aws-sdk-kms 1.43.0 → 1.44.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +1055 -385
- data/lib/aws-sdk-kms/client_api.rb +76 -0
- data/lib/aws-sdk-kms/customizations.rb +1 -1
- data/lib/aws-sdk-kms/types.rb +686 -157
- metadata +5 -6
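--- a/data/lib/aws-sdk-kms/client_api.rb
+++ b/data/lib/aws-sdk-kms/client_api.rb
@@ -150,7 +150,12 @@ module Aws::KMS
 MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
 MarkerType = Shapes::StringShape.new(name: 'MarkerType')
 MessageType = Shapes::StringShape.new(name: 'MessageType')
+MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
+MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
+MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
+MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
 NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
+NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
 NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
 OriginType = Shapes::StringShape.new(name: 'OriginType')
 PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
@@ -163,6 +168,9 @@ module Aws::KMS
 PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
 ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
 ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
+RegionType = Shapes::StringShape.new(name: 'RegionType')
+ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
+ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
 RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
 RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
 ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
@@ -185,6 +193,7 @@ module Aws::KMS
 UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
 UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
 UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
+UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
 VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
 VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
 WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
@@ -261,6 +270,7 @@ module Aws::KMS
 CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
 CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
 CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
 CreateKeyRequest.struct_class = Types::CreateKeyRequest
 
 CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
@@ -560,6 +570,9 @@ module Aws::KMS
 KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
 KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
 KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
+KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
+KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
+KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
 KeyMetadata.struct_class = Types::KeyMetadata
 
 KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
@@ -627,6 +640,17 @@ module Aws::KMS
 MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
 MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
 
+MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
+MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
+MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
+MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
+
+MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
+MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
+MultiRegionKey.struct_class = Types::MultiRegionKey
+
+MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
+
 NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
 NotFoundException.struct_class = Types::NotFoundException
 
@@ -655,6 +679,19 @@ module Aws::KMS
 ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
 ReEncryptResponse.struct_class = Types::ReEncryptResponse
 
+ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
+ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
+ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
+ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
+ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
+ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
+
+ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
+ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
+ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
+ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
+
 RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
 RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
 RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
@@ -670,6 +707,8 @@ module Aws::KMS
 
 ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
 ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
+ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
+ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
 ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
 
 SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
@@ -724,6 +763,10 @@ module Aws::KMS
 UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
 UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
 
+UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
+UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
+UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
+
 VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
 VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
 VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
@@ -909,6 +952,7 @@ module Aws::KMS
 o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
 o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
 o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
 o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
 end)
 
@@ -1302,6 +1346,24 @@ module Aws::KMS
 o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
 end)
 
+api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
+o.name = "ReplicateKey"
+o.http_method = "POST"
+o.http_request_uri = "/"
+o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
+o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
+o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
+o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
+o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+o.errors << Shapes::ShapeRef.new(shape: TagException)
+o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+end)
+
 api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
 o.name = "RetireGrant"
 o.http_method = "POST"
@@ -1429,6 +1491,20 @@ module Aws::KMS
 o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
 end)
 
+api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
+o.name = "UpdatePrimaryRegion"
+o.http_method = "POST"
+o.http_request_uri = "/"
+o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
+o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
+o.errors << Shapes::ShapeRef.new(shape: DisabledException)
+o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
+o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
+o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
+o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
+o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+end)
+
 api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
 o.name = "Verify"
 o.http_method = "POST"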
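Review bot: `ReplicateKeyRequest` (new lines 682-688) takes `bypass_policy_lockout_safety_check` and leaves `policy` optional, so nothing at the SDK level stops a caller from creating a replica key whose key policy was never reviewed. Callers of the new `replicate_key` operation should pass `policy:` explicitly and keep `bypass_policy_lockout_safety_check: false` rather than forwarding it from parameters or configuration they do not control. Which policy the service applies when `policy` is omitted is not shown in this section and should be checked against the ReplicateKey documentation. The same upgrade adds `update_primary_region` (new lines 1494-1506), so before application code uses either call it is worth confirming that IAM statements and audit-log alerting cover `ReplicateKey` and `UpdatePrimaryRegion`, presumably as `kms:ReplicateKey` and `kms:UpdatePrimaryRegion`.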
@@ -2,7 +2,7 @@
|
|
2
2
|
# WARNING ABOUT GENERATED CODE
|
3
3
|
#
|
4
4
|
# This file is generated. See the contributing for info on making contributions:
|
5
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
5
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
6
6
|
#
|
7
7
|
# WARNING ABOUT GENERATED CODE
|
8
8
|
|
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -21,13 +21,18 @@ module Aws::KMS
|
|
21
21
|
# @return [String]
|
22
22
|
#
|
23
23
|
# @!attribute [rw] target_key_id
|
24
|
-
# String that contains the key identifier
|
24
|
+
# String that contains the key identifier of the CMK associated with
|
25
|
+
# the alias.
|
25
26
|
# @return [String]
|
26
27
|
#
|
27
28
|
# @!attribute [rw] creation_date
|
29
|
+
# Date and time that the alias was most recently created in the
|
30
|
+
# account and Region. Formatted as Unix time.
|
28
31
|
# @return [Time]
|
29
32
|
#
|
30
33
|
# @!attribute [rw] last_updated_date
|
34
|
+
# Date and time that the alias was most recently associated with a CMK
|
35
|
+
# in the account and Region. Formatted as Unix time.
|
31
36
|
# @return [Time]
|
32
37
|
#
|
33
38
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
|
@@ -64,10 +69,10 @@ module Aws::KMS
|
|
64
69
|
# }
|
65
70
|
#
|
66
71
|
# @!attribute [rw] key_id
|
67
|
-
#
|
68
|
-
#
|
72
|
+
# Identifies the customer master key (CMK) whose deletion is being
|
73
|
+
# canceled.
|
69
74
|
#
|
70
|
-
# Specify the key ID or
|
75
|
+
# Specify the key ID or key ARN of the CMK.
|
71
76
|
#
|
72
77
|
# For example:
|
73
78
|
#
|
@@ -305,7 +310,7 @@ module Aws::KMS
|
|
305
310
|
# For help finding the key ID and ARN, see [Finding the Key ID and
|
306
311
|
# ARN][2] in the *AWS Key Management Service Developer Guide*.
|
307
312
|
#
|
308
|
-
# Specify the key ID or
|
313
|
+
# Specify the key ID or key ARN of the CMK.
|
309
314
|
#
|
310
315
|
# For example:
|
311
316
|
#
|
@@ -428,11 +433,11 @@ module Aws::KMS
|
|
428
433
|
# }
|
429
434
|
#
|
430
435
|
# @!attribute [rw] key_id
|
431
|
-
#
|
432
|
-
#
|
436
|
+
# Identifies the customer master key (CMK) for the grant. The grant
|
437
|
+
# gives principals permission to use this CMK.
|
433
438
|
#
|
434
|
-
# Specify the key ID or
|
435
|
-
#
|
439
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
440
|
+
# different AWS account, you must use the key ARN.
|
436
441
|
#
|
437
442
|
# For example:
|
438
443
|
#
|
@@ -446,8 +451,7 @@ module Aws::KMS
|
|
446
451
|
# @return [String]
|
447
452
|
#
|
448
453
|
# @!attribute [rw] grantee_principal
|
449
|
-
# The
|
450
|
-
# that the grant permits.
|
454
|
+
# The identity that gets the permissions specified in the grant.
|
451
455
|
#
|
452
456
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
453
457
|
# an AWS principal. Valid AWS principals include AWS accounts (root),
|
@@ -481,30 +485,55 @@ module Aws::KMS
|
|
481
485
|
#
|
482
486
|
# @!attribute [rw] operations
|
483
487
|
# A list of operations that the grant permits.
|
488
|
+
#
|
489
|
+
# The operation must be supported on the CMK. For example, you cannot
|
490
|
+
# create a grant for a symmetric CMK that allows the Sign operation,
|
491
|
+
# or a grant for an asymmetric CMK that allows the GenerateDataKey
|
492
|
+
# operation. If you try, AWS KMS returns a `ValidationError`
|
493
|
+
# exception. For details, see [Grant operations][1] in the *AWS Key
|
494
|
+
# Management Service Developer Guide*.
|
495
|
+
#
|
496
|
+
#
|
497
|
+
#
|
498
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
484
499
|
# @return [Array<String>]
|
485
500
|
#
|
486
501
|
# @!attribute [rw] constraints
|
487
|
-
#
|
488
|
-
#
|
489
|
-
#
|
490
|
-
#
|
491
|
-
#
|
502
|
+
# Specifies a grant constraint.
|
503
|
+
#
|
504
|
+
# AWS KMS supports the `EncryptionContextEquals` and
|
505
|
+
# `EncryptionContextSubset` grant constraints. Each constraint value
|
506
|
+
# can include up to 8 encryption context pairs. The encryption context
|
507
|
+
# value in each constraint cannot exceed 384 characters.
|
492
508
|
#
|
493
|
-
#
|
494
|
-
#
|
495
|
-
#
|
496
|
-
#
|
509
|
+
# These grant constraints allow a [cryptographic operation][1] only
|
510
|
+
# when the encryption context in the request matches
|
511
|
+
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
512
|
+
# the encryption context specified in this structure. For more
|
513
|
+
# information about encryption context, see [Encryption Context][2] in
|
514
|
+
# the <i> <i>AWS Key Management Service Developer Guide</i> </i>. For
|
515
|
+
# information about grant constraints, see [Using grant
|
516
|
+
# constraints][3] in the *AWS Key Management Service Developer Guide*.
|
517
|
+
#
|
518
|
+
# The encryption context grant constraints are supported only on
|
519
|
+
# operations that include an encryption context. You cannot use an
|
520
|
+
# encryption context grant constraint for cryptographic operations
|
521
|
+
# with asymmetric CMKs or for management operations, such as
|
522
|
+
# DescribeKey or RetireGrant.
|
497
523
|
#
|
498
524
|
#
|
499
525
|
#
|
500
526
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
501
527
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
528
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
502
529
|
# @return [Types::GrantConstraints]
|
503
530
|
#
|
504
531
|
# @!attribute [rw] grant_tokens
|
505
532
|
# A list of grant tokens.
|
506
533
|
#
|
507
|
-
#
|
534
|
+
# Use a grant token when your permission to call this operation comes
|
535
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
536
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
508
537
|
# Management Service Developer Guide*.
|
509
538
|
#
|
510
539
|
#
|
@@ -546,7 +575,9 @@ module Aws::KMS
|
|
546
575
|
# @!attribute [rw] grant_token
|
547
576
|
# The grant token.
|
548
577
|
#
|
549
|
-
#
|
578
|
+
# Use a grant token when your permission to call this operation comes
|
579
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
580
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
550
581
|
# Management Service Developer Guide*.
|
551
582
|
#
|
552
583
|
#
|
@@ -587,6 +618,7 @@ module Aws::KMS
|
|
587
618
|
# tag_value: "TagValueType", # required
|
588
619
|
# },
|
589
620
|
# ],
|
621
|
+
# multi_region: false,
|
590
622
|
# }
|
591
623
|
#
|
592
624
|
# @!attribute [rw] policy
|
@@ -633,7 +665,8 @@ module Aws::KMS
|
|
633
665
|
# A description of the CMK.
|
634
666
|
#
|
635
667
|
# Use a description that helps you decide whether the CMK is
|
636
|
-
# appropriate for a task.
|
668
|
+
# appropriate for a task. The default value is an empty string (no
|
669
|
+
# description).
|
637
670
|
# @return [String]
|
638
671
|
#
|
639
672
|
# @!attribute [rw] key_usage
|
@@ -722,20 +755,19 @@ module Aws::KMS
|
|
722
755
|
# @!attribute [rw] origin
|
723
756
|
# The source of the key material for the CMK. You cannot change the
|
724
757
|
# origin after you create the CMK. The default is `AWS_KMS`, which
|
725
|
-
# means AWS KMS creates the key material.
|
758
|
+
# means that AWS KMS creates the key material.
|
726
759
|
#
|
727
|
-
#
|
728
|
-
#
|
729
|
-
#
|
730
|
-
#
|
731
|
-
#
|
732
|
-
# valid only for symmetric CMKs.
|
760
|
+
# To create a CMK with no key material (for imported key material),
|
761
|
+
# set the value to `EXTERNAL`. For more information about importing
|
762
|
+
# key material into AWS KMS, see [Importing Key Material][1] in the
|
763
|
+
# *AWS Key Management Service Developer Guide*. This value is valid
|
764
|
+
# only for symmetric CMKs.
|
733
765
|
#
|
734
|
-
#
|
735
|
-
#
|
736
|
-
#
|
737
|
-
#
|
738
|
-
#
|
766
|
+
# To create a CMK in an AWS KMS [custom key store][2] and create its
|
767
|
+
# key material in the associated AWS CloudHSM cluster, set this value
|
768
|
+
# to `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId`
|
769
|
+
# parameter to identify the custom key store. This value is valid only
|
770
|
+
# for symmetric CMKs.
|
739
771
|
#
|
740
772
|
#
|
741
773
|
#
|
@@ -751,8 +783,9 @@ module Aws::KMS
|
|
751
783
|
# associated with the custom key store must have at least two active
|
752
784
|
# HSMs, each in a different Availability Zone in the Region.
|
753
785
|
#
|
754
|
-
# This parameter is valid only for symmetric CMKs
|
755
|
-
# an asymmetric CMK
|
786
|
+
# This parameter is valid only for symmetric CMKs and regional CMKs.
|
787
|
+
# You cannot create an asymmetric CMK or a multi-Region CMK in a
|
788
|
+
# custom key store.
|
756
789
|
#
|
757
790
|
# To find the ID of a custom key store, use the
|
758
791
|
# DescribeCustomKeyStores operation.
|
@@ -793,27 +826,66 @@ module Aws::KMS
|
|
793
826
|
# @return [Boolean]
|
794
827
|
#
|
795
828
|
# @!attribute [rw] tags
|
796
|
-
#
|
797
|
-
#
|
798
|
-
#
|
829
|
+
# Assigns one or more tags to the CMK. Use this parameter to tag the
|
830
|
+
# CMK when it is created. To tag an existing CMK, use the TagResource
|
831
|
+
# operation.
|
799
832
|
#
|
800
|
-
#
|
801
|
-
#
|
802
|
-
#
|
803
|
-
# CMKs, see [Tagging Keys][1].
|
833
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
834
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
835
|
+
# Management Service Developer Guide*.
|
804
836
|
#
|
805
|
-
#
|
806
|
-
# an existing CMK, use the TagResource operation.
|
837
|
+
# </note>
|
807
838
|
#
|
808
839
|
# To use this parameter, you must have [kms:TagResource][2] permission
|
809
840
|
# in an IAM policy.
|
810
841
|
#
|
842
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
843
|
+
# the tag value are required, but the tag value can be an empty (null)
|
844
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
845
|
+
# key. If you specify an existing tag key with a different tag value,
|
846
|
+
# AWS KMS replaces the current tag value with the specified one.
|
847
|
+
#
|
848
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
849
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
850
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
851
|
+
# Keys][3].
|
811
852
|
#
|
812
853
|
#
|
813
|
-
#
|
854
|
+
#
|
855
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
814
856
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
857
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
815
858
|
# @return [Array<Types::Tag>]
|
816
859
|
#
|
860
|
+
# @!attribute [rw] multi_region
|
861
|
+
# Creates a multi-Region primary key that you can replicate into other
|
862
|
+
# AWS Regions. You cannot change this value after you create the CMK.
|
863
|
+
#
|
864
|
+
# For a multi-Region key, set this parameter to `True`. For a
|
865
|
+
# single-Region CMK, omit this parameter or set it to `False`. The
|
866
|
+
# default value is `False`.
|
867
|
+
#
|
868
|
+
# This operation supports *multi-Region keys*, an AWS KMS feature that
|
869
|
+
# lets you create multiple interoperable CMKs in different AWS
|
870
|
+
# Regions. Because these CMKs have the same key ID, key material, and
|
871
|
+
# other metadata, you can use them to encrypt data in one AWS Region
|
872
|
+
# and decrypt it in a different AWS Region without making a
|
873
|
+
# cross-Region call or exposing the plaintext data. For more
|
874
|
+
# information about multi-Region keys, see [Using multi-Region
|
875
|
+
# keys][1] in the *AWS Key Management Service Developer Guide*.
|
876
|
+
#
|
877
|
+
# This value creates a *primary key*, not a replica. To create a
|
878
|
+
# *replica key*, use the ReplicateKey operation.
|
879
|
+
#
|
880
|
+
# You can create a symmetric or asymmetric multi-Region CMK, and you
|
881
|
+
# can create a multi-Region CMK with imported key material. However,
|
882
|
+
# you cannot create a multi-Region CMK in a custom key store.
|
883
|
+
#
|
884
|
+
#
|
885
|
+
#
|
886
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
887
|
+
# @return [Boolean]
|
888
|
+
#
|
817
889
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
818
890
|
#
|
819
891
|
class CreateKeyRequest < Struct.new(
|
@@ -824,7 +896,8 @@ module Aws::KMS
|
|
824
896
|
:origin,
|
825
897
|
:custom_key_store_id,
|
826
898
|
:bypass_policy_lockout_safety_check,
|
827
|
-
:tags
|
899
|
+
:tags,
|
900
|
+
:multi_region)
|
828
901
|
SENSITIVE = []
|
829
902
|
include Aws::Structure
|
830
903
|
end
|
@@ -1094,8 +1167,12 @@ module Aws::KMS
|
|
1094
1167
|
# @!attribute [rw] grant_tokens
|
1095
1168
|
# A list of grant tokens.
|
1096
1169
|
#
|
1097
|
-
#
|
1098
|
-
#
|
1170
|
+
# Use a grant token when your permission to call this operation comes
|
1171
|
+
# from a newly created grant that has not yet achieved eventual
|
1172
|
+
# consistency. Use a grant token when your permission to call this
|
1173
|
+
# operation comes from a new grant that has not yet achieved *eventual
|
1174
|
+
# consistency*. For more information, see [Grant token][1] in the *AWS
|
1175
|
+
# Key Management Service Developer Guide*.
|
1099
1176
|
#
|
1100
1177
|
#
|
1101
1178
|
#
|
@@ -1113,10 +1190,10 @@ module Aws::KMS
|
|
1113
1190
|
# blob. However, it is always recommended as a best practice. This
|
1114
1191
|
# practice ensures that you use the CMK that you intend.
|
1115
1192
|
#
|
1116
|
-
# To specify a CMK, use its key ID,
|
1117
|
-
#
|
1118
|
-
#
|
1119
|
-
#
|
1193
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1194
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
1195
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
1196
|
+
# ARN.
|
1120
1197
|
#
|
1121
1198
|
# For example:
|
1122
1199
|
#
|
@@ -1240,7 +1317,7 @@ module Aws::KMS
|
|
1240
1317
|
# Identifies the CMK from which you are deleting imported key
|
1241
1318
|
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
1242
1319
|
#
|
1243
|
-
# Specify the key ID or
|
1320
|
+
# Specify the key ID or key ARN of the CMK.
|
1244
1321
|
#
|
1245
1322
|
# For example:
|
1246
1323
|
#
|
@@ -1290,7 +1367,7 @@ module Aws::KMS
|
|
1290
1367
|
# the key store ID.
|
1291
1368
|
#
|
1292
1369
|
# By default, this operation gets information about all custom key
|
1293
|
-
# stores in the account and
|
1370
|
+
# stores in the account and Region. To limit the output to a
|
1294
1371
|
# particular custom key store, you can use either the
|
1295
1372
|
# `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
|
1296
1373
|
# @return [String]
|
@@ -1300,7 +1377,7 @@ module Aws::KMS
|
|
1300
1377
|
# the friendly name of the custom key store.
|
1301
1378
|
#
|
1302
1379
|
# By default, this operation gets information about all custom key
|
1303
|
-
# stores in the account and
|
1380
|
+
# stores in the account and Region. To limit the output to a
|
1304
1381
|
# particular custom key store, you can use either the
|
1305
1382
|
# `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
|
1306
1383
|
# @return [String]
|
@@ -1369,10 +1446,10 @@ module Aws::KMS
|
|
1369
1446
|
# KMS associates the alias with an [AWS managed CMK][1] and returns
|
1370
1447
|
# its `KeyId` and `Arn` in the response.
|
1371
1448
|
#
|
1372
|
-
# To specify a CMK, use its key ID,
|
1373
|
-
#
|
1374
|
-
#
|
1375
|
-
#
|
1449
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1450
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
1451
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
1452
|
+
# ARN.
|
1376
1453
|
#
|
1377
1454
|
# For example:
|
1378
1455
|
#
|
@@ -1396,7 +1473,9 @@ module Aws::KMS
|
|
1396
1473
|
# @!attribute [rw] grant_tokens
|
1397
1474
|
# A list of grant tokens.
|
1398
1475
|
#
|
1399
|
-
#
|
1476
|
+
# Use a grant token when your permission to call this operation comes
|
1477
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1478
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
1400
1479
|
# Management Service Developer Guide*.
|
1401
1480
|
#
|
1402
1481
|
#
|
@@ -1433,9 +1512,9 @@ module Aws::KMS
|
|
1433
1512
|
# }
|
1434
1513
|
#
|
1435
1514
|
# @!attribute [rw] key_id
|
1436
|
-
#
|
1515
|
+
# Identifies the customer master key (CMK) to disable.
|
1437
1516
|
#
|
1438
|
-
# Specify the key ID or
|
1517
|
+
# Specify the key ID or key ARN of the CMK.
|
1439
1518
|
#
|
1440
1519
|
# For example:
|
1441
1520
|
#
|
@@ -1468,7 +1547,7 @@ module Aws::KMS
|
|
1468
1547
|
# or disable automatic rotation of [asymmetric CMKs][1], CMKs with
|
1469
1548
|
# [imported key material][2], or CMKs in a [custom key store][3].
|
1470
1549
|
#
|
1471
|
-
# Specify the key ID or
|
1550
|
+
# Specify the key ID or key ARN of the CMK.
|
1472
1551
|
#
|
1473
1552
|
# For example:
|
1474
1553
|
#
|
@@ -1541,9 +1620,9 @@ module Aws::KMS
|
|
1541
1620
|
# }
|
1542
1621
|
#
|
1543
1622
|
# @!attribute [rw] key_id
|
1544
|
-
#
|
1623
|
+
# Identifies the customer master key (CMK) to enable.
|
1545
1624
|
#
|
1546
|
-
# Specify the key ID or
|
1625
|
+
# Specify the key ID or key ARN of the CMK.
|
1547
1626
|
#
|
1548
1627
|
# For example:
|
1549
1628
|
#
|
@@ -1573,10 +1652,12 @@ module Aws::KMS
|
|
1573
1652
|
#
|
1574
1653
|
# @!attribute [rw] key_id
|
1575
1654
|
# Identifies a symmetric customer master key (CMK). You cannot enable
|
1576
|
-
# automatic rotation of asymmetric CMKs, CMKs with imported key
|
1577
|
-
# material, or CMKs in a [custom key store][
|
1655
|
+
# automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
|
1656
|
+
# material][2], or CMKs in a [custom key store][3]. To enable or
|
1657
|
+
# disable automatic rotation of a set of related [multi-Region
|
1658
|
+
# keys][4], set the property on the primary key.
|
1578
1659
|
#
|
1579
|
-
# Specify the key ID or
|
1660
|
+
# Specify the key ID or key ARN of the CMK.
|
1580
1661
|
#
|
1581
1662
|
# For example:
|
1582
1663
|
#
|
@@ -1590,7 +1671,10 @@ module Aws::KMS
|
|
1590
1671
|
#
|
1591
1672
|
#
|
1592
1673
|
#
|
1593
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1674
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
1675
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1676
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1677
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
1594
1678
|
# @return [String]
|
1595
1679
|
#
|
1596
1680
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
@@ -1615,12 +1699,13 @@ module Aws::KMS
|
|
1615
1699
|
# }
|
1616
1700
|
#
|
1617
1701
|
# @!attribute [rw] key_id
|
1618
|
-
#
|
1702
|
+
# Identifies the customer master key (CMK) to use in the encryption
|
1703
|
+
# operation.
|
1619
1704
|
#
|
1620
|
-
# To specify a CMK, use its key ID,
|
1621
|
-
#
|
1622
|
-
#
|
1623
|
-
#
|
1705
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1706
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
1707
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
1708
|
+
# ARN.
|
1624
1709
|
#
|
1625
1710
|
# For example:
|
1626
1711
|
#
|
@@ -1667,7 +1752,9 @@ module Aws::KMS
|
|
1667
1752
|
# @!attribute [rw] grant_tokens
|
1668
1753
|
# A list of grant tokens.
|
1669
1754
|
#
|
1670
|
-
#
|
1755
|
+
# Use a grant token when your permission to call this operation comes
|
1756
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1757
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
1671
1758
|
# Management Service Developer Guide*.
|
1672
1759
|
#
|
1673
1760
|
#
|
@@ -1779,10 +1866,10 @@ module Aws::KMS
|
|
1779
1866
|
# custom key store. To get the type and origin of your CMK, use the
|
1780
1867
|
# DescribeKey operation.
|
1781
1868
|
#
|
1782
|
-
# To specify a CMK, use its key ID,
|
1783
|
-
#
|
1784
|
-
#
|
1785
|
-
#
|
1869
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
1870
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
1871
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
1872
|
+
# ARN.
|
1786
1873
|
#
|
1787
1874
|
# For example:
|
1788
1875
|
#
|
@@ -1811,7 +1898,9 @@ module Aws::KMS
|
|
1811
1898
|
# @!attribute [rw] grant_tokens
|
1812
1899
|
# A list of grant tokens.
|
1813
1900
|
#
|
1814
|
-
#
|
1901
|
+
# Use a grant token when your permission to call this operation comes
|
1902
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1903
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
1815
1904
|
# Management Service Developer Guide*.
|
1816
1905
|
#
|
1817
1906
|
#
|
@@ -1908,10 +1997,10 @@ module Aws::KMS
|
|
1908
1997
|
# CMK or a CMK in a custom key store. To get the type and origin of
|
1909
1998
|
# your CMK, use the DescribeKey operation.
|
1910
1999
|
#
|
1911
|
-
# To specify a CMK, use its key ID,
|
1912
|
-
#
|
1913
|
-
#
|
1914
|
-
#
|
2000
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2001
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
2002
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
2003
|
+
# ARN.
|
1915
2004
|
#
|
1916
2005
|
# For example:
|
1917
2006
|
#
|
@@ -1940,7 +2029,9 @@ module Aws::KMS
|
|
1940
2029
|
# @!attribute [rw] grant_tokens
|
1941
2030
|
# A list of grant tokens.
|
1942
2031
|
#
|
1943
|
-
#
|
2032
|
+
# Use a grant token when your permission to call this operation comes
|
2033
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2034
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
1944
2035
|
# Management Service Developer Guide*.
|
1945
2036
|
#
|
1946
2037
|
#
|
@@ -2009,10 +2100,10 @@ module Aws::KMS
|
|
2009
2100
|
# @!attribute [rw] key_id
|
2010
2101
|
# Identifies the symmetric CMK that encrypts the data key.
|
2011
2102
|
#
|
2012
|
-
# To specify a CMK, use its key ID,
|
2013
|
-
#
|
2014
|
-
#
|
2015
|
-
#
|
2103
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2104
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
2105
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
2106
|
+
# ARN.
|
2016
2107
|
#
|
2017
2108
|
# For example:
|
2018
2109
|
#
|
@@ -2070,7 +2161,9 @@ module Aws::KMS
|
|
2070
2161
|
# @!attribute [rw] grant_tokens
|
2071
2162
|
# A list of grant tokens.
|
2072
2163
|
#
|
2073
|
-
#
|
2164
|
+
# Use a grant token when your permission to call this operation comes
|
2165
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2166
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
2074
2167
|
# Management Service Developer Guide*.
|
2075
2168
|
#
|
2076
2169
|
#
|
@@ -2139,10 +2232,10 @@ module Aws::KMS
|
|
2139
2232
|
# The identifier of the symmetric customer master key (CMK) that
|
2140
2233
|
# encrypts the data key.
|
2141
2234
|
#
|
2142
|
-
# To specify a CMK, use its key ID,
|
2143
|
-
#
|
2144
|
-
#
|
2145
|
-
#
|
2235
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2236
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
2237
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
2238
|
+
# ARN.
|
2146
2239
|
#
|
2147
2240
|
# For example:
|
2148
2241
|
#
|
@@ -2193,7 +2286,9 @@ module Aws::KMS
|
|
2193
2286
|
# @!attribute [rw] grant_tokens
|
2194
2287
|
# A list of grant tokens.
|
2195
2288
|
#
|
2196
|
-
#
|
2289
|
+
# Use a grant token when your permission to call this operation comes
|
2290
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2291
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
2197
2292
|
# Management Service Developer Guide*.
|
2198
2293
|
#
|
2199
2294
|
#
|
@@ -2289,9 +2384,9 @@ module Aws::KMS
|
|
2289
2384
|
# }
|
2290
2385
|
#
|
2291
2386
|
# @!attribute [rw] key_id
|
2292
|
-
#
|
2387
|
+
# Gets the key policy for the specified customer master key (CMK).
|
2293
2388
|
#
|
2294
|
-
# Specify the key ID or
|
2389
|
+
# Specify the key ID or key ARN of the CMK.
|
2295
2390
|
#
|
2296
2391
|
# For example:
|
2297
2392
|
#
|
@@ -2338,10 +2433,11 @@ module Aws::KMS
|
|
2338
2433
|
# }
|
2339
2434
|
#
|
2340
2435
|
# @!attribute [rw] key_id
|
2341
|
-
#
|
2436
|
+
# Gets the rotation status for the specified customer master key
|
2437
|
+
# (CMK).
|
2342
2438
|
#
|
2343
|
-
# Specify the key ID or
|
2344
|
-
#
|
2439
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
2440
|
+
# different AWS account, you must use the key ARN.
|
2345
2441
|
#
|
2346
2442
|
# For example:
|
2347
2443
|
#
|
@@ -2387,7 +2483,7 @@ module Aws::KMS
|
|
2387
2483
|
# The identifier of the symmetric CMK into which you will import key
|
2388
2484
|
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
2389
2485
|
#
|
2390
|
-
# Specify the key ID or
|
2486
|
+
# Specify the key ID or key ARN of the CMK.
|
2391
2487
|
#
|
2392
2488
|
# For example:
|
2393
2489
|
#
|
@@ -2474,10 +2570,10 @@ module Aws::KMS
|
|
2474
2570
|
# @!attribute [rw] key_id
|
2475
2571
|
# Identifies the asymmetric CMK that includes the public key.
|
2476
2572
|
#
|
2477
|
-
# To specify a CMK, use its key ID,
|
2478
|
-
#
|
2479
|
-
#
|
2480
|
-
#
|
2573
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
2574
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
2575
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
2576
|
+
# ARN.
|
2481
2577
|
#
|
2482
2578
|
# For example:
|
2483
2579
|
#
|
@@ -2497,7 +2593,9 @@ module Aws::KMS
|
|
2497
2593
|
# @!attribute [rw] grant_tokens
|
2498
2594
|
# A list of grant tokens.
|
2499
2595
|
#
|
2500
|
-
#
|
2596
|
+
# Use a grant token when your permission to call this operation comes
|
2597
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2598
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
2501
2599
|
# Management Service Developer Guide*.
|
2502
2600
|
#
|
2503
2601
|
#
|
@@ -2745,7 +2843,7 @@ module Aws::KMS
|
|
2745
2843
|
# same CMK specified in the `KeyID` parameter of the corresponding
|
2746
2844
|
# GetParametersForImport request.
|
2747
2845
|
#
|
2748
|
-
# Specify the key ID or
|
2846
|
+
# Specify the key ID or key ARN of the CMK.
|
2749
2847
|
#
|
2750
2848
|
# For example:
|
2751
2849
|
#
|
@@ -3115,8 +3213,14 @@ module Aws::KMS
|
|
3115
3213
|
# @return [String]
|
3116
3214
|
#
|
3117
3215
|
# @!attribute [rw] deletion_date
|
3118
|
-
# The date and time after which AWS KMS deletes
|
3119
|
-
# present only when
|
3216
|
+
# The date and time after which AWS KMS deletes this CMK. This value
|
3217
|
+
# is present only when the CMK is scheduled for deletion, that is,
|
3218
|
+
# when its `KeyState` is `PendingDeletion`.
|
3219
|
+
#
|
3220
|
+
# When the primary key in a multi-Region key is scheduled for deletion
|
3221
|
+
# but still has replica keys, its key state is
|
3222
|
+
# `PendingReplicaDeletion` and the length of its waiting period is
|
3223
|
+
# displayed in the `PendingDeletionWindowInDays` field.
|
3120
3224
|
# @return [Time]
|
3121
3225
|
#
|
3122
3226
|
# @!attribute [rw] valid_to
|
@@ -3183,7 +3287,7 @@ module Aws::KMS
|
|
3183
3287
|
# The encryption algorithms that the CMK supports. You cannot use the
|
3184
3288
|
# CMK with other encryption algorithms within AWS KMS.
|
3185
3289
|
#
|
3186
|
-
# This
|
3290
|
+
# This value is present only when the `KeyUsage` of the CMK is
|
3187
3291
|
# `ENCRYPT_DECRYPT`.
|
3188
3292
|
# @return [Array<String>]
|
3189
3293
|
#
|
@@ -3195,6 +3299,57 @@ module Aws::KMS
|
|
3195
3299
|
# `SIGN_VERIFY`.
|
3196
3300
|
# @return [Array<String>]
|
3197
3301
|
#
|
3302
|
+
# @!attribute [rw] multi_region
|
3303
|
+
# Indicates whether the CMK is a multi-Region (`True`) or regional
|
3304
|
+
# (`False`) key. This value is `True` for multi-Region primary and
|
3305
|
+
# replica CMKs and `False` for regional CMKs.
|
3306
|
+
#
|
3307
|
+
# For more information about multi-Region keys, see [Using
|
3308
|
+
# multi-Region keys][1] in the *AWS Key Management Service Developer
|
3309
|
+
# Guide*.
|
3310
|
+
#
|
3311
|
+
#
|
3312
|
+
#
|
3313
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
3314
|
+
# @return [Boolean]
|
3315
|
+
#
|
3316
|
+
# @!attribute [rw] multi_region_configuration
|
3317
|
+
# Lists the primary and replica CMKs in same multi-Region CMK. This
|
3318
|
+
# field is present only when the value of the `MultiRegion` field is
|
3319
|
+
# `True`.
|
3320
|
+
#
|
3321
|
+
# For more information about any listed CMK, use the DescribeKey
|
3322
|
+
# operation.
|
3323
|
+
#
|
3324
|
+
# * `MultiRegionKeyType` indicates whether the CMK is a `PRIMARY` or
|
3325
|
+
# `REPLICA` key.
|
3326
|
+
#
|
3327
|
+
# * `PrimaryKey` displays the key ARN and Region of the primary key.
|
3328
|
+
# This field displays the current CMK if it is the primary key.
|
3329
|
+
#
|
3330
|
+
# * `ReplicaKeys` displays the key ARNs and Regions of all replica
|
3331
|
+
# keys. This field includes the current CMK if it is a replica key.
|
3332
|
+
# @return [Types::MultiRegionConfiguration]
|
3333
|
+
#
|
3334
|
+
# @!attribute [rw] pending_deletion_window_in_days
|
3335
|
+
# The waiting period before the primary key in a multi-Region key is
|
3336
|
+
# deleted. This waiting period begins when the last of its replica
|
3337
|
+
# keys is deleted. This value is present only when the `KeyState` of
|
3338
|
+
# the CMK is `PendingReplicaDeletion`. That indicates that the CMK is
|
3339
|
+
# the primary key in a multi-Region key, it is scheduled for deletion,
|
3340
|
+
# and it still has existing replica keys.
|
3341
|
+
#
|
3342
|
+
# When a regional CMK or a replica key in a multi-Region key is
|
3343
|
+
# scheduled for deletion, its deletion date is displayed in the
|
3344
|
+
# `DeletionDate` field. However, when the primary key in a
|
3345
|
+
# multi-Region key is scheduled for deletion, its waiting period
|
3346
|
+
# doesn't begin until all of its replica keys are deleted. This value
|
3347
|
+
# displays that waiting period. When the last replica key in the
|
3348
|
+
# multi-Region key is deleted, the `KeyState` of the scheduled primary
|
3349
|
+
# key changes from `PendingReplicaDeletion` to `PendingDeletion` and
|
3350
|
+
# the deletion date appears in the `DeletionDate` field.
|
3351
|
+
# @return [Integer]
|
3352
|
+
#
|
3198
3353
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
3199
3354
|
#
|
3200
3355
|
class KeyMetadata < Struct.new(
|
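Review bot: Three of the new attribute comments have wording slips that will show up in the rendered API docs. In this hunk the `multi_region_configuration` comment reads "in same multi-Region CMK"; in the later `MultiRegionConfiguration` hunk the `replica_keys` comment starts with a lowercase "displays"; and in the `RetireGrantRequest` hunk the `key_id` comment reads "The key ARN CMK associated with the grant". I would write them as `# Lists the primary and replica CMKs in the same multi-Region CMK. This`, `# Displays the key ARNs and Regions of all replica keys. This field` and `# The key ARN of the CMK associated with the grant. To find the key ARN, use`. The `multi_region` comment also spells its values `True`/`False` although the attribute is documented as `@return [Boolean]`, so a Ruby reader would expect `true`/`false`. The `KeyMetadata` class these comments document opens on the last line of the hunk and continues outside it.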
@@ -3215,7 +3370,10 @@ module Aws::KMS
|
|
3215
3370
|
:key_manager,
|
3216
3371
|
:customer_master_key_spec,
|
3217
3372
|
:encryption_algorithms,
|
3218
|
-
:signing_algorithms
|
3373
|
+
:signing_algorithms,
|
3374
|
+
:multi_region,
|
3375
|
+
:multi_region_configuration,
|
3376
|
+
:pending_deletion_window_in_days)
|
3219
3377
|
SENSITIVE = []
|
3220
3378
|
include Aws::Structure
|
3221
3379
|
end
|
@@ -3269,7 +3427,7 @@ module Aws::KMS
|
|
3269
3427
|
# This parameter is optional. If you omit it, `ListAliases` returns
|
3270
3428
|
# all aliases in the account and Region.
|
3271
3429
|
#
|
3272
|
-
# Specify the key ID or
|
3430
|
+
# Specify the key ID or key ARN of the CMK.
|
3273
3431
|
#
|
3274
3432
|
# For example:
|
3275
3433
|
#
|
@@ -3365,8 +3523,8 @@ module Aws::KMS
|
|
3365
3523
|
# Returns only grants for the specified customer master key (CMK).
|
3366
3524
|
# This parameter is required.
|
3367
3525
|
#
|
3368
|
-
# Specify the key ID or
|
3369
|
-
#
|
3526
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
3527
|
+
# different AWS account, you must use the key ARN.
|
3370
3528
|
#
|
3371
3529
|
# For example:
|
3372
3530
|
#
|
@@ -3437,9 +3595,10 @@ module Aws::KMS
|
|
3437
3595
|
# }
|
3438
3596
|
#
|
3439
3597
|
# @!attribute [rw] key_id
|
3440
|
-
#
|
3598
|
+
# Gets the names of key policies for the specified customer master key
|
3599
|
+
# (CMK).
|
3441
3600
|
#
|
3442
|
-
# Specify the key ID or
|
3601
|
+
# Specify the key ID or key ARN of the CMK.
|
3443
3602
|
#
|
3444
3603
|
# For example:
|
3445
3604
|
#
|
@@ -3575,9 +3734,9 @@ module Aws::KMS
|
|
3575
3734
|
# }
|
3576
3735
|
#
|
3577
3736
|
# @!attribute [rw] key_id
|
3578
|
-
#
|
3737
|
+
# Gets tags on the specified customer master key (CMK).
|
3579
3738
|
#
|
3580
|
-
# Specify the key ID or
|
3739
|
+
# Specify the key ID or key ARN of the CMK.
|
3581
3740
|
#
|
3582
3741
|
# For example:
|
3583
3742
|
#
|
@@ -3620,6 +3779,16 @@ module Aws::KMS
|
|
3620
3779
|
|
3621
3780
|
# @!attribute [rw] tags
|
3622
3781
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
3782
|
+
#
|
3783
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
3784
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
3785
|
+
# Management Service Developer Guide*.
|
3786
|
+
#
|
3787
|
+
# </note>
|
3788
|
+
#
|
3789
|
+
#
|
3790
|
+
#
|
3791
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
3623
3792
|
# @return [Array<Types::Tag>]
|
3624
3793
|
#
|
3625
3794
|
# @!attribute [rw] next_marker
|
@@ -3712,6 +3881,58 @@ module Aws::KMS
|
|
3712
3881
|
include Aws::Structure
|
3713
3882
|
end
|
3714
3883
|
|
3884
|
+
# Describes the configuration of this multi-Region CMK. This field
|
3885
|
+
# appears only when the CMK is a primary or replica of a multi-Region
|
3886
|
+
# CMK.
|
3887
|
+
#
|
3888
|
+
# For more information about any listed CMK, use the DescribeKey
|
3889
|
+
# operation.
|
3890
|
+
#
|
3891
|
+
# @!attribute [rw] multi_region_key_type
|
3892
|
+
# Indicates whether the CMK is a `PRIMARY` or `REPLICA` key.
|
3893
|
+
# @return [String]
|
3894
|
+
#
|
3895
|
+
# @!attribute [rw] primary_key
|
3896
|
+
# Displays the key ARN and Region of the primary key. This field
|
3897
|
+
# includes the current CMK if it is the primary key.
|
3898
|
+
# @return [Types::MultiRegionKey]
|
3899
|
+
#
|
3900
|
+
# @!attribute [rw] replica_keys
|
3901
|
+
# displays the key ARNs and Regions of all replica keys. This field
|
3902
|
+
# includes the current CMK if it is a replica key.
|
3903
|
+
# @return [Array<Types::MultiRegionKey>]
|
3904
|
+
#
|
3905
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
|
3906
|
+
#
|
3907
|
+
class MultiRegionConfiguration < Struct.new(
|
3908
|
+
:multi_region_key_type,
|
3909
|
+
:primary_key,
|
3910
|
+
:replica_keys)
|
3911
|
+
SENSITIVE = []
|
3912
|
+
include Aws::Structure
|
3913
|
+
end
|
3914
|
+
|
3915
|
+
# Describes the primary or replica key in a multi-Region key.
|
3916
|
+
#
|
3917
|
+
# @!attribute [rw] arn
|
3918
|
+
# Displays the key ARN of a primary or replica key of a multi-Region
|
3919
|
+
# key.
|
3920
|
+
# @return [String]
|
3921
|
+
#
|
3922
|
+
# @!attribute [rw] region
|
3923
|
+
# Displays the AWS Region of a primary or replica key in a
|
3924
|
+
# multi-Region key.
|
3925
|
+
# @return [String]
|
3926
|
+
#
|
3927
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
|
3928
|
+
#
|
3929
|
+
class MultiRegionKey < Struct.new(
|
3930
|
+
:arn,
|
3931
|
+
:region)
|
3932
|
+
SENSITIVE = []
|
3933
|
+
include Aws::Structure
|
3934
|
+
end
|
3935
|
+
|
3715
3936
|
# The request was rejected because the specified entity or resource
|
3716
3937
|
# could not be found.
|
3717
3938
|
#
|
@@ -3737,9 +3958,9 @@ module Aws::KMS
|
|
3737
3958
|
# }
|
3738
3959
|
#
|
3739
3960
|
# @!attribute [rw] key_id
|
3740
|
-
#
|
3961
|
+
# Sets the key policy on the specified customer master key (CMK).
|
3741
3962
|
#
|
3742
|
-
# Specify the key ID or
|
3963
|
+
# Specify the key ID or key ARN of the CMK.
|
3743
3964
|
#
|
3744
3965
|
# For example:
|
3745
3966
|
#
|
@@ -3876,10 +4097,10 @@ module Aws::KMS
|
|
3876
4097
|
# blob. However, it is always recommended as a best practice. This
|
3877
4098
|
# practice ensures that you use the CMK that you intend.
|
3878
4099
|
#
|
3879
|
-
# To specify a CMK, use its key ID,
|
3880
|
-
#
|
3881
|
-
#
|
3882
|
-
#
|
4100
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
4101
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
4102
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
4103
|
+
# ARN.
|
3883
4104
|
#
|
3884
4105
|
# For example:
|
3885
4106
|
#
|
@@ -3902,10 +4123,10 @@ module Aws::KMS
|
|
3902
4123
|
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
|
3903
4124
|
# DescribeKey operation.
|
3904
4125
|
#
|
3905
|
-
# To specify a CMK, use its key ID,
|
3906
|
-
#
|
3907
|
-
#
|
3908
|
-
#
|
4126
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
4127
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
4128
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
4129
|
+
# ARN.
|
3909
4130
|
#
|
3910
4131
|
# For example:
|
3911
4132
|
#
|
@@ -3971,7 +4192,9 @@ module Aws::KMS
|
|
3971
4192
|
# @!attribute [rw] grant_tokens
|
3972
4193
|
# A list of grant tokens.
|
3973
4194
|
#
|
3974
|
-
#
|
4195
|
+
# Use a grant token when your permission to call this operation comes
|
4196
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
4197
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
3975
4198
|
# Management Service Developer Guide*.
|
3976
4199
|
#
|
3977
4200
|
#
|
@@ -4033,6 +4256,221 @@ module Aws::KMS
|
|
4033
4256
|
include Aws::Structure
|
4034
4257
|
end
|
4035
4258
|
|
4259
|
+
# @note When making an API call, you may pass ReplicateKeyRequest
|
4260
|
+
# data as a hash:
|
4261
|
+
#
|
4262
|
+
# {
|
4263
|
+
# key_id: "KeyIdType", # required
|
4264
|
+
# replica_region: "RegionType", # required
|
4265
|
+
# policy: "PolicyType",
|
4266
|
+
# bypass_policy_lockout_safety_check: false,
|
4267
|
+
# description: "DescriptionType",
|
4268
|
+
# tags: [
|
4269
|
+
# {
|
4270
|
+
# tag_key: "TagKeyType", # required
|
4271
|
+
# tag_value: "TagValueType", # required
|
4272
|
+
# },
|
4273
|
+
# ],
|
4274
|
+
# }
|
4275
|
+
#
|
4276
|
+
# @!attribute [rw] key_id
|
4277
|
+
# Identifies the multi-Region primary key that is being replicated. To
|
4278
|
+
# determine whether a CMK is a multi-Region primary key, use the
|
4279
|
+
# DescribeKey operation to check the value of the `MultiRegionKeyType`
|
4280
|
+
# property.
|
4281
|
+
#
|
4282
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
4283
|
+
#
|
4284
|
+
# For example:
|
4285
|
+
#
|
4286
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
4287
|
+
#
|
4288
|
+
# * Key ARN:
|
4289
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
4290
|
+
#
|
4291
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
4292
|
+
# DescribeKey.
|
4293
|
+
# @return [String]
|
4294
|
+
#
|
4295
|
+
# @!attribute [rw] replica_region
|
4296
|
+
# The Region ID of the AWS Region for this replica key.
|
4297
|
+
#
|
4298
|
+
# Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
|
4299
|
+
# list of AWS Regions in which AWS KMS is supported, see [AWS KMS
|
4300
|
+
# service endpoints][1] in the *Amazon Web Services General
|
4301
|
+
# Reference*.
|
4302
|
+
#
|
4303
|
+
# The replica must be in a different AWS Region than its primary key
|
4304
|
+
# and other replicas of that primary key, but in the same AWS
|
4305
|
+
# partition. AWS KMS must be available in the replica Region. If the
|
4306
|
+
# Region is not enabled by default, the AWS account must be enabled in
|
4307
|
+
# the Region.
|
4308
|
+
#
|
4309
|
+
# For information about AWS partitions, see [Amazon Resource Names
|
4310
|
+
# (ARNs) in the *Amazon Web Services General Reference*.][2] For
|
4311
|
+
# information about enabling and disabling Regions, see [Enabling a
|
4312
|
+
# Region][3] and [Disabling a Region][4] in the *Amazon Web Services
|
4313
|
+
# General Reference*.
|
4314
|
+
#
|
4315
|
+
#
|
4316
|
+
#
|
4317
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
4318
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
4319
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
4320
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
4321
|
+
# @return [String]
|
4322
|
+
#
|
4323
|
+
# @!attribute [rw] policy
|
4324
|
+
# The key policy to attach to the CMK. This parameter is optional. If
|
4325
|
+
# you do not provide a key policy, AWS KMS attaches the [default key
|
4326
|
+
# policy][1] to the CMK.
|
4327
|
+
#
|
4328
|
+
# The key policy is not a shared property of multi-Region keys. You
|
4329
|
+
# can specify the same key policy or a different key policy for each
|
4330
|
+
# key in a set of related multi-Region keys. AWS KMS does not
|
4331
|
+
# synchronize this property.
|
4332
|
+
#
|
4333
|
+
# If you provide a key policy, it must meet the following criteria:
|
4334
|
+
#
|
4335
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
4336
|
+
# key policy must give the caller `kms:PutKeyPolicy` permission on
|
4337
|
+
# the replica CMK. This reduces the risk that the CMK becomes
|
4338
|
+
# unmanageable. For more information, refer to the scenario in the
|
4339
|
+
# [Default Key Policy][2] section of the <i> <i>AWS Key Management
|
4340
|
+
# Service Developer Guide</i> </i>.
|
4341
|
+
#
|
4342
|
+
# * Each statement in the key policy must contain one or more
|
4343
|
+
# principals. The principals in the key policy must exist and be
|
4344
|
+
# visible to AWS KMS. When you create a new AWS principal (for
|
4345
|
+
# example, an IAM user or role), you might need to enforce a delay
|
4346
|
+
# before including the new principal in a key policy because the new
|
4347
|
+
# principal might not be immediately visible to AWS KMS. For more
|
4348
|
+
# information, see [Changes that I make are not always immediately
|
4349
|
+
# visible][3] in the *AWS Identity and Access Management User
|
4350
|
+
# Guide*.
|
4351
|
+
#
|
4352
|
+
# * The key policy size quota is 32 kilobytes (32768 bytes).
|
4353
|
+
#
|
4354
|
+
#
|
4355
|
+
#
|
4356
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
4357
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
4358
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
4359
|
+
# @return [String]
|
4360
|
+
#
|
4361
|
+
# @!attribute [rw] bypass_policy_lockout_safety_check
|
4362
|
+
# A flag to indicate whether to bypass the key policy lockout safety
|
4363
|
+
# check.
|
4364
|
+
#
|
4365
|
+
# Setting this value to true increases the risk that the CMK becomes
|
4366
|
+
# unmanageable. Do not set this value to true indiscriminately.
|
4367
|
+
#
|
4368
|
+
# For more information, refer to the scenario in the [Default Key
|
4369
|
+
# Policy][1] section in the *AWS Key Management Service Developer
|
4370
|
+
# Guide*.
|
4371
|
+
#
|
4372
|
+
# Use this parameter only when you intend to prevent the principal
|
4373
|
+
# that is making the request from making a subsequent `PutKeyPolicy`
|
4374
|
+
# request on the CMK.
|
4375
|
+
#
|
4376
|
+
# The default value is false.
|
4377
|
+
#
|
4378
|
+
#
|
4379
|
+
#
|
4380
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
4381
|
+
# @return [Boolean]
|
4382
|
+
#
|
4383
|
+
# @!attribute [rw] description
|
4384
|
+
# A description of the CMK. Use a description that helps you decide
|
4385
|
+
# whether the CMK is appropriate for a task. The default value is an
|
4386
|
+
# empty string (no description).
|
4387
|
+
#
|
4388
|
+
# The description is not a shared property of multi-Region keys. You
|
4389
|
+
# can specify the same description or a different description for each
|
4390
|
+
# key in a set of related multi-Region keys. AWS KMS does not
|
4391
|
+
# synchronize this property.
|
4392
|
+
# @return [String]
|
4393
|
+
#
|
4394
|
+
# @!attribute [rw] tags
|
4395
|
+
# Assigns one or more tags to the replica key. Use this parameter to
|
4396
|
+
# tag the CMK when it is created. To tag an existing CMK, use the
|
4397
|
+
# TagResource operation.
|
4398
|
+
#
|
4399
|
+
# <note markdown="1"> Tagging or untagging a CMK can allow or deny permission to the CMK.
|
4400
|
+
# For details, see [Using ABAC in AWS KMS][1] in the *AWS Key
|
4401
|
+
# Management Service Developer Guide*.
|
4402
|
+
#
|
4403
|
+
# </note>
|
4404
|
+
#
|
4405
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
4406
|
+
# in an IAM policy.
|
4407
|
+
#
|
4408
|
+
# Tags are not a shared property of multi-Region keys. You can specify
|
4409
|
+
# the same tags or different tags for each key in a set of related
|
4410
|
+
# multi-Region keys. AWS KMS does not synchronize this property.
|
4411
|
+
#
|
4412
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
4413
|
+
# the tag value are required, but the tag value can be an empty (null)
|
4414
|
+
# string. You cannot have more than one tag on a CMK with the same tag
|
4415
|
+
# key. If you specify an existing tag key with a different tag value,
|
4416
|
+
# AWS KMS replaces the current tag value with the specified one.
|
4417
|
+
#
|
4418
|
+
# When you assign tags to an AWS resource, AWS generates a cost
|
4419
|
+
# allocation report with usage and costs aggregated by tags. Tags can
|
4420
|
+
# also be used to control access to a CMK. For details, see [Tagging
|
4421
|
+
# Keys][3].
|
4422
|
+
#
|
4423
|
+
#
|
4424
|
+
#
|
4425
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
4426
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4427
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
4428
|
+
# @return [Array<Types::Tag>]
|
4429
|
+
#
|
4430
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
|
4431
|
+
#
|
4432
|
+
class ReplicateKeyRequest < Struct.new(
|
4433
|
+
:key_id,
|
4434
|
+
:replica_region,
|
4435
|
+
:policy,
|
4436
|
+
:bypass_policy_lockout_safety_check,
|
4437
|
+
:description,
|
4438
|
+
:tags)
|
4439
|
+
SENSITIVE = []
|
4440
|
+
include Aws::Structure
|
4441
|
+
end
|
4442
|
+
|
4443
|
+
# @!attribute [rw] replica_key_metadata
|
4444
|
+
# Displays details about the new replica CMK, including its Amazon
|
4445
|
+
# Resource Name ([key ARN][1]) and [key state][2]. It also includes
|
4446
|
+
# the ARN and AWS Region of its primary key and other replica keys.
|
4447
|
+
#
|
4448
|
+
#
|
4449
|
+
#
|
4450
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4451
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4452
|
+
# @return [Types::KeyMetadata]
|
4453
|
+
#
|
4454
|
+
# @!attribute [rw] replica_policy
|
4455
|
+
# The key policy of the new replica key. The value is a key policy
|
4456
|
+
# document in JSON format.
|
4457
|
+
# @return [String]
|
4458
|
+
#
|
4459
|
+
# @!attribute [rw] replica_tags
|
4460
|
+
# The tags on the new replica key. The value is a list of tag key and
|
4461
|
+
# tag value pairs.
|
4462
|
+
# @return [Array<Types::Tag>]
|
4463
|
+
#
|
4464
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
|
4465
|
+
#
|
4466
|
+
class ReplicateKeyResponse < Struct.new(
|
4467
|
+
:replica_key_metadata,
|
4468
|
+
:replica_policy,
|
4469
|
+
:replica_tags)
|
4470
|
+
SENSITIVE = []
|
4471
|
+
include Aws::Structure
|
4472
|
+
end
|
4473
|
+
|
4036
4474
|
# @note When making an API call, you may pass RetireGrantRequest
|
4037
4475
|
# data as a hash:
|
4038
4476
|
#
|
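Review bot: The `policy` comment on `ReplicateKeyRequest` never states that a replica does not inherit its primary key's policy. It says an omitted policy yields the default key policy and, in a separate paragraph, that the key policy is not synchronized across related multi-Region keys, but the reader has to combine the two. A caller who tightened the primary key's policy and leaves `policy` unset gets a replica governed by the default key policy, so I would add after the first paragraph: `# The replica does not inherit the key policy of its primary key; pass the policy explicitly if the replica must be restricted the same way.` The same comment also nests emphasis tags (`<i> <i>AWS Key Management Service Developer Guide</i> </i>`) where the neighbouring comments use `*...*`. The two context lines at the top of the hunk close a class that starts outside it.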
@@ -4043,19 +4481,31 @@ module Aws::KMS
|
|
4043
4481
|
# }
|
4044
4482
|
#
|
4045
4483
|
# @!attribute [rw] grant_token
|
4046
|
-
#
|
4484
|
+
# Identifies the grant to be retired. You can use a grant token to
|
4485
|
+
# identify a new grant even before it has achieved eventual
|
4486
|
+
# consistency.
|
4487
|
+
#
|
4488
|
+
# Only the CreateGrant operation returns a grant token. For details,
|
4489
|
+
# see [Grant token][1] and [Eventual consistency][2] in the *AWS Key
|
4490
|
+
# Management Service Developer Guide*.
|
4491
|
+
#
|
4492
|
+
#
|
4493
|
+
#
|
4494
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4495
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
4047
4496
|
# @return [String]
|
4048
4497
|
#
|
4049
4498
|
# @!attribute [rw] key_id
|
4050
|
-
# The
|
4499
|
+
# The key ARN CMK associated with the grant. To find the key ARN, use
|
4500
|
+
# the ListKeys operation.
|
4051
4501
|
#
|
4052
4502
|
# For example:
|
4053
4503
|
# `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4054
4504
|
# @return [String]
|
4055
4505
|
#
|
4056
4506
|
# @!attribute [rw] grant_id
|
4057
|
-
#
|
4058
|
-
#
|
4507
|
+
# Identifies the grant to retire. To get the grant ID, use
|
4508
|
+
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4059
4509
|
#
|
4060
4510
|
# * Grant ID Example -
|
4061
4511
|
# 0123456789012345678901234567890123456789012345678901234567890123
|
@@ -4082,11 +4532,12 @@ module Aws::KMS
|
|
4082
4532
|
# }
|
4083
4533
|
#
|
4084
4534
|
# @!attribute [rw] key_id
|
4085
|
-
# A unique identifier for the customer master key associated
|
4086
|
-
# grant.
|
4535
|
+
# A unique identifier for the customer master key (CMK) associated
|
4536
|
+
# with the grant. To get the key ID and key ARN for a CMK, use
|
4537
|
+
# ListKeys or DescribeKey.
|
4087
4538
|
#
|
4088
|
-
# Specify the key ID or
|
4089
|
-
#
|
4539
|
+
# Specify the key ID or key ARN of the CMK. To specify a CMK in a
|
4540
|
+
# different AWS account, you must use the key ARN.
|
4090
4541
|
#
|
4091
4542
|
# For example:
|
4092
4543
|
#
|
@@ -4100,7 +4551,8 @@ module Aws::KMS
|
|
4100
4551
|
# @return [String]
|
4101
4552
|
#
|
4102
4553
|
# @!attribute [rw] grant_id
|
4103
|
-
#
|
4554
|
+
# Identifies the grant to revoke. To get the grant ID, use
|
4555
|
+
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4104
4556
|
# @return [String]
|
4105
4557
|
#
|
4106
4558
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
|
@@ -4123,7 +4575,7 @@ module Aws::KMS
|
|
4123
4575
|
# @!attribute [rw] key_id
|
4124
4576
|
# The unique identifier of the customer master key (CMK) to delete.
|
4125
4577
|
#
|
4126
|
-
# Specify the key ID or
|
4578
|
+
# Specify the key ID or key ARN of the CMK.
|
4127
4579
|
#
|
4128
4580
|
# For example:
|
4129
4581
|
#
|
@@ -4140,6 +4592,10 @@ module Aws::KMS
|
|
4140
4592
|
# The waiting period, specified in number of days. After the waiting
|
4141
4593
|
# period ends, AWS KMS deletes the customer master key (CMK).
|
4142
4594
|
#
|
4595
|
+
# If the CMK is a multi-Region primary key with replicas, the waiting
|
4596
|
+
# period begins when the last of its replica keys is deleted.
|
4597
|
+
# Otherwise, the waiting period begins immediately.
|
4598
|
+
#
|
4143
4599
|
# This value is optional. If you include a value, it must be between 7
|
4144
4600
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
4145
4601
|
# @return [Integer]
|
@@ -4165,13 +4621,39 @@ module Aws::KMS
|
|
4165
4621
|
# @!attribute [rw] deletion_date
|
4166
4622
|
# The date and time after which AWS KMS deletes the customer master
|
4167
4623
|
# key (CMK).
|
4624
|
+
#
|
4625
|
+
# If the CMK is a multi-Region primary key with replica keys, this
|
4626
|
+
# field does not appear. The deletion date for the primary key isn't
|
4627
|
+
# known until its last replica key is deleted.
|
4168
4628
|
# @return [Time]
|
4169
4629
|
#
|
4630
|
+
# @!attribute [rw] key_state
|
4631
|
+
# The current status of the CMK.
|
4632
|
+
#
|
4633
|
+
# For more information about how key state affects the use of a CMK,
|
4634
|
+
# see [Key state: Effect on your CMK][1] in the *AWS Key Management
|
4635
|
+
# Service Developer Guide*.
|
4636
|
+
#
|
4637
|
+
#
|
4638
|
+
#
|
4639
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4640
|
+
# @return [String]
|
4641
|
+
#
|
4642
|
+
# @!attribute [rw] pending_window_in_days
|
4643
|
+
# The waiting period before the CMK is deleted.
|
4644
|
+
#
|
4645
|
+
# If the CMK is a multi-Region primary key with replicas, the waiting
|
4646
|
+
# period begins when the last of its replica keys is deleted.
|
4647
|
+
# Otherwise, the waiting period begins immediately.
|
4648
|
+
# @return [Integer]
|
4649
|
+
#
|
4170
4650
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
|
4171
4651
|
#
|
4172
4652
|
class ScheduleKeyDeletionResponse < Struct.new(
|
4173
4653
|
:key_id,
|
4174
|
-
:deletion_date
|
4654
|
+
:deletion_date,
|
4655
|
+
:key_state,
|
4656
|
+
:pending_window_in_days)
|
4175
4657
|
SENSITIVE = []
|
4176
4658
|
include Aws::Structure
|
4177
4659
|
end
|
@@ -4193,10 +4675,10 @@ module Aws::KMS
|
|
4193
4675
|
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
|
4194
4676
|
# DescribeKey operation.
|
4195
4677
|
#
|
4196
|
-
# To specify a CMK, use its key ID,
|
4197
|
-
#
|
4198
|
-
#
|
4199
|
-
#
|
4678
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
4679
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
4680
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
4681
|
+
# ARN.
|
4200
4682
|
#
|
4201
4683
|
# For example:
|
4202
4684
|
#
|
@@ -4230,7 +4712,9 @@ module Aws::KMS
|
|
4230
4712
|
# @!attribute [rw] grant_tokens
|
4231
4713
|
# A list of grant tokens.
|
4232
4714
|
#
|
4233
|
-
#
|
4715
|
+
# Use a grant token when your permission to call this operation comes
|
4716
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
4717
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
4234
4718
|
# Management Service Developer Guide*.
|
4235
4719
|
#
|
4236
4720
|
#
|
@@ -4367,7 +4851,7 @@ module Aws::KMS
|
|
4367
4851
|
# @!attribute [rw] key_id
|
4368
4852
|
# Identifies a customer managed CMK in the account and Region.
|
4369
4853
|
#
|
4370
|
-
# Specify the key ID or
|
4854
|
+
# Specify the key ID or key ARN of the CMK.
|
4371
4855
|
#
|
4372
4856
|
# For example:
|
4373
4857
|
#
|
@@ -4425,7 +4909,7 @@ module Aws::KMS
|
|
4425
4909
|
# @!attribute [rw] key_id
|
4426
4910
|
# Identifies the CMK from which you are removing tags.
|
4427
4911
|
#
|
4428
|
-
# Specify the key ID or
|
4912
|
+
# Specify the key ID or key ARN of the CMK.
|
4429
4913
|
#
|
4430
4914
|
# For example:
|
4431
4915
|
#
|
@@ -4476,7 +4960,7 @@ module Aws::KMS
|
|
4476
4960
|
# CMK (both symmetric or both asymmetric) and they must have the same
|
4477
4961
|
# key usage.
|
4478
4962
|
#
|
4479
|
-
# Specify the key ID or
|
4963
|
+
# Specify the key ID or key ARN of the CMK.
|
4480
4964
|
#
|
4481
4965
|
# For example:
|
4482
4966
|
#
|
@@ -4579,9 +5063,9 @@ module Aws::KMS
|
|
4579
5063
|
# }
|
4580
5064
|
#
|
4581
5065
|
# @!attribute [rw] key_id
|
4582
|
-
#
|
5066
|
+
# Updates the description of the specified customer master key (CMK).
|
4583
5067
|
#
|
4584
|
-
# Specify the key ID or
|
5068
|
+
# Specify the key ID or key ARN of the CMK.
|
4585
5069
|
#
|
4586
5070
|
# For example:
|
4587
5071
|
#
|
@@ -4607,6 +5091,49 @@ module Aws::KMS
|
|
4607
5091
|
include Aws::Structure
|
4608
5092
|
end
|
4609
5093
|
|
5094
|
+
# @note When making an API call, you may pass UpdatePrimaryRegionRequest
|
5095
|
+
# data as a hash:
|
5096
|
+
#
|
5097
|
+
# {
|
5098
|
+
# key_id: "KeyIdType", # required
|
5099
|
+
# primary_region: "RegionType", # required
|
5100
|
+
# }
|
5101
|
+
#
|
5102
|
+
# @!attribute [rw] key_id
|
5103
|
+
# Identifies the current primary key. When the operation completes,
|
5104
|
+
# this CMK will be a replica key.
|
5105
|
+
#
|
5106
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
5107
|
+
#
|
5108
|
+
# For example:
|
5109
|
+
#
|
5110
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
5111
|
+
#
|
5112
|
+
# * Key ARN:
|
5113
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
5114
|
+
#
|
5115
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or
|
5116
|
+
# DescribeKey.
|
5117
|
+
# @return [String]
|
5118
|
+
#
|
5119
|
+
# @!attribute [rw] primary_region
|
5120
|
+
# The AWS Region of the new primary key. Enter the Region ID, such as
|
5121
|
+
# `us-east-1` or `ap-southeast-2`. There must be an existing replica
|
5122
|
+
# key in this Region.
|
5123
|
+
#
|
5124
|
+
# When the operation completes, the multi-Region key in this Region
|
5125
|
+
# will be the primary key.
|
5126
|
+
# @return [String]
|
5127
|
+
#
|
5128
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
|
5129
|
+
#
|
5130
|
+
class UpdatePrimaryRegionRequest < Struct.new(
|
5131
|
+
:key_id,
|
5132
|
+
:primary_region)
|
5133
|
+
SENSITIVE = []
|
5134
|
+
include Aws::Structure
|
5135
|
+
end
|
5136
|
+
|
4610
5137
|
# @note When making an API call, you may pass VerifyRequest
|
4611
5138
|
# data as a hash:
|
4612
5139
|
#
|
@@ -4625,10 +5152,10 @@ module Aws::KMS
|
|
4625
5152
|
# signature. If you specify a different CMK, the signature
|
4626
5153
|
# verification fails.
|
4627
5154
|
#
|
4628
|
-
# To specify a CMK, use its key ID,
|
4629
|
-
#
|
4630
|
-
#
|
4631
|
-
#
|
5155
|
+
# To specify a CMK, use its key ID, key ARN, alias name, or alias ARN.
|
5156
|
+
# When using an alias name, prefix it with `"alias/"`. To specify a
|
5157
|
+
# CMK in a different AWS account, you must use the key ARN or alias
|
5158
|
+
# ARN.
|
4632
5159
|
#
|
4633
5160
|
# For example:
|
4634
5161
|
#
|
@@ -4678,7 +5205,9 @@ module Aws::KMS
|
|
4678
5205
|
# @!attribute [rw] grant_tokens
|
4679
5206
|
# A list of grant tokens.
|
4680
5207
|
#
|
4681
|
-
#
|
5208
|
+
# Use a grant token when your permission to call this operation comes
|
5209
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
5210
|
+
# For more information, see [Grant token][1] in the *AWS Key
|
4682
5211
|
# Management Service Developer Guide*.
|
4683
5212
|
#
|
4684
5213
|
#
|