aws-sdk-kms 1.43.0 → 1.47.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +2287 -1460
- data/lib/aws-sdk-kms/client_api.rb +83 -3
- data/lib/aws-sdk-kms/customizations.rb +1 -1
- data/lib/aws-sdk-kms/types.rb +1289 -699
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +7 -8
@@ -130,6 +130,7 @@ module Aws::KMS
|
|
130
130
|
KeyListEntry = Shapes::StructureShape.new(name: 'KeyListEntry')
|
131
131
|
KeyManagerType = Shapes::StringShape.new(name: 'KeyManagerType')
|
132
132
|
KeyMetadata = Shapes::StructureShape.new(name: 'KeyMetadata')
|
133
|
+
KeySpec = Shapes::StringShape.new(name: 'KeySpec')
|
133
134
|
KeyState = Shapes::StringShape.new(name: 'KeyState')
|
134
135
|
KeyStorePasswordType = Shapes::StringShape.new(name: 'KeyStorePasswordType')
|
135
136
|
KeyUnavailableException = Shapes::StructureShape.new(name: 'KeyUnavailableException')
|
@@ -150,7 +151,12 @@ module Aws::KMS
|
|
150
151
|
MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
|
151
152
|
MarkerType = Shapes::StringShape.new(name: 'MarkerType')
|
152
153
|
MessageType = Shapes::StringShape.new(name: 'MessageType')
|
154
|
+
MultiRegionConfiguration = Shapes::StructureShape.new(name: 'MultiRegionConfiguration')
|
155
|
+
MultiRegionKey = Shapes::StructureShape.new(name: 'MultiRegionKey')
|
156
|
+
MultiRegionKeyList = Shapes::ListShape.new(name: 'MultiRegionKeyList')
|
157
|
+
MultiRegionKeyType = Shapes::StringShape.new(name: 'MultiRegionKeyType')
|
153
158
|
NotFoundException = Shapes::StructureShape.new(name: 'NotFoundException')
|
159
|
+
NullableBooleanType = Shapes::BooleanShape.new(name: 'NullableBooleanType')
|
154
160
|
NumberOfBytesType = Shapes::IntegerShape.new(name: 'NumberOfBytesType')
|
155
161
|
OriginType = Shapes::StringShape.new(name: 'OriginType')
|
156
162
|
PendingWindowInDaysType = Shapes::IntegerShape.new(name: 'PendingWindowInDaysType')
|
@@ -163,6 +169,9 @@ module Aws::KMS
|
|
163
169
|
PutKeyPolicyRequest = Shapes::StructureShape.new(name: 'PutKeyPolicyRequest')
|
164
170
|
ReEncryptRequest = Shapes::StructureShape.new(name: 'ReEncryptRequest')
|
165
171
|
ReEncryptResponse = Shapes::StructureShape.new(name: 'ReEncryptResponse')
|
172
|
+
RegionType = Shapes::StringShape.new(name: 'RegionType')
|
173
|
+
ReplicateKeyRequest = Shapes::StructureShape.new(name: 'ReplicateKeyRequest')
|
174
|
+
ReplicateKeyResponse = Shapes::StructureShape.new(name: 'ReplicateKeyResponse')
|
166
175
|
RetireGrantRequest = Shapes::StructureShape.new(name: 'RetireGrantRequest')
|
167
176
|
RevokeGrantRequest = Shapes::StructureShape.new(name: 'RevokeGrantRequest')
|
168
177
|
ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
|
@@ -185,6 +194,7 @@ module Aws::KMS
|
|
185
194
|
UpdateCustomKeyStoreRequest = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreRequest')
|
186
195
|
UpdateCustomKeyStoreResponse = Shapes::StructureShape.new(name: 'UpdateCustomKeyStoreResponse')
|
187
196
|
UpdateKeyDescriptionRequest = Shapes::StructureShape.new(name: 'UpdateKeyDescriptionRequest')
|
197
|
+
UpdatePrimaryRegionRequest = Shapes::StructureShape.new(name: 'UpdatePrimaryRegionRequest')
|
188
198
|
VerifyRequest = Shapes::StructureShape.new(name: 'VerifyRequest')
|
189
199
|
VerifyResponse = Shapes::StructureShape.new(name: 'VerifyResponse')
|
190
200
|
WrappingKeySpec = Shapes::StringShape.new(name: 'WrappingKeySpec')
|
@@ -256,11 +266,13 @@ module Aws::KMS
|
|
256
266
|
CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
|
257
267
|
CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
|
258
268
|
CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
259
|
-
CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
269
|
+
CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This parameter has been deprecated. Instead, use the KeySpec parameter."}))
|
270
|
+
CreateKeyRequest.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
260
271
|
CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
|
261
272
|
CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
|
262
273
|
CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
|
263
274
|
CreateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
|
275
|
+
CreateKeyRequest.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
|
264
276
|
CreateKeyRequest.struct_class = Types::CreateKeyRequest
|
265
277
|
|
266
278
|
CreateKeyResponse.add_member(:key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "KeyMetadata"))
|
@@ -458,7 +470,8 @@ module Aws::KMS
|
|
458
470
|
|
459
471
|
GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
460
472
|
GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
|
461
|
-
GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
473
|
+
GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
|
474
|
+
GetPublicKeyResponse.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
462
475
|
GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
463
476
|
GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
464
477
|
GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
@@ -557,9 +570,13 @@ module Aws::KMS
|
|
557
570
|
KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
|
558
571
|
KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
|
559
572
|
KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
|
560
|
-
KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
573
|
+
KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
|
574
|
+
KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
561
575
|
KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
562
576
|
KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
577
|
+
KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
|
578
|
+
KeyMetadata.add_member(:multi_region_configuration, Shapes::ShapeRef.new(shape: MultiRegionConfiguration, location_name: "MultiRegionConfiguration"))
|
579
|
+
KeyMetadata.add_member(:pending_deletion_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingDeletionWindowInDays"))
|
563
580
|
KeyMetadata.struct_class = Types::KeyMetadata
|
564
581
|
|
565
582
|
KeyUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
@@ -627,6 +644,17 @@ module Aws::KMS
|
|
627
644
|
MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
628
645
|
MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
|
629
646
|
|
647
|
+
MultiRegionConfiguration.add_member(:multi_region_key_type, Shapes::ShapeRef.new(shape: MultiRegionKeyType, location_name: "MultiRegionKeyType"))
|
648
|
+
MultiRegionConfiguration.add_member(:primary_key, Shapes::ShapeRef.new(shape: MultiRegionKey, location_name: "PrimaryKey"))
|
649
|
+
MultiRegionConfiguration.add_member(:replica_keys, Shapes::ShapeRef.new(shape: MultiRegionKeyList, location_name: "ReplicaKeys"))
|
650
|
+
MultiRegionConfiguration.struct_class = Types::MultiRegionConfiguration
|
651
|
+
|
652
|
+
MultiRegionKey.add_member(:arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "Arn"))
|
653
|
+
MultiRegionKey.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
|
654
|
+
MultiRegionKey.struct_class = Types::MultiRegionKey
|
655
|
+
|
656
|
+
MultiRegionKeyList.member = Shapes::ShapeRef.new(shape: MultiRegionKey)
|
657
|
+
|
630
658
|
NotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessageType, location_name: "message"))
|
631
659
|
NotFoundException.struct_class = Types::NotFoundException
|
632
660
|
|
@@ -655,6 +683,19 @@ module Aws::KMS
|
|
655
683
|
ReEncryptResponse.add_member(:destination_encryption_algorithm, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpec, location_name: "DestinationEncryptionAlgorithm"))
|
656
684
|
ReEncryptResponse.struct_class = Types::ReEncryptResponse
|
657
685
|
|
686
|
+
ReplicateKeyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
687
|
+
ReplicateKeyRequest.add_member(:replica_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "ReplicaRegion"))
|
688
|
+
ReplicateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
|
689
|
+
ReplicateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
|
690
|
+
ReplicateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
|
691
|
+
ReplicateKeyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, location_name: "Tags"))
|
692
|
+
ReplicateKeyRequest.struct_class = Types::ReplicateKeyRequest
|
693
|
+
|
694
|
+
ReplicateKeyResponse.add_member(:replica_key_metadata, Shapes::ShapeRef.new(shape: KeyMetadata, location_name: "ReplicaKeyMetadata"))
|
695
|
+
ReplicateKeyResponse.add_member(:replica_policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "ReplicaPolicy"))
|
696
|
+
ReplicateKeyResponse.add_member(:replica_tags, Shapes::ShapeRef.new(shape: TagList, location_name: "ReplicaTags"))
|
697
|
+
ReplicateKeyResponse.struct_class = Types::ReplicateKeyResponse
|
698
|
+
|
658
699
|
RetireGrantRequest.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
|
659
700
|
RetireGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
660
701
|
RetireGrantRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
|
@@ -670,6 +711,8 @@ module Aws::KMS
|
|
670
711
|
|
671
712
|
ScheduleKeyDeletionResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
672
713
|
ScheduleKeyDeletionResponse.add_member(:deletion_date, Shapes::ShapeRef.new(shape: DateType, location_name: "DeletionDate"))
|
714
|
+
ScheduleKeyDeletionResponse.add_member(:key_state, Shapes::ShapeRef.new(shape: KeyState, location_name: "KeyState"))
|
715
|
+
ScheduleKeyDeletionResponse.add_member(:pending_window_in_days, Shapes::ShapeRef.new(shape: PendingWindowInDaysType, location_name: "PendingWindowInDays"))
|
673
716
|
ScheduleKeyDeletionResponse.struct_class = Types::ScheduleKeyDeletionResponse
|
674
717
|
|
675
718
|
SignRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
@@ -724,6 +767,10 @@ module Aws::KMS
|
|
724
767
|
UpdateKeyDescriptionRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, required: true, location_name: "Description"))
|
725
768
|
UpdateKeyDescriptionRequest.struct_class = Types::UpdateKeyDescriptionRequest
|
726
769
|
|
770
|
+
UpdatePrimaryRegionRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
771
|
+
UpdatePrimaryRegionRequest.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, required: true, location_name: "PrimaryRegion"))
|
772
|
+
UpdatePrimaryRegionRequest.struct_class = Types::UpdatePrimaryRegionRequest
|
773
|
+
|
727
774
|
VerifyRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
|
728
775
|
VerifyRequest.add_member(:message, Shapes::ShapeRef.new(shape: PlaintextType, required: true, location_name: "Message"))
|
729
776
|
VerifyRequest.add_member(:message_type, Shapes::ShapeRef.new(shape: MessageType, location_name: "MessageType"))
|
@@ -909,6 +956,7 @@ module Aws::KMS
|
|
909
956
|
o.input = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresRequest)
|
910
957
|
o.output = Shapes::ShapeRef.new(shape: DescribeCustomKeyStoresResponse)
|
911
958
|
o.errors << Shapes::ShapeRef.new(shape: CustomKeyStoreNotFoundException)
|
959
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidMarkerException)
|
912
960
|
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
913
961
|
end)
|
914
962
|
|
@@ -1302,6 +1350,24 @@ module Aws::KMS
|
|
1302
1350
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1303
1351
|
end)
|
1304
1352
|
|
1353
|
+
api.add_operation(:replicate_key, Seahorse::Model::Operation.new.tap do |o|
|
1354
|
+
o.name = "ReplicateKey"
|
1355
|
+
o.http_method = "POST"
|
1356
|
+
o.http_request_uri = "/"
|
1357
|
+
o.input = Shapes::ShapeRef.new(shape: ReplicateKeyRequest)
|
1358
|
+
o.output = Shapes::ShapeRef.new(shape: ReplicateKeyResponse)
|
1359
|
+
o.errors << Shapes::ShapeRef.new(shape: AlreadyExistsException)
|
1360
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
1361
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
|
1362
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1363
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1364
|
+
o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
|
1365
|
+
o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
|
1366
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
1367
|
+
o.errors << Shapes::ShapeRef.new(shape: TagException)
|
1368
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1369
|
+
end)
|
1370
|
+
|
1305
1371
|
api.add_operation(:retire_grant, Seahorse::Model::Operation.new.tap do |o|
|
1306
1372
|
o.name = "RetireGrant"
|
1307
1373
|
o.http_method = "POST"
|
@@ -1429,6 +1495,20 @@ module Aws::KMS
|
|
1429
1495
|
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1430
1496
|
end)
|
1431
1497
|
|
1498
|
+
api.add_operation(:update_primary_region, Seahorse::Model::Operation.new.tap do |o|
|
1499
|
+
o.name = "UpdatePrimaryRegion"
|
1500
|
+
o.http_method = "POST"
|
1501
|
+
o.http_request_uri = "/"
|
1502
|
+
o.input = Shapes::ShapeRef.new(shape: UpdatePrimaryRegionRequest)
|
1503
|
+
o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
|
1504
|
+
o.errors << Shapes::ShapeRef.new(shape: DisabledException)
|
1505
|
+
o.errors << Shapes::ShapeRef.new(shape: InvalidArnException)
|
1506
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInvalidStateException)
|
1507
|
+
o.errors << Shapes::ShapeRef.new(shape: KMSInternalException)
|
1508
|
+
o.errors << Shapes::ShapeRef.new(shape: NotFoundException)
|
1509
|
+
o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
|
1510
|
+
end)
|
1511
|
+
|
1432
1512
|
api.add_operation(:verify, Seahorse::Model::Operation.new.tap do |o|
|
1433
1513
|
o.name = "Verify"
|
1434
1514
|
o.http_method = "POST"
|
@@ -2,7 +2,7 @@
|
|
2
2
|
# WARNING ABOUT GENERATED CODE
|
3
3
|
#
|
4
4
|
# This file is generated. See the contributing for info on making contributions:
|
5
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
5
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
6
6
|
#
|
7
7
|
# WARNING ABOUT GENERATED CODE
|
8
8
|
|
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -21,13 +21,18 @@ module Aws::KMS
|
|
21
21
|
# @return [String]
|
22
22
|
#
|
23
23
|
# @!attribute [rw] target_key_id
|
24
|
-
# String that contains the key identifier
|
24
|
+
# String that contains the key identifier of the KMS key associated
|
25
|
+
# with the alias.
|
25
26
|
# @return [String]
|
26
27
|
#
|
27
28
|
# @!attribute [rw] creation_date
|
29
|
+
# Date and time that the alias was most recently created in the
|
30
|
+
# account and Region. Formatted as Unix time.
|
28
31
|
# @return [Time]
|
29
32
|
#
|
30
33
|
# @!attribute [rw] last_updated_date
|
34
|
+
# Date and time that the alias was most recently associated with a KMS
|
35
|
+
# key in the account and Region. Formatted as Unix time.
|
31
36
|
# @return [Time]
|
32
37
|
#
|
33
38
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
|
@@ -64,10 +69,9 @@ module Aws::KMS
|
|
64
69
|
# }
|
65
70
|
#
|
66
71
|
# @!attribute [rw] key_id
|
67
|
-
#
|
68
|
-
# cancel deletion.
|
72
|
+
# Identifies the KMS key whose deletion is being canceled.
|
69
73
|
#
|
70
|
-
# Specify the key ID or
|
74
|
+
# Specify the key ID or key ARN of the KMS key.
|
71
75
|
#
|
72
76
|
# For example:
|
73
77
|
#
|
@@ -76,7 +80,7 @@ module Aws::KMS
|
|
76
80
|
# * Key ARN:
|
77
81
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
78
82
|
#
|
79
|
-
# To get the key ID and key ARN for a
|
83
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
80
84
|
# DescribeKey.
|
81
85
|
# @return [String]
|
82
86
|
#
|
@@ -89,8 +93,8 @@ module Aws::KMS
|
|
89
93
|
end
|
90
94
|
|
91
95
|
# @!attribute [rw] key_id
|
92
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
93
|
-
# canceled.
|
96
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key whose
|
97
|
+
# deletion is canceled.
|
94
98
|
#
|
95
99
|
#
|
96
100
|
#
|
@@ -105,10 +109,10 @@ module Aws::KMS
|
|
105
109
|
include Aws::Structure
|
106
110
|
end
|
107
111
|
|
108
|
-
# The request was rejected because the specified
|
112
|
+
# The request was rejected because the specified CloudHSM cluster is
|
109
113
|
# already associated with a custom key store or it shares a backup
|
110
114
|
# history with a cluster that is associated with a custom key store.
|
111
|
-
# Each custom key store must be associated with a different
|
115
|
+
# Each custom key store must be associated with a different CloudHSM
|
112
116
|
# cluster.
|
113
117
|
#
|
114
118
|
# Clusters that share a backup history have the same cluster
|
@@ -130,8 +134,8 @@ module Aws::KMS
|
|
130
134
|
include Aws::Structure
|
131
135
|
end
|
132
136
|
|
133
|
-
# The request was rejected because the associated
|
134
|
-
#
|
137
|
+
# The request was rejected because the associated CloudHSM cluster did
|
138
|
+
# not meet the configuration requirements for a custom key store.
|
135
139
|
#
|
136
140
|
# * The cluster must be configured with private subnets in at least two
|
137
141
|
# different Availability Zones in the Region.
|
@@ -146,23 +150,20 @@ module Aws::KMS
|
|
146
150
|
# [DescribeSecurityGroups][2] operation.
|
147
151
|
#
|
148
152
|
# * The cluster must contain at least as many HSMs as the operation
|
149
|
-
# requires. To add HSMs, use the
|
150
|
-
# operation.
|
153
|
+
# requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
|
151
154
|
#
|
152
155
|
# For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
|
153
|
-
# operations, the
|
154
|
-
#
|
155
|
-
#
|
156
|
-
# least one active HSM.
|
156
|
+
# operations, the CloudHSM cluster must have at least two active HSMs,
|
157
|
+
# each in a different Availability Zone. For the ConnectCustomKeyStore
|
158
|
+
# operation, the CloudHSM must contain at least one active HSM.
|
157
159
|
#
|
158
|
-
# For information about the requirements for an
|
159
|
-
#
|
160
|
-
# Prerequisites][4] in the *
|
161
|
-
#
|
162
|
-
#
|
163
|
-
#
|
164
|
-
#
|
165
|
-
# </i>.
|
160
|
+
# For information about the requirements for an CloudHSM cluster that is
|
161
|
+
# associated with a custom key store, see [Assemble the
|
162
|
+
# Prerequisites][4] in the *Key Management Service Developer Guide*. For
|
163
|
+
# information about creating a private subnet for an CloudHSM cluster,
|
164
|
+
# see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
|
165
|
+
# information about cluster security groups, see [Configure a Default
|
166
|
+
# Security Group][1] in the <i> <i>CloudHSM User Guide</i> </i>.
|
166
167
|
#
|
167
168
|
#
|
168
169
|
#
|
@@ -183,11 +184,10 @@ module Aws::KMS
|
|
183
184
|
include Aws::Structure
|
184
185
|
end
|
185
186
|
|
186
|
-
# The request was rejected because the
|
187
|
+
# The request was rejected because the CloudHSM cluster that is
|
187
188
|
# associated with the custom key store is not active. Initialize and
|
188
189
|
# activate the cluster and try the command again. For detailed
|
189
|
-
# instructions, see [Getting Started][1] in the *
|
190
|
-
# Guide*.
|
190
|
+
# instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
|
191
191
|
#
|
192
192
|
#
|
193
193
|
#
|
@@ -204,9 +204,9 @@ module Aws::KMS
|
|
204
204
|
include Aws::Structure
|
205
205
|
end
|
206
206
|
|
207
|
-
# The request was rejected because
|
208
|
-
#
|
209
|
-
#
|
207
|
+
# The request was rejected because KMS cannot find the CloudHSM cluster
|
208
|
+
# with the specified cluster ID. Retry the request with a different
|
209
|
+
# cluster ID.
|
210
210
|
#
|
211
211
|
# @!attribute [rw] message
|
212
212
|
# @return [String]
|
@@ -219,9 +219,9 @@ module Aws::KMS
|
|
219
219
|
include Aws::Structure
|
220
220
|
end
|
221
221
|
|
222
|
-
# The request was rejected because the specified
|
223
|
-
#
|
224
|
-
#
|
222
|
+
# The request was rejected because the specified CloudHSM cluster has a
|
223
|
+
# different cluster certificate than the original cluster. You cannot
|
224
|
+
# use the operation to specify an unrelated cluster.
|
225
225
|
#
|
226
226
|
# Specify a cluster that shares a backup history with the original
|
227
227
|
# cluster. This includes clusters that were created from a backup of the
|
@@ -287,8 +287,8 @@ module Aws::KMS
|
|
287
287
|
# The `AliasName` value must be string of 1-256 characters. It can
|
288
288
|
# contain only alphanumeric characters, forward slashes (/),
|
289
289
|
# underscores (\_), and dashes (-). The alias name cannot begin with
|
290
|
-
# `alias/aws/`. The `alias/aws/` prefix is reserved for [
|
291
|
-
#
|
290
|
+
# `alias/aws/`. The `alias/aws/` prefix is reserved for [Amazon Web
|
291
|
+
# Services managed keys][1].
|
292
292
|
#
|
293
293
|
#
|
294
294
|
#
|
@@ -296,16 +296,17 @@ module Aws::KMS
|
|
296
296
|
# @return [String]
|
297
297
|
#
|
298
298
|
# @!attribute [rw] target_key_id
|
299
|
-
# Associates the alias with the specified [customer managed
|
300
|
-
# The
|
299
|
+
# Associates the alias with the specified [customer managed key][1].
|
300
|
+
# The KMS key must be in the same Amazon Web Services Region.
|
301
301
|
#
|
302
|
-
# A valid
|
302
|
+
# A valid key ID is required. If you supply a null or empty string
|
303
303
|
# value, this operation returns an error.
|
304
304
|
#
|
305
305
|
# For help finding the key ID and ARN, see [Finding the Key ID and
|
306
|
-
# ARN][2] in the
|
306
|
+
# ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
|
307
|
+
# </i>.
|
307
308
|
#
|
308
|
-
# Specify the key ID or
|
309
|
+
# Specify the key ID or key ARN of the KMS key.
|
309
310
|
#
|
310
311
|
# For example:
|
311
312
|
#
|
@@ -314,7 +315,7 @@ module Aws::KMS
|
|
314
315
|
# * Key ARN:
|
315
316
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
316
317
|
#
|
317
|
-
# To get the key ID and key ARN for a
|
318
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
318
319
|
# DescribeKey.
|
319
320
|
#
|
320
321
|
#
|
@@ -344,14 +345,14 @@ module Aws::KMS
|
|
344
345
|
#
|
345
346
|
# @!attribute [rw] custom_key_store_name
|
346
347
|
# Specifies a friendly name for the custom key store. The name must be
|
347
|
-
# unique in your
|
348
|
+
# unique in your Amazon Web Services account.
|
348
349
|
# @return [String]
|
349
350
|
#
|
350
351
|
# @!attribute [rw] cloud_hsm_cluster_id
|
351
|
-
# Identifies the
|
352
|
-
#
|
353
|
-
#
|
354
|
-
#
|
352
|
+
# Identifies the CloudHSM cluster for the custom key store. Enter the
|
353
|
+
# cluster ID of any active CloudHSM cluster that is not already
|
354
|
+
# associated with a custom key store. To find the cluster ID, use the
|
355
|
+
# [DescribeClusters][1] operation.
|
355
356
|
#
|
356
357
|
#
|
357
358
|
#
|
@@ -370,14 +371,14 @@ module Aws::KMS
|
|
370
371
|
#
|
371
372
|
# @!attribute [rw] key_store_password
|
372
373
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1]
|
373
|
-
# in the specified
|
374
|
-
#
|
374
|
+
# in the specified CloudHSM cluster. KMS logs into the cluster as this
|
375
|
+
# user to manage key material on your behalf.
|
375
376
|
#
|
376
377
|
# The password must be a string of 7 to 32 characters. Its value is
|
377
378
|
# case sensitive.
|
378
379
|
#
|
379
|
-
# This parameter tells
|
380
|
-
#
|
380
|
+
# This parameter tells KMS the `kmsuser` account password; it does not
|
381
|
+
# change the password in the CloudHSM cluster.
|
381
382
|
#
|
382
383
|
#
|
383
384
|
#
|
@@ -428,11 +429,12 @@ module Aws::KMS
|
|
428
429
|
# }
|
429
430
|
#
|
430
431
|
# @!attribute [rw] key_id
|
431
|
-
#
|
432
|
-
#
|
432
|
+
# Identifies the KMS key for the grant. The grant gives principals
|
433
|
+
# permission to use this KMS key.
|
433
434
|
#
|
434
|
-
# Specify the key ID or
|
435
|
-
#
|
435
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
436
|
+
# in a different Amazon Web Services account, you must use the key
|
437
|
+
# ARN.
|
436
438
|
#
|
437
439
|
# For example:
|
438
440
|
#
|
@@ -441,20 +443,20 @@ module Aws::KMS
|
|
441
443
|
# * Key ARN:
|
442
444
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
443
445
|
#
|
444
|
-
# To get the key ID and key ARN for a
|
446
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
445
447
|
# DescribeKey.
|
446
448
|
# @return [String]
|
447
449
|
#
|
448
450
|
# @!attribute [rw] grantee_principal
|
449
|
-
# The
|
450
|
-
# that the grant permits.
|
451
|
+
# The identity that gets the permissions specified in the grant.
|
451
452
|
#
|
452
453
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
453
|
-
# an
|
454
|
-
#
|
455
|
-
#
|
456
|
-
#
|
457
|
-
#
|
454
|
+
# an Amazon Web Services principal. Valid Amazon Web Services
|
455
|
+
# principals include Amazon Web Services accounts (root), IAM users,
|
456
|
+
# IAM roles, federated users, and assumed role users. For examples of
|
457
|
+
# the ARN syntax to use for specifying a principal, see [Amazon Web
|
458
|
+
# Services Identity and Access Management (IAM)][2] in the Example
|
459
|
+
# ARNs section of the *Amazon Web Services General Reference*.
|
458
460
|
#
|
459
461
|
#
|
460
462
|
#
|
@@ -463,53 +465,85 @@ module Aws::KMS
|
|
463
465
|
# @return [String]
|
464
466
|
#
|
465
467
|
# @!attribute [rw] retiring_principal
|
466
|
-
# The principal that
|
467
|
-
#
|
468
|
+
# The principal that has permission to use the RetireGrant operation
|
469
|
+
# to retire the grant.
|
468
470
|
#
|
469
471
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
470
|
-
# an
|
471
|
-
#
|
472
|
-
#
|
473
|
-
#
|
474
|
-
#
|
472
|
+
# an Amazon Web Services principal. Valid Amazon Web Services
|
473
|
+
# principals include Amazon Web Services accounts (root), IAM users,
|
474
|
+
# federated users, and assumed role users. For examples of the ARN
|
475
|
+
# syntax to use for specifying a principal, see [Amazon Web Services
|
476
|
+
# Identity and Access Management (IAM)][2] in the Example ARNs section
|
477
|
+
# of the *Amazon Web Services General Reference*.
|
478
|
+
#
|
479
|
+
# The grant determines the retiring principal. Other principals might
|
480
|
+
# have permission to retire the grant or revoke the grant. For
|
481
|
+
# details, see RevokeGrant and [Retiring and revoking grants][3] in
|
482
|
+
# the *Key Management Service Developer Guide*.
|
475
483
|
#
|
476
484
|
#
|
477
485
|
#
|
478
486
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
479
487
|
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
|
488
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
480
489
|
# @return [String]
|
481
490
|
#
|
482
491
|
# @!attribute [rw] operations
|
483
492
|
# A list of operations that the grant permits.
|
493
|
+
#
|
494
|
+
# The operation must be supported on the KMS key. For example, you
|
495
|
+
# cannot create a grant for a symmetric KMS key that allows the Sign
|
496
|
+
# operation, or a grant for an asymmetric KMS key that allows the
|
497
|
+
# GenerateDataKey operation. If you try, KMS returns a
|
498
|
+
# `ValidationError` exception. For details, see [Grant operations][1]
|
499
|
+
# in the *Key Management Service Developer Guide*.
|
500
|
+
#
|
501
|
+
#
|
502
|
+
#
|
503
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
484
504
|
# @return [Array<String>]
|
485
505
|
#
|
486
506
|
# @!attribute [rw] constraints
|
487
|
-
#
|
488
|
-
# context matches or includes the encryption context specified in this
|
489
|
-
# structure. For more information about encryption context, see
|
490
|
-
# [Encryption Context][2] in the <i> <i>AWS Key Management Service
|
491
|
-
# Developer Guide</i> </i>.
|
507
|
+
# Specifies a grant constraint.
|
492
508
|
#
|
493
|
-
#
|
494
|
-
#
|
495
|
-
#
|
496
|
-
#
|
509
|
+
# KMS supports the `EncryptionContextEquals` and
|
510
|
+
# `EncryptionContextSubset` grant constraints. Each constraint value
|
511
|
+
# can include up to 8 encryption context pairs. The encryption context
|
512
|
+
# value in each constraint cannot exceed 384 characters.
|
497
513
|
#
|
514
|
+
# These grant constraints allow the permissions in the grant only when
|
515
|
+
# the encryption context in the request matches
|
516
|
+
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
517
|
+
# the encryption context specified in this structure. For information
|
518
|
+
# about grant constraints, see [Using grant constraints][1] in the
|
519
|
+
# *Key Management Service Developer Guide*. For more information about
|
520
|
+
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
521
|
+
# Management Service Developer Guide</i> </i>.
|
498
522
|
#
|
523
|
+
# The encryption context grant constraints are supported only on
|
524
|
+
# operations that include an encryption context. You cannot use an
|
525
|
+
# encryption context grant constraint for cryptographic operations
|
526
|
+
# with asymmetric KMS keys or for management operations, such as
|
527
|
+
# DescribeKey or RetireGrant.
|
499
528
|
#
|
500
|
-
#
|
529
|
+
#
|
530
|
+
#
|
531
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
501
532
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
502
533
|
# @return [Types::GrantConstraints]
|
503
534
|
#
|
504
535
|
# @!attribute [rw] grant_tokens
|
505
536
|
# A list of grant tokens.
|
506
537
|
#
|
507
|
-
#
|
508
|
-
#
|
538
|
+
# Use a grant token when your permission to call this operation comes
|
539
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
540
|
+
# For more information, see [Grant token][1] and [Using a grant
|
541
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
509
542
|
#
|
510
543
|
#
|
511
544
|
#
|
512
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
545
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
546
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
513
547
|
# @return [Array<String>]
|
514
548
|
#
|
515
549
|
# @!attribute [rw] name
|
@@ -546,12 +580,15 @@ module Aws::KMS
|
|
546
580
|
# @!attribute [rw] grant_token
|
547
581
|
# The grant token.
|
548
582
|
#
|
549
|
-
#
|
550
|
-
#
|
583
|
+
# Use a grant token when your permission to call this operation comes
|
584
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
585
|
+
# For more information, see [Grant token][1] and [Using a grant
|
586
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
551
587
|
#
|
552
588
|
#
|
553
589
|
#
|
554
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
590
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
591
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
555
592
|
# @return [String]
|
556
593
|
#
|
557
594
|
# @!attribute [rw] grant_id
|
@@ -578,6 +615,7 @@ module Aws::KMS
|
|
578
615
|
# description: "DescriptionType",
|
579
616
|
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
580
617
|
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
618
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
581
619
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
582
620
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
583
621
|
# bypass_policy_lockout_safety_check: false,
|
@@ -587,39 +625,41 @@ module Aws::KMS
|
|
587
625
|
# tag_value: "TagValueType", # required
|
588
626
|
# },
|
589
627
|
# ],
|
628
|
+
# multi_region: false,
|
590
629
|
# }
|
591
630
|
#
|
592
631
|
# @!attribute [rw] policy
|
593
|
-
# The key policy to attach to the
|
632
|
+
# The key policy to attach to the KMS key.
|
594
633
|
#
|
595
634
|
# If you provide a key policy, it must meet the following criteria:
|
596
635
|
#
|
597
636
|
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
598
637
|
# key policy must allow the principal that is making the `CreateKey`
|
599
|
-
# request to make a subsequent PutKeyPolicy request on the
|
600
|
-
# reduces the risk that the
|
601
|
-
# information, refer to the scenario in the [Default Key
|
602
|
-
# section of the <i> <i>
|
638
|
+
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
639
|
+
# This reduces the risk that the KMS key becomes unmanageable. For
|
640
|
+
# more information, refer to the scenario in the [Default Key
|
641
|
+
# Policy][1] section of the <i> <i>Key Management Service Developer
|
603
642
|
# Guide</i> </i>.
|
604
643
|
#
|
605
644
|
# * Each statement in the key policy must contain one or more
|
606
645
|
# principals. The principals in the key policy must exist and be
|
607
|
-
# visible to
|
608
|
-
# example, an IAM user or role), you might need to
|
609
|
-
# before including the new principal in a key policy
|
610
|
-
# principal might not be immediately visible to
|
611
|
-
# information, see [Changes that I make are not always
|
612
|
-
# visible][2] in the *
|
613
|
-
# Guide*.
|
614
|
-
#
|
615
|
-
# If you do not provide a key policy,
|
616
|
-
# policy to the
|
617
|
-
# in the *
|
646
|
+
# visible to KMS. When you create a new Amazon Web Services
|
647
|
+
# principal (for example, an IAM user or role), you might need to
|
648
|
+
# enforce a delay before including the new principal in a key policy
|
649
|
+
# because the new principal might not be immediately visible to KMS.
|
650
|
+
# For more information, see [Changes that I make are not always
|
651
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
652
|
+
# Access Management User Guide*.
|
653
|
+
#
|
654
|
+
# If you do not provide a key policy, KMS attaches a default key
|
655
|
+
# policy to the KMS key. For more information, see [Default Key
|
656
|
+
# Policy][3] in the *Key Management Service Developer Guide*.
|
618
657
|
#
|
619
658
|
# The key policy size quota is 32 kilobytes (32768 bytes).
|
620
659
|
#
|
621
660
|
# For help writing and formatting a JSON policy document, see the [IAM
|
622
|
-
# JSON Policy Reference][4] in the <i> <i>
|
661
|
+
# JSON Policy Reference][4] in the <i> <i>Identity and Access
|
662
|
+
# Management User Guide</i> </i>.
|
623
663
|
#
|
624
664
|
#
|
625
665
|
#
|
@@ -630,27 +670,32 @@ module Aws::KMS
|
|
630
670
|
# @return [String]
|
631
671
|
#
|
632
672
|
# @!attribute [rw] description
|
633
|
-
# A description of the
|
673
|
+
# A description of the KMS key.
|
674
|
+
#
|
675
|
+
# Use a description that helps you decide whether the KMS key is
|
676
|
+
# appropriate for a task. The default value is an empty string (no
|
677
|
+
# description).
|
634
678
|
#
|
635
|
-
#
|
636
|
-
#
|
679
|
+
# To set or change the description after the key is created, use
|
680
|
+
# UpdateKeyDescription.
|
637
681
|
# @return [String]
|
638
682
|
#
|
639
683
|
# @!attribute [rw] key_usage
|
640
684
|
# Determines the [cryptographic operations][1] for which you can use
|
641
|
-
# the
|
642
|
-
# required only for asymmetric
|
643
|
-
# value after the
|
685
|
+
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
686
|
+
# is required only for asymmetric KMS keys. You can't change the
|
687
|
+
# `KeyUsage` value after the KMS key is created.
|
644
688
|
#
|
645
689
|
# Select only one valid value.
|
646
690
|
#
|
647
|
-
# * For symmetric
|
691
|
+
# * For symmetric KMS keys, omit the parameter or specify
|
648
692
|
# `ENCRYPT_DECRYPT`.
|
649
693
|
#
|
650
|
-
# * For asymmetric
|
694
|
+
# * For asymmetric KMS keys with RSA key material, specify
|
651
695
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
652
696
|
#
|
653
|
-
# * For asymmetric
|
697
|
+
# * For asymmetric KMS keys with ECC key material, specify
|
698
|
+
# `SIGN_VERIFY`.
|
654
699
|
#
|
655
700
|
#
|
656
701
|
#
|
@@ -658,28 +703,38 @@ module Aws::KMS
|
|
658
703
|
# @return [String]
|
659
704
|
#
|
660
705
|
# @!attribute [rw] customer_master_key_spec
|
661
|
-
#
|
662
|
-
# `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
|
663
|
-
# encryption and decryption. For help choosing a key spec for your
|
664
|
-
# CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
|
665
|
-
# Management Service Developer Guide*.
|
706
|
+
# Instead, use the `KeySpec` parameter.
|
666
707
|
#
|
667
|
-
# The `CustomerMasterKeySpec`
|
668
|
-
#
|
669
|
-
#
|
670
|
-
#
|
671
|
-
#
|
672
|
-
# the CMK, use a condition key in its key policy or IAM policy. For
|
673
|
-
# more information, see [kms:EncryptionAlgorithm][2] or [kms:Signing
|
674
|
-
# Algorithm][3] in the *AWS Key Management Service Developer Guide*.
|
675
|
-
#
|
676
|
-
# [AWS services that are integrated with AWS KMS][4] use symmetric
|
677
|
-
# CMKs to protect your data. These services do not support asymmetric
|
678
|
-
# CMKs. For help determining whether a CMK is symmetric or asymmetric,
|
679
|
-
# see [Identifying Symmetric and Asymmetric CMKs][5] in the *AWS Key
|
680
|
-
# Management Service Developer Guide*.
|
708
|
+
# The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
|
709
|
+
# way. Only the names differ. We recommend that you use `KeySpec`
|
710
|
+
# parameter in your code. However, to avoid breaking changes, KMS will
|
711
|
+
# support both parameters.
|
712
|
+
# @return [String]
|
681
713
|
#
|
682
|
-
#
|
714
|
+
# @!attribute [rw] key_spec
|
715
|
+
# Specifies the type of KMS key to create. The default value,
|
716
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
|
717
|
+
# for encryption and decryption. For help choosing a key spec for your
|
718
|
+
# KMS key, see [How to Choose Your KMS key Configuration][1] in the
|
719
|
+
# <i> <i>Key Management Service Developer Guide</i> </i>.
|
720
|
+
#
|
721
|
+
# The `KeySpec` determines whether the KMS key contains a symmetric
|
722
|
+
# key or an asymmetric key pair. It also determines the encryption
|
723
|
+
# algorithms or signing algorithms that the KMS key supports. You
|
724
|
+
# can't change the `KeySpec` after the KMS key is created. To further
|
725
|
+
# restrict the algorithms that can be used with the KMS key, use a
|
726
|
+
# condition key in its key policy or IAM policy. For more information,
|
727
|
+
# see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
|
728
|
+
# the <i> <i>Key Management Service Developer Guide</i> </i>.
|
729
|
+
#
|
730
|
+
# [Amazon Web Services services that are integrated with KMS][4] use
|
731
|
+
# symmetric KMS keys to protect your data. These services do not
|
732
|
+
# support asymmetric KMS keys. For help determining whether a KMS key
|
733
|
+
# is symmetric or asymmetric, see [Identifying Symmetric and
|
734
|
+
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
735
|
+
# Guide*.
|
736
|
+
#
|
737
|
+
# KMS supports the following key specs for KMS keys:
|
683
738
|
#
|
684
739
|
# * Symmetric key (default)
|
685
740
|
#
|
@@ -720,22 +775,21 @@ module Aws::KMS
|
|
720
775
|
# @return [String]
|
721
776
|
#
|
722
777
|
# @!attribute [rw] origin
|
723
|
-
# The source of the key material for the
|
724
|
-
# origin after you create the
|
725
|
-
# means
|
778
|
+
# The source of the key material for the KMS key. You cannot change
|
779
|
+
# the origin after you create the KMS key. The default is `AWS_KMS`,
|
780
|
+
# which means that KMS creates the key material.
|
726
781
|
#
|
727
|
-
#
|
728
|
-
#
|
729
|
-
#
|
730
|
-
#
|
731
|
-
#
|
732
|
-
# valid only for symmetric CMKs.
|
782
|
+
# To create a KMS key with no key material (for imported key
|
783
|
+
# material), set the value to `EXTERNAL`. For more information about
|
784
|
+
# importing key material into KMS, see [Importing Key Material][1] in
|
785
|
+
# the *Key Management Service Developer Guide*. This value is valid
|
786
|
+
# only for symmetric KMS keys.
|
733
787
|
#
|
734
|
-
#
|
735
|
-
#
|
736
|
-
#
|
737
|
-
#
|
738
|
-
#
|
788
|
+
# To create a KMS key in an KMS [custom key store][2] and create its
|
789
|
+
# key material in the associated CloudHSM cluster, set this value to
|
790
|
+
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
791
|
+
# to identify the custom key store. This value is valid only for
|
792
|
+
# symmetric KMS keys.
|
739
793
|
#
|
740
794
|
#
|
741
795
|
#
|
@@ -744,26 +798,26 @@ module Aws::KMS
|
|
744
798
|
# @return [String]
|
745
799
|
#
|
746
800
|
# @!attribute [rw] custom_key_store_id
|
747
|
-
# Creates the
|
748
|
-
# material in its associated
|
749
|
-
# a custom key store, you must also specify the `Origin` parameter
|
750
|
-
# with a value of `AWS_CLOUDHSM`. The
|
801
|
+
# Creates the KMS key in the specified [custom key store][1] and the
|
802
|
+
# key material in its associated CloudHSM cluster. To create a KMS key
|
803
|
+
# in a custom key store, you must also specify the `Origin` parameter
|
804
|
+
# with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
|
751
805
|
# associated with the custom key store must have at least two active
|
752
806
|
# HSMs, each in a different Availability Zone in the Region.
|
753
807
|
#
|
754
|
-
# This parameter is valid only for symmetric
|
755
|
-
# an asymmetric
|
808
|
+
# This parameter is valid only for symmetric KMS keys and regional KMS
|
809
|
+
# keys. You cannot create an asymmetric KMS key or a multi-Region key
|
810
|
+
# in a custom key store.
|
756
811
|
#
|
757
812
|
# To find the ID of a custom key store, use the
|
758
813
|
# DescribeCustomKeyStores operation.
|
759
814
|
#
|
760
|
-
# The response includes the custom key store ID and the ID of the
|
815
|
+
# The response includes the custom key store ID and the ID of the
|
761
816
|
# CloudHSM cluster.
|
762
817
|
#
|
763
818
|
# This operation is part of the [Custom Key Store feature][1] feature
|
764
|
-
# in
|
765
|
-
#
|
766
|
-
# store.
|
819
|
+
# in KMS, which combines the convenience and extensive integration of
|
820
|
+
# KMS with the isolation and control of a single-tenant key store.
|
767
821
|
#
|
768
822
|
#
|
769
823
|
#
|
@@ -774,16 +828,17 @@ module Aws::KMS
|
|
774
828
|
# A flag to indicate whether to bypass the key policy lockout safety
|
775
829
|
# check.
|
776
830
|
#
|
777
|
-
# Setting this value to true increases the risk that the
|
778
|
-
# unmanageable. Do not set this value to true
|
831
|
+
# Setting this value to true increases the risk that the KMS key
|
832
|
+
# becomes unmanageable. Do not set this value to true
|
833
|
+
# indiscriminately.
|
779
834
|
#
|
780
835
|
# For more information, refer to the scenario in the [Default Key
|
781
|
-
# Policy][1] section in the <i> <i>
|
782
|
-
#
|
836
|
+
# Policy][1] section in the <i> <i>Key Management Service Developer
|
837
|
+
# Guide</i> </i>.
|
783
838
|
#
|
784
839
|
# Use this parameter only when you include a policy in the request and
|
785
840
|
# you intend to prevent the principal that is making the request from
|
786
|
-
# making a subsequent PutKeyPolicy request on the
|
841
|
+
# making a subsequent PutKeyPolicy request on the KMS key.
|
787
842
|
#
|
788
843
|
# The default value is false.
|
789
844
|
#
|
@@ -793,27 +848,68 @@ module Aws::KMS
|
|
793
848
|
# @return [Boolean]
|
794
849
|
#
|
795
850
|
# @!attribute [rw] tags
|
796
|
-
#
|
797
|
-
#
|
798
|
-
#
|
851
|
+
# Assigns one or more tags to the KMS key. Use this parameter to tag
|
852
|
+
# the KMS key when it is created. To tag an existing KMS key, use the
|
853
|
+
# TagResource operation.
|
799
854
|
#
|
800
|
-
#
|
801
|
-
#
|
802
|
-
#
|
803
|
-
# CMKs, see [Tagging Keys][1].
|
855
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
856
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
857
|
+
# Management Service Developer Guide*.
|
804
858
|
#
|
805
|
-
#
|
806
|
-
# an existing CMK, use the TagResource operation.
|
859
|
+
# </note>
|
807
860
|
#
|
808
861
|
# To use this parameter, you must have [kms:TagResource][2] permission
|
809
862
|
# in an IAM policy.
|
810
863
|
#
|
864
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
865
|
+
# the tag value are required, but the tag value can be an empty (null)
|
866
|
+
# string. You cannot have more than one tag on a KMS key with the same
|
867
|
+
# tag key. If you specify an existing tag key with a different tag
|
868
|
+
# value, KMS replaces the current tag value with the specified one.
|
811
869
|
#
|
870
|
+
# When you add tags to an Amazon Web Services resource, Amazon Web
|
871
|
+
# Services generates a cost allocation report with usage and costs
|
872
|
+
# aggregated by tags. Tags can also be used to control access to a KMS
|
873
|
+
# key. For details, see [Tagging Keys][3].
|
812
874
|
#
|
813
|
-
#
|
875
|
+
#
|
876
|
+
#
|
877
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
814
878
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
879
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
815
880
|
# @return [Array<Types::Tag>]
|
816
881
|
#
|
882
|
+
# @!attribute [rw] multi_region
|
883
|
+
# Creates a multi-Region primary key that you can replicate into other
|
884
|
+
# Amazon Web Services Regions. You cannot change this value after you
|
885
|
+
# create the KMS key.
|
886
|
+
#
|
887
|
+
# For a multi-Region key, set this parameter to `True`. For a
|
888
|
+
# single-Region KMS key, omit this parameter or set it to `False`. The
|
889
|
+
# default value is `False`.
|
890
|
+
#
|
891
|
+
# This operation supports *multi-Region keys*, an KMS feature that
|
892
|
+
# lets you create multiple interoperable KMS keys in different Amazon
|
893
|
+
# Web Services Regions. Because these KMS keys have the same key ID,
|
894
|
+
# key material, and other metadata, you can use them interchangeably
|
895
|
+
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
896
|
+
# a different Amazon Web Services Region without re-encrypting the
|
897
|
+
# data or making a cross-Region call. For more information about
|
898
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *Key
|
899
|
+
# Management Service Developer Guide*.
|
900
|
+
#
|
901
|
+
# This value creates a *primary key*, not a replica. To create a
|
902
|
+
# *replica key*, use the ReplicateKey operation.
|
903
|
+
#
|
904
|
+
# You can create a symmetric or asymmetric multi-Region key, and you
|
905
|
+
# can create a multi-Region key with imported key material. However,
|
906
|
+
# you cannot create a multi-Region key in a custom key store.
|
907
|
+
#
|
908
|
+
#
|
909
|
+
#
|
910
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
911
|
+
# @return [Boolean]
|
912
|
+
#
|
817
913
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
818
914
|
#
|
819
915
|
class CreateKeyRequest < Struct.new(
|
@@ -821,16 +917,18 @@ module Aws::KMS
|
|
821
917
|
:description,
|
822
918
|
:key_usage,
|
823
919
|
:customer_master_key_spec,
|
920
|
+
:key_spec,
|
824
921
|
:origin,
|
825
922
|
:custom_key_store_id,
|
826
923
|
:bypass_policy_lockout_safety_check,
|
827
|
-
:tags
|
924
|
+
:tags,
|
925
|
+
:multi_region)
|
828
926
|
SENSITIVE = []
|
829
927
|
include Aws::Structure
|
830
928
|
end
|
831
929
|
|
832
930
|
# @!attribute [rw] key_metadata
|
833
|
-
# Metadata associated with the
|
931
|
+
# Metadata associated with the KMS key.
|
834
932
|
# @return [Types::KeyMetadata]
|
835
933
|
#
|
836
934
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyResponse AWS API Documentation
|
@@ -841,10 +939,10 @@ module Aws::KMS
|
|
841
939
|
include Aws::Structure
|
842
940
|
end
|
843
941
|
|
844
|
-
# The request was rejected because the custom key store contains
|
845
|
-
#
|
846
|
-
#
|
847
|
-
#
|
942
|
+
# The request was rejected because the custom key store contains KMS
|
943
|
+
# keys. After verifying that you do not need to use the KMS keys, use
|
944
|
+
# the ScheduleKeyDeletion operation to delete the KMS keys. After they
|
945
|
+
# are deleted, you can delete the custom key store.
|
848
946
|
#
|
849
947
|
# @!attribute [rw] message
|
850
948
|
# @return [String]
|
@@ -902,8 +1000,8 @@ module Aws::KMS
|
|
902
1000
|
include Aws::Structure
|
903
1001
|
end
|
904
1002
|
|
905
|
-
# The request was rejected because
|
906
|
-
#
|
1003
|
+
# The request was rejected because KMS cannot find a custom key store
|
1004
|
+
# with the specified key store name or ID.
|
907
1005
|
#
|
908
1006
|
# @!attribute [rw] message
|
909
1007
|
# @return [String]
|
@@ -928,12 +1026,12 @@ module Aws::KMS
|
|
928
1026
|
# @return [String]
|
929
1027
|
#
|
930
1028
|
# @!attribute [rw] cloud_hsm_cluster_id
|
931
|
-
# A unique identifier for the
|
932
|
-
#
|
1029
|
+
# A unique identifier for the CloudHSM cluster that is associated with
|
1030
|
+
# the custom key store.
|
933
1031
|
# @return [String]
|
934
1032
|
#
|
935
1033
|
# @!attribute [rw] trust_anchor_certificate
|
936
|
-
# The trust anchor certificate of the associated
|
1034
|
+
# The trust anchor certificate of the associated CloudHSM cluster.
|
937
1035
|
# When you [initialize the cluster][1], you create this certificate
|
938
1036
|
# and save it in the `customerCA.crt` file.
|
939
1037
|
#
|
@@ -943,22 +1041,22 @@ module Aws::KMS
|
|
943
1041
|
# @return [String]
|
944
1042
|
#
|
945
1043
|
# @!attribute [rw] connection_state
|
946
|
-
# Indicates whether the custom key store is connected to its
|
947
|
-
#
|
1044
|
+
# Indicates whether the custom key store is connected to its CloudHSM
|
1045
|
+
# cluster.
|
948
1046
|
#
|
949
|
-
# You can create and use
|
950
|
-
# connection state is `CONNECTED`.
|
1047
|
+
# You can create and use KMS keys in your custom key stores only when
|
1048
|
+
# its connection state is `CONNECTED`.
|
951
1049
|
#
|
952
1050
|
# The value is `DISCONNECTED` if the key store has never been
|
953
1051
|
# connected or you use the DisconnectCustomKeyStore operation to
|
954
1052
|
# disconnect it. If the value is `CONNECTED` but you are having
|
955
1053
|
# trouble using the custom key store, make sure that its associated
|
956
|
-
#
|
1054
|
+
# CloudHSM cluster is active and contains at least one active HSM.
|
957
1055
|
#
|
958
1056
|
# A value of `FAILED` indicates that an attempt to connect was
|
959
1057
|
# unsuccessful. The `ConnectionErrorCode` field in the response
|
960
1058
|
# indicates the cause of the failure. For help resolving a connection
|
961
|
-
# failure, see [Troubleshooting a Custom Key Store][1] in the *
|
1059
|
+
# failure, see [Troubleshooting a Custom Key Store][1] in the *Key
|
962
1060
|
# Management Service Developer Guide*.
|
963
1061
|
#
|
964
1062
|
#
|
@@ -969,64 +1067,64 @@ module Aws::KMS
|
|
969
1067
|
# @!attribute [rw] connection_error_code
|
970
1068
|
# Describes the connection error. This field appears in the response
|
971
1069
|
# only when the `ConnectionState` is `FAILED`. For help resolving
|
972
|
-
# these errors, see [How to Fix a Connection Failure][1] in *
|
1070
|
+
# these errors, see [How to Fix a Connection Failure][1] in *Key
|
973
1071
|
# Management Service Developer Guide*.
|
974
1072
|
#
|
975
1073
|
# Valid values are:
|
976
1074
|
#
|
977
|
-
# * `CLUSTER_NOT_FOUND` -
|
978
|
-
#
|
1075
|
+
# * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
|
1076
|
+
# the specified cluster ID.
|
979
1077
|
#
|
980
|
-
# * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated
|
1078
|
+
# * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
|
981
1079
|
# does not contain any active HSMs. To connect a custom key store to
|
982
|
-
# its
|
983
|
-
#
|
1080
|
+
# its CloudHSM cluster, the cluster must contain at least one active
|
1081
|
+
# HSM.
|
984
1082
|
#
|
985
|
-
# * `INTERNAL_ERROR` -
|
986
|
-
#
|
1083
|
+
# * `INTERNAL_ERROR` - KMS could not complete the request due to an
|
1084
|
+
# internal error. Retry the request. For `ConnectCustomKeyStore`
|
987
1085
|
# requests, disconnect the custom key store before trying to connect
|
988
1086
|
# again.
|
989
1087
|
#
|
990
|
-
# * `INVALID_CREDENTIALS` -
|
991
|
-
#
|
992
|
-
#
|
993
|
-
#
|
994
|
-
#
|
1088
|
+
# * `INVALID_CREDENTIALS` - KMS does not have the correct password for
|
1089
|
+
# the `kmsuser` crypto user in the CloudHSM cluster. Before you can
|
1090
|
+
# connect your custom key store to its CloudHSM cluster, you must
|
1091
|
+
# change the `kmsuser` account password and update the key store
|
1092
|
+
# password value for the custom key store.
|
995
1093
|
#
|
996
|
-
# * `NETWORK_ERRORS` - Network errors are preventing
|
1094
|
+
# * `NETWORK_ERRORS` - Network errors are preventing KMS from
|
997
1095
|
# connecting to the custom key store.
|
998
1096
|
#
|
999
|
-
# * `SUBNET_NOT_FOUND` - A subnet in the
|
1000
|
-
# configuration was deleted. If
|
1001
|
-
#
|
1002
|
-
#
|
1003
|
-
#
|
1004
|
-
#
|
1005
|
-
#
|
1006
|
-
#
|
1007
|
-
#
|
1097
|
+
# * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
|
1098
|
+
# configuration was deleted. If KMS cannot find all of the subnets
|
1099
|
+
# in the cluster configuration, attempts to connect the custom key
|
1100
|
+
# store to the CloudHSM cluster fail. To fix this error, create a
|
1101
|
+
# cluster from a recent backup and associate it with your custom key
|
1102
|
+
# store. (This process creates a new cluster configuration with a
|
1103
|
+
# VPC and private subnets.) For details, see [How to Fix a
|
1104
|
+
# Connection Failure][1] in the *Key Management Service Developer
|
1105
|
+
# Guide*.
|
1008
1106
|
#
|
1009
1107
|
# * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
|
1010
|
-
# associated
|
1011
|
-
# attempts. Before you can connect your custom key store to its
|
1108
|
+
# associated CloudHSM cluster due to too many failed password
|
1109
|
+
# attempts. Before you can connect your custom key store to its
|
1012
1110
|
# CloudHSM cluster, you must change the `kmsuser` account password
|
1013
1111
|
# and update the key store password value for the custom key store.
|
1014
1112
|
#
|
1015
1113
|
# * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
|
1016
|
-
# associated
|
1017
|
-
#
|
1018
|
-
#
|
1019
|
-
#
|
1020
|
-
#
|
1021
|
-
#
|
1022
|
-
#
|
1023
|
-
#
|
1024
|
-
#
|
1025
|
-
# * `USER_NOT_FOUND` -
|
1026
|
-
#
|
1027
|
-
#
|
1028
|
-
#
|
1029
|
-
#
|
1114
|
+
# associated CloudHSM cluster. This prevents KMS from rotating the
|
1115
|
+
# `kmsuser` account password and logging into the cluster. Before
|
1116
|
+
# you can connect your custom key store to its CloudHSM cluster, you
|
1117
|
+
# must log the `kmsuser` CU out of the cluster. If you changed the
|
1118
|
+
# `kmsuser` password to log into the cluster, you must also and
|
1119
|
+
# update the key store password value for the custom key store. For
|
1120
|
+
# help, see [How to Log Out and Reconnect][2] in the *Key Management
|
1121
|
+
# Service Developer Guide*.
|
1122
|
+
#
|
1123
|
+
# * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
|
1124
|
+
# associated CloudHSM cluster. Before you can connect your custom
|
1125
|
+
# key store to its CloudHSM cluster, you must create a `kmsuser` CU
|
1126
|
+
# account in the cluster, and then update the key store password
|
1127
|
+
# value for the custom key store.
|
1030
1128
|
#
|
1031
1129
|
#
|
1032
1130
|
#
|
@@ -1072,17 +1170,17 @@ module Aws::KMS
|
|
1072
1170
|
# @!attribute [rw] encryption_context
|
1073
1171
|
# Specifies the encryption context to use when decrypting the data. An
|
1074
1172
|
# encryption context is valid only for [cryptographic operations][1]
|
1075
|
-
# with a symmetric
|
1076
|
-
# that
|
1173
|
+
# with a symmetric KMS key. The standard asymmetric encryption
|
1174
|
+
# algorithms that KMS uses do not support an encryption context.
|
1077
1175
|
#
|
1078
1176
|
# An *encryption context* is a collection of non-secret key-value
|
1079
1177
|
# pairs that represents additional authenticated data. When you use an
|
1080
1178
|
# encryption context to encrypt data, you must specify the same (an
|
1081
1179
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1082
1180
|
# An encryption context is optional when encrypting with a symmetric
|
1083
|
-
#
|
1181
|
+
# KMS key, but it is highly recommended.
|
1084
1182
|
#
|
1085
|
-
# For more information, see [Encryption Context][2] in the *
|
1183
|
+
# For more information, see [Encryption Context][2] in the *Key
|
1086
1184
|
# Management Service Developer Guide*.
|
1087
1185
|
#
|
1088
1186
|
#
|
@@ -1094,29 +1192,32 @@ module Aws::KMS
|
|
1094
1192
|
# @!attribute [rw] grant_tokens
|
1095
1193
|
# A list of grant tokens.
|
1096
1194
|
#
|
1097
|
-
#
|
1098
|
-
#
|
1195
|
+
# Use a grant token when your permission to call this operation comes
|
1196
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1197
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1198
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1099
1199
|
#
|
1100
1200
|
#
|
1101
1201
|
#
|
1102
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1202
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1203
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1103
1204
|
# @return [Array<String>]
|
1104
1205
|
#
|
1105
1206
|
# @!attribute [rw] key_id
|
1106
|
-
# Specifies the
|
1107
|
-
#
|
1108
|
-
# the ciphertext.
|
1207
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
|
1208
|
+
# a key ID of the KMS key that was used to encrypt the ciphertext.
|
1109
1209
|
#
|
1110
1210
|
# This parameter is required only when the ciphertext was encrypted
|
1111
|
-
# under an asymmetric
|
1112
|
-
# get the
|
1113
|
-
# blob. However, it is always recommended as a best
|
1114
|
-
# practice ensures that you use the
|
1211
|
+
# under an asymmetric KMS key. If you used a symmetric KMS key, KMS
|
1212
|
+
# can get the KMS key from metadata that it adds to the symmetric
|
1213
|
+
# ciphertext blob. However, it is always recommended as a best
|
1214
|
+
# practice. This practice ensures that you use the KMS key that you
|
1215
|
+
# intend.
|
1115
1216
|
#
|
1116
|
-
# To specify a
|
1117
|
-
#
|
1118
|
-
#
|
1119
|
-
#
|
1217
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1218
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1219
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1220
|
+
# the key ARN or alias ARN.
|
1120
1221
|
#
|
1121
1222
|
# For example:
|
1122
1223
|
#
|
@@ -1129,7 +1230,7 @@ module Aws::KMS
|
|
1129
1230
|
#
|
1130
1231
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1131
1232
|
#
|
1132
|
-
# To get the key ID and key ARN for a
|
1233
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1133
1234
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1134
1235
|
# @return [String]
|
1135
1236
|
#
|
@@ -1140,9 +1241,9 @@ module Aws::KMS
|
|
1140
1241
|
# fails.
|
1141
1242
|
#
|
1142
1243
|
# This parameter is required only when the ciphertext was encrypted
|
1143
|
-
# under an asymmetric
|
1244
|
+
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
1144
1245
|
# represents the only supported algorithm that is valid for symmetric
|
1145
|
-
#
|
1246
|
+
# KMS keys.
|
1146
1247
|
# @return [String]
|
1147
1248
|
#
|
1148
1249
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
@@ -1158,8 +1259,8 @@ module Aws::KMS
|
|
1158
1259
|
end
|
1159
1260
|
|
1160
1261
|
# @!attribute [rw] key_id
|
1161
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1162
|
-
# decrypt the ciphertext.
|
1262
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
1263
|
+
# to decrypt the ciphertext.
|
1163
1264
|
#
|
1164
1265
|
#
|
1165
1266
|
#
|
@@ -1167,8 +1268,9 @@ module Aws::KMS
|
|
1167
1268
|
# @return [String]
|
1168
1269
|
#
|
1169
1270
|
# @!attribute [rw] plaintext
|
1170
|
-
# Decrypted plaintext data. When you use the HTTP API or the
|
1171
|
-
# the value is Base64-encoded. Otherwise, it is not
|
1271
|
+
# Decrypted plaintext data. When you use the HTTP API or the Amazon
|
1272
|
+
# Web Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1273
|
+
# Base64-encoded.
|
1172
1274
|
# @return [String]
|
1173
1275
|
#
|
1174
1276
|
# @!attribute [rw] encryption_algorithm
|
@@ -1237,10 +1339,10 @@ module Aws::KMS
|
|
1237
1339
|
# }
|
1238
1340
|
#
|
1239
1341
|
# @!attribute [rw] key_id
|
1240
|
-
# Identifies the
|
1241
|
-
# material. The `Origin` of the
|
1342
|
+
# Identifies the KMS key from which you are deleting imported key
|
1343
|
+
# material. The `Origin` of the KMS key must be `EXTERNAL`.
|
1242
1344
|
#
|
1243
|
-
# Specify the key ID or
|
1345
|
+
# Specify the key ID or key ARN of the KMS key.
|
1244
1346
|
#
|
1245
1347
|
# For example:
|
1246
1348
|
#
|
@@ -1249,7 +1351,7 @@ module Aws::KMS
|
|
1249
1351
|
# * Key ARN:
|
1250
1352
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1251
1353
|
#
|
1252
|
-
# To get the key ID and key ARN for a
|
1354
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1253
1355
|
# DescribeKey.
|
1254
1356
|
# @return [String]
|
1255
1357
|
#
|
@@ -1290,7 +1392,7 @@ module Aws::KMS
|
|
1290
1392
|
# the key store ID.
|
1291
1393
|
#
|
1292
1394
|
# By default, this operation gets information about all custom key
|
1293
|
-
# stores in the account and
|
1395
|
+
# stores in the account and Region. To limit the output to a
|
1294
1396
|
# particular custom key store, you can use either the
|
1295
1397
|
# `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
|
1296
1398
|
# @return [String]
|
@@ -1300,14 +1402,14 @@ module Aws::KMS
|
|
1300
1402
|
# the friendly name of the custom key store.
|
1301
1403
|
#
|
1302
1404
|
# By default, this operation gets information about all custom key
|
1303
|
-
# stores in the account and
|
1405
|
+
# stores in the account and Region. To limit the output to a
|
1304
1406
|
# particular custom key store, you can use either the
|
1305
1407
|
# `CustomKeyStoreId` or `CustomKeyStoreName` parameter, but not both.
|
1306
1408
|
# @return [String]
|
1307
1409
|
#
|
1308
1410
|
# @!attribute [rw] limit
|
1309
1411
|
# Use this parameter to specify the maximum number of items to return.
|
1310
|
-
# When this value is present,
|
1412
|
+
# When this value is present, KMS does not return more than the
|
1311
1413
|
# specified number of items, but it might return fewer.
|
1312
1414
|
# @return [Integer]
|
1313
1415
|
#
|
@@ -1363,16 +1465,17 @@ module Aws::KMS
|
|
1363
1465
|
# }
|
1364
1466
|
#
|
1365
1467
|
# @!attribute [rw] key_id
|
1366
|
-
# Describes the specified
|
1468
|
+
# Describes the specified KMS key.
|
1367
1469
|
#
|
1368
|
-
# If you specify a predefined
|
1369
|
-
# KMS associates the alias with an
|
1370
|
-
# its `KeyId` and
|
1470
|
+
# If you specify a predefined Amazon Web Services alias (an Amazon Web
|
1471
|
+
# Services alias with no key ID), KMS associates the alias with an
|
1472
|
+
# [Amazon Web Services managed key][1] and returns its `KeyId` and
|
1473
|
+
# `Arn` in the response.
|
1371
1474
|
#
|
1372
|
-
# To specify a
|
1373
|
-
#
|
1374
|
-
#
|
1375
|
-
#
|
1475
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1476
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1477
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1478
|
+
# the key ARN or alias ARN.
|
1376
1479
|
#
|
1377
1480
|
# For example:
|
1378
1481
|
#
|
@@ -1385,23 +1488,26 @@ module Aws::KMS
|
|
1385
1488
|
#
|
1386
1489
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1387
1490
|
#
|
1388
|
-
# To get the key ID and key ARN for a
|
1491
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1389
1492
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1390
1493
|
#
|
1391
1494
|
#
|
1392
1495
|
#
|
1393
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
|
1496
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk
|
1394
1497
|
# @return [String]
|
1395
1498
|
#
|
1396
1499
|
# @!attribute [rw] grant_tokens
|
1397
1500
|
# A list of grant tokens.
|
1398
1501
|
#
|
1399
|
-
#
|
1400
|
-
#
|
1502
|
+
# Use a grant token when your permission to call this operation comes
|
1503
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1504
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1505
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1401
1506
|
#
|
1402
1507
|
#
|
1403
1508
|
#
|
1404
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1509
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1510
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1405
1511
|
# @return [Array<String>]
|
1406
1512
|
#
|
1407
1513
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
|
@@ -1433,9 +1539,9 @@ module Aws::KMS
|
|
1433
1539
|
# }
|
1434
1540
|
#
|
1435
1541
|
# @!attribute [rw] key_id
|
1436
|
-
#
|
1542
|
+
# Identifies the KMS key to disable.
|
1437
1543
|
#
|
1438
|
-
# Specify the key ID or
|
1544
|
+
# Specify the key ID or key ARN of the KMS key.
|
1439
1545
|
#
|
1440
1546
|
# For example:
|
1441
1547
|
#
|
@@ -1444,7 +1550,7 @@ module Aws::KMS
|
|
1444
1550
|
# * Key ARN:
|
1445
1551
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1446
1552
|
#
|
1447
|
-
# To get the key ID and key ARN for a
|
1553
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1448
1554
|
# DescribeKey.
|
1449
1555
|
# @return [String]
|
1450
1556
|
#
|
@@ -1464,11 +1570,11 @@ module Aws::KMS
|
|
1464
1570
|
# }
|
1465
1571
|
#
|
1466
1572
|
# @!attribute [rw] key_id
|
1467
|
-
# Identifies a symmetric
|
1468
|
-
#
|
1469
|
-
# [imported key material][2], or
|
1573
|
+
# Identifies a symmetric KMS key. You cannot enable or disable
|
1574
|
+
# automatic rotation of [asymmetric KMS keys][1], KMS keys with
|
1575
|
+
# [imported key material][2], or KMS keys in a [custom key store][3].
|
1470
1576
|
#
|
1471
|
-
# Specify the key ID or
|
1577
|
+
# Specify the key ID or key ARN of the KMS key.
|
1472
1578
|
#
|
1473
1579
|
# For example:
|
1474
1580
|
#
|
@@ -1477,7 +1583,7 @@ module Aws::KMS
|
|
1477
1583
|
# * Key ARN:
|
1478
1584
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1479
1585
|
#
|
1480
|
-
# To get the key ID and key ARN for a
|
1586
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1481
1587
|
# DescribeKey.
|
1482
1588
|
#
|
1483
1589
|
#
|
@@ -1495,7 +1601,7 @@ module Aws::KMS
|
|
1495
1601
|
include Aws::Structure
|
1496
1602
|
end
|
1497
1603
|
|
1498
|
-
# The request was rejected because the specified
|
1604
|
+
# The request was rejected because the specified KMS key is not enabled.
|
1499
1605
|
#
|
1500
1606
|
# @!attribute [rw] message
|
1501
1607
|
# @return [String]
|
@@ -1541,9 +1647,9 @@ module Aws::KMS
|
|
1541
1647
|
# }
|
1542
1648
|
#
|
1543
1649
|
# @!attribute [rw] key_id
|
1544
|
-
#
|
1650
|
+
# Identifies the KMS key to enable.
|
1545
1651
|
#
|
1546
|
-
# Specify the key ID or
|
1652
|
+
# Specify the key ID or key ARN of the KMS key.
|
1547
1653
|
#
|
1548
1654
|
# For example:
|
1549
1655
|
#
|
@@ -1552,7 +1658,7 @@ module Aws::KMS
|
|
1552
1658
|
# * Key ARN:
|
1553
1659
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1554
1660
|
#
|
1555
|
-
# To get the key ID and key ARN for a
|
1661
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1556
1662
|
# DescribeKey.
|
1557
1663
|
# @return [String]
|
1558
1664
|
#
|
@@ -1572,11 +1678,13 @@ module Aws::KMS
|
|
1572
1678
|
# }
|
1573
1679
|
#
|
1574
1680
|
# @!attribute [rw] key_id
|
1575
|
-
# Identifies a symmetric
|
1576
|
-
#
|
1577
|
-
# material, or
|
1681
|
+
# Identifies a symmetric KMS key. You cannot enable automatic rotation
|
1682
|
+
# of [asymmetric KMS keys][1], KMS keys with [imported key
|
1683
|
+
# material][2], or KMS keys in a [custom key store][3]. To enable or
|
1684
|
+
# disable automatic rotation of a set of related [multi-Region
|
1685
|
+
# keys][4], set the property on the primary key.
|
1578
1686
|
#
|
1579
|
-
# Specify the key ID or
|
1687
|
+
# Specify the key ID or key ARN of the KMS key.
|
1580
1688
|
#
|
1581
1689
|
# For example:
|
1582
1690
|
#
|
@@ -1585,12 +1693,15 @@ module Aws::KMS
|
|
1585
1693
|
# * Key ARN:
|
1586
1694
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1587
1695
|
#
|
1588
|
-
# To get the key ID and key ARN for a
|
1696
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1589
1697
|
# DescribeKey.
|
1590
1698
|
#
|
1591
1699
|
#
|
1592
1700
|
#
|
1593
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1701
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
|
1702
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1703
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1704
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key
|
1594
1705
|
# @return [String]
|
1595
1706
|
#
|
1596
1707
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
@@ -1615,12 +1726,12 @@ module Aws::KMS
|
|
1615
1726
|
# }
|
1616
1727
|
#
|
1617
1728
|
# @!attribute [rw] key_id
|
1618
|
-
#
|
1729
|
+
# Identifies the KMS key to use in the encryption operation.
|
1619
1730
|
#
|
1620
|
-
# To specify a
|
1621
|
-
#
|
1622
|
-
#
|
1623
|
-
#
|
1731
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1732
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1733
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1734
|
+
# the key ARN or alias ARN.
|
1624
1735
|
#
|
1625
1736
|
# For example:
|
1626
1737
|
#
|
@@ -1633,7 +1744,7 @@ module Aws::KMS
|
|
1633
1744
|
#
|
1634
1745
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1635
1746
|
#
|
1636
|
-
# To get the key ID and key ARN for a
|
1747
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1637
1748
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1638
1749
|
# @return [String]
|
1639
1750
|
#
|
@@ -1644,8 +1755,8 @@ module Aws::KMS
|
|
1644
1755
|
# @!attribute [rw] encryption_context
|
1645
1756
|
# Specifies the encryption context that will be used to encrypt the
|
1646
1757
|
# data. An encryption context is valid only for [cryptographic
|
1647
|
-
# operations][1] with a symmetric
|
1648
|
-
# encryption algorithms that
|
1758
|
+
# operations][1] with a symmetric KMS key. The standard asymmetric
|
1759
|
+
# encryption algorithms that KMS uses do not support an encryption
|
1649
1760
|
# context.
|
1650
1761
|
#
|
1651
1762
|
# An *encryption context* is a collection of non-secret key-value
|
@@ -1653,9 +1764,9 @@ module Aws::KMS
|
|
1653
1764
|
# encryption context to encrypt data, you must specify the same (an
|
1654
1765
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1655
1766
|
# An encryption context is optional when encrypting with a symmetric
|
1656
|
-
#
|
1767
|
+
# KMS key, but it is highly recommended.
|
1657
1768
|
#
|
1658
|
-
# For more information, see [Encryption Context][2] in the *
|
1769
|
+
# For more information, see [Encryption Context][2] in the *Key
|
1659
1770
|
# Management Service Developer Guide*.
|
1660
1771
|
#
|
1661
1772
|
#
|
@@ -1667,22 +1778,25 @@ module Aws::KMS
|
|
1667
1778
|
# @!attribute [rw] grant_tokens
|
1668
1779
|
# A list of grant tokens.
|
1669
1780
|
#
|
1670
|
-
#
|
1671
|
-
#
|
1781
|
+
# Use a grant token when your permission to call this operation comes
|
1782
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1783
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1784
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1672
1785
|
#
|
1673
1786
|
#
|
1674
1787
|
#
|
1675
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1788
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1789
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1676
1790
|
# @return [Array<String>]
|
1677
1791
|
#
|
1678
1792
|
# @!attribute [rw] encryption_algorithm
|
1679
|
-
# Specifies the encryption algorithm that
|
1680
|
-
#
|
1793
|
+
# Specifies the encryption algorithm that KMS will use to encrypt the
|
1794
|
+
# plaintext message. The algorithm must be compatible with the KMS key
|
1681
1795
|
# that you specify.
|
1682
1796
|
#
|
1683
|
-
# This parameter is required only for asymmetric
|
1684
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
1685
|
-
#
|
1797
|
+
# This parameter is required only for asymmetric KMS keys. The default
|
1798
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
|
1799
|
+
# keys. If you are using an asymmetric KMS key, we recommend
|
1686
1800
|
# RSAES\_OAEP\_SHA\_256.
|
1687
1801
|
# @return [String]
|
1688
1802
|
#
|
@@ -1699,13 +1813,14 @@ module Aws::KMS
|
|
1699
1813
|
end
|
1700
1814
|
|
1701
1815
|
# @!attribute [rw] ciphertext_blob
|
1702
|
-
# The encrypted plaintext. When you use the HTTP API or the
|
1703
|
-
# the value is Base64-encoded. Otherwise, it is not
|
1816
|
+
# The encrypted plaintext. When you use the HTTP API or the Amazon Web
|
1817
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1818
|
+
# Base64-encoded.
|
1704
1819
|
# @return [String]
|
1705
1820
|
#
|
1706
1821
|
# @!attribute [rw] key_id
|
1707
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1708
|
-
# encrypt the plaintext.
|
1822
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
1823
|
+
# to encrypt the plaintext.
|
1709
1824
|
#
|
1710
1825
|
#
|
1711
1826
|
#
|
@@ -1763,9 +1878,9 @@ module Aws::KMS
|
|
1763
1878
|
# encryption context to encrypt data, you must specify the same (an
|
1764
1879
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1765
1880
|
# An encryption context is optional when encrypting with a symmetric
|
1766
|
-
#
|
1881
|
+
# KMS key, but it is highly recommended.
|
1767
1882
|
#
|
1768
|
-
# For more information, see [Encryption Context][1] in the *
|
1883
|
+
# For more information, see [Encryption Context][1] in the *Key
|
1769
1884
|
# Management Service Developer Guide*.
|
1770
1885
|
#
|
1771
1886
|
#
|
@@ -1774,15 +1889,15 @@ module Aws::KMS
|
|
1774
1889
|
# @return [Hash<String,String>]
|
1775
1890
|
#
|
1776
1891
|
# @!attribute [rw] key_id
|
1777
|
-
# Specifies the symmetric
|
1778
|
-
# data key pair. You cannot specify an asymmetric
|
1779
|
-
# custom key store. To get the type and origin of your
|
1780
|
-
# DescribeKey operation.
|
1892
|
+
# Specifies the symmetric KMS key that encrypts the private key in the
|
1893
|
+
# data key pair. You cannot specify an asymmetric KMS key or a KMS key
|
1894
|
+
# in a custom key store. To get the type and origin of your KMS key,
|
1895
|
+
# use the DescribeKey operation.
|
1781
1896
|
#
|
1782
|
-
# To specify a
|
1783
|
-
#
|
1784
|
-
#
|
1785
|
-
#
|
1897
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1898
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1899
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1900
|
+
# the key ARN or alias ARN.
|
1786
1901
|
#
|
1787
1902
|
# For example:
|
1788
1903
|
#
|
@@ -1795,28 +1910,31 @@ module Aws::KMS
|
|
1795
1910
|
#
|
1796
1911
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1797
1912
|
#
|
1798
|
-
# To get the key ID and key ARN for a
|
1913
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1799
1914
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1800
1915
|
# @return [String]
|
1801
1916
|
#
|
1802
1917
|
# @!attribute [rw] key_pair_spec
|
1803
1918
|
# Determines the type of data key pair that is generated.
|
1804
1919
|
#
|
1805
|
-
# The
|
1920
|
+
# The KMS rule that restricts the use of asymmetric RSA KMS keys to
|
1806
1921
|
# encrypt and decrypt or to sign and verify (but not both), and the
|
1807
|
-
# rule that permits you to use ECC
|
1808
|
-
# not effective outside of
|
1922
|
+
# rule that permits you to use ECC KMS keys only to sign and verify,
|
1923
|
+
# are not effective on data key pairs, which are used outside of KMS.
|
1809
1924
|
# @return [String]
|
1810
1925
|
#
|
1811
1926
|
# @!attribute [rw] grant_tokens
|
1812
1927
|
# A list of grant tokens.
|
1813
1928
|
#
|
1814
|
-
#
|
1815
|
-
#
|
1929
|
+
# Use a grant token when your permission to call this operation comes
|
1930
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1931
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1932
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1816
1933
|
#
|
1817
1934
|
#
|
1818
1935
|
#
|
1819
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1936
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1937
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1820
1938
|
# @return [Array<String>]
|
1821
1939
|
#
|
1822
1940
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
@@ -1832,14 +1950,14 @@ module Aws::KMS
|
|
1832
1950
|
|
1833
1951
|
# @!attribute [rw] private_key_ciphertext_blob
|
1834
1952
|
# The encrypted copy of the private key. When you use the HTTP API or
|
1835
|
-
# the
|
1836
|
-
# Base64-encoded.
|
1953
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
1954
|
+
# it is not Base64-encoded.
|
1837
1955
|
# @return [String]
|
1838
1956
|
#
|
1839
1957
|
# @!attribute [rw] private_key_plaintext
|
1840
1958
|
# The plaintext copy of the private key. When you use the HTTP API or
|
1841
|
-
# the
|
1842
|
-
# Base64-encoded.
|
1959
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
1960
|
+
# it is not Base64-encoded.
|
1843
1961
|
# @return [String]
|
1844
1962
|
#
|
1845
1963
|
# @!attribute [rw] public_key
|
@@ -1847,8 +1965,8 @@ module Aws::KMS
|
|
1847
1965
|
# @return [String]
|
1848
1966
|
#
|
1849
1967
|
# @!attribute [rw] key_id
|
1850
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1851
|
-
# the private key.
|
1968
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
1969
|
+
# encrypted the private key.
|
1852
1970
|
#
|
1853
1971
|
#
|
1854
1972
|
#
|
@@ -1892,9 +2010,9 @@ module Aws::KMS
|
|
1892
2010
|
# encryption context to encrypt data, you must specify the same (an
|
1893
2011
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1894
2012
|
# An encryption context is optional when encrypting with a symmetric
|
1895
|
-
#
|
2013
|
+
# KMS key, but it is highly recommended.
|
1896
2014
|
#
|
1897
|
-
# For more information, see [Encryption Context][1] in the *
|
2015
|
+
# For more information, see [Encryption Context][1] in the *Key
|
1898
2016
|
# Management Service Developer Guide*.
|
1899
2017
|
#
|
1900
2018
|
#
|
@@ -1903,15 +2021,15 @@ module Aws::KMS
|
|
1903
2021
|
# @return [Hash<String,String>]
|
1904
2022
|
#
|
1905
2023
|
# @!attribute [rw] key_id
|
1906
|
-
# Specifies the
|
1907
|
-
# pair. You must specify a symmetric
|
1908
|
-
#
|
1909
|
-
# your
|
2024
|
+
# Specifies the KMS key that encrypts the private key in the data key
|
2025
|
+
# pair. You must specify a symmetric KMS key. You cannot use an
|
2026
|
+
# asymmetric KMS key or a KMS key in a custom key store. To get the
|
2027
|
+
# type and origin of your KMS key, use the DescribeKey operation.
|
1910
2028
|
#
|
1911
|
-
# To specify a
|
1912
|
-
#
|
1913
|
-
#
|
1914
|
-
#
|
2029
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2030
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2031
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2032
|
+
# the key ARN or alias ARN.
|
1915
2033
|
#
|
1916
2034
|
# For example:
|
1917
2035
|
#
|
@@ -1924,28 +2042,31 @@ module Aws::KMS
|
|
1924
2042
|
#
|
1925
2043
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1926
2044
|
#
|
1927
|
-
# To get the key ID and key ARN for a
|
2045
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1928
2046
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1929
2047
|
# @return [String]
|
1930
2048
|
#
|
1931
2049
|
# @!attribute [rw] key_pair_spec
|
1932
2050
|
# Determines the type of data key pair that is generated.
|
1933
2051
|
#
|
1934
|
-
# The
|
2052
|
+
# The KMS rule that restricts the use of asymmetric RSA KMS keys to
|
1935
2053
|
# encrypt and decrypt or to sign and verify (but not both), and the
|
1936
|
-
# rule that permits you to use ECC
|
1937
|
-
# not effective outside of
|
2054
|
+
# rule that permits you to use ECC KMS keys only to sign and verify,
|
2055
|
+
# are not effective on data key pairs, which are used outside of KMS.
|
1938
2056
|
# @return [String]
|
1939
2057
|
#
|
1940
2058
|
# @!attribute [rw] grant_tokens
|
1941
2059
|
# A list of grant tokens.
|
1942
2060
|
#
|
1943
|
-
#
|
1944
|
-
#
|
2061
|
+
# Use a grant token when your permission to call this operation comes
|
2062
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2063
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2064
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1945
2065
|
#
|
1946
2066
|
#
|
1947
2067
|
#
|
1948
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2068
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2069
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1949
2070
|
# @return [Array<String>]
|
1950
2071
|
#
|
1951
2072
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
@@ -1961,8 +2082,8 @@ module Aws::KMS
|
|
1961
2082
|
|
1962
2083
|
# @!attribute [rw] private_key_ciphertext_blob
|
1963
2084
|
# The encrypted copy of the private key. When you use the HTTP API or
|
1964
|
-
# the
|
1965
|
-
# Base64-encoded.
|
2085
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
2086
|
+
# it is not Base64-encoded.
|
1966
2087
|
# @return [String]
|
1967
2088
|
#
|
1968
2089
|
# @!attribute [rw] public_key
|
@@ -1970,8 +2091,8 @@ module Aws::KMS
|
|
1970
2091
|
# @return [String]
|
1971
2092
|
#
|
1972
2093
|
# @!attribute [rw] key_id
|
1973
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1974
|
-
# the private key.
|
2094
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2095
|
+
# encrypted the private key.
|
1975
2096
|
#
|
1976
2097
|
#
|
1977
2098
|
#
|
@@ -2007,12 +2128,12 @@ module Aws::KMS
|
|
2007
2128
|
# }
|
2008
2129
|
#
|
2009
2130
|
# @!attribute [rw] key_id
|
2010
|
-
# Identifies the symmetric
|
2131
|
+
# Identifies the symmetric KMS key that encrypts the data key.
|
2011
2132
|
#
|
2012
|
-
# To specify a
|
2013
|
-
#
|
2014
|
-
#
|
2015
|
-
#
|
2133
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2134
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2135
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2136
|
+
# the key ARN or alias ARN.
|
2016
2137
|
#
|
2017
2138
|
# For example:
|
2018
2139
|
#
|
@@ -2025,7 +2146,7 @@ module Aws::KMS
|
|
2025
2146
|
#
|
2026
2147
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2027
2148
|
#
|
2028
|
-
# To get the key ID and key ARN for a
|
2149
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2029
2150
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2030
2151
|
# @return [String]
|
2031
2152
|
#
|
@@ -2038,9 +2159,9 @@ module Aws::KMS
|
|
2038
2159
|
# encryption context to encrypt data, you must specify the same (an
|
2039
2160
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2040
2161
|
# An encryption context is optional when encrypting with a symmetric
|
2041
|
-
#
|
2162
|
+
# KMS key, but it is highly recommended.
|
2042
2163
|
#
|
2043
|
-
# For more information, see [Encryption Context][1] in the *
|
2164
|
+
# For more information, see [Encryption Context][1] in the *Key
|
2044
2165
|
# Management Service Developer Guide*.
|
2045
2166
|
#
|
2046
2167
|
#
|
@@ -2070,12 +2191,15 @@ module Aws::KMS
|
|
2070
2191
|
# @!attribute [rw] grant_tokens
|
2071
2192
|
# A list of grant tokens.
|
2072
2193
|
#
|
2073
|
-
#
|
2074
|
-
#
|
2194
|
+
# Use a grant token when your permission to call this operation comes
|
2195
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2196
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2197
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2075
2198
|
#
|
2076
2199
|
#
|
2077
2200
|
#
|
2078
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2201
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2202
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2079
2203
|
# @return [Array<String>]
|
2080
2204
|
#
|
2081
2205
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
|
@@ -2092,20 +2216,20 @@ module Aws::KMS
|
|
2092
2216
|
|
2093
2217
|
# @!attribute [rw] ciphertext_blob
|
2094
2218
|
# The encrypted copy of the data key. When you use the HTTP API or the
|
2095
|
-
#
|
2096
|
-
# Base64-encoded.
|
2219
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
2220
|
+
# is not Base64-encoded.
|
2097
2221
|
# @return [String]
|
2098
2222
|
#
|
2099
2223
|
# @!attribute [rw] plaintext
|
2100
|
-
# The plaintext data key. When you use the HTTP API or the
|
2101
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2102
|
-
# Use this data key to encrypt your data outside of
|
2103
|
-
# it from memory as soon as possible.
|
2224
|
+
# The plaintext data key. When you use the HTTP API or the Amazon Web
|
2225
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2226
|
+
# Base64-encoded. Use this data key to encrypt your data outside of
|
2227
|
+
# KMS. Then, remove it from memory as soon as possible.
|
2104
2228
|
# @return [String]
|
2105
2229
|
#
|
2106
2230
|
# @!attribute [rw] key_id
|
2107
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2108
|
-
# the data key.
|
2231
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2232
|
+
# encrypted the data key.
|
2109
2233
|
#
|
2110
2234
|
#
|
2111
2235
|
#
|
@@ -2136,13 +2260,12 @@ module Aws::KMS
|
|
2136
2260
|
# }
|
2137
2261
|
#
|
2138
2262
|
# @!attribute [rw] key_id
|
2139
|
-
# The identifier of the symmetric
|
2140
|
-
# encrypts the data key.
|
2263
|
+
# The identifier of the symmetric KMS key that encrypts the data key.
|
2141
2264
|
#
|
2142
|
-
# To specify a
|
2143
|
-
#
|
2144
|
-
#
|
2145
|
-
#
|
2265
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2266
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2267
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2268
|
+
# the key ARN or alias ARN.
|
2146
2269
|
#
|
2147
2270
|
# For example:
|
2148
2271
|
#
|
@@ -2155,7 +2278,7 @@ module Aws::KMS
|
|
2155
2278
|
#
|
2156
2279
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2157
2280
|
#
|
2158
|
-
# To get the key ID and key ARN for a
|
2281
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2159
2282
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2160
2283
|
# @return [String]
|
2161
2284
|
#
|
@@ -2168,9 +2291,9 @@ module Aws::KMS
|
|
2168
2291
|
# encryption context to encrypt data, you must specify the same (an
|
2169
2292
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2170
2293
|
# An encryption context is optional when encrypting with a symmetric
|
2171
|
-
#
|
2294
|
+
# KMS key, but it is highly recommended.
|
2172
2295
|
#
|
2173
|
-
# For more information, see [Encryption Context][1] in the *
|
2296
|
+
# For more information, see [Encryption Context][1] in the *Key
|
2174
2297
|
# Management Service Developer Guide*.
|
2175
2298
|
#
|
2176
2299
|
#
|
@@ -2193,12 +2316,15 @@ module Aws::KMS
|
|
2193
2316
|
# @!attribute [rw] grant_tokens
|
2194
2317
|
# A list of grant tokens.
|
2195
2318
|
#
|
2196
|
-
#
|
2197
|
-
#
|
2319
|
+
# Use a grant token when your permission to call this operation comes
|
2320
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2321
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2322
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2198
2323
|
#
|
2199
2324
|
#
|
2200
2325
|
#
|
2201
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2326
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2327
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2202
2328
|
# @return [Array<String>]
|
2203
2329
|
#
|
2204
2330
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
|
@@ -2214,13 +2340,14 @@ module Aws::KMS
|
|
2214
2340
|
end
|
2215
2341
|
|
2216
2342
|
# @!attribute [rw] ciphertext_blob
|
2217
|
-
# The encrypted data key. When you use the HTTP API or the
|
2218
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2343
|
+
# The encrypted data key. When you use the HTTP API or the Amazon Web
|
2344
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2345
|
+
# Base64-encoded.
|
2219
2346
|
# @return [String]
|
2220
2347
|
#
|
2221
2348
|
# @!attribute [rw] key_id
|
2222
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2223
|
-
# the data key.
|
2349
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2350
|
+
# encrypted the data key.
|
2224
2351
|
#
|
2225
2352
|
#
|
2226
2353
|
#
|
@@ -2249,7 +2376,7 @@ module Aws::KMS
|
|
2249
2376
|
# @return [Integer]
|
2250
2377
|
#
|
2251
2378
|
# @!attribute [rw] custom_key_store_id
|
2252
|
-
# Generates the random byte string in the
|
2379
|
+
# Generates the random byte string in the CloudHSM cluster that is
|
2253
2380
|
# associated with the specified [custom key store][1]. To find the ID
|
2254
2381
|
# of a custom key store, use the DescribeCustomKeyStores operation.
|
2255
2382
|
#
|
@@ -2268,8 +2395,9 @@ module Aws::KMS
|
|
2268
2395
|
end
|
2269
2396
|
|
2270
2397
|
# @!attribute [rw] plaintext
|
2271
|
-
# The random byte string. When you use the HTTP API or the
|
2272
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2398
|
+
# The random byte string. When you use the HTTP API or the Amazon Web
|
2399
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2400
|
+
# Base64-encoded.
|
2273
2401
|
# @return [String]
|
2274
2402
|
#
|
2275
2403
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
@@ -2289,9 +2417,9 @@ module Aws::KMS
|
|
2289
2417
|
# }
|
2290
2418
|
#
|
2291
2419
|
# @!attribute [rw] key_id
|
2292
|
-
#
|
2420
|
+
# Gets the key policy for the specified KMS key.
|
2293
2421
|
#
|
2294
|
-
# Specify the key ID or
|
2422
|
+
# Specify the key ID or key ARN of the KMS key.
|
2295
2423
|
#
|
2296
2424
|
# For example:
|
2297
2425
|
#
|
@@ -2300,7 +2428,7 @@ module Aws::KMS
|
|
2300
2428
|
# * Key ARN:
|
2301
2429
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2302
2430
|
#
|
2303
|
-
# To get the key ID and key ARN for a
|
2431
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2304
2432
|
# DescribeKey.
|
2305
2433
|
# @return [String]
|
2306
2434
|
#
|
@@ -2338,10 +2466,11 @@ module Aws::KMS
|
|
2338
2466
|
# }
|
2339
2467
|
#
|
2340
2468
|
# @!attribute [rw] key_id
|
2341
|
-
#
|
2469
|
+
# Gets the rotation status for the specified KMS key.
|
2342
2470
|
#
|
2343
|
-
# Specify the key ID or
|
2344
|
-
#
|
2471
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
2472
|
+
# in a different Amazon Web Services account, you must use the key
|
2473
|
+
# ARN.
|
2345
2474
|
#
|
2346
2475
|
# For example:
|
2347
2476
|
#
|
@@ -2350,7 +2479,7 @@ module Aws::KMS
|
|
2350
2479
|
# * Key ARN:
|
2351
2480
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2352
2481
|
#
|
2353
|
-
# To get the key ID and key ARN for a
|
2482
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2354
2483
|
# DescribeKey.
|
2355
2484
|
# @return [String]
|
2356
2485
|
#
|
@@ -2384,10 +2513,10 @@ module Aws::KMS
|
|
2384
2513
|
# }
|
2385
2514
|
#
|
2386
2515
|
# @!attribute [rw] key_id
|
2387
|
-
# The identifier of the symmetric
|
2388
|
-
# material. The `Origin` of the
|
2516
|
+
# The identifier of the symmetric KMS key into which you will import
|
2517
|
+
# key material. The `Origin` of the KMS key must be `EXTERNAL`.
|
2389
2518
|
#
|
2390
|
-
# Specify the key ID or
|
2519
|
+
# Specify the key ID or key ARN of the KMS key.
|
2391
2520
|
#
|
2392
2521
|
# For example:
|
2393
2522
|
#
|
@@ -2396,14 +2525,14 @@ module Aws::KMS
|
|
2396
2525
|
# * Key ARN:
|
2397
2526
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2398
2527
|
#
|
2399
|
-
# To get the key ID and key ARN for a
|
2528
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2400
2529
|
# DescribeKey.
|
2401
2530
|
# @return [String]
|
2402
2531
|
#
|
2403
2532
|
# @!attribute [rw] wrapping_algorithm
|
2404
2533
|
# The algorithm you will use to encrypt the key material before
|
2405
2534
|
# importing it with ImportKeyMaterial. For more information, see
|
2406
|
-
# [Encrypt the Key Material][1] in the *
|
2535
|
+
# [Encrypt the Key Material][1] in the *Key Management Service
|
2407
2536
|
# Developer Guide*.
|
2408
2537
|
#
|
2409
2538
|
#
|
@@ -2427,9 +2556,9 @@ module Aws::KMS
|
|
2427
2556
|
end
|
2428
2557
|
|
2429
2558
|
# @!attribute [rw] key_id
|
2430
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2431
|
-
# subsequent ImportKeyMaterial request. This is the same
|
2432
|
-
# in the `GetParametersForImport` request.
|
2559
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key to use in a
|
2560
|
+
# subsequent ImportKeyMaterial request. This is the same KMS key
|
2561
|
+
# specified in the `GetParametersForImport` request.
|
2433
2562
|
#
|
2434
2563
|
#
|
2435
2564
|
#
|
@@ -2472,12 +2601,12 @@ module Aws::KMS
|
|
2472
2601
|
# }
|
2473
2602
|
#
|
2474
2603
|
# @!attribute [rw] key_id
|
2475
|
-
# Identifies the asymmetric
|
2604
|
+
# Identifies the asymmetric KMS key that includes the public key.
|
2476
2605
|
#
|
2477
|
-
# To specify a
|
2478
|
-
#
|
2479
|
-
#
|
2480
|
-
#
|
2606
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2607
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2608
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2609
|
+
# the key ARN or alias ARN.
|
2481
2610
|
#
|
2482
2611
|
# For example:
|
2483
2612
|
#
|
@@ -2490,19 +2619,22 @@ module Aws::KMS
|
|
2490
2619
|
#
|
2491
2620
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2492
2621
|
#
|
2493
|
-
# To get the key ID and key ARN for a
|
2622
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2494
2623
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2495
2624
|
# @return [String]
|
2496
2625
|
#
|
2497
2626
|
# @!attribute [rw] grant_tokens
|
2498
2627
|
# A list of grant tokens.
|
2499
2628
|
#
|
2500
|
-
#
|
2501
|
-
#
|
2629
|
+
# Use a grant token when your permission to call this operation comes
|
2630
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2631
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2632
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2502
2633
|
#
|
2503
2634
|
#
|
2504
2635
|
#
|
2505
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2636
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2637
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2506
2638
|
# @return [Array<String>]
|
2507
2639
|
#
|
2508
2640
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
|
@@ -2515,8 +2647,8 @@ module Aws::KMS
|
|
2515
2647
|
end
|
2516
2648
|
|
2517
2649
|
# @!attribute [rw] key_id
|
2518
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
2519
|
-
# which the public key was downloaded.
|
2650
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
2651
|
+
# from which the public key was downloaded.
|
2520
2652
|
#
|
2521
2653
|
#
|
2522
2654
|
#
|
@@ -2528,8 +2660,8 @@ module Aws::KMS
|
|
2528
2660
|
#
|
2529
2661
|
# The value is a DER-encoded X.509 public key, also known as
|
2530
2662
|
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
|
2531
|
-
# use the HTTP API or the
|
2532
|
-
# Otherwise, it is not Base64-encoded.
|
2663
|
+
# use the HTTP API or the Amazon Web Services CLI, the value is
|
2664
|
+
# Base64-encoded. Otherwise, it is not Base64-encoded.
|
2533
2665
|
#
|
2534
2666
|
#
|
2535
2667
|
#
|
@@ -2539,6 +2671,14 @@ module Aws::KMS
|
|
2539
2671
|
# @return [String]
|
2540
2672
|
#
|
2541
2673
|
# @!attribute [rw] customer_master_key_spec
|
2674
|
+
# Instead, use the `KeySpec` field in the `GetPublicKey` response.
|
2675
|
+
#
|
2676
|
+
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
2677
|
+
# value. We recommend that you use the `KeySpec` field in your code.
|
2678
|
+
# However, to avoid breaking changes, KMS will support both fields.
|
2679
|
+
# @return [String]
|
2680
|
+
#
|
2681
|
+
# @!attribute [rw] key_spec
|
2542
2682
|
# The type of the of the public key that was downloaded.
|
2543
2683
|
# @return [String]
|
2544
2684
|
#
|
@@ -2547,23 +2687,23 @@ module Aws::KMS
|
|
2547
2687
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
2548
2688
|
#
|
2549
2689
|
# This information is critical. If a public key with `SIGN_VERIFY` key
|
2550
|
-
# usage encrypts data outside of
|
2690
|
+
# usage encrypts data outside of KMS, the ciphertext cannot be
|
2551
2691
|
# decrypted.
|
2552
2692
|
# @return [String]
|
2553
2693
|
#
|
2554
2694
|
# @!attribute [rw] encryption_algorithms
|
2555
|
-
# The encryption algorithms that
|
2695
|
+
# The encryption algorithms that KMS supports for this key.
|
2556
2696
|
#
|
2557
2697
|
# This information is critical. If a public key encrypts data outside
|
2558
|
-
# of
|
2559
|
-
#
|
2698
|
+
# of KMS by using an unsupported encryption algorithm, the ciphertext
|
2699
|
+
# cannot be decrypted.
|
2560
2700
|
#
|
2561
2701
|
# This field appears in the response only when the `KeyUsage` of the
|
2562
2702
|
# public key is `ENCRYPT_DECRYPT`.
|
2563
2703
|
# @return [Array<String>]
|
2564
2704
|
#
|
2565
2705
|
# @!attribute [rw] signing_algorithms
|
2566
|
-
# The signing algorithms that
|
2706
|
+
# The signing algorithms that KMS supports for this key.
|
2567
2707
|
#
|
2568
2708
|
# This field appears in the response only when the `KeyUsage` of the
|
2569
2709
|
# public key is `SIGN_VERIFY`.
|
@@ -2575,6 +2715,7 @@ module Aws::KMS
|
|
2575
2715
|
:key_id,
|
2576
2716
|
:public_key,
|
2577
2717
|
:customer_master_key_spec,
|
2718
|
+
:key_spec,
|
2578
2719
|
:key_usage,
|
2579
2720
|
:encryption_algorithms,
|
2580
2721
|
:signing_algorithms)
|
@@ -2586,11 +2727,11 @@ module Aws::KMS
|
|
2586
2727
|
# only when the operation request includes the specified [encryption
|
2587
2728
|
# context][2].
|
2588
2729
|
#
|
2589
|
-
#
|
2730
|
+
# KMS applies the grant constraints only to cryptographic operations
|
2590
2731
|
# that support an encryption context, that is, all cryptographic
|
2591
|
-
# operations with a [symmetric
|
2732
|
+
# operations with a [symmetric KMS key][3]. Grant constraints are not
|
2592
2733
|
# applied to operations that do not support an encryption context, such
|
2593
|
-
# as cryptographic operations with asymmetric
|
2734
|
+
# as cryptographic operations with asymmetric KMS keys and management
|
2594
2735
|
# operations, such as DescribeKey or RetireGrant.
|
2595
2736
|
#
|
2596
2737
|
# In a cryptographic operation, the encryption context in the decryption
|
@@ -2605,8 +2746,8 @@ module Aws::KMS
|
|
2605
2746
|
# differ only by case. To require a fully case-sensitive encryption
|
2606
2747
|
# context, use the `kms:EncryptionContext:` and
|
2607
2748
|
# `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
|
2608
|
-
# details, see [kms:EncryptionContext:][4] in the <i> <i>
|
2609
|
-
#
|
2749
|
+
# details, see [kms:EncryptionContext:][4] in the <i> <i>Key Management
|
2750
|
+
# Service Developer Guide</i> </i>.
|
2610
2751
|
#
|
2611
2752
|
#
|
2612
2753
|
#
|
@@ -2662,8 +2803,7 @@ module Aws::KMS
|
|
2662
2803
|
# Contains information about a grant.
|
2663
2804
|
#
|
2664
2805
|
# @!attribute [rw] key_id
|
2665
|
-
# The unique identifier for the
|
2666
|
-
# grant applies.
|
2806
|
+
# The unique identifier for the KMS key to which the grant applies.
|
2667
2807
|
# @return [String]
|
2668
2808
|
#
|
2669
2809
|
# @!attribute [rw] grant_id
|
@@ -2685,10 +2825,10 @@ module Aws::KMS
|
|
2685
2825
|
#
|
2686
2826
|
# The `GranteePrincipal` field in the `ListGrants` response usually
|
2687
2827
|
# contains the user or role designated as the grantee principal in the
|
2688
|
-
# grant. However, when the grantee principal in the grant is an
|
2689
|
-
# service, the `GranteePrincipal` field contains the
|
2690
|
-
# principal][1], which might represent several different
|
2691
|
-
# principals.
|
2828
|
+
# grant. However, when the grantee principal in the grant is an Amazon
|
2829
|
+
# Web Services service, the `GranteePrincipal` field contains the
|
2830
|
+
# [service principal][1], which might represent several different
|
2831
|
+
# grantee principals.
|
2692
2832
|
#
|
2693
2833
|
#
|
2694
2834
|
#
|
@@ -2700,7 +2840,7 @@ module Aws::KMS
|
|
2700
2840
|
# @return [String]
|
2701
2841
|
#
|
2702
2842
|
# @!attribute [rw] issuing_account
|
2703
|
-
# The
|
2843
|
+
# The Amazon Web Services account under which the grant was issued.
|
2704
2844
|
# @return [String]
|
2705
2845
|
#
|
2706
2846
|
# @!attribute [rw] operations
|
@@ -2740,12 +2880,12 @@ module Aws::KMS
|
|
2740
2880
|
# }
|
2741
2881
|
#
|
2742
2882
|
# @!attribute [rw] key_id
|
2743
|
-
# The identifier of the symmetric
|
2744
|
-
# material. The
|
2745
|
-
# same
|
2746
|
-
# GetParametersForImport request.
|
2883
|
+
# The identifier of the symmetric KMS key that receives the imported
|
2884
|
+
# key material. The KMS key's `Origin` must be `EXTERNAL`. This must
|
2885
|
+
# be the same KMS key specified in the `KeyID` parameter of the
|
2886
|
+
# corresponding GetParametersForImport request.
|
2747
2887
|
#
|
2748
|
-
# Specify the key ID or
|
2888
|
+
# Specify the key ID or key ARN of the KMS key.
|
2749
2889
|
#
|
2750
2890
|
# For example:
|
2751
2891
|
#
|
@@ -2754,7 +2894,7 @@ module Aws::KMS
|
|
2754
2894
|
# * Key ARN:
|
2755
2895
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2756
2896
|
#
|
2757
|
-
# To get the key ID and key ARN for a
|
2897
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2758
2898
|
# DescribeKey.
|
2759
2899
|
# @return [String]
|
2760
2900
|
#
|
@@ -2774,7 +2914,7 @@ module Aws::KMS
|
|
2774
2914
|
#
|
2775
2915
|
# @!attribute [rw] valid_to
|
2776
2916
|
# The time at which the imported key material expires. When the key
|
2777
|
-
# material expires,
|
2917
|
+
# material expires, KMS deletes the key material and the KMS key
|
2778
2918
|
# becomes unusable. You must omit this parameter when the
|
2779
2919
|
# `ExpirationModel` parameter is set to
|
2780
2920
|
# `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
|
@@ -2804,10 +2944,10 @@ module Aws::KMS
|
|
2804
2944
|
#
|
2805
2945
|
class ImportKeyMaterialResponse < Aws::EmptyStructure; end
|
2806
2946
|
|
2807
|
-
# The request was rejected because the specified
|
2808
|
-
# data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
2809
|
-
# ReEncrypt request must identify the same
|
2810
|
-
# the ciphertext.
|
2947
|
+
# The request was rejected because the specified KMS key cannot decrypt
|
2948
|
+
# the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
2949
|
+
# ReEncrypt request must identify the same KMS key that was used to
|
2950
|
+
# encrypt the ciphertext.
|
2811
2951
|
#
|
2812
2952
|
# @!attribute [rw] message
|
2813
2953
|
# @return [String]
|
@@ -2822,7 +2962,7 @@ module Aws::KMS
|
|
2822
2962
|
|
2823
2963
|
# The request was rejected because the key material in the request is,
|
2824
2964
|
# expired, invalid, or is not the same key material that was previously
|
2825
|
-
# imported into this
|
2965
|
+
# imported into this KMS key.
|
2826
2966
|
#
|
2827
2967
|
# @!attribute [rw] message
|
2828
2968
|
# @return [String]
|
@@ -2836,8 +2976,8 @@ module Aws::KMS
|
|
2836
2976
|
end
|
2837
2977
|
|
2838
2978
|
# The request was rejected because the trust anchor certificate in the
|
2839
|
-
# request is not the trust anchor certificate for the specified
|
2840
|
-
#
|
2979
|
+
# request is not the trust anchor certificate for the specified CloudHSM
|
2980
|
+
# cluster.
|
2841
2981
|
#
|
2842
2982
|
# When you [initialize the cluster][1], you create the trust anchor
|
2843
2983
|
# certificate and save it in the `customerCA.crt` file.
|
@@ -2891,7 +3031,7 @@ module Aws::KMS
|
|
2891
3031
|
# corrupted, missing, or otherwise invalid.
|
2892
3032
|
#
|
2893
3033
|
# From the ImportKeyMaterial operation, the request was rejected because
|
2894
|
-
#
|
3034
|
+
# KMS could not decrypt the encrypted (wrapped) key material.
|
2895
3035
|
#
|
2896
3036
|
# @!attribute [rw] message
|
2897
3037
|
# @return [String]
|
@@ -2932,7 +3072,7 @@ module Aws::KMS
|
|
2932
3072
|
end
|
2933
3073
|
|
2934
3074
|
# The request was rejected because the provided import token is invalid
|
2935
|
-
# or is associated with a different
|
3075
|
+
# or is associated with a different KMS key.
|
2936
3076
|
#
|
2937
3077
|
# @!attribute [rw] message
|
2938
3078
|
# @return [String]
|
@@ -2947,20 +3087,20 @@ module Aws::KMS
|
|
2947
3087
|
|
2948
3088
|
# The request was rejected for one of the following reasons:
|
2949
3089
|
#
|
2950
|
-
# * The `KeyUsage` value of the
|
3090
|
+
# * The `KeyUsage` value of the KMS key is incompatible with the API
|
2951
3091
|
# operation.
|
2952
3092
|
#
|
2953
3093
|
# * The encryption algorithm or signing algorithm specified for the
|
2954
|
-
# operation is incompatible with the type of key material in the
|
2955
|
-
# `(
|
3094
|
+
# operation is incompatible with the type of key material in the KMS
|
3095
|
+
# key `(KeySpec`).
|
2956
3096
|
#
|
2957
3097
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
2958
3098
|
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
|
2959
|
-
# the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a
|
2960
|
-
# use the DescribeKey operation.
|
3099
|
+
# the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
|
3100
|
+
# key, use the DescribeKey operation.
|
2961
3101
|
#
|
2962
3102
|
# To find the encryption or signing algorithms supported for a
|
2963
|
-
# particular
|
3103
|
+
# particular KMS key, use the DescribeKey operation.
|
2964
3104
|
#
|
2965
3105
|
# @!attribute [rw] message
|
2966
3106
|
# @return [String]
|
@@ -3003,8 +3143,8 @@ module Aws::KMS
|
|
3003
3143
|
|
3004
3144
|
# The request was rejected because the signature verification failed.
|
3005
3145
|
# Signature verification fails when it cannot confirm that signature was
|
3006
|
-
# produced by signing the specified message with the specified
|
3007
|
-
# signing algorithm.
|
3146
|
+
# produced by signing the specified message with the specified KMS key
|
3147
|
+
# and signing algorithm.
|
3008
3148
|
#
|
3009
3149
|
# @!attribute [rw] message
|
3010
3150
|
# @return [String]
|
@@ -3020,9 +3160,9 @@ module Aws::KMS
|
|
3020
3160
|
# The request was rejected because the state of the specified resource
|
3021
3161
|
# is not valid for this request.
|
3022
3162
|
#
|
3023
|
-
# For more information about how key state affects the use of a
|
3024
|
-
# [
|
3025
|
-
#
|
3163
|
+
# For more information about how key state affects the use of a KMS key,
|
3164
|
+
# see [Key state: Effect on your KMS key][1] in the <i> <i>Key
|
3165
|
+
# Management Service Developer Guide</i> </i>.
|
3026
3166
|
#
|
3027
3167
|
#
|
3028
3168
|
#
|
@@ -3058,23 +3198,24 @@ module Aws::KMS
|
|
3058
3198
|
include Aws::Structure
|
3059
3199
|
end
|
3060
3200
|
|
3061
|
-
# Contains metadata about a
|
3201
|
+
# Contains metadata about a KMS key.
|
3062
3202
|
#
|
3063
3203
|
# This data type is used as a response element for the CreateKey and
|
3064
3204
|
# DescribeKey operations.
|
3065
3205
|
#
|
3066
3206
|
# @!attribute [rw] aws_account_id
|
3067
|
-
# The twelve-digit account ID of the
|
3207
|
+
# The twelve-digit account ID of the Amazon Web Services account that
|
3208
|
+
# owns the KMS key.
|
3068
3209
|
# @return [String]
|
3069
3210
|
#
|
3070
3211
|
# @!attribute [rw] key_id
|
3071
|
-
# The globally unique identifier for the
|
3212
|
+
# The globally unique identifier for the KMS key.
|
3072
3213
|
# @return [String]
|
3073
3214
|
#
|
3074
3215
|
# @!attribute [rw] arn
|
3075
|
-
# The Amazon Resource Name (ARN) of the
|
3076
|
-
# Key Management Service (
|
3077
|
-
#
|
3216
|
+
# The Amazon Resource Name (ARN) of the KMS key. For examples, see
|
3217
|
+
# [Key Management Service (KMS)][1] in the Example ARNs section of the
|
3218
|
+
# *Amazon Web Services General Reference*.
|
3078
3219
|
#
|
3079
3220
|
#
|
3080
3221
|
#
|
@@ -3082,20 +3223,20 @@ module Aws::KMS
|
|
3082
3223
|
# @return [String]
|
3083
3224
|
#
|
3084
3225
|
# @!attribute [rw] creation_date
|
3085
|
-
# The date and time when the
|
3226
|
+
# The date and time when the KMS key was created.
|
3086
3227
|
# @return [Time]
|
3087
3228
|
#
|
3088
3229
|
# @!attribute [rw] enabled
|
3089
|
-
# Specifies whether the
|
3090
|
-
# this value is true, otherwise it is false.
|
3230
|
+
# Specifies whether the KMS key is enabled. When `KeyState` is
|
3231
|
+
# `Enabled` this value is true, otherwise it is false.
|
3091
3232
|
# @return [Boolean]
|
3092
3233
|
#
|
3093
3234
|
# @!attribute [rw] description
|
3094
|
-
# The description of the
|
3235
|
+
# The description of the KMS key.
|
3095
3236
|
# @return [String]
|
3096
3237
|
#
|
3097
3238
|
# @!attribute [rw] key_usage
|
3098
|
-
# The [cryptographic operations][1] for which you can use the
|
3239
|
+
# The [cryptographic operations][1] for which you can use the KMS key.
|
3099
3240
|
#
|
3100
3241
|
#
|
3101
3242
|
#
|
@@ -3103,11 +3244,11 @@ module Aws::KMS
|
|
3103
3244
|
# @return [String]
|
3104
3245
|
#
|
3105
3246
|
# @!attribute [rw] key_state
|
3106
|
-
# The current status of the
|
3247
|
+
# The current status of the KMS key.
|
3107
3248
|
#
|
3108
|
-
# For more information about how key state affects the use of a
|
3109
|
-
# see [Key state: Effect on your
|
3110
|
-
# Service Developer Guide*.
|
3249
|
+
# For more information about how key state affects the use of a KMS
|
3250
|
+
# key, see [Key state: Effect on your KMS key][1] in the *Key
|
3251
|
+
# Management Service Developer Guide*.
|
3111
3252
|
#
|
3112
3253
|
#
|
3113
3254
|
#
|
@@ -3115,31 +3256,37 @@ module Aws::KMS
|
|
3115
3256
|
# @return [String]
|
3116
3257
|
#
|
3117
3258
|
# @!attribute [rw] deletion_date
|
3118
|
-
# The date and time after which
|
3119
|
-
# present only when
|
3259
|
+
# The date and time after which KMS deletes this KMS key. This value
|
3260
|
+
# is present only when the KMS key is scheduled for deletion, that is,
|
3261
|
+
# when its `KeyState` is `PendingDeletion`.
|
3262
|
+
#
|
3263
|
+
# When the primary key in a multi-Region key is scheduled for deletion
|
3264
|
+
# but still has replica keys, its key state is
|
3265
|
+
# `PendingReplicaDeletion` and the length of its waiting period is
|
3266
|
+
# displayed in the `PendingDeletionWindowInDays` field.
|
3120
3267
|
# @return [Time]
|
3121
3268
|
#
|
3122
3269
|
# @!attribute [rw] valid_to
|
3123
3270
|
# The time at which the imported key material expires. When the key
|
3124
|
-
# material expires,
|
3125
|
-
# becomes unusable. This value is present only for
|
3126
|
-
# is `EXTERNAL` and whose `ExpirationModel` is
|
3127
|
-
# otherwise this value is omitted.
|
3271
|
+
# material expires, KMS deletes the key material and the KMS key
|
3272
|
+
# becomes unusable. This value is present only for KMS keys whose
|
3273
|
+
# `Origin` is `EXTERNAL` and whose `ExpirationModel` is
|
3274
|
+
# `KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
|
3128
3275
|
# @return [Time]
|
3129
3276
|
#
|
3130
3277
|
# @!attribute [rw] origin
|
3131
|
-
# The source of the
|
3132
|
-
#
|
3133
|
-
# key material was imported
|
3134
|
-
#
|
3135
|
-
#
|
3136
|
-
#
|
3278
|
+
# The source of the key material for the KMS key. When this value is
|
3279
|
+
# `AWS_KMS`, KMS created the key material. When this value is
|
3280
|
+
# `EXTERNAL`, the key material was imported or the KMS key doesn't
|
3281
|
+
# have any key material. When this value is `AWS_CLOUDHSM`, the key
|
3282
|
+
# material was created in the CloudHSM cluster associated with a
|
3283
|
+
# custom key store.
|
3137
3284
|
# @return [String]
|
3138
3285
|
#
|
3139
3286
|
# @!attribute [rw] custom_key_store_id
|
3140
3287
|
# A unique identifier for the [custom key store][1] that contains the
|
3141
|
-
#
|
3142
|
-
# key store.
|
3288
|
+
# KMS key. This value is present only when the KMS key is created in a
|
3289
|
+
# custom key store.
|
3143
3290
|
#
|
3144
3291
|
#
|
3145
3292
|
#
|
@@ -3147,11 +3294,11 @@ module Aws::KMS
|
|
3147
3294
|
# @return [String]
|
3148
3295
|
#
|
3149
3296
|
# @!attribute [rw] cloud_hsm_cluster_id
|
3150
|
-
# The cluster ID of the
|
3151
|
-
# material for the
|
3152
|
-
# store][1],
|
3153
|
-
# associated
|
3154
|
-
#
|
3297
|
+
# The cluster ID of the CloudHSM cluster that contains the key
|
3298
|
+
# material for the KMS key. When you create a KMS key in a [custom key
|
3299
|
+
# store][1], KMS creates the key material for the KMS key in the
|
3300
|
+
# associated CloudHSM cluster. This value is present only when the KMS
|
3301
|
+
# key is created in a custom key store.
|
3155
3302
|
#
|
3156
3303
|
#
|
3157
3304
|
#
|
@@ -3159,42 +3306,102 @@ module Aws::KMS
|
|
3159
3306
|
# @return [String]
|
3160
3307
|
#
|
3161
3308
|
# @!attribute [rw] expiration_model
|
3162
|
-
# Specifies whether the
|
3309
|
+
# Specifies whether the KMS key's key material expires. This value is
|
3163
3310
|
# present only when `Origin` is `EXTERNAL`, otherwise this value is
|
3164
3311
|
# omitted.
|
3165
3312
|
# @return [String]
|
3166
3313
|
#
|
3167
3314
|
# @!attribute [rw] key_manager
|
3168
|
-
# The manager of the
|
3169
|
-
#
|
3170
|
-
# see [
|
3171
|
-
# Developer Guide*.
|
3315
|
+
# The manager of the KMS key. KMS keys in your Amazon Web Services
|
3316
|
+
# account are either customer managed or Amazon Web Services managed.
|
3317
|
+
# For more information about the difference, see [KMS keys][1] in the
|
3318
|
+
# *Key Management Service Developer Guide*.
|
3172
3319
|
#
|
3173
3320
|
#
|
3174
3321
|
#
|
3175
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
3322
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys
|
3176
3323
|
# @return [String]
|
3177
3324
|
#
|
3178
3325
|
# @!attribute [rw] customer_master_key_spec
|
3179
|
-
#
|
3326
|
+
# Instead, use the `KeySpec` field.
|
3327
|
+
#
|
3328
|
+
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
3329
|
+
# value. We recommend that you use the `KeySpec` field in your code.
|
3330
|
+
# However, to avoid breaking changes, KMS will support both fields.
|
3331
|
+
# @return [String]
|
3332
|
+
#
|
3333
|
+
# @!attribute [rw] key_spec
|
3334
|
+
# Describes the type of key material in the KMS key.
|
3180
3335
|
# @return [String]
|
3181
3336
|
#
|
3182
3337
|
# @!attribute [rw] encryption_algorithms
|
3183
|
-
# The encryption algorithms that the
|
3184
|
-
#
|
3338
|
+
# The encryption algorithms that the KMS key supports. You cannot use
|
3339
|
+
# the KMS key with other encryption algorithms within KMS.
|
3185
3340
|
#
|
3186
|
-
# This
|
3341
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
3187
3342
|
# `ENCRYPT_DECRYPT`.
|
3188
3343
|
# @return [Array<String>]
|
3189
3344
|
#
|
3190
3345
|
# @!attribute [rw] signing_algorithms
|
3191
|
-
# The signing algorithms that the
|
3192
|
-
# with other signing algorithms within
|
3346
|
+
# The signing algorithms that the KMS key supports. You cannot use the
|
3347
|
+
# KMS key with other signing algorithms within KMS.
|
3193
3348
|
#
|
3194
|
-
# This field appears only when the `KeyUsage` of the
|
3349
|
+
# This field appears only when the `KeyUsage` of the KMS key is
|
3195
3350
|
# `SIGN_VERIFY`.
|
3196
3351
|
# @return [Array<String>]
|
3197
3352
|
#
|
3353
|
+
# @!attribute [rw] multi_region
|
3354
|
+
# Indicates whether the KMS key is a multi-Region (`True`) or regional
|
3355
|
+
# (`False`) key. This value is `True` for multi-Region primary and
|
3356
|
+
# replica keys and `False` for regional KMS keys.
|
3357
|
+
#
|
3358
|
+
# For more information about multi-Region keys, see [Using
|
3359
|
+
# multi-Region keys][1] in the *Key Management Service Developer
|
3360
|
+
# Guide*.
|
3361
|
+
#
|
3362
|
+
#
|
3363
|
+
#
|
3364
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
3365
|
+
# @return [Boolean]
|
3366
|
+
#
|
3367
|
+
# @!attribute [rw] multi_region_configuration
|
3368
|
+
# Lists the primary and replica keys in same multi-Region key. This
|
3369
|
+
# field is present only when the value of the `MultiRegion` field is
|
3370
|
+
# `True`.
|
3371
|
+
#
|
3372
|
+
# For more information about any listed KMS key, use the DescribeKey
|
3373
|
+
# operation.
|
3374
|
+
#
|
3375
|
+
# * `MultiRegionKeyType` indicates whether the KMS key is a `PRIMARY`
|
3376
|
+
# or `REPLICA` key.
|
3377
|
+
#
|
3378
|
+
# * `PrimaryKey` displays the key ARN and Region of the primary key.
|
3379
|
+
# This field displays the current KMS key if it is the primary key.
|
3380
|
+
#
|
3381
|
+
# * `ReplicaKeys` displays the key ARNs and Regions of all replica
|
3382
|
+
# keys. This field includes the current KMS key if it is a replica
|
3383
|
+
# key.
|
3384
|
+
# @return [Types::MultiRegionConfiguration]
|
3385
|
+
#
|
3386
|
+
# @!attribute [rw] pending_deletion_window_in_days
|
3387
|
+
# The waiting period before the primary key in a multi-Region key is
|
3388
|
+
# deleted. This waiting period begins when the last of its replica
|
3389
|
+
# keys is deleted. This value is present only when the `KeyState` of
|
3390
|
+
# the KMS key is `PendingReplicaDeletion`. That indicates that the KMS
|
3391
|
+
# key is the primary key in a multi-Region key, it is scheduled for
|
3392
|
+
# deletion, and it still has existing replica keys.
|
3393
|
+
#
|
3394
|
+
# When a single-Region KMS key or a multi-Region replica key is
|
3395
|
+
# scheduled for deletion, its deletion date is displayed in the
|
3396
|
+
# `DeletionDate` field. However, when the primary key in a
|
3397
|
+
# multi-Region key is scheduled for deletion, its waiting period
|
3398
|
+
# doesn't begin until all of its replica keys are deleted. This value
|
3399
|
+
# displays that waiting period. When the last replica key in the
|
3400
|
+
# multi-Region key is deleted, the `KeyState` of the scheduled primary
|
3401
|
+
# key changes from `PendingReplicaDeletion` to `PendingDeletion` and
|
3402
|
+
# the deletion date appears in the `DeletionDate` field.
|
3403
|
+
# @return [Integer]
|
3404
|
+
#
|
3198
3405
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
3199
3406
|
#
|
3200
3407
|
class KeyMetadata < Struct.new(
|
@@ -3214,14 +3421,18 @@ module Aws::KMS
|
|
3214
3421
|
:expiration_model,
|
3215
3422
|
:key_manager,
|
3216
3423
|
:customer_master_key_spec,
|
3424
|
+
:key_spec,
|
3217
3425
|
:encryption_algorithms,
|
3218
|
-
:signing_algorithms
|
3426
|
+
:signing_algorithms,
|
3427
|
+
:multi_region,
|
3428
|
+
:multi_region_configuration,
|
3429
|
+
:pending_deletion_window_in_days)
|
3219
3430
|
SENSITIVE = []
|
3220
3431
|
include Aws::Structure
|
3221
3432
|
end
|
3222
3433
|
|
3223
|
-
# The request was rejected because the specified
|
3224
|
-
# You can retry the request.
|
3434
|
+
# The request was rejected because the specified KMS key was not
|
3435
|
+
# available. You can retry the request.
|
3225
3436
|
#
|
3226
3437
|
# @!attribute [rw] message
|
3227
3438
|
# @return [String]
|
@@ -3235,8 +3446,8 @@ module Aws::KMS
|
|
3235
3446
|
end
|
3236
3447
|
|
3237
3448
|
# The request was rejected because a quota was exceeded. For more
|
3238
|
-
# information, see [Quotas][1] in the *
|
3239
|
-
#
|
3449
|
+
# information, see [Quotas][1] in the *Key Management Service Developer
|
3450
|
+
# Guide*.
|
3240
3451
|
#
|
3241
3452
|
#
|
3242
3453
|
#
|
@@ -3263,13 +3474,13 @@ module Aws::KMS
|
|
3263
3474
|
# }
|
3264
3475
|
#
|
3265
3476
|
# @!attribute [rw] key_id
|
3266
|
-
# Lists only aliases that are associated with the specified
|
3267
|
-
# a
|
3477
|
+
# Lists only aliases that are associated with the specified KMS key.
|
3478
|
+
# Enter a KMS key in your Amazon Web Services account.
|
3268
3479
|
#
|
3269
3480
|
# This parameter is optional. If you omit it, `ListAliases` returns
|
3270
3481
|
# all aliases in the account and Region.
|
3271
3482
|
#
|
3272
|
-
# Specify the key ID or
|
3483
|
+
# Specify the key ID or key ARN of the KMS key.
|
3273
3484
|
#
|
3274
3485
|
# For example:
|
3275
3486
|
#
|
@@ -3278,13 +3489,13 @@ module Aws::KMS
|
|
3278
3489
|
# * Key ARN:
|
3279
3490
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3280
3491
|
#
|
3281
|
-
# To get the key ID and key ARN for a
|
3492
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3282
3493
|
# DescribeKey.
|
3283
3494
|
# @return [String]
|
3284
3495
|
#
|
3285
3496
|
# @!attribute [rw] limit
|
3286
3497
|
# Use this parameter to specify the maximum number of items to return.
|
3287
|
-
# When this value is present,
|
3498
|
+
# When this value is present, KMS does not return more than the
|
3288
3499
|
# specified number of items, but it might return fewer.
|
3289
3500
|
#
|
3290
3501
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3347,7 +3558,7 @@ module Aws::KMS
|
|
3347
3558
|
#
|
3348
3559
|
# @!attribute [rw] limit
|
3349
3560
|
# Use this parameter to specify the maximum number of items to return.
|
3350
|
-
# When this value is present,
|
3561
|
+
# When this value is present, KMS does not return more than the
|
3351
3562
|
# specified number of items, but it might return fewer.
|
3352
3563
|
#
|
3353
3564
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3362,11 +3573,12 @@ module Aws::KMS
|
|
3362
3573
|
# @return [String]
|
3363
3574
|
#
|
3364
3575
|
# @!attribute [rw] key_id
|
3365
|
-
# Returns only grants for the specified
|
3366
|
-
#
|
3576
|
+
# Returns only grants for the specified KMS key. This parameter is
|
3577
|
+
# required.
|
3367
3578
|
#
|
3368
|
-
# Specify the key ID or
|
3369
|
-
#
|
3579
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
3580
|
+
# in a different Amazon Web Services account, you must use the key
|
3581
|
+
# ARN.
|
3370
3582
|
#
|
3371
3583
|
# For example:
|
3372
3584
|
#
|
@@ -3375,7 +3587,7 @@ module Aws::KMS
|
|
3375
3587
|
# * Key ARN:
|
3376
3588
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3377
3589
|
#
|
3378
|
-
# To get the key ID and key ARN for a
|
3590
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3379
3591
|
# DescribeKey.
|
3380
3592
|
# @return [String]
|
3381
3593
|
#
|
@@ -3437,9 +3649,9 @@ module Aws::KMS
|
|
3437
3649
|
# }
|
3438
3650
|
#
|
3439
3651
|
# @!attribute [rw] key_id
|
3440
|
-
#
|
3652
|
+
# Gets the names of key policies for the specified KMS key.
|
3441
3653
|
#
|
3442
|
-
# Specify the key ID or
|
3654
|
+
# Specify the key ID or key ARN of the KMS key.
|
3443
3655
|
#
|
3444
3656
|
# For example:
|
3445
3657
|
#
|
@@ -3448,13 +3660,13 @@ module Aws::KMS
|
|
3448
3660
|
# * Key ARN:
|
3449
3661
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3450
3662
|
#
|
3451
|
-
# To get the key ID and key ARN for a
|
3663
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3452
3664
|
# DescribeKey.
|
3453
3665
|
# @return [String]
|
3454
3666
|
#
|
3455
3667
|
# @!attribute [rw] limit
|
3456
3668
|
# Use this parameter to specify the maximum number of items to return.
|
3457
|
-
# When this value is present,
|
3669
|
+
# When this value is present, KMS does not return more than the
|
3458
3670
|
# specified number of items, but it might return fewer.
|
3459
3671
|
#
|
3460
3672
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3516,7 +3728,7 @@ module Aws::KMS
|
|
3516
3728
|
#
|
3517
3729
|
# @!attribute [rw] limit
|
3518
3730
|
# Use this parameter to specify the maximum number of items to return.
|
3519
|
-
# When this value is present,
|
3731
|
+
# When this value is present, KMS does not return more than the
|
3520
3732
|
# specified number of items, but it might return fewer.
|
3521
3733
|
#
|
3522
3734
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3540,7 +3752,7 @@ module Aws::KMS
|
|
3540
3752
|
end
|
3541
3753
|
|
3542
3754
|
# @!attribute [rw] keys
|
3543
|
-
# A list of
|
3755
|
+
# A list of KMS keys.
|
3544
3756
|
# @return [Array<Types::KeyListEntry>]
|
3545
3757
|
#
|
3546
3758
|
# @!attribute [rw] next_marker
|
@@ -3575,9 +3787,9 @@ module Aws::KMS
|
|
3575
3787
|
# }
|
3576
3788
|
#
|
3577
3789
|
# @!attribute [rw] key_id
|
3578
|
-
#
|
3790
|
+
# Gets tags on the specified KMS key.
|
3579
3791
|
#
|
3580
|
-
# Specify the key ID or
|
3792
|
+
# Specify the key ID or key ARN of the KMS key.
|
3581
3793
|
#
|
3582
3794
|
# For example:
|
3583
3795
|
#
|
@@ -3586,13 +3798,13 @@ module Aws::KMS
|
|
3586
3798
|
# * Key ARN:
|
3587
3799
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3588
3800
|
#
|
3589
|
-
# To get the key ID and key ARN for a
|
3801
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3590
3802
|
# DescribeKey.
|
3591
3803
|
# @return [String]
|
3592
3804
|
#
|
3593
3805
|
# @!attribute [rw] limit
|
3594
3806
|
# Use this parameter to specify the maximum number of items to return.
|
3595
|
-
# When this value is present,
|
3807
|
+
# When this value is present, KMS does not return more than the
|
3596
3808
|
# specified number of items, but it might return fewer.
|
3597
3809
|
#
|
3598
3810
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3620,6 +3832,16 @@ module Aws::KMS
|
|
3620
3832
|
|
3621
3833
|
# @!attribute [rw] tags
|
3622
3834
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
3835
|
+
#
|
3836
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
3837
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
3838
|
+
# Management Service Developer Guide*.
|
3839
|
+
#
|
3840
|
+
# </note>
|
3841
|
+
#
|
3842
|
+
#
|
3843
|
+
#
|
3844
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
3623
3845
|
# @return [Array<Types::Tag>]
|
3624
3846
|
#
|
3625
3847
|
# @!attribute [rw] next_marker
|
@@ -3657,7 +3879,7 @@ module Aws::KMS
|
|
3657
3879
|
#
|
3658
3880
|
# @!attribute [rw] limit
|
3659
3881
|
# Use this parameter to specify the maximum number of items to return.
|
3660
|
-
# When this value is present,
|
3882
|
+
# When this value is present, KMS does not return more than the
|
3661
3883
|
# specified number of items, but it might return fewer.
|
3662
3884
|
#
|
3663
3885
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3673,12 +3895,13 @@ module Aws::KMS
|
|
3673
3895
|
#
|
3674
3896
|
# @!attribute [rw] retiring_principal
|
3675
3897
|
# The retiring principal for which to list grants. Enter a principal
|
3676
|
-
# in your
|
3898
|
+
# in your Amazon Web Services account.
|
3677
3899
|
#
|
3678
3900
|
# To specify the retiring principal, use the [Amazon Resource Name
|
3679
|
-
# (ARN)][1] of an
|
3680
|
-
# accounts (root), IAM
|
3681
|
-
#
|
3901
|
+
# (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
|
3902
|
+
# Services principals include Amazon Web Services accounts (root), IAM
|
3903
|
+
# users, federated users, and assumed role users. For examples of the
|
3904
|
+
# ARN syntax for specifying a principal, see [Amazon Web Services
|
3682
3905
|
# Identity and Access Management (IAM)][2] in the Example ARNs section
|
3683
3906
|
# of the *Amazon Web Services General Reference*.
|
3684
3907
|
#
|
@@ -3712,6 +3935,58 @@ module Aws::KMS
|
|
3712
3935
|
include Aws::Structure
|
3713
3936
|
end
|
3714
3937
|
|
3938
|
+
# Describes the configuration of this multi-Region key. This field
|
3939
|
+
# appears only when the KMS key is a primary or replica of a
|
3940
|
+
# multi-Region key.
|
3941
|
+
#
|
3942
|
+
# For more information about any listed KMS key, use the DescribeKey
|
3943
|
+
# operation.
|
3944
|
+
#
|
3945
|
+
# @!attribute [rw] multi_region_key_type
|
3946
|
+
# Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.
|
3947
|
+
# @return [String]
|
3948
|
+
#
|
3949
|
+
# @!attribute [rw] primary_key
|
3950
|
+
# Displays the key ARN and Region of the primary key. This field
|
3951
|
+
# includes the current KMS key if it is the primary key.
|
3952
|
+
# @return [Types::MultiRegionKey]
|
3953
|
+
#
|
3954
|
+
# @!attribute [rw] replica_keys
|
3955
|
+
# displays the key ARNs and Regions of all replica keys. This field
|
3956
|
+
# includes the current KMS key if it is a replica key.
|
3957
|
+
# @return [Array<Types::MultiRegionKey>]
|
3958
|
+
#
|
3959
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
|
3960
|
+
#
|
3961
|
+
class MultiRegionConfiguration < Struct.new(
|
3962
|
+
:multi_region_key_type,
|
3963
|
+
:primary_key,
|
3964
|
+
:replica_keys)
|
3965
|
+
SENSITIVE = []
|
3966
|
+
include Aws::Structure
|
3967
|
+
end
|
3968
|
+
|
3969
|
+
# Describes the primary or replica key in a multi-Region key.
|
3970
|
+
#
|
3971
|
+
# @!attribute [rw] arn
|
3972
|
+
# Displays the key ARN of a primary or replica key of a multi-Region
|
3973
|
+
# key.
|
3974
|
+
# @return [String]
|
3975
|
+
#
|
3976
|
+
# @!attribute [rw] region
|
3977
|
+
# Displays the Amazon Web Services Region of a primary or replica key
|
3978
|
+
# in a multi-Region key.
|
3979
|
+
# @return [String]
|
3980
|
+
#
|
3981
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
|
3982
|
+
#
|
3983
|
+
class MultiRegionKey < Struct.new(
|
3984
|
+
:arn,
|
3985
|
+
:region)
|
3986
|
+
SENSITIVE = []
|
3987
|
+
include Aws::Structure
|
3988
|
+
end
|
3989
|
+
|
3715
3990
|
# The request was rejected because the specified entity or resource
|
3716
3991
|
# could not be found.
|
3717
3992
|
#
|
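Review bot: `SENSITIVE = []` in the new `MultiRegionConfiguration` and `MultiRegionKey` structs is a mutable constant; `SENSITIVE = [].freeze` would keep the list from being altered at runtime. The list presumably decides which members are redacted when a struct is printed, which should be confirmed against `Aws::Structure`. The same line appears in `ReplicateKeyRequest` and `ReplicateKeyResponse` in the later `@@ -4033,6 +4314,222 @@` hunk. If the rest of the file writes the constant the same way, this is a file-wide convention and would have to change at its source rather than here. Separately, the `replica_keys` description starts in lower case (`# displays the key ARNs …`) while `primary_key` uses `Displays`.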
@@ -3737,9 +4012,9 @@ module Aws::KMS
|
|
3737
4012
|
# }
|
3738
4013
|
#
|
3739
4014
|
# @!attribute [rw] key_id
|
3740
|
-
#
|
4015
|
+
# Sets the key policy on the specified KMS key.
|
3741
4016
|
#
|
3742
|
-
# Specify the key ID or
|
4017
|
+
# Specify the key ID or key ARN of the KMS key.
|
3743
4018
|
#
|
3744
4019
|
# For example:
|
3745
4020
|
#
|
@@ -3748,7 +4023,7 @@ module Aws::KMS
|
|
3748
4023
|
# * Key ARN:
|
3749
4024
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3750
4025
|
#
|
3751
|
-
# To get the key ID and key ARN for a
|
4026
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3752
4027
|
# DescribeKey.
|
3753
4028
|
# @return [String]
|
3754
4029
|
#
|
@@ -3757,31 +4032,31 @@ module Aws::KMS
|
|
3757
4032
|
# @return [String]
|
3758
4033
|
#
|
3759
4034
|
# @!attribute [rw] policy
|
3760
|
-
# The key policy to attach to the
|
4035
|
+
# The key policy to attach to the KMS key.
|
3761
4036
|
#
|
3762
4037
|
# The key policy must meet the following criteria:
|
3763
4038
|
#
|
3764
4039
|
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
3765
4040
|
# key policy must allow the principal that is making the
|
3766
4041
|
# `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
|
3767
|
-
# on the
|
4042
|
+
# on the KMS key. This reduces the risk that the KMS key becomes
|
3768
4043
|
# unmanageable. For more information, refer to the scenario in the
|
3769
|
-
# [Default Key Policy][1] section of the *
|
4044
|
+
# [Default Key Policy][1] section of the *Key Management Service
|
3770
4045
|
# Developer Guide*.
|
3771
4046
|
#
|
3772
4047
|
# * Each statement in the key policy must contain one or more
|
3773
4048
|
# principals. The principals in the key policy must exist and be
|
3774
|
-
# visible to
|
3775
|
-
# example, an IAM user or role), you might need to
|
3776
|
-
# before including the new principal in a key policy
|
3777
|
-
# principal might not be immediately visible to
|
3778
|
-
# information, see [Changes that I make are not always
|
3779
|
-
# visible][2] in the *
|
3780
|
-
# Guide*.
|
4049
|
+
# visible to KMS. When you create a new Amazon Web Services
|
4050
|
+
# principal (for example, an IAM user or role), you might need to
|
4051
|
+
# enforce a delay before including the new principal in a key policy
|
4052
|
+
# because the new principal might not be immediately visible to KMS.
|
4053
|
+
# For more information, see [Changes that I make are not always
|
4054
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
4055
|
+
# Access Management User Guide*.
|
3781
4056
|
#
|
3782
4057
|
# The key policy cannot exceed 32 kilobytes (32768 bytes). For more
|
3783
|
-
# information, see [Resource Quotas][3] in the *
|
3784
|
-
#
|
4058
|
+
# information, see [Resource Quotas][3] in the *Key Management Service
|
4059
|
+
# Developer Guide*.
|
3785
4060
|
#
|
3786
4061
|
#
|
3787
4062
|
#
|
@@ -3794,16 +4069,16 @@ module Aws::KMS
|
|
3794
4069
|
# A flag to indicate whether to bypass the key policy lockout safety
|
3795
4070
|
# check.
|
3796
4071
|
#
|
3797
|
-
# Setting this value to true increases the risk that the
|
3798
|
-
# unmanageable. Do not set this value to true
|
4072
|
+
# Setting this value to true increases the risk that the KMS key
|
4073
|
+
# becomes unmanageable. Do not set this value to true
|
4074
|
+
# indiscriminately.
|
3799
4075
|
#
|
3800
4076
|
# For more information, refer to the scenario in the [Default Key
|
3801
|
-
# Policy][1] section in the *
|
3802
|
-
# Guide*.
|
4077
|
+
# Policy][1] section in the *Key Management Service Developer Guide*.
|
3803
4078
|
#
|
3804
4079
|
# Use this parameter only when you intend to prevent the principal
|
3805
4080
|
# that is making the request from making a subsequent `PutKeyPolicy`
|
3806
|
-
# request on the
|
4081
|
+
# request on the KMS key.
|
3807
4082
|
#
|
3808
4083
|
# The default value is false.
|
3809
4084
|
#
|
@@ -3855,9 +4130,9 @@ module Aws::KMS
|
|
3855
4130
|
# encryption context to encrypt data, you must specify the same (an
|
3856
4131
|
# exact case-sensitive match) encryption context to decrypt the data.
|
3857
4132
|
# An encryption context is optional when encrypting with a symmetric
|
3858
|
-
#
|
4133
|
+
# KMS key, but it is highly recommended.
|
3859
4134
|
#
|
3860
|
-
# For more information, see [Encryption Context][1] in the *
|
4135
|
+
# For more information, see [Encryption Context][1] in the *Key
|
3861
4136
|
# Management Service Developer Guide*.
|
3862
4137
|
#
|
3863
4138
|
#
|
@@ -3866,20 +4141,21 @@ module Aws::KMS
|
|
3866
4141
|
# @return [Hash<String,String>]
|
3867
4142
|
#
|
3868
4143
|
# @!attribute [rw] source_key_id
|
3869
|
-
# Specifies the
|
3870
|
-
#
|
3871
|
-
#
|
4144
|
+
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
4145
|
+
# before it is re-encrypted. Enter a key ID of the KMS key that was
|
4146
|
+
# used to encrypt the ciphertext.
|
3872
4147
|
#
|
3873
4148
|
# This parameter is required only when the ciphertext was encrypted
|
3874
|
-
# under an asymmetric
|
3875
|
-
# get the
|
3876
|
-
# blob. However, it is always recommended as a best
|
3877
|
-
# practice ensures that you use the
|
4149
|
+
# under an asymmetric KMS key. If you used a symmetric KMS key, KMS
|
4150
|
+
# can get the KMS key from metadata that it adds to the symmetric
|
4151
|
+
# ciphertext blob. However, it is always recommended as a best
|
4152
|
+
# practice. This practice ensures that you use the KMS key that you
|
4153
|
+
# intend.
|
3878
4154
|
#
|
3879
|
-
# To specify a
|
3880
|
-
#
|
3881
|
-
#
|
3882
|
-
#
|
4155
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4156
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4157
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4158
|
+
# the key ARN or alias ARN.
|
3883
4159
|
#
|
3884
4160
|
# For example:
|
3885
4161
|
#
|
@@ -3892,20 +4168,20 @@ module Aws::KMS
|
|
3892
4168
|
#
|
3893
4169
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
3894
4170
|
#
|
3895
|
-
# To get the key ID and key ARN for a
|
4171
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3896
4172
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
3897
4173
|
# @return [String]
|
3898
4174
|
#
|
3899
4175
|
# @!attribute [rw] destination_key_id
|
3900
|
-
# A unique identifier for the
|
3901
|
-
# Specify a symmetric or asymmetric
|
3902
|
-
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a
|
3903
|
-
# DescribeKey operation.
|
4176
|
+
# A unique identifier for the KMS key that is used to reencrypt the
|
4177
|
+
# data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
|
4178
|
+
# value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
|
4179
|
+
# key, use the DescribeKey operation.
|
3904
4180
|
#
|
3905
|
-
# To specify a
|
3906
|
-
#
|
3907
|
-
#
|
3908
|
-
#
|
4181
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4182
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4183
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4184
|
+
# the key ARN or alias ARN.
|
3909
4185
|
#
|
3910
4186
|
# For example:
|
3911
4187
|
#
|
@@ -3918,7 +4194,7 @@ module Aws::KMS
|
|
3918
4194
|
#
|
3919
4195
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
3920
4196
|
#
|
3921
|
-
# To get the key ID and key ARN for a
|
4197
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3922
4198
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
3923
4199
|
# @return [String]
|
3924
4200
|
#
|
@@ -3927,17 +4203,17 @@ module Aws::KMS
|
|
3927
4203
|
# data.
|
3928
4204
|
#
|
3929
4205
|
# A destination encryption context is valid only when the destination
|
3930
|
-
#
|
3931
|
-
# asymmetric
|
4206
|
+
# KMS key is a symmetric KMS key. The standard ciphertext format for
|
4207
|
+
# asymmetric KMS keys does not include fields for metadata.
|
3932
4208
|
#
|
3933
4209
|
# An *encryption context* is a collection of non-secret key-value
|
3934
4210
|
# pairs that represents additional authenticated data. When you use an
|
3935
4211
|
# encryption context to encrypt data, you must specify the same (an
|
3936
4212
|
# exact case-sensitive match) encryption context to decrypt the data.
|
3937
4213
|
# An encryption context is optional when encrypting with a symmetric
|
3938
|
-
#
|
4214
|
+
# KMS key, but it is highly recommended.
|
3939
4215
|
#
|
3940
|
-
# For more information, see [Encryption Context][1] in the *
|
4216
|
+
# For more information, see [Encryption Context][1] in the *Key
|
3941
4217
|
# Management Service Developer Guide*.
|
3942
4218
|
#
|
3943
4219
|
#
|
@@ -3946,37 +4222,40 @@ module Aws::KMS
|
|
3946
4222
|
# @return [Hash<String,String>]
|
3947
4223
|
#
|
3948
4224
|
# @!attribute [rw] source_encryption_algorithm
|
3949
|
-
# Specifies the encryption algorithm that
|
3950
|
-
#
|
3951
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
3952
|
-
#
|
4225
|
+
# Specifies the encryption algorithm that KMS will use to decrypt the
|
4226
|
+
# ciphertext before it is reencrypted. The default value,
|
4227
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
|
4228
|
+
# keys.
|
3953
4229
|
#
|
3954
4230
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
3955
4231
|
# If you specify a different algorithm, the decrypt attempt fails.
|
3956
4232
|
#
|
3957
4233
|
# This parameter is required only when the ciphertext was encrypted
|
3958
|
-
# under an asymmetric
|
4234
|
+
# under an asymmetric KMS key.
|
3959
4235
|
# @return [String]
|
3960
4236
|
#
|
3961
4237
|
# @!attribute [rw] destination_encryption_algorithm
|
3962
|
-
# Specifies the encryption algorithm that
|
3963
|
-
#
|
4238
|
+
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
4239
|
+
# data after it has decrypted it. The default value,
|
3964
4240
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
3965
|
-
# symmetric
|
4241
|
+
# symmetric KMS keys.
|
3966
4242
|
#
|
3967
|
-
# This parameter is required only when the destination
|
3968
|
-
# asymmetric
|
4243
|
+
# This parameter is required only when the destination KMS key is an
|
4244
|
+
# asymmetric KMS key.
|
3969
4245
|
# @return [String]
|
3970
4246
|
#
|
3971
4247
|
# @!attribute [rw] grant_tokens
|
3972
4248
|
# A list of grant tokens.
|
3973
4249
|
#
|
3974
|
-
#
|
3975
|
-
#
|
4250
|
+
# Use a grant token when your permission to call this operation comes
|
4251
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
4252
|
+
# For more information, see [Grant token][1] and [Using a grant
|
4253
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
3976
4254
|
#
|
3977
4255
|
#
|
3978
4256
|
#
|
3979
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4257
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4258
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
3980
4259
|
# @return [Array<String>]
|
3981
4260
|
#
|
3982
4261
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
|
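Review bot: The new `destination_encryption_algorithm` description misspells the verb: `# Specifies the encryption algorithm that KMS will use to reecrypt the` should read `reencrypt`. The same hunk writes `reencrypted` for `source_encryption_algorithm`, and the `source_key_id` text in the `@@ -3866,20 +4141,21 @@` hunk writes `re-encrypted`; one spelling throughout would make the ReEncrypt documentation easier to search. The class these comments document is defined outside the hunk.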
@@ -3995,17 +4274,19 @@ module Aws::KMS
|
|
3995
4274
|
end
|
3996
4275
|
|
3997
4276
|
# @!attribute [rw] ciphertext_blob
|
3998
|
-
# The reencrypted data. When you use the HTTP API or the
|
3999
|
-
# value is Base64-encoded. Otherwise, it is not
|
4277
|
+
# The reencrypted data. When you use the HTTP API or the Amazon Web
|
4278
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
4279
|
+
# Base64-encoded.
|
4000
4280
|
# @return [String]
|
4001
4281
|
#
|
4002
4282
|
# @!attribute [rw] source_key_id
|
4003
|
-
# Unique identifier of the
|
4283
|
+
# Unique identifier of the KMS key used to originally encrypt the
|
4284
|
+
# data.
|
4004
4285
|
# @return [String]
|
4005
4286
|
#
|
4006
4287
|
# @!attribute [rw] key_id
|
4007
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
4008
|
-
# reencrypt the data.
|
4288
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
4289
|
+
# to reencrypt the data.
|
4009
4290
|
#
|
4010
4291
|
#
|
4011
4292
|
#
|
@@ -4033,6 +4314,222 @@ module Aws::KMS
|
|
4033
4314
|
include Aws::Structure
|
4034
4315
|
end
|
4035
4316
|
|
4317
|
+
# @note When making an API call, you may pass ReplicateKeyRequest
|
4318
|
+
# data as a hash:
|
4319
|
+
#
|
4320
|
+
# {
|
4321
|
+
# key_id: "KeyIdType", # required
|
4322
|
+
# replica_region: "RegionType", # required
|
4323
|
+
# policy: "PolicyType",
|
4324
|
+
# bypass_policy_lockout_safety_check: false,
|
4325
|
+
# description: "DescriptionType",
|
4326
|
+
# tags: [
|
4327
|
+
# {
|
4328
|
+
# tag_key: "TagKeyType", # required
|
4329
|
+
# tag_value: "TagValueType", # required
|
4330
|
+
# },
|
4331
|
+
# ],
|
4332
|
+
# }
|
4333
|
+
#
|
4334
|
+
# @!attribute [rw] key_id
|
4335
|
+
# Identifies the multi-Region primary key that is being replicated. To
|
4336
|
+
# determine whether a KMS key is a multi-Region primary key, use the
|
4337
|
+
# DescribeKey operation to check the value of the `MultiRegionKeyType`
|
4338
|
+
# property.
|
4339
|
+
#
|
4340
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
4341
|
+
#
|
4342
|
+
# For example:
|
4343
|
+
#
|
4344
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
4345
|
+
#
|
4346
|
+
# * Key ARN:
|
4347
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
4348
|
+
#
|
4349
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4350
|
+
# DescribeKey.
|
4351
|
+
# @return [String]
|
4352
|
+
#
|
4353
|
+
# @!attribute [rw] replica_region
|
4354
|
+
# The Region ID of the Amazon Web Services Region for this replica
|
4355
|
+
# key.
|
4356
|
+
#
|
4357
|
+
# Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
|
4358
|
+
# list of Amazon Web Services Regions in which KMS is supported, see
|
4359
|
+
# [KMS service endpoints][1] in the *Amazon Web Services General
|
4360
|
+
# Reference*.
|
4361
|
+
#
|
4362
|
+
# The replica must be in a different Amazon Web Services Region than
|
4363
|
+
# its primary key and other replicas of that primary key, but in the
|
4364
|
+
# same Amazon Web Services partition. KMS must be available in the
|
4365
|
+
# replica Region. If the Region is not enabled by default, the Amazon
|
4366
|
+
# Web Services account must be enabled in the Region.
|
4367
|
+
#
|
4368
|
+
# For information about Amazon Web Services partitions, see [Amazon
|
4369
|
+
# Resource Names (ARNs) in the *Amazon Web Services General
|
4370
|
+
# Reference*.][2] For information about enabling and disabling
|
4371
|
+
# Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
|
4372
|
+
# the *Amazon Web Services General Reference*.
|
4373
|
+
#
|
4374
|
+
#
|
4375
|
+
#
|
4376
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
4377
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
4378
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
4379
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
4380
|
+
# @return [String]
|
4381
|
+
#
|
4382
|
+
# @!attribute [rw] policy
|
4383
|
+
# The key policy to attach to the KMS key. This parameter is optional.
|
4384
|
+
# If you do not provide a key policy, KMS attaches the [default key
|
4385
|
+
# policy][1] to the KMS key.
|
4386
|
+
#
|
4387
|
+
# The key policy is not a shared property of multi-Region keys. You
|
4388
|
+
# can specify the same key policy or a different key policy for each
|
4389
|
+
# key in a set of related multi-Region keys. KMS does not synchronize
|
4390
|
+
# this property.
|
4391
|
+
#
|
4392
|
+
# If you provide a key policy, it must meet the following criteria:
|
4393
|
+
#
|
4394
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
4395
|
+
# key policy must give the caller `kms:PutKeyPolicy` permission on
|
4396
|
+
# the replica key. This reduces the risk that the KMS key becomes
|
4397
|
+
# unmanageable. For more information, refer to the scenario in the
|
4398
|
+
# [Default Key Policy][2] section of the <i> <i>Key Management
|
4399
|
+
# Service Developer Guide</i> </i>.
|
4400
|
+
#
|
4401
|
+
# * Each statement in the key policy must contain one or more
|
4402
|
+
# principals. The principals in the key policy must exist and be
|
4403
|
+
# visible to KMS. When you create a new Amazon Web Services
|
4404
|
+
# principal (for example, an IAM user or role), you might need to
|
4405
|
+
# enforce a delay before including the new principal in a key policy
|
4406
|
+
# because the new principal might not be immediately visible to KMS.
|
4407
|
+
# For more information, see [Changes that I make are not always
|
4408
|
+
# immediately visible][3] in the <i> <i>Identity and Access
|
4409
|
+
# Management User Guide</i> </i>.
|
4410
|
+
#
|
4411
|
+
# * The key policy size quota is 32 kilobytes (32768 bytes).
|
4412
|
+
#
|
4413
|
+
#
|
4414
|
+
#
|
4415
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
4416
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
4417
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
4418
|
+
# @return [String]
|
4419
|
+
#
|
4420
|
+
# @!attribute [rw] bypass_policy_lockout_safety_check
|
4421
|
+
# A flag to indicate whether to bypass the key policy lockout safety
|
4422
|
+
# check.
|
4423
|
+
#
|
4424
|
+
# Setting this value to true increases the risk that the KMS key
|
4425
|
+
# becomes unmanageable. Do not set this value to true
|
4426
|
+
# indiscriminately.
|
4427
|
+
#
|
4428
|
+
# For more information, refer to the scenario in the [Default Key
|
4429
|
+
# Policy][1] section in the *Key Management Service Developer Guide*.
|
4430
|
+
#
|
4431
|
+
# Use this parameter only when you intend to prevent the principal
|
4432
|
+
# that is making the request from making a subsequent `PutKeyPolicy`
|
4433
|
+
# request on the KMS key.
|
4434
|
+
#
|
4435
|
+
# The default value is false.
|
4436
|
+
#
|
4437
|
+
#
|
4438
|
+
#
|
4439
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
4440
|
+
# @return [Boolean]
|
4441
|
+
#
|
4442
|
+
# @!attribute [rw] description
|
4443
|
+
# A description of the KMS key. The default value is an empty string
|
4444
|
+
# (no description).
|
4445
|
+
#
|
4446
|
+
# The description is not a shared property of multi-Region keys. You
|
4447
|
+
# can specify the same description or a different description for each
|
4448
|
+
# key in a set of related multi-Region keys. KMS does not synchronize
|
4449
|
+
# this property.
|
4450
|
+
# @return [String]
|
4451
|
+
#
|
4452
|
+
# @!attribute [rw] tags
|
4453
|
+
# Assigns one or more tags to the replica key. Use this parameter to
|
4454
|
+
# tag the KMS key when it is created. To tag an existing KMS key, use
|
4455
|
+
# the TagResource operation.
|
4456
|
+
#
|
4457
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4458
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
4459
|
+
# Management Service Developer Guide*.
|
4460
|
+
#
|
4461
|
+
# </note>
|
4462
|
+
#
|
4463
|
+
# To use this parameter, you must have [kms:TagResource][2] permission
|
4464
|
+
# in an IAM policy.
|
4465
|
+
#
|
4466
|
+
# Tags are not a shared property of multi-Region keys. You can specify
|
4467
|
+
# the same tags or different tags for each key in a set of related
|
4468
|
+
# multi-Region keys. KMS does not synchronize this property.
|
4469
|
+
#
|
4470
|
+
# Each tag consists of a tag key and a tag value. Both the tag key and
|
4471
|
+
# the tag value are required, but the tag value can be an empty (null)
|
4472
|
+
# string. You cannot have more than one tag on a KMS key with the same
|
4473
|
+
# tag key. If you specify an existing tag key with a different tag
|
4474
|
+
# value, KMS replaces the current tag value with the specified one.
|
4475
|
+
#
|
4476
|
+
# When you add tags to an Amazon Web Services resource, Amazon Web
|
4477
|
+
# Services generates a cost allocation report with usage and costs
|
4478
|
+
# aggregated by tags. Tags can also be used to control access to a KMS
|
4479
|
+
# key. For details, see [Tagging Keys][3].
|
4480
|
+
#
|
4481
|
+
#
|
4482
|
+
#
|
4483
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
|
4484
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
4485
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
4486
|
+
# @return [Array<Types::Tag>]
|
4487
|
+
#
|
4488
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation
|
4489
|
+
#
|
4490
|
+
class ReplicateKeyRequest < Struct.new(
|
4491
|
+
:key_id,
|
4492
|
+
:replica_region,
|
4493
|
+
:policy,
|
4494
|
+
:bypass_policy_lockout_safety_check,
|
4495
|
+
:description,
|
4496
|
+
:tags)
|
4497
|
+
SENSITIVE = []
|
4498
|
+
include Aws::Structure
|
4499
|
+
end
|
4500
|
+
|
4501
|
+
# @!attribute [rw] replica_key_metadata
|
4502
|
+
# Displays details about the new replica key, including its Amazon
|
4503
|
+
# Resource Name ([key ARN][1]) and [key state][2]. It also includes
|
4504
|
+
# the ARN and Amazon Web Services Region of its primary key and other
|
4505
|
+
# replica keys.
|
4506
|
+
#
|
4507
|
+
#
|
4508
|
+
#
|
4509
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
4510
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4511
|
+
# @return [Types::KeyMetadata]
|
4512
|
+
#
|
4513
|
+
# @!attribute [rw] replica_policy
|
4514
|
+
# The key policy of the new replica key. The value is a key policy
|
4515
|
+
# document in JSON format.
|
4516
|
+
# @return [String]
|
4517
|
+
#
|
4518
|
+
# @!attribute [rw] replica_tags
|
4519
|
+
# The tags on the new replica key. The value is a list of tag key and
|
4520
|
+
# tag value pairs.
|
4521
|
+
# @return [Array<Types::Tag>]
|
4522
|
+
#
|
4523
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyResponse AWS API Documentation
|
4524
|
+
#
|
4525
|
+
class ReplicateKeyResponse < Struct.new(
|
4526
|
+
:replica_key_metadata,
|
4527
|
+
:replica_policy,
|
4528
|
+
:replica_tags)
|
4529
|
+
SENSITIVE = []
|
4530
|
+
include Aws::Structure
|
4531
|
+
end
|
4532
|
+
|
4036
4533
|
# @note When making an API call, you may pass RetireGrantRequest
|
4037
4534
|
# data as a hash:
|
4038
4535
|
#
|
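Review bot: The `policy` description of `ReplicateKeyRequest` says that KMS attaches the default key policy when none is given and, a paragraph later, that the key policy is not synchronized across related multi-Region keys, but it never states the consequence a caller needs: a replica created without `policy` does not carry the primary key's policy. I would add one sentence after the first paragraph, `# The replica does not inherit the key policy of its primary key.`, so that a restrictive policy on the primary is not assumed to apply in the replica Region. The same applies to `tags`, which the hunk also documents as unsynchronized and as able to allow or deny permission to the key. There are also two markup slips in this comment block: the guide titles are wrapped in nested `<i> <i>…</i> </i>` where the parallel `PutKeyPolicy` text uses `*…*`, and the link text for `[2]` under `replica_region` swallows the emphasis and the sentence's full stop.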
@@ -4043,19 +4540,31 @@ module Aws::KMS
|
|
4043
4540
|
# }
|
4044
4541
|
#
|
4045
4542
|
# @!attribute [rw] grant_token
|
4046
|
-
#
|
4543
|
+
# Identifies the grant to be retired. You can use a grant token to
|
4544
|
+
# identify a new grant even before it has achieved eventual
|
4545
|
+
# consistency.
|
4546
|
+
#
|
4547
|
+
# Only the CreateGrant operation returns a grant token. For details,
|
4548
|
+
# see [Grant token][1] and [Eventual consistency][2] in the *Key
|
4549
|
+
# Management Service Developer Guide*.
|
4550
|
+
#
|
4551
|
+
#
|
4552
|
+
#
|
4553
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4554
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
4047
4555
|
# @return [String]
|
4048
4556
|
#
|
4049
4557
|
# @!attribute [rw] key_id
|
4050
|
-
# The
|
4558
|
+
# The key ARN KMS key associated with the grant. To find the key ARN,
|
4559
|
+
# use the ListKeys operation.
|
4051
4560
|
#
|
4052
4561
|
# For example:
|
4053
4562
|
# `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4054
4563
|
# @return [String]
|
4055
4564
|
#
|
4056
4565
|
# @!attribute [rw] grant_id
|
4057
|
-
#
|
4058
|
-
#
|
4566
|
+
# Identifies the grant to retire. To get the grant ID, use
|
4567
|
+
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4059
4568
|
#
|
4060
4569
|
# * Grant ID Example -
|
4061
4570
|
# 0123456789012345678901234567890123456789012345678901234567890123
|
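Review bot: The new `key_id` description is missing words: `# The key ARN KMS key associated with the grant. To find the key ARN,` should read `# The key ARN of the KMS key associated with the grant. To find the key ARN,`. As written, the sentence can be read as naming two things, a key ARN and a KMS key, where the parameter takes only the ARN, as the example below it shows. The struct these attributes belong to is defined past the end of the hunk.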
@@ -4082,11 +4591,13 @@ module Aws::KMS
|
|
4082
4591
|
# }
|
4083
4592
|
#
|
4084
4593
|
# @!attribute [rw] key_id
|
4085
|
-
# A unique identifier for the
|
4086
|
-
#
|
4594
|
+
# A unique identifier for the KMS key associated with the grant. To
|
4595
|
+
# get the key ID and key ARN for a KMS key, use ListKeys or
|
4596
|
+
# DescribeKey.
|
4087
4597
|
#
|
4088
|
-
# Specify the key ID or
|
4089
|
-
#
|
4598
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
4599
|
+
# in a different Amazon Web Services account, you must use the key
|
4600
|
+
# ARN.
|
4090
4601
|
#
|
4091
4602
|
# For example:
|
4092
4603
|
#
|
@@ -4095,12 +4606,13 @@ module Aws::KMS
|
|
4095
4606
|
# * Key ARN:
|
4096
4607
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4097
4608
|
#
|
4098
|
-
# To get the key ID and key ARN for a
|
4609
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4099
4610
|
# DescribeKey.
|
4100
4611
|
# @return [String]
|
4101
4612
|
#
|
4102
4613
|
# @!attribute [rw] grant_id
|
4103
|
-
#
|
4614
|
+
# Identifies the grant to revoke. To get the grant ID, use
|
4615
|
+
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4104
4616
|
# @return [String]
|
4105
4617
|
#
|
4106
4618
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
|
@@ -4121,9 +4633,9 @@ module Aws::KMS
|
|
4121
4633
|
# }
|
4122
4634
|
#
|
4123
4635
|
# @!attribute [rw] key_id
|
4124
|
-
# The unique identifier of the
|
4636
|
+
# The unique identifier of the KMS key to delete.
|
4125
4637
|
#
|
4126
|
-
# Specify the key ID or
|
4638
|
+
# Specify the key ID or key ARN of the KMS key.
|
4127
4639
|
#
|
4128
4640
|
# For example:
|
4129
4641
|
#
|
@@ -4132,13 +4644,17 @@ module Aws::KMS
|
|
4132
4644
|
# * Key ARN:
|
4133
4645
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4134
4646
|
#
|
4135
|
-
# To get the key ID and key ARN for a
|
4647
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4136
4648
|
# DescribeKey.
|
4137
4649
|
# @return [String]
|
4138
4650
|
#
|
4139
4651
|
# @!attribute [rw] pending_window_in_days
|
4140
4652
|
# The waiting period, specified in number of days. After the waiting
|
4141
|
-
# period ends,
|
4653
|
+
# period ends, KMS deletes the KMS key.
|
4654
|
+
#
|
4655
|
+
# If the KMS key is a multi-Region primary key with replicas, the
|
4656
|
+
# waiting period begins when the last of its replica keys is deleted.
|
4657
|
+
# Otherwise, the waiting period begins immediately.
|
4142
4658
|
#
|
4143
4659
|
# This value is optional. If you include a value, it must be between 7
|
4144
4660
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
@@ -4154,8 +4670,8 @@ module Aws::KMS
|
|
4154
4670
|
end
|
4155
4671
|
|
4156
4672
|
# @!attribute [rw] key_id
|
4157
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
4158
|
-
# scheduled.
|
4673
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key whose
|
4674
|
+
# deletion is scheduled.
|
4159
4675
|
#
|
4160
4676
|
#
|
4161
4677
|
#
|
@@ -4163,15 +4679,40 @@ module Aws::KMS
|
|
4163
4679
|
# @return [String]
|
4164
4680
|
#
|
4165
4681
|
# @!attribute [rw] deletion_date
|
4166
|
-
# The date and time after which
|
4167
|
-
#
|
4682
|
+
# The date and time after which KMS deletes the KMS key.
|
4683
|
+
#
|
4684
|
+
# If the KMS key is a multi-Region primary key with replica keys, this
|
4685
|
+
# field does not appear. The deletion date for the primary key isn't
|
4686
|
+
# known until its last replica key is deleted.
|
4168
4687
|
# @return [Time]
|
4169
4688
|
#
|
4689
|
+
# @!attribute [rw] key_state
|
4690
|
+
# The current status of the KMS key.
|
4691
|
+
#
|
4692
|
+
# For more information about how key state affects the use of a KMS
|
4693
|
+
# key, see [Key state: Effect on your KMS key][1] in the *Key
|
4694
|
+
# Management Service Developer Guide*.
|
4695
|
+
#
|
4696
|
+
#
|
4697
|
+
#
|
4698
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4699
|
+
# @return [String]
|
4700
|
+
#
|
4701
|
+
# @!attribute [rw] pending_window_in_days
|
4702
|
+
# The waiting period before the KMS key is deleted.
|
4703
|
+
#
|
4704
|
+
# If the KMS key is a multi-Region primary key with replicas, the
|
4705
|
+
# waiting period begins when the last of its replica keys is deleted.
|
4706
|
+
# Otherwise, the waiting period begins immediately.
|
4707
|
+
# @return [Integer]
|
4708
|
+
#
|
4170
4709
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionResponse AWS API Documentation
|
4171
4710
|
#
|
4172
4711
|
class ScheduleKeyDeletionResponse < Struct.new(
|
4173
4712
|
:key_id,
|
4174
|
-
:deletion_date
|
4713
|
+
:deletion_date,
|
4714
|
+
:key_state,
|
4715
|
+
:pending_window_in_days)
|
4175
4716
|
SENSITIVE = []
|
4176
4717
|
include Aws::Structure
|
4177
4718
|
end
|
@@ -4188,15 +4729,15 @@ module Aws::KMS
|
|
4188
4729
|
# }
|
4189
4730
|
#
|
4190
4731
|
# @!attribute [rw] key_id
|
4191
|
-
# Identifies an asymmetric
|
4192
|
-
# asymmetric
|
4193
|
-
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a
|
4194
|
-
# DescribeKey operation.
|
4732
|
+
# Identifies an asymmetric KMS key. KMS uses the private key in the
|
4733
|
+
# asymmetric KMS key to sign the message. The `KeyUsage` type of the
|
4734
|
+
# KMS key must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS key,
|
4735
|
+
# use the DescribeKey operation.
|
4195
4736
|
#
|
4196
|
-
# To specify a
|
4197
|
-
#
|
4198
|
-
#
|
4199
|
-
#
|
4737
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4738
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4739
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4740
|
+
# the key ARN or alias ARN.
|
4200
4741
|
#
|
4201
4742
|
# For example:
|
4202
4743
|
#
|
@@ -4209,7 +4750,7 @@ module Aws::KMS
|
|
4209
4750
|
#
|
4210
4751
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4211
4752
|
#
|
4212
|
-
# To get the key ID and key ARN for a
|
4753
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4213
4754
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
4214
4755
|
# @return [String]
|
4215
4756
|
#
|
@@ -4217,32 +4758,35 @@ module Aws::KMS
|
|
4217
4758
|
# Specifies the message or message digest to sign. Messages can be
|
4218
4759
|
# 0-4096 bytes. To sign a larger message, provide the message digest.
|
4219
4760
|
#
|
4220
|
-
# If you provide a message,
|
4221
|
-
#
|
4761
|
+
# If you provide a message, KMS generates a hash digest of the message
|
4762
|
+
# and then signs it.
|
4222
4763
|
# @return [String]
|
4223
4764
|
#
|
4224
4765
|
# @!attribute [rw] message_type
|
4225
|
-
# Tells
|
4226
|
-
#
|
4227
|
-
#
|
4766
|
+
# Tells KMS whether the value of the `Message` parameter is a message
|
4767
|
+
# or message digest. The default value, RAW, indicates a message. To
|
4768
|
+
# indicate a message digest, enter `DIGEST`.
|
4228
4769
|
# @return [String]
|
4229
4770
|
#
|
4230
4771
|
# @!attribute [rw] grant_tokens
|
4231
4772
|
# A list of grant tokens.
|
4232
4773
|
#
|
4233
|
-
#
|
4234
|
-
#
|
4774
|
+
# Use a grant token when your permission to call this operation comes
|
4775
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
4776
|
+
# For more information, see [Grant token][1] and [Using a grant
|
4777
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
4235
4778
|
#
|
4236
4779
|
#
|
4237
4780
|
#
|
4238
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4781
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4782
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4239
4783
|
# @return [Array<String>]
|
4240
4784
|
#
|
4241
4785
|
# @!attribute [rw] signing_algorithm
|
4242
4786
|
# Specifies the signing algorithm to use when signing the message.
|
4243
4787
|
#
|
4244
4788
|
# Choose an algorithm that is compatible with the type and size of the
|
4245
|
-
# specified asymmetric
|
4789
|
+
# specified asymmetric KMS key.
|
4246
4790
|
# @return [String]
|
4247
4791
|
#
|
4248
4792
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
@@ -4258,8 +4802,8 @@ module Aws::KMS
|
|
4258
4802
|
end
|
4259
4803
|
|
4260
4804
|
# @!attribute [rw] key_id
|
4261
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
4262
|
-
# was used to sign the message.
|
4805
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
4806
|
+
# that was used to sign the message.
|
4263
4807
|
#
|
4264
4808
|
#
|
4265
4809
|
#
|
@@ -4278,8 +4822,8 @@ module Aws::KMS
|
|
4278
4822
|
# 2.2.3][2]. This is the most commonly used signature format and is
|
4279
4823
|
# appropriate for most uses.
|
4280
4824
|
#
|
4281
|
-
# When you use the HTTP API or the
|
4282
|
-
# Base64-encoded. Otherwise, it is not Base64-encoded.
|
4825
|
+
# When you use the HTTP API or the Amazon Web Services CLI, the value
|
4826
|
+
# is Base64-encoded. Otherwise, it is not Base64-encoded.
|
4283
4827
|
#
|
4284
4828
|
#
|
4285
4829
|
#
|
@@ -4306,8 +4850,8 @@ module Aws::KMS
|
|
4306
4850
|
# (null) strings.
|
4307
4851
|
#
|
4308
4852
|
# For information about the rules that apply to tag keys and tag values,
|
4309
|
-
# see [User-Defined Tag Restrictions][1] in the *
|
4310
|
-
# Management User Guide*.
|
4853
|
+
# see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
|
4854
|
+
# Billing and Cost Management User Guide*.
|
4311
4855
|
#
|
4312
4856
|
#
|
4313
4857
|
#
|
@@ -4365,9 +4909,9 @@ module Aws::KMS
|
|
4365
4909
|
# }
|
4366
4910
|
#
|
4367
4911
|
# @!attribute [rw] key_id
|
4368
|
-
# Identifies a customer managed
|
4912
|
+
# Identifies a customer managed key in the account and Region.
|
4369
4913
|
#
|
4370
|
-
# Specify the key ID or
|
4914
|
+
# Specify the key ID or key ARN of the KMS key.
|
4371
4915
|
#
|
4372
4916
|
# For example:
|
4373
4917
|
#
|
@@ -4376,7 +4920,7 @@ module Aws::KMS
|
|
4376
4920
|
# * Key ARN:
|
4377
4921
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4378
4922
|
#
|
4379
|
-
# To get the key ID and key ARN for a
|
4923
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4380
4924
|
# DescribeKey.
|
4381
4925
|
# @return [String]
|
4382
4926
|
#
|
@@ -4386,9 +4930,9 @@ module Aws::KMS
|
|
4386
4930
|
# Each tag consists of a tag key and a tag value. The tag value can be
|
4387
4931
|
# an empty (null) string.
|
4388
4932
|
#
|
4389
|
-
# You cannot have more than one tag on a
|
4390
|
-
# you specify an existing tag key with a different tag value,
|
4391
|
-
# replaces the current tag value with the specified one.
|
4933
|
+
# You cannot have more than one tag on a KMS key with the same tag
|
4934
|
+
# key. If you specify an existing tag key with a different tag value,
|
4935
|
+
# KMS replaces the current tag value with the specified one.
|
4392
4936
|
# @return [Array<Types::Tag>]
|
4393
4937
|
#
|
4394
4938
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResourceRequest AWS API Documentation
|
@@ -4423,9 +4967,9 @@ module Aws::KMS
|
|
4423
4967
|
# }
|
4424
4968
|
#
|
4425
4969
|
# @!attribute [rw] key_id
|
4426
|
-
# Identifies the
|
4970
|
+
# Identifies the KMS key from which you are removing tags.
|
4427
4971
|
#
|
4428
|
-
# Specify the key ID or
|
4972
|
+
# Specify the key ID or key ARN of the KMS key.
|
4429
4973
|
#
|
4430
4974
|
# For example:
|
4431
4975
|
#
|
@@ -4434,7 +4978,7 @@ module Aws::KMS
|
|
4434
4978
|
# * Key ARN:
|
4435
4979
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4436
4980
|
#
|
4437
|
-
# To get the key ID and key ARN for a
|
4981
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4438
4982
|
# DescribeKey.
|
4439
4983
|
# @return [String]
|
4440
4984
|
#
|
@@ -4460,23 +5004,23 @@ module Aws::KMS
|
|
4460
5004
|
# }
|
4461
5005
|
#
|
4462
5006
|
# @!attribute [rw] alias_name
|
4463
|
-
# Identifies the alias that is changing its
|
4464
|
-
# with `alias/` followed by the alias name, such as
|
5007
|
+
# Identifies the alias that is changing its KMS key. This value must
|
5008
|
+
# begin with `alias/` followed by the alias name, such as
|
4465
5009
|
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
|
4466
5010
|
# name.
|
4467
5011
|
# @return [String]
|
4468
5012
|
#
|
4469
5013
|
# @!attribute [rw] target_key_id
|
4470
|
-
# Identifies the [customer managed
|
4471
|
-
# alias. You don't have permission to associate an alias with an
|
4472
|
-
# managed
|
5014
|
+
# Identifies the [customer managed key][1] to associate with the
|
5015
|
+
# alias. You don't have permission to associate an alias with an
|
5016
|
+
# [Amazon Web Services managed key][2].
|
4473
5017
|
#
|
4474
|
-
# The
|
4475
|
-
# Also, the new target
|
4476
|
-
#
|
4477
|
-
# key usage.
|
5018
|
+
# The KMS key must be in the same Amazon Web Services account and
|
5019
|
+
# Region as the alias. Also, the new target KMS key must be the same
|
5020
|
+
# type as the current target KMS key (both symmetric or both
|
5021
|
+
# asymmetric) and they must have the same key usage.
|
4478
5022
|
#
|
4479
|
-
# Specify the key ID or
|
5023
|
+
# Specify the key ID or key ARN of the KMS key.
|
4480
5024
|
#
|
4481
5025
|
# For example:
|
4482
5026
|
#
|
@@ -4485,10 +5029,10 @@ module Aws::KMS
|
|
4485
5029
|
# * Key ARN:
|
4486
5030
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4487
5031
|
#
|
4488
|
-
# To get the key ID and key ARN for a
|
5032
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4489
5033
|
# DescribeKey.
|
4490
5034
|
#
|
4491
|
-
# To verify that the alias is mapped to the correct
|
5035
|
+
# To verify that the alias is mapped to the correct KMS key, use
|
4492
5036
|
# ListAliases.
|
4493
5037
|
#
|
4494
5038
|
#
|
@@ -4524,21 +5068,21 @@ module Aws::KMS
|
|
4524
5068
|
#
|
4525
5069
|
# @!attribute [rw] new_custom_key_store_name
|
4526
5070
|
# Changes the friendly name of the custom key store to the value that
|
4527
|
-
# you specify. The custom key store name must be unique in the
|
4528
|
-
# account.
|
5071
|
+
# you specify. The custom key store name must be unique in the Amazon
|
5072
|
+
# Web Services account.
|
4529
5073
|
# @return [String]
|
4530
5074
|
#
|
4531
5075
|
# @!attribute [rw] key_store_password
|
4532
5076
|
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
4533
|
-
#
|
5077
|
+
# CloudHSM cluster that is associated with the custom key store.
|
4534
5078
|
#
|
4535
|
-
# This parameter tells
|
5079
|
+
# This parameter tells KMS the current password of the `kmsuser`
|
4536
5080
|
# crypto user (CU). It does not set or change the password of any
|
4537
|
-
# users in the
|
5081
|
+
# users in the CloudHSM cluster.
|
4538
5082
|
# @return [String]
|
4539
5083
|
#
|
4540
5084
|
# @!attribute [rw] cloud_hsm_cluster_id
|
4541
|
-
# Associates the custom key store with a related
|
5085
|
+
# Associates the custom key store with a related CloudHSM cluster.
|
4542
5086
|
#
|
4543
5087
|
# Enter the cluster ID of the cluster that you used to create the
|
4544
5088
|
# custom key store or a cluster that shares a backup history and has
|
@@ -4579,9 +5123,9 @@ module Aws::KMS
|
|
4579
5123
|
# }
|
4580
5124
|
#
|
4581
5125
|
# @!attribute [rw] key_id
|
4582
|
-
#
|
5126
|
+
# Updates the description of the specified KMS key.
|
4583
5127
|
#
|
4584
|
-
# Specify the key ID or
|
5128
|
+
# Specify the key ID or key ARN of the KMS key.
|
4585
5129
|
#
|
4586
5130
|
# For example:
|
4587
5131
|
#
|
@@ -4590,12 +5134,12 @@ module Aws::KMS
|
|
4590
5134
|
# * Key ARN:
|
4591
5135
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4592
5136
|
#
|
4593
|
-
# To get the key ID and key ARN for a
|
5137
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4594
5138
|
# DescribeKey.
|
4595
5139
|
# @return [String]
|
4596
5140
|
#
|
4597
5141
|
# @!attribute [rw] description
|
4598
|
-
# New description for the
|
5142
|
+
# New description for the KMS key.
|
4599
5143
|
# @return [String]
|
4600
5144
|
#
|
4601
5145
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
|
@@ -4607,6 +5151,49 @@ module Aws::KMS
|
|
4607
5151
|
include Aws::Structure
|
4608
5152
|
end
|
4609
5153
|
|
5154
|
+
# @note When making an API call, you may pass UpdatePrimaryRegionRequest
|
5155
|
+
# data as a hash:
|
5156
|
+
#
|
5157
|
+
# {
|
5158
|
+
# key_id: "KeyIdType", # required
|
5159
|
+
# primary_region: "RegionType", # required
|
5160
|
+
# }
|
5161
|
+
#
|
5162
|
+
# @!attribute [rw] key_id
|
5163
|
+
# Identifies the current primary key. When the operation completes,
|
5164
|
+
# this KMS key will be a replica key.
|
5165
|
+
#
|
5166
|
+
# Specify the key ID or key ARN of a multi-Region primary key.
|
5167
|
+
#
|
5168
|
+
# For example:
|
5169
|
+
#
|
5170
|
+
# * Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`
|
5171
|
+
#
|
5172
|
+
# * Key ARN:
|
5173
|
+
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
5174
|
+
#
|
5175
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
5176
|
+
# DescribeKey.
|
5177
|
+
# @return [String]
|
5178
|
+
#
|
5179
|
+
# @!attribute [rw] primary_region
|
5180
|
+
# The Amazon Web Services Region of the new primary key. Enter the
|
5181
|
+
# Region ID, such as `us-east-1` or `ap-southeast-2`. There must be an
|
5182
|
+
# existing replica key in this Region.
|
5183
|
+
#
|
5184
|
+
# When the operation completes, the multi-Region key in this Region
|
5185
|
+
# will be the primary key.
|
5186
|
+
# @return [String]
|
5187
|
+
#
|
5188
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegionRequest AWS API Documentation
|
5189
|
+
#
|
5190
|
+
class UpdatePrimaryRegionRequest < Struct.new(
|
5191
|
+
:key_id,
|
5192
|
+
:primary_region)
|
5193
|
+
SENSITIVE = []
|
5194
|
+
include Aws::Structure
|
5195
|
+
end
|
5196
|
+
|
4610
5197
|
# @note When making an API call, you may pass VerifyRequest
|
4611
5198
|
# data as a hash:
|
4612
5199
|
#
|
@@ -4620,15 +5207,15 @@ module Aws::KMS
|
|
4620
5207
|
# }
|
4621
5208
|
#
|
4622
5209
|
# @!attribute [rw] key_id
|
4623
|
-
# Identifies the asymmetric
|
4624
|
-
# signature. This must be the same
|
4625
|
-
# signature. If you specify a different
|
5210
|
+
# Identifies the asymmetric KMS key that will be used to verify the
|
5211
|
+
# signature. This must be the same KMS key that was used to generate
|
5212
|
+
# the signature. If you specify a different KMS key, the signature
|
4626
5213
|
# verification fails.
|
4627
5214
|
#
|
4628
|
-
# To specify a
|
4629
|
-
#
|
4630
|
-
#
|
4631
|
-
#
|
5215
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
5216
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
5217
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
5218
|
+
# the key ARN or alias ARN.
|
4632
5219
|
#
|
4633
5220
|
# For example:
|
4634
5221
|
#
|
@@ -4641,7 +5228,7 @@ module Aws::KMS
|
|
4641
5228
|
#
|
4642
5229
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4643
5230
|
#
|
4644
|
-
# To get the key ID and key ARN for a
|
5231
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4645
5232
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
4646
5233
|
# @return [String]
|
4647
5234
|
#
|
@@ -4656,9 +5243,9 @@ module Aws::KMS
|
|
4656
5243
|
# @return [String]
|
4657
5244
|
#
|
4658
5245
|
# @!attribute [rw] message_type
|
4659
|
-
# Tells
|
4660
|
-
#
|
4661
|
-
#
|
5246
|
+
# Tells KMS whether the value of the `Message` parameter is a message
|
5247
|
+
# or message digest. The default value, RAW, indicates a message. To
|
5248
|
+
# indicate a message digest, enter `DIGEST`.
|
4662
5249
|
#
|
4663
5250
|
# Use the `DIGEST` value only when the value of the `Message`
|
4664
5251
|
# parameter is a message digest. If you use the `DIGEST` value with a
|
@@ -4678,12 +5265,15 @@ module Aws::KMS
|
|
4678
5265
|
# @!attribute [rw] grant_tokens
|
4679
5266
|
# A list of grant tokens.
|
4680
5267
|
#
|
4681
|
-
#
|
4682
|
-
#
|
5268
|
+
# Use a grant token when your permission to call this operation comes
|
5269
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
5270
|
+
# For more information, see [Grant token][1] and [Using a grant
|
5271
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
4683
5272
|
#
|
4684
5273
|
#
|
4685
5274
|
#
|
4686
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5275
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5276
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4687
5277
|
# @return [Array<String>]
|
4688
5278
|
#
|
4689
5279
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
@@ -4700,8 +5290,8 @@ module Aws::KMS
|
|
4700
5290
|
end
|
4701
5291
|
|
4702
5292
|
# @!attribute [rw] key_id
|
4703
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
4704
|
-
# was used to verify the signature.
|
5293
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
5294
|
+
# that was used to verify the signature.
|
4705
5295
|
#
|
4706
5296
|
#
|
4707
5297
|
#
|