` and
|
5399
|
+
# `Tags` parameters than those used in the AWS KMS console. For details,
|
5400
|
+
# see the parameter descriptions.
|
5401
|
+
#
|
5402
|
+
# </note>
|
5403
|
+
#
|
5404
|
+
# **Cross-account use**\: No. You cannot use this operation to create a
|
5405
|
+
# CMK in a different AWS account.
|
5406
|
+
#
|
5407
|
+
# **Required permissions**\:
|
5408
|
+
#
|
5409
|
+
# * `kms:ReplicateKey` on the primary CMK (in the primary CMK's
|
5410
|
+
# Region). Include this permission in the primary CMK's key policy.
|
5411
|
+
#
|
5412
|
+
# * `kms:CreateKey` in an IAM policy in the replica Region.
|
5413
|
+
#
|
5414
|
+
# * To use the `Tags` parameter, `kms:TagResource` in an IAM policy in
|
5415
|
+
# the replica Region.
|
5416
|
+
#
|
5417
|
+
# **Related operations**
|
5418
|
+
#
|
5419
|
+
# * CreateKey
|
5420
|
+
#
|
5421
|
+
# * UpdatePrimaryRegion
|
5422
|
+
#
|
5423
|
+
#
|
5424
|
+
#
|
5425
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
5426
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
|
5427
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
|
5428
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
|
5429
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
|
5430
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
5431
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
5432
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5433
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
|
5434
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5435
|
+
#
|
5436
|
+
# @option params [required, String] :key_id
|
5437
|
+
# Identifies the multi-Region primary key that is being replicated. To
|
5438
|
+
# determine whether a CMK is a multi-Region primary key, use the
|
5439
|
+
# DescribeKey operation to check the value of the `MultiRegionKeyType`
|
5440
|
+
# property.
|
5441
|
+
#
|
5442
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
5443
|
+
#
|
5444
|
+
# For example:
|
5445
|
+
#
|
5446
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
5447
|
+
#
|
5448
|
+
# * Key ARN:
|
5449
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
5450
|
+
#
|
5451
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5452
|
+
#
|
5453
|
+
# @option params [required, String] :replica_region
|
5454
|
+
# The Region ID of the AWS Region for this replica key.
|
5455
|
+
#
|
5456
|
+
# Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
|
5457
|
+
# list of AWS Regions in which AWS KMS is supported, see [AWS KMS
|
5458
|
+
# service endpoints][1] in the *Amazon Web Services General Reference*.
|
5459
|
+
#
|
5460
|
+
# The replica must be in a different AWS Region than its primary key and
|
5461
|
+
# other replicas of that primary key, but in the same AWS partition. AWS
|
5462
|
+
# KMS must be available in the replica Region. If the Region is not
|
5463
|
+
# enabled by default, the AWS account must be enabled in the Region.
|
5464
|
+
#
|
5465
|
+
# For information about AWS partitions, see [Amazon Resource Names
|
5466
|
+
# (ARNs) in the *Amazon Web Services General Reference*.][2] For
|
5467
|
+
# information about enabling and disabling Regions, see [Enabling a
|
5468
|
+
# Region][3] and [Disabling a Region][4] in the *Amazon Web Services
|
5469
|
+
# General Reference*.
|
5470
|
+
#
|
5471
|
+
#
|
5472
|
+
#
|
5473
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
5474
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
5475
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
5476
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
5477
|
+
#
|
5478
|
+
# @option params [String] :policy
|
5479
|
+
# The key policy to attach to the CMK. This parameter is optional. If
|
5480
|
+
# you do not provide a key policy, AWS KMS attaches the [default key
|
5481
|
+
# policy][1] to the CMK.
|
5482
|
+
#
|
5483
|
+
# The key policy is not a shared property of multi-Region keys. You can
|
5484
|
+
# specify the same key policy or a different key policy for each key in
|
5485
|
+
# a set of related multi-Region keys. AWS KMS does not synchronize this
|
5486
|
+
# property.
|
5487
|
+
#
|
5488
|
+
# If you provide a key policy, it must meet the following criteria:
|
5489
|
+
#
|
5490
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the key
|
5491
|
+
# policy must give the caller `kms:PutKeyPolicy` permission on the
|
5492
|
+
# replica CMK. This reduces the risk that the CMK becomes
|
5493
|
+
# unmanageable. For more information, refer to the scenario in the
|
5494
|
+
# [Default Key Policy][2] section of the <i> <i>AWS Key Management
|
5495
|
+
# Service Developer Guide</i> </i>.
|
5496
|
+
#
|
5497
|
+
# * Each statement in the key policy must contain one or more
|
5498
|
+
# principals. The principals in the key policy must exist and be
|
5499
|
+
# visible to AWS KMS. When you create a new AWS principal (for
|
5500
|
+
# example, an IAM user or role), you might need to enforce a delay
|
5501
|
+
# before including the new principal in a key policy because the new
|
5502
|
+
# principal might not be immediately visible to AWS KMS. For more
|
5503
|
+
# information, see [Changes that I make are not always immediately
|
5504
|
+
# visible][3] in the *AWS Identity and Access Management User Guide*.
|
5505
|
+
#
|
5506
|
+
# * The key policy size quota is 32 kilobytes (32768 bytes).
|
5507
|
+
#
|
5508
|
+
#
|
5509
|
+
#
|
5510
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
5511
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
5512
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
5513
|
+
#
|
5514
|
+
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
5515
|
+
# A flag to indicate whether to bypass the key policy lockout safety
|
5516
|
+
# check.
|
5517
|
+
#
|
5518
|
+
# Setting this value to true increases the risk that the CMK becomes
|
5519
|
+
# unmanageable. Do not set this value to true indiscriminately.
|
5520
|
+
#
|
5521
|
+
# For more information, refer to the scenario in the [Default Key
|
5522
|
+
# Policy][1] section in the *AWS Key Management Service Developer
|
5523
|
+
# Guide*.
|
5524
|
+
#
|
5525
|
+
# Use this parameter only when you intend to prevent the principal that
|
5526
|
+
# is making the request from making a subsequent `PutKeyPolicy` request
|
5527
|
+
# on the CMK.
|
5528
|
+
#
|
5529
|
+
# The default value is false.
|
5183
5530
|
#
|
5184
|
-
# * The AWS account (root user) under which the grant was created
|
5185
5531
|
#
|
5186
|
-
# * The `RetiringPrincipal`, if present in the grant
|
5187
5532
|
#
|
5188
|
-
#
|
5189
|
-
#
|
5533
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
5534
|
+
#
|
5535
|
+
# @option params [String] :description
|
5536
|
+
# A description of the CMK. Use a description that helps you decide
|
5537
|
+
# whether the CMK is appropriate for a task. The default value is an
|
5538
|
+
# empty string (no description).
|
5539
|
+
#
|
5540
|
+
# The description is not a shared property of multi-Region keys. You can
|
5541
|
+
# specify the same description or a different description for each key
|
5542
|
+
# in a set of related multi-Region keys. AWS KMS does not synchronize
|
5543
|
+
# this property.
|
5544
|
+
#
|
5545
|
+
# @option params [Array<Types::Tag>] :tags
|
5546
|
+
# Assigns one or more tags to the replica key. Use this parameter to tag
|
5547
|
+
# the CMK when it is created. To tag an existing CMK, use the
|
5548
|
+
# TagResource operation.
|
5549
|
+
#
|
5550
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
5551
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key Management
|
5552
|
+
# Service Developer Guide*.
|
5190
5553
|
#
|
5191
|
-
#
|
5192
|
-
#
|
5193
|
-
#
|
5194
|
-
#
|
5195
|
-
#
|
5554
|
+
# </note>
|
5555
|
+
#
|
5556
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
5557
|
+
# in an IAM policy.
|
5558
|
+
#
|
5559
|
+
# Tags are not a shared property of multi-Region keys. You can specify
|
5560
|
+
# the same tags or different tags for each key in a set of related
|
5561
|
+
# multi-Region keys. AWS KMS does not synchronize this property.
|
5562
|
+
#
|
5563
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
5564
|
+
# the tag value are required, but the tag value can be an empty (null)
|
5565
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
5566
|
+
# key. If you specify an existing tag key with a different tag value,
|
5567
|
+
# AWS KMS replaces the current tag value with the specified one.
|
5568
|
+
#
|
5569
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
5570
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
5571
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
5572
|
+
# Keys][3].
|
5573
|
+
#
|
5574
|
+
#
|
5575
|
+
#
|
5576
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
5577
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5578
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5579
|
+
#
|
5580
|
+
# @return [Types::ReplicateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5581
|
+
#
|
5582
|
+
# * {Types::ReplicateKeyResponse#replica_key_metadata #replica_key_metadata} => Types::KeyMetadata
|
5583
|
+
# * {Types::ReplicateKeyResponse#replica_policy #replica_policy} => String
|
5584
|
+
# * {Types::ReplicateKeyResponse#replica_tags #replica_tags} => Array<Types::Tag>
|
5585
|
+
#
|
5586
|
+
# @example Request syntax with placeholder values
|
5587
|
+
#
|
5588
|
+
# resp = client.replicate_key({
|
5589
|
+
# key_id: "KeyIdType", # required
|
5590
|
+
# replica_region: "RegionType", # required
|
5591
|
+
# policy: "PolicyType",
|
5592
|
+
# bypass_policy_lockout_safety_check: false,
|
5593
|
+
# description: "DescriptionType",
|
5594
|
+
# tags: [
|
5595
|
+
# {
|
5596
|
+
# tag_key: "TagKeyType", # required
|
5597
|
+
# tag_value: "TagValueType", # required
|
5598
|
+
# },
|
5599
|
+
# ],
|
5600
|
+
# })
|
5601
|
+
#
|
5602
|
+
# @example Response structure
|
5603
|
+
#
|
5604
|
+
# resp.replica_key_metadata.aws_account_id #=> String
|
5605
|
+
# resp.replica_key_metadata.key_id #=> String
|
5606
|
+
# resp.replica_key_metadata.arn #=> String
|
5607
|
+
# resp.replica_key_metadata.creation_date #=> Time
|
5608
|
+
# resp.replica_key_metadata.enabled #=> Boolean
|
5609
|
+
# resp.replica_key_metadata.description #=> String
|
5610
|
+
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
5611
|
+
# resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
5612
|
+
# resp.replica_key_metadata.deletion_date #=> Time
|
5613
|
+
# resp.replica_key_metadata.valid_to #=> Time
|
5614
|
+
# resp.replica_key_metadata.origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM"
|
5615
|
+
# resp.replica_key_metadata.custom_key_store_id #=> String
|
5616
|
+
# resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
|
5617
|
+
# resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
5618
|
+
# resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
5619
|
+
# resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
|
5620
|
+
# resp.replica_key_metadata.encryption_algorithms #=> Array
|
5621
|
+
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
5622
|
+
# resp.replica_key_metadata.signing_algorithms #=> Array
|
5623
|
+
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
5624
|
+
# resp.replica_key_metadata.multi_region #=> Boolean
|
5625
|
+
# resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
5626
|
+
# resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
|
5627
|
+
# resp.replica_key_metadata.multi_region_configuration.primary_key.region #=> String
|
5628
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys #=> Array
|
5629
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys[0].arn #=> String
|
5630
|
+
# resp.replica_key_metadata.multi_region_configuration.replica_keys[0].region #=> String
|
5631
|
+
# resp.replica_key_metadata.pending_deletion_window_in_days #=> Integer
|
5632
|
+
# resp.replica_policy #=> String
|
5633
|
+
# resp.replica_tags #=> Array
|
5634
|
+
# resp.replica_tags[0].tag_key #=> String
|
5635
|
+
# resp.replica_tags[0].tag_value #=> String
|
5636
|
+
#
|
5637
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey AWS API Documentation
|
5638
|
+
#
|
5639
|
+
# @overload replicate_key(params = {})
|
5640
|
+
# @param [Hash] params ({})
|
5641
|
+
def replicate_key(params = {}, options = {})
|
5642
|
+
req = build_request(:replicate_key, params)
|
5643
|
+
req.send_request(options)
|
5644
|
+
end
|
5645
|
+
|
5646
|
+
# Deletes a grant. Typically, you retire a grant when you no longer need
|
5647
|
+
# its permissions. To identify the grant to retire, use a [grant
|
5648
|
+
# token][1], or both the grant ID and a key identifier (key ID or key
|
5649
|
+
# ARN) of the customer master key (CMK). The CreateGrant operation
|
5650
|
+
# returns both values.
|
5651
|
+
#
|
5652
|
+
# This operation can be called by the *retiring principal* for a grant,
|
5653
|
+
# by the *grantee principal* if the grant allows the `RetireGrant`
|
5654
|
+
# operation, and by the AWS account (root user) in which the grant is
|
5655
|
+
# created. It can also be called by principals to whom permission for
|
5656
|
+
# retiring a grant is delegated. For details, see [Retiring and revoking
|
5657
|
+
# grants][2] in the *AWS Key Management Service Developer Guide*.
|
5658
|
+
#
|
5659
|
+
# For detailed information about grants, including grant terminology,
|
5660
|
+
# see [Using grants][3] in the <i> <i>AWS Key Management Service
|
5661
|
+
# Developer Guide</i> </i>. For examples of working with grants in
|
5662
|
+
# several programming languages, see [Programming grants][4].
|
5196
5663
|
#
|
5197
5664
|
# **Cross-account use**\: Yes. You can retire a grant on a CMK in a
|
5198
5665
|
# different AWS account.
|
5199
5666
|
#
|
5200
|
-
# **Required permissions:**\:
|
5201
|
-
#
|
5202
|
-
#
|
5203
|
-
# Service Developer Guide*.
|
5667
|
+
# **Required permissions:**\:Permission to retire a grant is determined
|
5668
|
+
# primarily by the grant. For details, see [Retiring and revoking
|
5669
|
+
# grants][2] in the *AWS Key Management Service Developer Guide*.
|
5204
5670
|
#
|
5205
5671
|
# **Related operations:**
|
5206
5672
|
#
|
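Review bot: In the `ReplicateKey` description (new lines 5380-5381 and 5391-5392) the two inline links `(kms/latest/developerguide/key-state.html)` and `(kms/latest/developerguide/multi-region-keys-import.html)` are relative paths with no scheme or host, unlike every other reference in this block, which uses a numbered `https://docs.aws.amazon.com/...` definition. The key-state page is already defined as `[10]` in the same comment, so reuse it and add a numbered entry for the import page. Smaller wording points in the same hunk: "you can manage key" at new line 5376 is missing an article; the link text at new lines 5465-5466 swallows the guide title and the full stop (`[Amazon Resource Names (ARNs) in the *Amazon Web Services General Reference*.][2]`); the `<i> <i>...</i> </i>` nesting at new lines 5494-5495 and 5660-5661 should be the plain `*...*` form used elsewhere; and `**Required permissions:**\:Permission` at new line 5667 has a doubled colon and no space before the sentence. The `:tags` text says the tag value "can be an empty (null) string" while the request example marks `tag_value` as required; say explicitly that an empty string is accepted and drop "(null)".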
@@ -5214,20 +5680,34 @@ module Aws::KMS
|
|
5214
5680
|
#
|
5215
5681
|
#
|
5216
5682
|
#
|
5217
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5683
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5684
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
5685
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
5686
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
|
5218
5687
|
#
|
5219
5688
|
# @option params [String] :grant_token
|
5220
|
-
#
|
5689
|
+
# Identifies the grant to be retired. You can use a grant token to
|
5690
|
+
# identify a new grant even before it has achieved eventual consistency.
|
5691
|
+
#
|
5692
|
+
# Only the CreateGrant operation returns a grant token. For details, see
|
5693
|
+
# [Grant token][1] and [Eventual consistency][2] in the *AWS Key
|
5694
|
+
# Management Service Developer Guide*.
|
5695
|
+
#
|
5696
|
+
#
|
5697
|
+
#
|
5698
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5699
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
5221
5700
|
#
|
5222
5701
|
# @option params [String] :key_id
|
5223
|
-
# The
|
5702
|
+
# The key ARN CMK associated with the grant. To find the key ARN, use
|
5703
|
+
# the ListKeys operation.
|
5224
5704
|
#
|
5225
5705
|
# For example:
|
5226
5706
|
# `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
5227
5707
|
#
|
5228
5708
|
# @option params [String] :grant_id
|
5229
|
-
#
|
5230
|
-
#
|
5709
|
+
# Identifies the grant to retire. To get the grant ID, use CreateGrant,
|
5710
|
+
# ListGrants, or ListRetirableGrants.
|
5231
5711
|
#
|
5232
5712
|
# * Grant ID Example -
|
5233
5713
|
# 0123456789012345678901234567890123456789012345678901234567890123
|
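Review bot: The new `:key_id` description at new line 5702, "The key ARN CMK associated with the grant.", is garbled; it should read "The key ARN of the CMK associated with the grant." The same hunk defines "Retiring and revoking grants" as `grant-manage.html#grant-delete` (new line 5684), which is worth checking against the other definition of that title in this file before release.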
@@ -5263,15 +5743,22 @@ module Aws::KMS
|
|
5263
5743
|
req.send_request(options)
|
5264
5744
|
end
|
5265
5745
|
|
5266
|
-
#
|
5267
|
-
#
|
5268
|
-
#
|
5746
|
+
# Deletes the specified grant. You revoke a grant to terminate the
|
5747
|
+
# permissions that the grant allows. For more information, see [Retiring
|
5748
|
+
# and revoking grants][1] in the <i> <i>AWS Key Management Service
|
5749
|
+
# Developer Guide</i> </i>.
|
5750
|
+
#
|
5751
|
+
# When you create, retire, or revoke a grant, there might be a brief
|
5752
|
+
# delay, usually less than five minutes, until the grant is available
|
5753
|
+
# throughout AWS KMS. This state is known as *eventual consistency*. For
|
5754
|
+
# details, see [Eventual consistency][2] in the <i> <i>AWS Key
|
5755
|
+
# Management Service Developer Guide</i> </i>.
|
5269
5756
|
#
|
5270
5757
|
# **Cross-account use**\: Yes. To perform this operation on a CMK in a
|
5271
5758
|
# different AWS account, specify the key ARN in the value of the `KeyId`
|
5272
5759
|
# parameter.
|
5273
5760
|
#
|
5274
|
-
# **Required permissions**\: [kms:RevokeGrant][
|
5761
|
+
# **Required permissions**\: [kms:RevokeGrant][3] (key policy).
|
5275
5762
|
#
|
5276
5763
|
# **Related operations:**
|
5277
5764
|
#
|
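Review bot: Both Developer Guide references in the new RevokeGrant description (new lines 5748-5749 and 5754-5755) are wrapped in doubled inline HTML, `<i> <i>AWS Key Management Service Developer Guide</i> </i>`, while the other comments in this diff mark the title with Markdown emphasis (`*AWS Key Management Service Developer Guide*`); replace the nested tags with the Markdown form. In the eventual-consistency paragraph (5751-5753), "until the grant is available throughout AWS KMS" only describes creation. For a revoke, the reader needs to know that the revocation itself may take that long to take effect, so say "until the change takes effect throughout AWS KMS" or similar.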
@@ -5285,14 +5772,17 @@ module Aws::KMS
|
|
5285
5772
|
#
|
5286
5773
|
#
|
5287
5774
|
#
|
5288
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5775
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete
|
5776
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
5777
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5289
5778
|
#
|
5290
5779
|
# @option params [required, String] :key_id
|
5291
|
-
# A unique identifier for the customer master key associated with
|
5292
|
-
# grant.
|
5780
|
+
# A unique identifier for the customer master key (CMK) associated with
|
5781
|
+
# the grant. To get the key ID and key ARN for a CMK, use ListKeys or
|
5782
|
+
# DescribeKey.
|
5293
5783
|
#
|
5294
|
-
# Specify the key ID or
|
5295
|
-
#
|
5784
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
5785
|
+
# different AWS account, you must use the key ARN.
|
5296
5786
|
#
|
5297
5787
|
# For example:
|
5298
5788
|
#
|
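Review bot: The sentence added to `:key_id` at new lines 5781-5782, "To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.", repeats the sentence that already closes the same parameter description (unchanged line 5794, visible as context in the next hunk), so the rendered documentation states it twice. Keep one copy, preferably the trailing one that follows the examples.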
@@ -5304,7 +5794,8 @@ module Aws::KMS
|
|
5304
5794
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5305
5795
|
#
|
5306
5796
|
# @option params [required, String] :grant_id
|
5307
|
-
#
|
5797
|
+
# Identifies the grant to revoke. To get the grant ID, use CreateGrant,
|
5798
|
+
# ListGrants, or ListRetirableGrants.
|
5308
5799
|
#
|
5309
5800
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5310
5801
|
#
|
@@ -5334,19 +5825,21 @@ module Aws::KMS
|
|
5334
5825
|
req.send_request(options)
|
5335
5826
|
end
|
5336
5827
|
|
5337
|
-
# Schedules the deletion of a customer master key (CMK).
|
5338
|
-
# a waiting period
|
5339
|
-
#
|
5340
|
-
#
|
5341
|
-
#
|
5342
|
-
#
|
5343
|
-
#
|
5344
|
-
#
|
5828
|
+
# Schedules the deletion of a customer master key (CMK). By default, AWS
|
5829
|
+
# KMS applies a waiting period of 30 days, but you can specify a waiting
|
5830
|
+
# period of 7-30 days. When this operation is successful, the key state
|
5831
|
+
# of the CMK changes to `PendingDeletion` and the key can't be used in
|
5832
|
+
# any cryptographic operations. It remains in this state for the
|
5833
|
+
# duration of the waiting period. Before the waiting period ends, you
|
5834
|
+
# can use CancelKeyDeletion to cancel the deletion of the CMK. After the
|
5835
|
+
# waiting period ends, AWS KMS deletes the CMK, its key material, and
|
5836
|
+
# all AWS KMS data associated with it, including all aliases that refer
|
5837
|
+
# to it.
|
5345
5838
|
#
|
5346
5839
|
# Deleting a CMK is a destructive and potentially dangerous operation.
|
5347
5840
|
# When a CMK is deleted, all data that was encrypted under the CMK is
|
5348
|
-
# unrecoverable.
|
5349
|
-
# DisableKey.
|
5841
|
+
# unrecoverable. (The only exception is a multi-Region replica key.) To
|
5842
|
+
# prevent the use of a CMK without deleting it, use DisableKey.
|
5350
5843
|
#
|
5351
5844
|
# If you schedule deletion of a CMK from a [custom key store][1], when
|
5352
5845
|
# the waiting period expires, `ScheduleKeyDeletion` deletes the CMK from
|
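Review bot: The parenthetical added at new line 5841, "(The only exception is a multi-Region replica key.)", qualifies the data-loss warning without saying why the exception holds or where to read more. The reference to "Deleting multi-Region keys" only appears in the paragraph added by the following hunk. Attach that link to the parenthetical, or move the sentence into the multi-Region paragraph, so the warning about unrecoverable data is not weakened by an unexplained aside.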
@@ -5355,18 +5848,30 @@ module Aws::KMS
|
|
5355
5848
|
# manually [delete the orphaned key material][2] from the cluster and
|
5356
5849
|
# its backups.
|
5357
5850
|
#
|
5851
|
+
# You can schedule the deletion of a multi-Region primary key and its
|
5852
|
+
# replica keys at any time. However, AWS KMS will not delete a
|
5853
|
+
# multi-Region primary key with existing replica keys. If you schedule
|
5854
|
+
# the deletion of a primary key with replicas, its key state changes to
|
5855
|
+
# `PendingReplicaDeletion` and it cannot be replicated or used in
|
5856
|
+
# cryptographic operations. This status can continue indefinitely. When
|
5857
|
+
# the last of its replicas keys is deleted (not just scheduled), the key
|
5858
|
+
# state of the primary key changes to `PendingDeletion` and its waiting
|
5859
|
+
# period (`PendingWindowInDays`) begins. For details, see [Deleting
|
5860
|
+
# multi-Region keys][3] in the *AWS Key Management Service Developer
|
5861
|
+
# Guide*.
|
5862
|
+
#
|
5358
5863
|
# For more information about scheduling a CMK for deletion, see
|
5359
|
-
# [Deleting Customer Master Keys][
|
5864
|
+
# [Deleting Customer Master Keys][4] in the *AWS Key Management Service
|
5360
5865
|
# Developer Guide*.
|
5361
5866
|
#
|
5362
5867
|
# The CMK that you use for this operation must be in a compatible key
|
5363
|
-
# state. For details, see [
|
5364
|
-
#
|
5868
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
5869
|
+
# Key Management Service Developer Guide*.
|
5365
5870
|
#
|
5366
5871
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5367
5872
|
# in a different AWS account.
|
5368
5873
|
#
|
5369
|
-
# **Required permissions**\:
|
5874
|
+
# **Required permissions**\: kms:ScheduleKeyDeletion (key policy)
|
5370
5875
|
#
|
5371
5876
|
# **Related operations**
|
5372
5877
|
#
|
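Review bot: New line 5857 has a typo, "the last of its replicas keys is deleted"; it should be "replica keys". New line 5874 writes the permission as plain text, `kms:ScheduleKeyDeletion (key policy)`, where the other operations in this diff use a reference link (`[kms:RevokeGrant][3] (key policy)`); add a numbered reference to the permissions page for consistency. The sentence at 5856, "This status can continue indefinitely", should say "key state" to match the term used in the rest of the paragraph.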
@@ -5378,14 +5883,14 @@ module Aws::KMS
|
|
5378
5883
|
#
|
5379
5884
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
5380
5885
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key
|
5381
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5382
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5383
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5886
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html
|
5887
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
|
5888
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5384
5889
|
#
|
5385
5890
|
# @option params [required, String] :key_id
|
5386
5891
|
# The unique identifier of the customer master key (CMK) to delete.
|
5387
5892
|
#
|
5388
|
-
# Specify the key ID or
|
5893
|
+
# Specify the key ID or key ARN of the CMK.
|
5389
5894
|
#
|
5390
5895
|
# For example:
|
5391
5896
|
#
|
@@ -5400,6 +5905,10 @@ module Aws::KMS
|
|
5400
5905
|
# The waiting period, specified in number of days. After the waiting
|
5401
5906
|
# period ends, AWS KMS deletes the customer master key (CMK).
|
5402
5907
|
#
|
5908
|
+
# If the CMK is a multi-Region primary key with replicas, the waiting
|
5909
|
+
# period begins when the last of its replica keys is deleted. Otherwise,
|
5910
|
+
# the waiting period begins immediately.
|
5911
|
+
#
|
5403
5912
|
# This value is optional. If you include a value, it must be between 7
|
5404
5913
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
5405
5914
|
#
|
@@ -5407,6 +5916,8 @@ module Aws::KMS
|
|
5407
5916
|
#
|
5408
5917
|
# * {Types::ScheduleKeyDeletionResponse#key_id #key_id} => String
|
5409
5918
|
# * {Types::ScheduleKeyDeletionResponse#deletion_date #deletion_date} => Time
|
5919
|
+
# * {Types::ScheduleKeyDeletionResponse#key_state #key_state} => String
|
5920
|
+
# * {Types::ScheduleKeyDeletionResponse#pending_window_in_days #pending_window_in_days} => Integer
|
5410
5921
|
#
|
5411
5922
|
#
|
5412
5923
|
# @example Example: To schedule a customer master key (CMK) for deletion
|
@@ -5435,6 +5946,8 @@ module Aws::KMS
|
|
5435
5946
|
#
|
5436
5947
|
# resp.key_id #=> String
|
5437
5948
|
# resp.deletion_date #=> Time
|
5949
|
+
# resp.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
5950
|
+
# resp.pending_window_in_days #=> Integer
|
5438
5951
|
#
|
5439
5952
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion AWS API Documentation
|
5440
5953
|
#
|
@@ -5484,8 +5997,8 @@ module Aws::KMS
|
|
5484
5997
|
# KMS.
|
5485
5998
|
#
|
5486
5999
|
# The CMK that you use for this operation must be in a compatible key
|
5487
|
-
# state. For details, see [
|
5488
|
-
#
|
6000
|
+
# state. For details, see [Key state: Effect on your CMK][3] in the *AWS
|
6001
|
+
# Key Management Service Developer Guide*.
|
5489
6002
|
#
|
5490
6003
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
5491
6004
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -5508,10 +6021,9 @@ module Aws::KMS
|
|
5508
6021
|
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
|
5509
6022
|
# DescribeKey operation.
|
5510
6023
|
#
|
5511
|
-
# To specify a CMK, use its key ID,
|
5512
|
-
#
|
5513
|
-
#
|
5514
|
-
# the key ARN or alias ARN.
|
6024
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
6025
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
6026
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
5515
6027
|
#
|
5516
6028
|
# For example:
|
5517
6029
|
#
|
@@ -5542,7 +6054,9 @@ module Aws::KMS
|
|
5542
6054
|
# @option params [Array<String>] :grant_tokens
|
5543
6055
|
# A list of grant tokens.
|
5544
6056
|
#
|
5545
|
-
#
|
6057
|
+
# Use a grant token when your permission to call this operation comes
|
6058
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
6059
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
5546
6060
|
# Service Developer Guide*.
|
5547
6061
|
#
|
5548
6062
|
#
|
@@ -5588,50 +6102,65 @@ module Aws::KMS
|
|
5588
6102
|
|
5589
6103
|
# Adds or edits tags on a [customer managed CMK][1].
|
5590
6104
|
#
|
6105
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
6106
|
+
# For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
|
6107
|
+
# Service Developer Guide*.
|
6108
|
+
#
|
6109
|
+
# </note>
|
6110
|
+
#
|
5591
6111
|
# Each tag consists of a tag key and a tag value, both of which are
|
5592
6112
|
# case-sensitive strings. The tag value can be an empty (null) string.
|
5593
|
-
#
|
5594
6113
|
# To add a tag, specify a new tag key and a tag value. To edit a tag,
|
5595
6114
|
# specify an existing tag key and a new tag value.
|
5596
6115
|
#
|
5597
6116
|
# You can use this operation to tag a [customer managed CMK][1], but you
|
5598
|
-
# cannot tag an [AWS managed CMK][
|
5599
|
-
# alias.
|
6117
|
+
# cannot tag an [AWS managed CMK][3], an [AWS owned CMK][4], a [custom
|
6118
|
+
# key store][5], or an [alias][6].
|
5600
6119
|
#
|
6120
|
+
# You can also add tags to a CMK while creating it (CreateKey) or
|
6121
|
+
# replicating it (ReplicateKey).
|
6122
|
+
#
|
6123
|
+
# For information about using tags in AWS KMS, see [Tagging keys][7].
|
5601
6124
|
# For general information about tags, including the format and syntax,
|
5602
|
-
# see [Tagging AWS resources][
|
5603
|
-
# Reference*.
|
5604
|
-
# keys][5].
|
6125
|
+
# see [Tagging AWS resources][8] in the *Amazon Web Services General
|
6126
|
+
# Reference*.
|
5605
6127
|
#
|
5606
6128
|
# The CMK that you use for this operation must be in a compatible key
|
5607
|
-
# state. For details, see [
|
5608
|
-
#
|
6129
|
+
# state. For details, see [Key state: Effect on your CMK][9] in the *AWS
|
6130
|
+
# Key Management Service Developer Guide*.
|
5609
6131
|
#
|
5610
6132
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5611
6133
|
# in a different AWS account.
|
5612
6134
|
#
|
5613
|
-
# **Required permissions**\: [kms:TagResource][
|
6135
|
+
# **Required permissions**\: [kms:TagResource][10] (key policy)
|
5614
6136
|
#
|
5615
6137
|
# **Related operations**
|
5616
6138
|
#
|
5617
|
-
# *
|
6139
|
+
# * CreateKey
|
5618
6140
|
#
|
5619
6141
|
# * ListResourceTags
|
5620
6142
|
#
|
6143
|
+
# * ReplicateKey
|
6144
|
+
#
|
6145
|
+
# * UntagResource
|
6146
|
+
#
|
5621
6147
|
#
|
5622
6148
|
#
|
5623
6149
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5624
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5625
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-
|
5626
|
-
# [4]: https://docs.aws.amazon.com/
|
5627
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5628
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5629
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6150
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
6151
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
6152
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
6153
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept
|
6154
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept
|
6155
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
6156
|
+
# [8]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
6157
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6158
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5630
6159
|
#
|
5631
6160
|
# @option params [required, String] :key_id
|
5632
6161
|
# Identifies a customer managed CMK in the account and Region.
|
5633
6162
|
#
|
5634
|
-
# Specify the key ID or
|
6163
|
+
# Specify the key ID or key ARN of the CMK.
|
5635
6164
|
#
|
5636
6165
|
# For example:
|
5637
6166
|
#
|
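Review bot: The ABAC note added at new lines 6105-6109 says tagging can allow or deny permission to the CMK, yet the Required permissions line at 6135 still lists `kms:TagResource` with no hint that it now affects access. Add a sentence there, or in the note, telling readers that a principal allowed to call TagResource can change who is permitted to use the key when tag-based conditions are in place, so the permission is reviewed with the same care as key-policy edits.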
@@ -5693,43 +6222,54 @@ module Aws::KMS
|
|
5693
6222
|
# Deletes tags from a [customer managed CMK][1]. To delete a tag,
|
5694
6223
|
# specify the tag key and the CMK.
|
5695
6224
|
#
|
6225
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
6226
|
+
# For details, see [Using ABAC in AWS KMS][2] in the *AWS Key Management
|
6227
|
+
# Service Developer Guide*.
|
6228
|
+
#
|
6229
|
+
# </note>
|
6230
|
+
#
|
5696
6231
|
# When it succeeds, the `UntagResource` operation doesn't return any
|
5697
6232
|
# output. Also, if the specified tag key isn't found on the CMK, it
|
5698
6233
|
# doesn't throw an exception or return a response. To confirm that the
|
5699
6234
|
# operation worked, use the ListResourceTags operation.
|
5700
6235
|
#
|
6236
|
+
# For information about using tags in AWS KMS, see [Tagging keys][3].
|
5701
6237
|
# For general information about tags, including the format and syntax,
|
5702
|
-
# see [Tagging AWS resources][
|
5703
|
-
# Reference*.
|
5704
|
-
# keys][3].
|
6238
|
+
# see [Tagging AWS resources][4] in the *Amazon Web Services General
|
6239
|
+
# Reference*.
|
5705
6240
|
#
|
5706
6241
|
# The CMK that you use for this operation must be in a compatible key
|
5707
|
-
# state. For details, see [
|
5708
|
-
#
|
6242
|
+
# state. For details, see [Key state: Effect on your CMK][5] in the *AWS
|
6243
|
+
# Key Management Service Developer Guide*.
|
5709
6244
|
#
|
5710
6245
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5711
6246
|
# in a different AWS account.
|
5712
6247
|
#
|
5713
|
-
# **Required permissions**\: [kms:UntagResource][
|
6248
|
+
# **Required permissions**\: [kms:UntagResource][6] (key policy)
|
5714
6249
|
#
|
5715
6250
|
# **Related operations**
|
5716
6251
|
#
|
5717
|
-
# *
|
6252
|
+
# * CreateKey
|
5718
6253
|
#
|
5719
6254
|
# * ListResourceTags
|
5720
6255
|
#
|
6256
|
+
# * ReplicateKey
|
6257
|
+
#
|
6258
|
+
# * TagResource
|
6259
|
+
#
|
5721
6260
|
#
|
5722
6261
|
#
|
5723
6262
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
5724
|
-
# [2]: https://docs.aws.amazon.com/
|
6263
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
5725
6264
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
5726
|
-
# [4]: https://docs.aws.amazon.com/
|
5727
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6265
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
|
6266
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6267
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5728
6268
|
#
|
5729
6269
|
# @option params [required, String] :key_id
|
5730
6270
|
# Identifies the CMK from which you are removing tags.
|
5731
6271
|
#
|
5732
|
-
# Specify the key ID or
|
6272
|
+
# Specify the key ID or key ARN of the CMK.
|
5733
6273
|
#
|
5734
6274
|
# For example:
|
5735
6275
|
#
|
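Review bot: With the ABAC note added at new lines 6225-6229, the unchanged paragraph at 6231-6234 deserves more prominence: UntagResource returns no output and raises no exception when the tag key is not found on the CMK, so an untag that is meant to withdraw access can silently do nothing. Place the "use the ListResourceTags operation" advice directly after the note and state that the check is needed whenever the tag participates in an access decision.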
@@ -5777,7 +6317,13 @@ module Aws::KMS
|
|
5777
6317
|
# Associates an existing AWS KMS alias with a different customer master
|
5778
6318
|
# key (CMK). Each alias is associated with only one CMK at a time,
|
5779
6319
|
# although a CMK can have multiple aliases. The alias and the CMK must
|
5780
|
-
# be in the same AWS account and
|
6320
|
+
# be in the same AWS account and Region.
|
6321
|
+
#
|
6322
|
+
# <note markdown="1"> Adding, deleting, or updating an alias can allow or deny permission to
|
6323
|
+
# the CMK. For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
6324
|
+
# Management Service Developer Guide*.
|
6325
|
+
#
|
6326
|
+
# </note>
|
5781
6327
|
#
|
5782
6328
|
# The current and new CMK must be the same type (both symmetric or both
|
5783
6329
|
# asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
|
@@ -5797,21 +6343,21 @@ module Aws::KMS
|
|
5797
6343
|
# operation.
|
5798
6344
|
#
|
5799
6345
|
# The CMK that you use for this operation must be in a compatible key
|
5800
|
-
# state. For details, see [
|
5801
|
-
#
|
6346
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
6347
|
+
# Key Management Service Developer Guide*.
|
5802
6348
|
#
|
5803
6349
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
5804
6350
|
# in a different AWS account.
|
5805
6351
|
#
|
5806
6352
|
# **Required permissions**
|
5807
6353
|
#
|
5808
|
-
# * [kms:UpdateAlias][
|
6354
|
+
# * [kms:UpdateAlias][3] on the alias (IAM policy).
|
5809
6355
|
#
|
5810
|
-
# * [kms:UpdateAlias][
|
6356
|
+
# * [kms:UpdateAlias][3] on the current CMK (key policy).
|
5811
6357
|
#
|
5812
|
-
# * [kms:UpdateAlias][
|
6358
|
+
# * [kms:UpdateAlias][3] on the new CMK (key policy).
|
5813
6359
|
#
|
5814
|
-
# For details, see [Controlling access to aliases][
|
6360
|
+
# For details, see [Controlling access to aliases][4] in the *AWS Key
|
5815
6361
|
# Management Service Developer Guide*.
|
5816
6362
|
#
|
5817
6363
|
# **Related operations:**
|
@@ -5824,9 +6370,10 @@ module Aws::KMS
|
|
5824
6370
|
#
|
5825
6371
|
#
|
5826
6372
|
#
|
5827
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5828
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5829
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-
|
6373
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
6374
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6375
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
6376
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access
|
5830
6377
|
#
|
5831
6378
|
# @option params [required, String] :alias_name
|
5832
6379
|
# Identifies the alias that is changing its CMK. This value must begin
|
@@ -5844,7 +6391,7 @@ module Aws::KMS
|
|
5844
6391
|
# (both symmetric or both asymmetric) and they must have the same key
|
5845
6392
|
# usage.
|
5846
6393
|
#
|
5847
|
-
# Specify the key ID or
|
6394
|
+
# Specify the key ID or key ARN of the CMK.
|
5848
6395
|
#
|
5849
6396
|
# For example:
|
5850
6397
|
#
|
@@ -6015,8 +6562,8 @@ module Aws::KMS
|
|
6015
6562
|
# description of a CMK, use DescribeKey.
|
6016
6563
|
#
|
6017
6564
|
# The CMK that you use for this operation must be in a compatible key
|
6018
|
-
# state. For details, see [
|
6019
|
-
#
|
6565
|
+
# state. For details, see [Key state: Effect on your CMK][1] in the *AWS
|
6566
|
+
# Key Management Service Developer Guide*.
|
6020
6567
|
#
|
6021
6568
|
# **Cross-account use**\: No. You cannot perform this operation on a CMK
|
6022
6569
|
# in a different AWS account.
|
@@ -6035,9 +6582,9 @@ module Aws::KMS
|
|
6035
6582
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
6036
6583
|
#
|
6037
6584
|
# @option params [required, String] :key_id
|
6038
|
-
#
|
6585
|
+
# Updates the description of the specified customer master key (CMK).
|
6039
6586
|
#
|
6040
|
-
# Specify the key ID or
|
6587
|
+
# Specify the key ID or key ARN of the CMK.
|
6041
6588
|
#
|
6042
6589
|
# For example:
|
6043
6590
|
#
|
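Review bot: The new `:key_id` text at line 6585, "Updates the description of the specified customer master key (CMK).", describes the operation rather than the parameter. Other parameter descriptions in this diff identify the key, for example "Identifies the CMK from which you are removing tags."; reword this one along the same lines, such as "Identifies the CMK whose description you are updating."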
@@ -6079,6 +6626,128 @@ module Aws::KMS
|
|
6079
6626
|
req.send_request(options)
|
6080
6627
|
end
|
6081
6628
|
|
6629
|
+
# Changes the primary key of a multi-Region key.
|
6630
|
+
#
|
6631
|
+
# This operation changes the replica key in the specified Region to a
|
6632
|
+
# primary key and changes the former primary key to a replica key. For
|
6633
|
+
# example, suppose you have a primary key in `us-east-1` and a replica
|
6634
|
+
# key in `eu-west-2`. If you run `UpdatePrimaryRegion` with a
|
6635
|
+
# `PrimaryRegion` value of `eu-west-2`, the primary key is now the key
|
6636
|
+
# in `eu-west-2`, and the key in `us-east-1` becomes a replica key. For
|
6637
|
+
# details, see
|
6638
|
+
#
|
6639
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
6640
|
+
# lets you create multiple interoperable CMKs in different AWS Regions.
|
6641
|
+
# Because these CMKs have the same key ID, key material, and other
|
6642
|
+
# metadata, you can use them to encrypt data in one AWS Region and
|
6643
|
+
# decrypt it in a different AWS Region without making a cross-Region
|
6644
|
+
# call or exposing the plaintext data. For more information about
|
6645
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *AWS Key
|
6646
|
+
# Management Service Developer Guide*.
|
6647
|
+
#
|
6648
|
+
# The *primary key* of a multi-Region key is the source for properties
|
6649
|
+
# that are always shared by primary and replica keys, including the key
|
6650
|
+
# material, [key ID][2], [key spec][3], [key usage][4], [key material
|
6651
|
+
# origin][5], and [automatic key rotation][6]. It's the only key that
|
6652
|
+
# can be replicated. You cannot [delete the primary key][7] until all
|
6653
|
+
# replicas are deleted.
|
6654
|
+
#
|
6655
|
+
# The key ID and primary Region that you specify uniquely identify the
|
6656
|
+
# replica key that will become the primary key. The primary Region must
|
6657
|
+
# already have a replica key. This operation does not create a CMK in
|
6658
|
+
# the specified Region. To find the replica keys, use the DescribeKey
|
6659
|
+
# operation on the primary key or any replica key. To create a replica
|
6660
|
+
# key, use the ReplicateKey operation.
|
6661
|
+
#
|
6662
|
+
# You can run this operation while using the affected multi-Region keys
|
6663
|
+
# in cryptographic operations. This operation should not delay,
|
6664
|
+
# interrupt, or cause failures in cryptographic operations.
|
6665
|
+
#
|
6666
|
+
# Even after this operation completes, the process of updating the
|
6667
|
+
# primary Region might still be in progress for a few more seconds.
|
6668
|
+
# Operations such as `DescribeKey` might display both the old and new
|
6669
|
+
# primary keys as replicas. The old and new primary keys have a
|
6670
|
+
# transient key state of `Updating`. The original key state is restored
|
6671
|
+
# when the update is complete. While the key state is `Updating`, you
|
6672
|
+
# can use the keys in cryptographic operations, but you cannot replicate
|
6673
|
+
# the new primary key or perform certain management operations, such as
|
6674
|
+
# enabling or disabling these keys. For details about the `Updating` key
|
6675
|
+
# state, see [Key state: Effect on your
|
6676
|
+
# CMK](kms/latest/developerguide/key-state.html) in the *AWS Key
|
6677
|
+
# Management Service Developer Guide*.
|
6678
|
+
#
|
6679
|
+
# This operation does not return any output. To verify that primary key
|
6680
|
+
# is changed, use the DescribeKey operation.
|
6681
|
+
#
|
6682
|
+
# **Cross-account use**\: No. You cannot use this operation in a
|
6683
|
+
# different AWS account.
|
6684
|
+
#
|
6685
|
+
# **Required permissions**\:
|
6686
|
+
#
|
6687
|
+
# * `kms:UpdatePrimaryRegion` on the current primary CMK (in the primary
|
6688
|
+
# CMK's Region). Include this permission primary CMK's key policy.
|
6689
|
+
#
|
6690
|
+
# * `kms:UpdatePrimaryRegion` on the current replica CMK (in the replica
|
6691
|
+
# CMK's Region). Include this permission in the replica CMK's key
|
6692
|
+
# policy.
|
6693
|
+
#
|
6694
|
+
# **Related operations**
|
6695
|
+
#
|
6696
|
+
# * CreateKey
|
6697
|
+
#
|
6698
|
+
# * ReplicateKey
|
6699
|
+
#
|
6700
|
+
#
|
6701
|
+
#
|
6702
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
6703
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id
|
6704
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec
|
6705
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage
|
6706
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin
|
6707
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
6708
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html
|
6709
|
+
#
|
6710
|
+
# @option params [required, String] :key_id
|
6711
|
+
# Identifies the current primary key. When the operation completes, this
|
6712
|
+
# CMK will be a replica key.
|
6713
|
+
#
|
6714
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
6715
|
+
#
|
6716
|
+
# For example:
|
6717
|
+
#
|
6718
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
6719
|
+
#
|
6720
|
+
# * Key ARN:
|
6721
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
6722
|
+
#
|
6723
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
6724
|
+
#
|
6725
|
+
# @option params [required, String] :primary_region
|
6726
|
+
# The AWS Region of the new primary key. Enter the Region ID, such as
|
6727
|
+
# `us-east-1` or `ap-southeast-2`. There must be an existing replica key
|
6728
|
+
# in this Region.
|
6729
|
+
#
|
6730
|
+
# When the operation completes, the multi-Region key in this Region will
|
6731
|
+
# be the primary key.
|
6732
|
+
#
|
6733
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
6734
|
+
#
|
6735
|
+
# @example Request syntax with placeholder values
|
6736
|
+
#
|
6737
|
+
# resp = client.update_primary_region({
|
6738
|
+
# key_id: "KeyIdType", # required
|
6739
|
+
# primary_region: "RegionType", # required
|
6740
|
+
# })
|
6741
|
+
#
|
6742
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion AWS API Documentation
|
6743
|
+
#
|
6744
|
+
# @overload update_primary_region(params = {})
|
6745
|
+
# @param [Hash] params ({})
|
6746
|
+
def update_primary_region(params = {}, options = {})
|
6747
|
+
req = build_request(:update_primary_region, params)
|
6748
|
+
req.send_request(options)
|
6749
|
+
end
|
6750
|
+
|
6082
6751
|
# Verifies a digital signature that was generated by the Sign operation.
|
6083
6752
|
#
|
6084
6753
|
#
|
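Review bot: The new `update_primary_region` documentation has several defects that should be fixed before release. Line 6637 ends with "For details, see" and no link target follows. Lines 6675-6676 use an inline relative link, `[Key state: Effect on your CMK](kms/latest/developerguide/key-state.html)`, instead of a numbered reference to the full docs.aws.amazon.com URL like the seven references below it, so it will not resolve. Line 6688 is missing words ("Include this permission primary CMK's key policy" should read "Include this permission in the primary CMK's key policy"), and line 6679 should read "To verify that the primary key is changed".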
@@ -6111,8 +6780,8 @@ module Aws::KMS
|
|
6111
6780
|
# signatures.
|
6112
6781
|
#
|
6113
6782
|
# The CMK that you use for this operation must be in a compatible key
|
6114
|
-
# state. For details, see [
|
6115
|
-
#
|
6783
|
+
# state. For details, see [Key state: Effect on your CMK][2] in the *AWS
|
6784
|
+
# Key Management Service Developer Guide*.
|
6116
6785
|
#
|
6117
6786
|
# **Cross-account use**\: Yes. To perform this operation with a CMK in a
|
6118
6787
|
# different AWS account, specify the key ARN or alias ARN in the value
|
@@ -6134,10 +6803,9 @@ module Aws::KMS
|
|
6134
6803
|
# signature. If you specify a different CMK, the signature verification
|
6135
6804
|
# fails.
|
6136
6805
|
#
|
6137
|
-
# To specify a CMK, use its key ID,
|
6138
|
-
#
|
6139
|
-
#
|
6140
|
-
# the key ARN or alias ARN.
|
6806
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
6807
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a CMK
|
6808
|
+
# in a different AWS account, you must use the key ARN or alias ARN.
|
6141
6809
|
#
|
6142
6810
|
# For example:
|
6143
6811
|
#
|
@@ -6181,7 +6849,9 @@ module Aws::KMS
|
|
6181
6849
|
# @option params [Array<String>] :grant_tokens
|
6182
6850
|
# A list of grant tokens.
|
6183
6851
|
#
|
6184
|
-
#
|
6852
|
+
# Use a grant token when your permission to call this operation comes
|
6853
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
6854
|
+
# more information, see [Grant token][1] in the *AWS Key Management
|
6185
6855
|
# Service Developer Guide*.
|
6186
6856
|
#
|
6187
6857
|
#
|
@@ -6233,7 +6903,7 @@ module Aws::KMS
|
|
6233
6903
|
params: params,
|
6234
6904
|
config: config)
|
6235
6905
|
context[:gem_name] = 'aws-sdk-kms'
|
6236
|
-
context[:gem_version] = '1.
|
6906
|
+
context[:gem_version] = '1.44.0'
|
6237
6907
|
Seahorse::Client::Request.new(handlers, context)
|
6238
6908
|
end
|
6239
6909
|
|