aws-sdk-kms 1.44.0 → 1.48.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1682 -1525
- data/lib/aws-sdk-kms/client_api.rb +7 -3
- data/lib/aws-sdk-kms/types.rb +879 -818
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +5 -5
@@ -130,6 +130,7 @@ module Aws::KMS
|
|
130
130
|
KeyListEntry = Shapes::StructureShape.new(name: 'KeyListEntry')
|
131
131
|
KeyManagerType = Shapes::StringShape.new(name: 'KeyManagerType')
|
132
132
|
KeyMetadata = Shapes::StructureShape.new(name: 'KeyMetadata')
|
133
|
+
KeySpec = Shapes::StringShape.new(name: 'KeySpec')
|
133
134
|
KeyState = Shapes::StringShape.new(name: 'KeyState')
|
134
135
|
KeyStorePasswordType = Shapes::StringShape.new(name: 'KeyStorePasswordType')
|
135
136
|
KeyUnavailableException = Shapes::StructureShape.new(name: 'KeyUnavailableException')
|
@@ -265,7 +266,8 @@ module Aws::KMS
|
|
265
266
|
CreateKeyRequest.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyType, location_name: "Policy"))
|
266
267
|
CreateKeyRequest.add_member(:description, Shapes::ShapeRef.new(shape: DescriptionType, location_name: "Description"))
|
267
268
|
CreateKeyRequest.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
268
|
-
CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
269
|
+
CreateKeyRequest.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This parameter has been deprecated. Instead, use the KeySpec parameter."}))
|
270
|
+
CreateKeyRequest.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
269
271
|
CreateKeyRequest.add_member(:origin, Shapes::ShapeRef.new(shape: OriginType, location_name: "Origin"))
|
270
272
|
CreateKeyRequest.add_member(:custom_key_store_id, Shapes::ShapeRef.new(shape: CustomKeyStoreIdType, location_name: "CustomKeyStoreId"))
|
271
273
|
CreateKeyRequest.add_member(:bypass_policy_lockout_safety_check, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BypassPolicyLockoutSafetyCheck"))
|
@@ -468,7 +470,8 @@ module Aws::KMS
|
|
468
470
|
|
469
471
|
GetPublicKeyResponse.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, location_name: "KeyId"))
|
470
472
|
GetPublicKeyResponse.add_member(:public_key, Shapes::ShapeRef.new(shape: PublicKeyType, location_name: "PublicKey"))
|
471
|
-
GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
473
|
+
GetPublicKeyResponse.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
|
474
|
+
GetPublicKeyResponse.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
472
475
|
GetPublicKeyResponse.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsageType, location_name: "KeyUsage"))
|
473
476
|
GetPublicKeyResponse.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
474
477
|
GetPublicKeyResponse.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
@@ -567,7 +570,8 @@ module Aws::KMS
|
|
567
570
|
KeyMetadata.add_member(:cloud_hsm_cluster_id, Shapes::ShapeRef.new(shape: CloudHsmClusterIdType, location_name: "CloudHsmClusterId"))
|
568
571
|
KeyMetadata.add_member(:expiration_model, Shapes::ShapeRef.new(shape: ExpirationModelType, location_name: "ExpirationModel"))
|
569
572
|
KeyMetadata.add_member(:key_manager, Shapes::ShapeRef.new(shape: KeyManagerType, location_name: "KeyManager"))
|
570
|
-
KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, location_name: "CustomerMasterKeySpec"))
|
573
|
+
KeyMetadata.add_member(:customer_master_key_spec, Shapes::ShapeRef.new(shape: CustomerMasterKeySpec, deprecated: true, location_name: "CustomerMasterKeySpec", metadata: {"deprecatedMessage"=>"This field has been deprecated. Instead, use the KeySpec field."}))
|
574
|
+
KeyMetadata.add_member(:key_spec, Shapes::ShapeRef.new(shape: KeySpec, location_name: "KeySpec"))
|
571
575
|
KeyMetadata.add_member(:encryption_algorithms, Shapes::ShapeRef.new(shape: EncryptionAlgorithmSpecList, location_name: "EncryptionAlgorithms"))
|
572
576
|
KeyMetadata.add_member(:signing_algorithms, Shapes::ShapeRef.new(shape: SigningAlgorithmSpecList, location_name: "SigningAlgorithms"))
|
573
577
|
KeyMetadata.add_member(:multi_region, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "MultiRegion"))
|
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -21,8 +21,8 @@ module Aws::KMS
|
|
21
21
|
# @return [String]
|
22
22
|
#
|
23
23
|
# @!attribute [rw] target_key_id
|
24
|
-
# String that contains the key identifier of the
|
25
|
-
# the alias.
|
24
|
+
# String that contains the key identifier of the KMS key associated
|
25
|
+
# with the alias.
|
26
26
|
# @return [String]
|
27
27
|
#
|
28
28
|
# @!attribute [rw] creation_date
|
@@ -31,8 +31,8 @@ module Aws::KMS
|
|
31
31
|
# @return [Time]
|
32
32
|
#
|
33
33
|
# @!attribute [rw] last_updated_date
|
34
|
-
# Date and time that the alias was most recently associated with a
|
35
|
-
# in the account and Region. Formatted as Unix time.
|
34
|
+
# Date and time that the alias was most recently associated with a KMS
|
35
|
+
# key in the account and Region. Formatted as Unix time.
|
36
36
|
# @return [Time]
|
37
37
|
#
|
38
38
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/AliasListEntry AWS API Documentation
|
@@ -69,10 +69,9 @@ module Aws::KMS
|
|
69
69
|
# }
|
70
70
|
#
|
71
71
|
# @!attribute [rw] key_id
|
72
|
-
# Identifies the
|
73
|
-
# canceled.
|
72
|
+
# Identifies the KMS key whose deletion is being canceled.
|
74
73
|
#
|
75
|
-
# Specify the key ID or key ARN of the
|
74
|
+
# Specify the key ID or key ARN of the KMS key.
|
76
75
|
#
|
77
76
|
# For example:
|
78
77
|
#
|
@@ -81,7 +80,7 @@ module Aws::KMS
|
|
81
80
|
# * Key ARN:
|
82
81
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
83
82
|
#
|
84
|
-
# To get the key ID and key ARN for a
|
83
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
85
84
|
# DescribeKey.
|
86
85
|
# @return [String]
|
87
86
|
#
|
@@ -94,8 +93,8 @@ module Aws::KMS
|
|
94
93
|
end
|
95
94
|
|
96
95
|
# @!attribute [rw] key_id
|
97
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
98
|
-
# canceled.
|
96
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key whose
|
97
|
+
# deletion is canceled.
|
99
98
|
#
|
100
99
|
#
|
101
100
|
#
|
@@ -110,10 +109,10 @@ module Aws::KMS
|
|
110
109
|
include Aws::Structure
|
111
110
|
end
|
112
111
|
|
113
|
-
# The request was rejected because the specified
|
112
|
+
# The request was rejected because the specified CloudHSM cluster is
|
114
113
|
# already associated with a custom key store or it shares a backup
|
115
114
|
# history with a cluster that is associated with a custom key store.
|
116
|
-
# Each custom key store must be associated with a different
|
115
|
+
# Each custom key store must be associated with a different CloudHSM
|
117
116
|
# cluster.
|
118
117
|
#
|
119
118
|
# Clusters that share a backup history have the same cluster
|
@@ -135,8 +134,8 @@ module Aws::KMS
|
|
135
134
|
include Aws::Structure
|
136
135
|
end
|
137
136
|
|
138
|
-
# The request was rejected because the associated
|
139
|
-
#
|
137
|
+
# The request was rejected because the associated CloudHSM cluster did
|
138
|
+
# not meet the configuration requirements for a custom key store.
|
140
139
|
#
|
141
140
|
# * The cluster must be configured with private subnets in at least two
|
142
141
|
# different Availability Zones in the Region.
|
@@ -151,23 +150,20 @@ module Aws::KMS
|
|
151
150
|
# [DescribeSecurityGroups][2] operation.
|
152
151
|
#
|
153
152
|
# * The cluster must contain at least as many HSMs as the operation
|
154
|
-
# requires. To add HSMs, use the
|
155
|
-
# operation.
|
153
|
+
# requires. To add HSMs, use the CloudHSM [CreateHsm][3] operation.
|
156
154
|
#
|
157
155
|
# For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
|
158
|
-
# operations, the
|
159
|
-
#
|
160
|
-
#
|
161
|
-
# least one active HSM.
|
156
|
+
# operations, the CloudHSM cluster must have at least two active HSMs,
|
157
|
+
# each in a different Availability Zone. For the ConnectCustomKeyStore
|
158
|
+
# operation, the CloudHSM must contain at least one active HSM.
|
162
159
|
#
|
163
|
-
# For information about the requirements for an
|
164
|
-
#
|
165
|
-
# Prerequisites][4] in the *
|
166
|
-
#
|
167
|
-
#
|
168
|
-
#
|
169
|
-
#
|
170
|
-
# </i>.
|
160
|
+
# For information about the requirements for an CloudHSM cluster that is
|
161
|
+
# associated with a custom key store, see [Assemble the
|
162
|
+
# Prerequisites][4] in the *Key Management Service Developer Guide*. For
|
163
|
+
# information about creating a private subnet for an CloudHSM cluster,
|
164
|
+
# see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
|
165
|
+
# information about cluster security groups, see [Configure a Default
|
166
|
+
# Security Group][1] in the <i> <i>CloudHSM User Guide</i> </i>.
|
171
167
|
#
|
172
168
|
#
|
173
169
|
#
|
@@ -188,11 +184,10 @@ module Aws::KMS
|
|
188
184
|
include Aws::Structure
|
189
185
|
end
|
190
186
|
|
191
|
-
# The request was rejected because the
|
187
|
+
# The request was rejected because the CloudHSM cluster that is
|
192
188
|
# associated with the custom key store is not active. Initialize and
|
193
189
|
# activate the cluster and try the command again. For detailed
|
194
|
-
# instructions, see [Getting Started][1] in the *
|
195
|
-
# Guide*.
|
190
|
+
# instructions, see [Getting Started][1] in the *CloudHSM User Guide*.
|
196
191
|
#
|
197
192
|
#
|
198
193
|
#
|
@@ -209,9 +204,9 @@ module Aws::KMS
|
|
209
204
|
include Aws::Structure
|
210
205
|
end
|
211
206
|
|
212
|
-
# The request was rejected because
|
213
|
-
#
|
214
|
-
#
|
207
|
+
# The request was rejected because KMS cannot find the CloudHSM cluster
|
208
|
+
# with the specified cluster ID. Retry the request with a different
|
209
|
+
# cluster ID.
|
215
210
|
#
|
216
211
|
# @!attribute [rw] message
|
217
212
|
# @return [String]
|
@@ -224,9 +219,9 @@ module Aws::KMS
|
|
224
219
|
include Aws::Structure
|
225
220
|
end
|
226
221
|
|
227
|
-
# The request was rejected because the specified
|
228
|
-
#
|
229
|
-
#
|
222
|
+
# The request was rejected because the specified CloudHSM cluster has a
|
223
|
+
# different cluster certificate than the original cluster. You cannot
|
224
|
+
# use the operation to specify an unrelated cluster.
|
230
225
|
#
|
231
226
|
# Specify a cluster that shares a backup history with the original
|
232
227
|
# cluster. This includes clusters that were created from a backup of the
|
@@ -292,8 +287,8 @@ module Aws::KMS
|
|
292
287
|
# The `AliasName` value must be string of 1-256 characters. It can
|
293
288
|
# contain only alphanumeric characters, forward slashes (/),
|
294
289
|
# underscores (\_), and dashes (-). The alias name cannot begin with
|
295
|
-
# `alias/aws/`. The `alias/aws/` prefix is reserved for [
|
296
|
-
#
|
290
|
+
# `alias/aws/`. The `alias/aws/` prefix is reserved for [Amazon Web
|
291
|
+
# Services managed keys][1].
|
297
292
|
#
|
298
293
|
#
|
299
294
|
#
|
@@ -301,16 +296,17 @@ module Aws::KMS
|
|
301
296
|
# @return [String]
|
302
297
|
#
|
303
298
|
# @!attribute [rw] target_key_id
|
304
|
-
# Associates the alias with the specified [customer managed
|
305
|
-
# The
|
299
|
+
# Associates the alias with the specified [customer managed key][1].
|
300
|
+
# The KMS key must be in the same Amazon Web Services Region.
|
306
301
|
#
|
307
|
-
# A valid
|
302
|
+
# A valid key ID is required. If you supply a null or empty string
|
308
303
|
# value, this operation returns an error.
|
309
304
|
#
|
310
305
|
# For help finding the key ID and ARN, see [Finding the Key ID and
|
311
|
-
# ARN][2] in the
|
306
|
+
# ARN][2] in the <i> <i>Key Management Service Developer Guide</i>
|
307
|
+
# </i>.
|
312
308
|
#
|
313
|
-
# Specify the key ID or key ARN of the
|
309
|
+
# Specify the key ID or key ARN of the KMS key.
|
314
310
|
#
|
315
311
|
# For example:
|
316
312
|
#
|
@@ -319,7 +315,7 @@ module Aws::KMS
|
|
319
315
|
# * Key ARN:
|
320
316
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
321
317
|
#
|
322
|
-
# To get the key ID and key ARN for a
|
318
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
323
319
|
# DescribeKey.
|
324
320
|
#
|
325
321
|
#
|
@@ -349,14 +345,14 @@ module Aws::KMS
|
|
349
345
|
#
|
350
346
|
# @!attribute [rw] custom_key_store_name
|
351
347
|
# Specifies a friendly name for the custom key store. The name must be
|
352
|
-
# unique in your
|
348
|
+
# unique in your Amazon Web Services account.
|
353
349
|
# @return [String]
|
354
350
|
#
|
355
351
|
# @!attribute [rw] cloud_hsm_cluster_id
|
356
|
-
# Identifies the
|
357
|
-
#
|
358
|
-
#
|
359
|
-
#
|
352
|
+
# Identifies the CloudHSM cluster for the custom key store. Enter the
|
353
|
+
# cluster ID of any active CloudHSM cluster that is not already
|
354
|
+
# associated with a custom key store. To find the cluster ID, use the
|
355
|
+
# [DescribeClusters][1] operation.
|
360
356
|
#
|
361
357
|
#
|
362
358
|
#
|
@@ -375,14 +371,14 @@ module Aws::KMS
|
|
375
371
|
#
|
376
372
|
# @!attribute [rw] key_store_password
|
377
373
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1]
|
378
|
-
# in the specified
|
379
|
-
#
|
374
|
+
# in the specified CloudHSM cluster. KMS logs into the cluster as this
|
375
|
+
# user to manage key material on your behalf.
|
380
376
|
#
|
381
377
|
# The password must be a string of 7 to 32 characters. Its value is
|
382
378
|
# case sensitive.
|
383
379
|
#
|
384
|
-
# This parameter tells
|
385
|
-
#
|
380
|
+
# This parameter tells KMS the `kmsuser` account password; it does not
|
381
|
+
# change the password in the CloudHSM cluster.
|
386
382
|
#
|
387
383
|
#
|
388
384
|
#
|
@@ -433,11 +429,12 @@ module Aws::KMS
|
|
433
429
|
# }
|
434
430
|
#
|
435
431
|
# @!attribute [rw] key_id
|
436
|
-
# Identifies the
|
437
|
-
#
|
432
|
+
# Identifies the KMS key for the grant. The grant gives principals
|
433
|
+
# permission to use this KMS key.
|
438
434
|
#
|
439
|
-
# Specify the key ID or key ARN of the
|
440
|
-
# different
|
435
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
436
|
+
# in a different Amazon Web Services account, you must use the key
|
437
|
+
# ARN.
|
441
438
|
#
|
442
439
|
# For example:
|
443
440
|
#
|
@@ -446,7 +443,7 @@ module Aws::KMS
|
|
446
443
|
# * Key ARN:
|
447
444
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
448
445
|
#
|
449
|
-
# To get the key ID and key ARN for a
|
446
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
450
447
|
# DescribeKey.
|
451
448
|
# @return [String]
|
452
449
|
#
|
@@ -454,11 +451,12 @@ module Aws::KMS
|
|
454
451
|
# The identity that gets the permissions specified in the grant.
|
455
452
|
#
|
456
453
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
457
|
-
# an
|
458
|
-
#
|
459
|
-
#
|
460
|
-
#
|
461
|
-
#
|
454
|
+
# an Amazon Web Services principal. Valid Amazon Web Services
|
455
|
+
# principals include Amazon Web Services accounts (root), IAM users,
|
456
|
+
# IAM roles, federated users, and assumed role users. For examples of
|
457
|
+
# the ARN syntax to use for specifying a principal, see [Amazon Web
|
458
|
+
# Services Identity and Access Management (IAM)][2] in the Example
|
459
|
+
# ARNs section of the *Amazon Web Services General Reference*.
|
462
460
|
#
|
463
461
|
#
|
464
462
|
#
|
@@ -467,31 +465,38 @@ module Aws::KMS
|
|
467
465
|
# @return [String]
|
468
466
|
#
|
469
467
|
# @!attribute [rw] retiring_principal
|
470
|
-
# The principal that
|
471
|
-
#
|
468
|
+
# The principal that has permission to use the RetireGrant operation
|
469
|
+
# to retire the grant.
|
472
470
|
#
|
473
471
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
474
|
-
# an
|
475
|
-
#
|
476
|
-
#
|
477
|
-
#
|
478
|
-
#
|
472
|
+
# an Amazon Web Services principal. Valid Amazon Web Services
|
473
|
+
# principals include Amazon Web Services accounts (root), IAM users,
|
474
|
+
# federated users, and assumed role users. For examples of the ARN
|
475
|
+
# syntax to use for specifying a principal, see [Amazon Web Services
|
476
|
+
# Identity and Access Management (IAM)][2] in the Example ARNs section
|
477
|
+
# of the *Amazon Web Services General Reference*.
|
478
|
+
#
|
479
|
+
# The grant determines the retiring principal. Other principals might
|
480
|
+
# have permission to retire the grant or revoke the grant. For
|
481
|
+
# details, see RevokeGrant and [Retiring and revoking grants][3] in
|
482
|
+
# the *Key Management Service Developer Guide*.
|
479
483
|
#
|
480
484
|
#
|
481
485
|
#
|
482
486
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
483
487
|
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
|
488
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
484
489
|
# @return [String]
|
485
490
|
#
|
486
491
|
# @!attribute [rw] operations
|
487
492
|
# A list of operations that the grant permits.
|
488
493
|
#
|
489
|
-
# The operation must be supported on the
|
490
|
-
# create a grant for a symmetric
|
491
|
-
# or a grant for an asymmetric
|
492
|
-
# operation. If you try,
|
493
|
-
# exception. For details, see [Grant operations][1]
|
494
|
-
# Management Service Developer Guide*.
|
494
|
+
# The operation must be supported on the KMS key. For example, you
|
495
|
+
# cannot create a grant for a symmetric KMS key that allows the Sign
|
496
|
+
# operation, or a grant for an asymmetric KMS key that allows the
|
497
|
+
# GenerateDataKey operation. If you try, KMS returns a
|
498
|
+
# `ValidationError` exception. For details, see [Grant operations][1]
|
499
|
+
# in the *Key Management Service Developer Guide*.
|
495
500
|
#
|
496
501
|
#
|
497
502
|
#
|
@@ -501,31 +506,30 @@ module Aws::KMS
|
|
501
506
|
# @!attribute [rw] constraints
|
502
507
|
# Specifies a grant constraint.
|
503
508
|
#
|
504
|
-
#
|
509
|
+
# KMS supports the `EncryptionContextEquals` and
|
505
510
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
506
511
|
# can include up to 8 encryption context pairs. The encryption context
|
507
512
|
# value in each constraint cannot exceed 384 characters.
|
508
513
|
#
|
509
|
-
# These grant constraints allow
|
510
|
-
#
|
514
|
+
# These grant constraints allow the permissions in the grant only when
|
515
|
+
# the encryption context in the request matches
|
511
516
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
512
|
-
# the encryption context specified in this structure. For
|
513
|
-
#
|
514
|
-
#
|
515
|
-
#
|
516
|
-
#
|
517
|
+
# the encryption context specified in this structure. For information
|
518
|
+
# about grant constraints, see [Using grant constraints][1] in the
|
519
|
+
# *Key Management Service Developer Guide*. For more information about
|
520
|
+
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
521
|
+
# Management Service Developer Guide</i> </i>.
|
517
522
|
#
|
518
523
|
# The encryption context grant constraints are supported only on
|
519
524
|
# operations that include an encryption context. You cannot use an
|
520
525
|
# encryption context grant constraint for cryptographic operations
|
521
|
-
# with asymmetric
|
526
|
+
# with asymmetric KMS keys or for management operations, such as
|
522
527
|
# DescribeKey or RetireGrant.
|
523
528
|
#
|
524
529
|
#
|
525
530
|
#
|
526
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
531
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
527
532
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
528
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
529
533
|
# @return [Types::GrantConstraints]
|
530
534
|
#
|
531
535
|
# @!attribute [rw] grant_tokens
|
@@ -533,12 +537,13 @@ module Aws::KMS
|
|
533
537
|
#
|
534
538
|
# Use a grant token when your permission to call this operation comes
|
535
539
|
# from a new grant that has not yet achieved *eventual consistency*.
|
536
|
-
# For more information, see [Grant token][1]
|
537
|
-
# Management Service Developer Guide*.
|
540
|
+
# For more information, see [Grant token][1] and [Using a grant
|
541
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
538
542
|
#
|
539
543
|
#
|
540
544
|
#
|
541
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
545
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
546
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
542
547
|
# @return [Array<String>]
|
543
548
|
#
|
544
549
|
# @!attribute [rw] name
|
@@ -577,12 +582,13 @@ module Aws::KMS
|
|
577
582
|
#
|
578
583
|
# Use a grant token when your permission to call this operation comes
|
579
584
|
# from a new grant that has not yet achieved *eventual consistency*.
|
580
|
-
# For more information, see [Grant token][1]
|
581
|
-
# Management Service Developer Guide*.
|
585
|
+
# For more information, see [Grant token][1] and [Using a grant
|
586
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
582
587
|
#
|
583
588
|
#
|
584
589
|
#
|
585
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
590
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
591
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
586
592
|
# @return [String]
|
587
593
|
#
|
588
594
|
# @!attribute [rw] grant_id
|
@@ -609,6 +615,7 @@ module Aws::KMS
|
|
609
615
|
# description: "DescriptionType",
|
610
616
|
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
611
617
|
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
618
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
612
619
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
613
620
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
614
621
|
# bypass_policy_lockout_safety_check: false,
|
@@ -622,36 +629,37 @@ module Aws::KMS
|
|
622
629
|
# }
|
623
630
|
#
|
624
631
|
# @!attribute [rw] policy
|
625
|
-
# The key policy to attach to the
|
632
|
+
# The key policy to attach to the KMS key.
|
626
633
|
#
|
627
634
|
# If you provide a key policy, it must meet the following criteria:
|
628
635
|
#
|
629
636
|
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
630
637
|
# key policy must allow the principal that is making the `CreateKey`
|
631
|
-
# request to make a subsequent PutKeyPolicy request on the
|
632
|
-
# reduces the risk that the
|
633
|
-
# information, refer to the scenario in the [Default Key
|
634
|
-
# section of the <i> <i>
|
638
|
+
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
639
|
+
# This reduces the risk that the KMS key becomes unmanageable. For
|
640
|
+
# more information, refer to the scenario in the [Default Key
|
641
|
+
# Policy][1] section of the <i> <i>Key Management Service Developer
|
635
642
|
# Guide</i> </i>.
|
636
643
|
#
|
637
644
|
# * Each statement in the key policy must contain one or more
|
638
645
|
# principals. The principals in the key policy must exist and be
|
639
|
-
# visible to
|
640
|
-
# example, an IAM user or role), you might need to
|
641
|
-
# before including the new principal in a key policy
|
642
|
-
# principal might not be immediately visible to
|
643
|
-
# information, see [Changes that I make are not always
|
644
|
-
# visible][2] in the *
|
645
|
-
# Guide*.
|
646
|
-
#
|
647
|
-
# If you do not provide a key policy,
|
648
|
-
# policy to the
|
649
|
-
# in the *
|
646
|
+
# visible to KMS. When you create a new Amazon Web Services
|
647
|
+
# principal (for example, an IAM user or role), you might need to
|
648
|
+
# enforce a delay before including the new principal in a key policy
|
649
|
+
# because the new principal might not be immediately visible to KMS.
|
650
|
+
# For more information, see [Changes that I make are not always
|
651
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
652
|
+
# Access Management User Guide*.
|
653
|
+
#
|
654
|
+
# If you do not provide a key policy, KMS attaches a default key
|
655
|
+
# policy to the KMS key. For more information, see [Default Key
|
656
|
+
# Policy][3] in the *Key Management Service Developer Guide*.
|
650
657
|
#
|
651
658
|
# The key policy size quota is 32 kilobytes (32768 bytes).
|
652
659
|
#
|
653
660
|
# For help writing and formatting a JSON policy document, see the [IAM
|
654
|
-
# JSON Policy Reference][4] in the <i> <i>
|
661
|
+
# JSON Policy Reference][4] in the <i> <i>Identity and Access
|
662
|
+
# Management User Guide</i> </i>.
|
655
663
|
#
|
656
664
|
#
|
657
665
|
#
|
@@ -662,28 +670,32 @@ module Aws::KMS
|
|
662
670
|
# @return [String]
|
663
671
|
#
|
664
672
|
# @!attribute [rw] description
|
665
|
-
# A description of the
|
673
|
+
# A description of the KMS key.
|
666
674
|
#
|
667
|
-
# Use a description that helps you decide whether the
|
675
|
+
# Use a description that helps you decide whether the KMS key is
|
668
676
|
# appropriate for a task. The default value is an empty string (no
|
669
677
|
# description).
|
678
|
+
#
|
679
|
+
# To set or change the description after the key is created, use
|
680
|
+
# UpdateKeyDescription.
|
670
681
|
# @return [String]
|
671
682
|
#
|
672
683
|
# @!attribute [rw] key_usage
|
673
684
|
# Determines the [cryptographic operations][1] for which you can use
|
674
|
-
# the
|
675
|
-
# required only for asymmetric
|
676
|
-
# value after the
|
685
|
+
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
686
|
+
# is required only for asymmetric KMS keys. You can't change the
|
687
|
+
# `KeyUsage` value after the KMS key is created.
|
677
688
|
#
|
678
689
|
# Select only one valid value.
|
679
690
|
#
|
680
|
-
# * For symmetric
|
691
|
+
# * For symmetric KMS keys, omit the parameter or specify
|
681
692
|
# `ENCRYPT_DECRYPT`.
|
682
693
|
#
|
683
|
-
# * For asymmetric
|
694
|
+
# * For asymmetric KMS keys with RSA key material, specify
|
684
695
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
685
696
|
#
|
686
|
-
# * For asymmetric
|
697
|
+
# * For asymmetric KMS keys with ECC key material, specify
|
698
|
+
# `SIGN_VERIFY`.
|
687
699
|
#
|
688
700
|
#
|
689
701
|
#
|
@@ -691,28 +703,38 @@ module Aws::KMS
|
|
691
703
|
# @return [String]
|
692
704
|
#
|
693
705
|
# @!attribute [rw] customer_master_key_spec
|
694
|
-
#
|
695
|
-
# `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit symmetric key for
|
696
|
-
# encryption and decryption. For help choosing a key spec for your
|
697
|
-
# CMK, see [How to Choose Your CMK Configuration][1] in the *AWS Key
|
698
|
-
# Management Service Developer Guide*.
|
706
|
+
# Instead, use the `KeySpec` parameter.
|
699
707
|
#
|
700
|
-
# The `CustomerMasterKeySpec`
|
701
|
-
#
|
702
|
-
#
|
703
|
-
#
|
704
|
-
#
|
705
|
-
#
|
706
|
-
#
|
707
|
-
#
|
708
|
-
#
|
709
|
-
#
|
710
|
-
#
|
711
|
-
#
|
712
|
-
#
|
713
|
-
#
|
708
|
+
# The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
|
709
|
+
# way. Only the names differ. We recommend that you use `KeySpec`
|
710
|
+
# parameter in your code. However, to avoid breaking changes, KMS will
|
711
|
+
# support both parameters.
|
712
|
+
# @return [String]
|
713
|
+
#
|
714
|
+
# @!attribute [rw] key_spec
|
715
|
+
# Specifies the type of KMS key to create. The default value,
|
716
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
|
717
|
+
# for encryption and decryption. For help choosing a key spec for your
|
718
|
+
# KMS key, see [How to Choose Your KMS key Configuration][1] in the
|
719
|
+
# <i> <i>Key Management Service Developer Guide</i> </i>.
|
720
|
+
#
|
721
|
+
# The `KeySpec` determines whether the KMS key contains a symmetric
|
722
|
+
# key or an asymmetric key pair. It also determines the encryption
|
723
|
+
# algorithms or signing algorithms that the KMS key supports. You
|
724
|
+
# can't change the `KeySpec` after the KMS key is created. To further
|
725
|
+
# restrict the algorithms that can be used with the KMS key, use a
|
726
|
+
# condition key in its key policy or IAM policy. For more information,
|
727
|
+
# see [kms:EncryptionAlgorithm][2] or [kms:Signing Algorithm][3] in
|
728
|
+
# the <i> <i>Key Management Service Developer Guide</i> </i>.
|
729
|
+
#
|
730
|
+
# [Amazon Web Services services that are integrated with KMS][4] use
|
731
|
+
# symmetric KMS keys to protect your data. These services do not
|
732
|
+
# support asymmetric KMS keys. For help determining whether a KMS key
|
733
|
+
# is symmetric or asymmetric, see [Identifying Symmetric and
|
734
|
+
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
735
|
+
# Guide*.
|
714
736
|
#
|
715
|
-
#
|
737
|
+
# KMS supports the following key specs for KMS keys:
|
716
738
|
#
|
717
739
|
# * Symmetric key (default)
|
718
740
|
#
|
@@ -753,21 +775,21 @@ module Aws::KMS
|
|
753
775
|
# @return [String]
|
754
776
|
#
|
755
777
|
# @!attribute [rw] origin
|
756
|
-
# The source of the key material for the
|
757
|
-
# origin after you create the
|
758
|
-
# means that
|
778
|
+
# The source of the key material for the KMS key. You cannot change
|
779
|
+
# the origin after you create the KMS key. The default is `AWS_KMS`,
|
780
|
+
# which means that KMS creates the key material.
|
759
781
|
#
|
760
|
-
# To create a
|
761
|
-
# set the value to `EXTERNAL`. For more information about
|
762
|
-
# key material into
|
763
|
-
# *
|
764
|
-
# only for symmetric
|
782
|
+
# To create a KMS key with no key material (for imported key
|
783
|
+
# material), set the value to `EXTERNAL`. For more information about
|
784
|
+
# importing key material into KMS, see [Importing Key Material][1] in
|
785
|
+
# the *Key Management Service Developer Guide*. This value is valid
|
786
|
+
# only for symmetric KMS keys.
|
765
787
|
#
|
766
|
-
# To create a
|
767
|
-
# key material in the associated
|
768
|
-
#
|
769
|
-
#
|
770
|
-
#
|
788
|
+
# To create a KMS key in an KMS [custom key store][2] and create its
|
789
|
+
# key material in the associated CloudHSM cluster, set this value to
|
790
|
+
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
791
|
+
# to identify the custom key store. This value is valid only for
|
792
|
+
# symmetric KMS keys.
|
771
793
|
#
|
772
794
|
#
|
773
795
|
#
|
@@ -776,27 +798,26 @@ module Aws::KMS
|
|
776
798
|
# @return [String]
|
777
799
|
#
|
778
800
|
# @!attribute [rw] custom_key_store_id
|
779
|
-
# Creates the
|
780
|
-
# material in its associated
|
781
|
-
# a custom key store, you must also specify the `Origin` parameter
|
782
|
-
# with a value of `AWS_CLOUDHSM`. The
|
801
|
+
# Creates the KMS key in the specified [custom key store][1] and the
|
802
|
+
# key material in its associated CloudHSM cluster. To create a KMS key
|
803
|
+
# in a custom key store, you must also specify the `Origin` parameter
|
804
|
+
# with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
|
783
805
|
# associated with the custom key store must have at least two active
|
784
806
|
# HSMs, each in a different Availability Zone in the Region.
|
785
807
|
#
|
786
|
-
# This parameter is valid only for symmetric
|
787
|
-
# You cannot create an asymmetric
|
788
|
-
# custom key store.
|
808
|
+
# This parameter is valid only for symmetric KMS keys and regional KMS
|
809
|
+
# keys. You cannot create an asymmetric KMS key or a multi-Region key
|
810
|
+
# in a custom key store.
|
789
811
|
#
|
790
812
|
# To find the ID of a custom key store, use the
|
791
813
|
# DescribeCustomKeyStores operation.
|
792
814
|
#
|
793
|
-
# The response includes the custom key store ID and the ID of the
|
815
|
+
# The response includes the custom key store ID and the ID of the
|
794
816
|
# CloudHSM cluster.
|
795
817
|
#
|
796
818
|
# This operation is part of the [Custom Key Store feature][1] feature
|
797
|
-
# in
|
798
|
-
#
|
799
|
-
# store.
|
819
|
+
# in KMS, which combines the convenience and extensive integration of
|
820
|
+
# KMS with the isolation and control of a single-tenant key store.
|
800
821
|
#
|
801
822
|
#
|
802
823
|
#
|
@@ -807,16 +828,17 @@ module Aws::KMS
|
|
807
828
|
# A flag to indicate whether to bypass the key policy lockout safety
|
808
829
|
# check.
|
809
830
|
#
|
810
|
-
# Setting this value to true increases the risk that the
|
811
|
-
# unmanageable. Do not set this value to true
|
831
|
+
# Setting this value to true increases the risk that the KMS key
|
832
|
+
# becomes unmanageable. Do not set this value to true
|
833
|
+
# indiscriminately.
|
812
834
|
#
|
813
835
|
# For more information, refer to the scenario in the [Default Key
|
814
|
-
# Policy][1] section in the <i> <i>
|
815
|
-
#
|
836
|
+
# Policy][1] section in the <i> <i>Key Management Service Developer
|
837
|
+
# Guide</i> </i>.
|
816
838
|
#
|
817
839
|
# Use this parameter only when you include a policy in the request and
|
818
840
|
# you intend to prevent the principal that is making the request from
|
819
|
-
# making a subsequent PutKeyPolicy request on the
|
841
|
+
# making a subsequent PutKeyPolicy request on the KMS key.
|
820
842
|
#
|
821
843
|
# The default value is false.
|
822
844
|
#
|
@@ -826,12 +848,12 @@ module Aws::KMS
|
|
826
848
|
# @return [Boolean]
|
827
849
|
#
|
828
850
|
# @!attribute [rw] tags
|
829
|
-
# Assigns one or more tags to the
|
830
|
-
#
|
831
|
-
# operation.
|
851
|
+
# Assigns one or more tags to the KMS key. Use this parameter to tag
|
852
|
+
# the KMS key when it is created. To tag an existing KMS key, use the
|
853
|
+
# TagResource operation.
|
832
854
|
#
|
833
|
-
# <note markdown="1"> Tagging or untagging a
|
834
|
-
# For details, see [Using ABAC in
|
855
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
856
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
835
857
|
# Management Service Developer Guide*.
|
836
858
|
#
|
837
859
|
# </note>
|
@@ -841,14 +863,14 @@ module Aws::KMS
|
|
841
863
|
#
|
842
864
|
# Each tag consists of a tag key and a tag value. Both the tag key and
|
843
865
|
# the tag value are required, but the tag value can be an empty (null)
|
844
|
-
# string. You cannot have more than one tag on a
|
845
|
-
# key. If you specify an existing tag key with a different tag
|
846
|
-
#
|
866
|
+
# string. You cannot have more than one tag on a KMS key with the same
|
867
|
+
# tag key. If you specify an existing tag key with a different tag
|
868
|
+
# value, KMS replaces the current tag value with the specified one.
|
847
869
|
#
|
848
|
-
# When you
|
849
|
-
# allocation report with usage and costs
|
850
|
-
# also be used to control access to a
|
851
|
-
# Keys][3].
|
870
|
+
# When you add tags to an Amazon Web Services resource, Amazon Web
|
871
|
+
# Services generates a cost allocation report with usage and costs
|
872
|
+
# aggregated by tags. Tags can also be used to control access to a KMS
|
873
|
+
# key. For details, see [Tagging Keys][3].
|
852
874
|
#
|
853
875
|
#
|
854
876
|
#
|
@@ -859,27 +881,29 @@ module Aws::KMS
|
|
859
881
|
#
|
860
882
|
# @!attribute [rw] multi_region
|
861
883
|
# Creates a multi-Region primary key that you can replicate into other
|
862
|
-
#
|
884
|
+
# Amazon Web Services Regions. You cannot change this value after you
|
885
|
+
# create the KMS key.
|
863
886
|
#
|
864
887
|
# For a multi-Region key, set this parameter to `True`. For a
|
865
|
-
# single-Region
|
888
|
+
# single-Region KMS key, omit this parameter or set it to `False`. The
|
866
889
|
# default value is `False`.
|
867
890
|
#
|
868
|
-
# This operation supports *multi-Region keys*, an
|
869
|
-
# lets you create multiple interoperable
|
870
|
-
# Regions. Because these
|
871
|
-
# other metadata, you can use them
|
872
|
-
#
|
873
|
-
#
|
874
|
-
#
|
875
|
-
# keys][1] in the *
|
891
|
+
# This operation supports *multi-Region keys*, an KMS feature that
|
892
|
+
# lets you create multiple interoperable KMS keys in different Amazon
|
893
|
+
# Web Services Regions. Because these KMS keys have the same key ID,
|
894
|
+
# key material, and other metadata, you can use them interchangeably
|
895
|
+
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
896
|
+
# a different Amazon Web Services Region without re-encrypting the
|
897
|
+
# data or making a cross-Region call. For more information about
|
898
|
+
# multi-Region keys, see [Using multi-Region keys][1] in the *Key
|
899
|
+
# Management Service Developer Guide*.
|
876
900
|
#
|
877
901
|
# This value creates a *primary key*, not a replica. To create a
|
878
902
|
# *replica key*, use the ReplicateKey operation.
|
879
903
|
#
|
880
|
-
# You can create a symmetric or asymmetric multi-Region
|
881
|
-
# can create a multi-Region
|
882
|
-
# you cannot create a multi-Region
|
904
|
+
# You can create a symmetric or asymmetric multi-Region key, and you
|
905
|
+
# can create a multi-Region key with imported key material. However,
|
906
|
+
# you cannot create a multi-Region key in a custom key store.
|
883
907
|
#
|
884
908
|
#
|
885
909
|
#
|
@@ -893,6 +917,7 @@ module Aws::KMS
|
|
893
917
|
:description,
|
894
918
|
:key_usage,
|
895
919
|
:customer_master_key_spec,
|
920
|
+
:key_spec,
|
896
921
|
:origin,
|
897
922
|
:custom_key_store_id,
|
898
923
|
:bypass_policy_lockout_safety_check,
|
@@ -903,7 +928,7 @@ module Aws::KMS
|
|
903
928
|
end
|
904
929
|
|
905
930
|
# @!attribute [rw] key_metadata
|
906
|
-
# Metadata associated with the
|
931
|
+
# Metadata associated with the KMS key.
|
907
932
|
# @return [Types::KeyMetadata]
|
908
933
|
#
|
909
934
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyResponse AWS API Documentation
|
@@ -914,10 +939,10 @@ module Aws::KMS
|
|
914
939
|
include Aws::Structure
|
915
940
|
end
|
916
941
|
|
917
|
-
# The request was rejected because the custom key store contains
|
918
|
-
#
|
919
|
-
#
|
920
|
-
#
|
942
|
+
# The request was rejected because the custom key store contains KMS
|
943
|
+
# keys. After verifying that you do not need to use the KMS keys, use
|
944
|
+
# the ScheduleKeyDeletion operation to delete the KMS keys. After they
|
945
|
+
# are deleted, you can delete the custom key store.
|
921
946
|
#
|
922
947
|
# @!attribute [rw] message
|
923
948
|
# @return [String]
|
@@ -975,8 +1000,8 @@ module Aws::KMS
|
|
975
1000
|
include Aws::Structure
|
976
1001
|
end
|
977
1002
|
|
978
|
-
# The request was rejected because
|
979
|
-
#
|
1003
|
+
# The request was rejected because KMS cannot find a custom key store
|
1004
|
+
# with the specified key store name or ID.
|
980
1005
|
#
|
981
1006
|
# @!attribute [rw] message
|
982
1007
|
# @return [String]
|
@@ -1001,12 +1026,12 @@ module Aws::KMS
|
|
1001
1026
|
# @return [String]
|
1002
1027
|
#
|
1003
1028
|
# @!attribute [rw] cloud_hsm_cluster_id
|
1004
|
-
# A unique identifier for the
|
1005
|
-
#
|
1029
|
+
# A unique identifier for the CloudHSM cluster that is associated with
|
1030
|
+
# the custom key store.
|
1006
1031
|
# @return [String]
|
1007
1032
|
#
|
1008
1033
|
# @!attribute [rw] trust_anchor_certificate
|
1009
|
-
# The trust anchor certificate of the associated
|
1034
|
+
# The trust anchor certificate of the associated CloudHSM cluster.
|
1010
1035
|
# When you [initialize the cluster][1], you create this certificate
|
1011
1036
|
# and save it in the `customerCA.crt` file.
|
1012
1037
|
#
|
@@ -1016,22 +1041,22 @@ module Aws::KMS
|
|
1016
1041
|
# @return [String]
|
1017
1042
|
#
|
1018
1043
|
# @!attribute [rw] connection_state
|
1019
|
-
# Indicates whether the custom key store is connected to its
|
1020
|
-
#
|
1044
|
+
# Indicates whether the custom key store is connected to its CloudHSM
|
1045
|
+
# cluster.
|
1021
1046
|
#
|
1022
|
-
# You can create and use
|
1023
|
-
# connection state is `CONNECTED`.
|
1047
|
+
# You can create and use KMS keys in your custom key stores only when
|
1048
|
+
# its connection state is `CONNECTED`.
|
1024
1049
|
#
|
1025
1050
|
# The value is `DISCONNECTED` if the key store has never been
|
1026
1051
|
# connected or you use the DisconnectCustomKeyStore operation to
|
1027
1052
|
# disconnect it. If the value is `CONNECTED` but you are having
|
1028
1053
|
# trouble using the custom key store, make sure that its associated
|
1029
|
-
#
|
1054
|
+
# CloudHSM cluster is active and contains at least one active HSM.
|
1030
1055
|
#
|
1031
1056
|
# A value of `FAILED` indicates that an attempt to connect was
|
1032
1057
|
# unsuccessful. The `ConnectionErrorCode` field in the response
|
1033
1058
|
# indicates the cause of the failure. For help resolving a connection
|
1034
|
-
# failure, see [Troubleshooting a Custom Key Store][1] in the *
|
1059
|
+
# failure, see [Troubleshooting a Custom Key Store][1] in the *Key
|
1035
1060
|
# Management Service Developer Guide*.
|
1036
1061
|
#
|
1037
1062
|
#
|
@@ -1042,64 +1067,64 @@ module Aws::KMS
|
|
1042
1067
|
# @!attribute [rw] connection_error_code
|
1043
1068
|
# Describes the connection error. This field appears in the response
|
1044
1069
|
# only when the `ConnectionState` is `FAILED`. For help resolving
|
1045
|
-
# these errors, see [How to Fix a Connection Failure][1] in *
|
1070
|
+
# these errors, see [How to Fix a Connection Failure][1] in *Key
|
1046
1071
|
# Management Service Developer Guide*.
|
1047
1072
|
#
|
1048
1073
|
# Valid values are:
|
1049
1074
|
#
|
1050
|
-
# * `CLUSTER_NOT_FOUND` -
|
1051
|
-
#
|
1075
|
+
# * `CLUSTER_NOT_FOUND` - KMS cannot find the CloudHSM cluster with
|
1076
|
+
# the specified cluster ID.
|
1052
1077
|
#
|
1053
|
-
# * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated
|
1078
|
+
# * `INSUFFICIENT_CLOUDHSM_HSMS` - The associated CloudHSM cluster
|
1054
1079
|
# does not contain any active HSMs. To connect a custom key store to
|
1055
|
-
# its
|
1056
|
-
#
|
1080
|
+
# its CloudHSM cluster, the cluster must contain at least one active
|
1081
|
+
# HSM.
|
1057
1082
|
#
|
1058
|
-
# * `INTERNAL_ERROR` -
|
1059
|
-
#
|
1083
|
+
# * `INTERNAL_ERROR` - KMS could not complete the request due to an
|
1084
|
+
# internal error. Retry the request. For `ConnectCustomKeyStore`
|
1060
1085
|
# requests, disconnect the custom key store before trying to connect
|
1061
1086
|
# again.
|
1062
1087
|
#
|
1063
|
-
# * `INVALID_CREDENTIALS` -
|
1064
|
-
#
|
1065
|
-
#
|
1066
|
-
#
|
1067
|
-
#
|
1088
|
+
# * `INVALID_CREDENTIALS` - KMS does not have the correct password for
|
1089
|
+
# the `kmsuser` crypto user in the CloudHSM cluster. Before you can
|
1090
|
+
# connect your custom key store to its CloudHSM cluster, you must
|
1091
|
+
# change the `kmsuser` account password and update the key store
|
1092
|
+
# password value for the custom key store.
|
1068
1093
|
#
|
1069
|
-
# * `NETWORK_ERRORS` - Network errors are preventing
|
1094
|
+
# * `NETWORK_ERRORS` - Network errors are preventing KMS from
|
1070
1095
|
# connecting to the custom key store.
|
1071
1096
|
#
|
1072
|
-
# * `SUBNET_NOT_FOUND` - A subnet in the
|
1073
|
-
# configuration was deleted. If
|
1074
|
-
#
|
1075
|
-
#
|
1076
|
-
#
|
1077
|
-
#
|
1078
|
-
#
|
1079
|
-
#
|
1080
|
-
#
|
1097
|
+
# * `SUBNET_NOT_FOUND` - A subnet in the CloudHSM cluster
|
1098
|
+
# configuration was deleted. If KMS cannot find all of the subnets
|
1099
|
+
# in the cluster configuration, attempts to connect the custom key
|
1100
|
+
# store to the CloudHSM cluster fail. To fix this error, create a
|
1101
|
+
# cluster from a recent backup and associate it with your custom key
|
1102
|
+
# store. (This process creates a new cluster configuration with a
|
1103
|
+
# VPC and private subnets.) For details, see [How to Fix a
|
1104
|
+
# Connection Failure][1] in the *Key Management Service Developer
|
1105
|
+
# Guide*.
|
1081
1106
|
#
|
1082
1107
|
# * `USER_LOCKED_OUT` - The `kmsuser` CU account is locked out of the
|
1083
|
-
# associated
|
1084
|
-
# attempts. Before you can connect your custom key store to its
|
1108
|
+
# associated CloudHSM cluster due to too many failed password
|
1109
|
+
# attempts. Before you can connect your custom key store to its
|
1085
1110
|
# CloudHSM cluster, you must change the `kmsuser` account password
|
1086
1111
|
# and update the key store password value for the custom key store.
|
1087
1112
|
#
|
1088
1113
|
# * `USER_LOGGED_IN` - The `kmsuser` CU account is logged into the the
|
1089
|
-
# associated
|
1090
|
-
#
|
1091
|
-
#
|
1092
|
-
#
|
1093
|
-
#
|
1094
|
-
#
|
1095
|
-
#
|
1096
|
-
#
|
1097
|
-
#
|
1098
|
-
# * `USER_NOT_FOUND` -
|
1099
|
-
#
|
1100
|
-
#
|
1101
|
-
#
|
1102
|
-
#
|
1114
|
+
# associated CloudHSM cluster. This prevents KMS from rotating the
|
1115
|
+
# `kmsuser` account password and logging into the cluster. Before
|
1116
|
+
# you can connect your custom key store to its CloudHSM cluster, you
|
1117
|
+
# must log the `kmsuser` CU out of the cluster. If you changed the
|
1118
|
+
# `kmsuser` password to log into the cluster, you must also and
|
1119
|
+
# update the key store password value for the custom key store. For
|
1120
|
+
# help, see [How to Log Out and Reconnect][2] in the *Key Management
|
1121
|
+
# Service Developer Guide*.
|
1122
|
+
#
|
1123
|
+
# * `USER_NOT_FOUND` - KMS cannot find a `kmsuser` CU account in the
|
1124
|
+
# associated CloudHSM cluster. Before you can connect your custom
|
1125
|
+
# key store to its CloudHSM cluster, you must create a `kmsuser` CU
|
1126
|
+
# account in the cluster, and then update the key store password
|
1127
|
+
# value for the custom key store.
|
1103
1128
|
#
|
1104
1129
|
#
|
1105
1130
|
#
|
@@ -1145,17 +1170,17 @@ module Aws::KMS
|
|
1145
1170
|
# @!attribute [rw] encryption_context
|
1146
1171
|
# Specifies the encryption context to use when decrypting the data. An
|
1147
1172
|
# encryption context is valid only for [cryptographic operations][1]
|
1148
|
-
# with a symmetric
|
1149
|
-
# that
|
1173
|
+
# with a symmetric KMS key. The standard asymmetric encryption
|
1174
|
+
# algorithms that KMS uses do not support an encryption context.
|
1150
1175
|
#
|
1151
1176
|
# An *encryption context* is a collection of non-secret key-value
|
1152
1177
|
# pairs that represents additional authenticated data. When you use an
|
1153
1178
|
# encryption context to encrypt data, you must specify the same (an
|
1154
1179
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1155
1180
|
# An encryption context is optional when encrypting with a symmetric
|
1156
|
-
#
|
1181
|
+
# KMS key, but it is highly recommended.
|
1157
1182
|
#
|
1158
|
-
# For more information, see [Encryption Context][2] in the *
|
1183
|
+
# For more information, see [Encryption Context][2] in the *Key
|
1159
1184
|
# Management Service Developer Guide*.
|
1160
1185
|
#
|
1161
1186
|
#
|
@@ -1168,32 +1193,31 @@ module Aws::KMS
|
|
1168
1193
|
# A list of grant tokens.
|
1169
1194
|
#
|
1170
1195
|
# Use a grant token when your permission to call this operation comes
|
1171
|
-
# from a
|
1172
|
-
#
|
1173
|
-
#
|
1174
|
-
# consistency*. For more information, see [Grant token][1] in the *AWS
|
1175
|
-
# Key Management Service Developer Guide*.
|
1196
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
1197
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1198
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1176
1199
|
#
|
1177
1200
|
#
|
1178
1201
|
#
|
1179
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1202
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1203
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1180
1204
|
# @return [Array<String>]
|
1181
1205
|
#
|
1182
1206
|
# @!attribute [rw] key_id
|
1183
|
-
# Specifies the
|
1184
|
-
#
|
1185
|
-
# the ciphertext.
|
1207
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter
|
1208
|
+
# a key ID of the KMS key that was used to encrypt the ciphertext.
|
1186
1209
|
#
|
1187
1210
|
# This parameter is required only when the ciphertext was encrypted
|
1188
|
-
# under an asymmetric
|
1189
|
-
# get the
|
1190
|
-
# blob. However, it is always recommended as a best
|
1191
|
-
# practice ensures that you use the
|
1192
|
-
#
|
1193
|
-
#
|
1194
|
-
#
|
1195
|
-
#
|
1196
|
-
#
|
1211
|
+
# under an asymmetric KMS key. If you used a symmetric KMS key, KMS
|
1212
|
+
# can get the KMS key from metadata that it adds to the symmetric
|
1213
|
+
# ciphertext blob. However, it is always recommended as a best
|
1214
|
+
# practice. This practice ensures that you use the KMS key that you
|
1215
|
+
# intend.
|
1216
|
+
#
|
1217
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1218
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1219
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1220
|
+
# the key ARN or alias ARN.
|
1197
1221
|
#
|
1198
1222
|
# For example:
|
1199
1223
|
#
|
@@ -1206,7 +1230,7 @@ module Aws::KMS
|
|
1206
1230
|
#
|
1207
1231
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1208
1232
|
#
|
1209
|
-
# To get the key ID and key ARN for a
|
1233
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1210
1234
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1211
1235
|
# @return [String]
|
1212
1236
|
#
|
@@ -1217,9 +1241,9 @@ module Aws::KMS
|
|
1217
1241
|
# fails.
|
1218
1242
|
#
|
1219
1243
|
# This parameter is required only when the ciphertext was encrypted
|
1220
|
-
# under an asymmetric
|
1244
|
+
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
1221
1245
|
# represents the only supported algorithm that is valid for symmetric
|
1222
|
-
#
|
1246
|
+
# KMS keys.
|
1223
1247
|
# @return [String]
|
1224
1248
|
#
|
1225
1249
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
@@ -1235,8 +1259,8 @@ module Aws::KMS
|
|
1235
1259
|
end
|
1236
1260
|
|
1237
1261
|
# @!attribute [rw] key_id
|
1238
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1239
|
-
# decrypt the ciphertext.
|
1262
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
1263
|
+
# to decrypt the ciphertext.
|
1240
1264
|
#
|
1241
1265
|
#
|
1242
1266
|
#
|
@@ -1244,8 +1268,9 @@ module Aws::KMS
|
|
1244
1268
|
# @return [String]
|
1245
1269
|
#
|
1246
1270
|
# @!attribute [rw] plaintext
|
1247
|
-
# Decrypted plaintext data. When you use the HTTP API or the
|
1248
|
-
# the value is Base64-encoded. Otherwise, it is not
|
1271
|
+
# Decrypted plaintext data. When you use the HTTP API or the Amazon
|
1272
|
+
# Web Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1273
|
+
# Base64-encoded.
|
1249
1274
|
# @return [String]
|
1250
1275
|
#
|
1251
1276
|
# @!attribute [rw] encryption_algorithm
|
@@ -1314,10 +1339,10 @@ module Aws::KMS
|
|
1314
1339
|
# }
|
1315
1340
|
#
|
1316
1341
|
# @!attribute [rw] key_id
|
1317
|
-
# Identifies the
|
1318
|
-
# material. The `Origin` of the
|
1342
|
+
# Identifies the KMS key from which you are deleting imported key
|
1343
|
+
# material. The `Origin` of the KMS key must be `EXTERNAL`.
|
1319
1344
|
#
|
1320
|
-
# Specify the key ID or key ARN of the
|
1345
|
+
# Specify the key ID or key ARN of the KMS key.
|
1321
1346
|
#
|
1322
1347
|
# For example:
|
1323
1348
|
#
|
@@ -1326,7 +1351,7 @@ module Aws::KMS
|
|
1326
1351
|
# * Key ARN:
|
1327
1352
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1328
1353
|
#
|
1329
|
-
# To get the key ID and key ARN for a
|
1354
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1330
1355
|
# DescribeKey.
|
1331
1356
|
# @return [String]
|
1332
1357
|
#
|
@@ -1384,7 +1409,7 @@ module Aws::KMS
|
|
1384
1409
|
#
|
1385
1410
|
# @!attribute [rw] limit
|
1386
1411
|
# Use this parameter to specify the maximum number of items to return.
|
1387
|
-
# When this value is present,
|
1412
|
+
# When this value is present, KMS does not return more than the
|
1388
1413
|
# specified number of items, but it might return fewer.
|
1389
1414
|
# @return [Integer]
|
1390
1415
|
#
|
@@ -1440,16 +1465,17 @@ module Aws::KMS
|
|
1440
1465
|
# }
|
1441
1466
|
#
|
1442
1467
|
# @!attribute [rw] key_id
|
1443
|
-
# Describes the specified
|
1468
|
+
# Describes the specified KMS key.
|
1444
1469
|
#
|
1445
|
-
# If you specify a predefined
|
1446
|
-
# KMS associates the alias with an
|
1447
|
-
# its `KeyId` and
|
1470
|
+
# If you specify a predefined Amazon Web Services alias (an Amazon Web
|
1471
|
+
# Services alias with no key ID), KMS associates the alias with an
|
1472
|
+
# [Amazon Web Services managed key][1] and returns its `KeyId` and
|
1473
|
+
# `Arn` in the response.
|
1448
1474
|
#
|
1449
|
-
# To specify a
|
1450
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
1451
|
-
#
|
1452
|
-
# ARN.
|
1475
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1476
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1477
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1478
|
+
# the key ARN or alias ARN.
|
1453
1479
|
#
|
1454
1480
|
# For example:
|
1455
1481
|
#
|
@@ -1462,12 +1488,12 @@ module Aws::KMS
|
|
1462
1488
|
#
|
1463
1489
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1464
1490
|
#
|
1465
|
-
# To get the key ID and key ARN for a
|
1491
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1466
1492
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1467
1493
|
#
|
1468
1494
|
#
|
1469
1495
|
#
|
1470
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
|
1496
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk
|
1471
1497
|
# @return [String]
|
1472
1498
|
#
|
1473
1499
|
# @!attribute [rw] grant_tokens
|
@@ -1475,12 +1501,13 @@ module Aws::KMS
|
|
1475
1501
|
#
|
1476
1502
|
# Use a grant token when your permission to call this operation comes
|
1477
1503
|
# from a new grant that has not yet achieved *eventual consistency*.
|
1478
|
-
# For more information, see [Grant token][1]
|
1479
|
-
# Management Service Developer Guide*.
|
1504
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1505
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1480
1506
|
#
|
1481
1507
|
#
|
1482
1508
|
#
|
1483
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1509
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1510
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1484
1511
|
# @return [Array<String>]
|
1485
1512
|
#
|
1486
1513
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKeyRequest AWS API Documentation
|
@@ -1512,9 +1539,9 @@ module Aws::KMS
|
|
1512
1539
|
# }
|
1513
1540
|
#
|
1514
1541
|
# @!attribute [rw] key_id
|
1515
|
-
# Identifies the
|
1542
|
+
# Identifies the KMS key to disable.
|
1516
1543
|
#
|
1517
|
-
# Specify the key ID or key ARN of the
|
1544
|
+
# Specify the key ID or key ARN of the KMS key.
|
1518
1545
|
#
|
1519
1546
|
# For example:
|
1520
1547
|
#
|
@@ -1523,7 +1550,7 @@ module Aws::KMS
|
|
1523
1550
|
# * Key ARN:
|
1524
1551
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1525
1552
|
#
|
1526
|
-
# To get the key ID and key ARN for a
|
1553
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1527
1554
|
# DescribeKey.
|
1528
1555
|
# @return [String]
|
1529
1556
|
#
|
@@ -1543,11 +1570,11 @@ module Aws::KMS
|
|
1543
1570
|
# }
|
1544
1571
|
#
|
1545
1572
|
# @!attribute [rw] key_id
|
1546
|
-
# Identifies a symmetric
|
1547
|
-
#
|
1548
|
-
# [imported key material][2], or
|
1573
|
+
# Identifies a symmetric KMS key. You cannot enable or disable
|
1574
|
+
# automatic rotation of [asymmetric KMS keys][1], KMS keys with
|
1575
|
+
# [imported key material][2], or KMS keys in a [custom key store][3].
|
1549
1576
|
#
|
1550
|
-
# Specify the key ID or key ARN of the
|
1577
|
+
# Specify the key ID or key ARN of the KMS key.
|
1551
1578
|
#
|
1552
1579
|
# For example:
|
1553
1580
|
#
|
@@ -1556,7 +1583,7 @@ module Aws::KMS
|
|
1556
1583
|
# * Key ARN:
|
1557
1584
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1558
1585
|
#
|
1559
|
-
# To get the key ID and key ARN for a
|
1586
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1560
1587
|
# DescribeKey.
|
1561
1588
|
#
|
1562
1589
|
#
|
@@ -1574,7 +1601,7 @@ module Aws::KMS
|
|
1574
1601
|
include Aws::Structure
|
1575
1602
|
end
|
1576
1603
|
|
1577
|
-
# The request was rejected because the specified
|
1604
|
+
# The request was rejected because the specified KMS key is not enabled.
|
1578
1605
|
#
|
1579
1606
|
# @!attribute [rw] message
|
1580
1607
|
# @return [String]
|
@@ -1620,9 +1647,9 @@ module Aws::KMS
|
|
1620
1647
|
# }
|
1621
1648
|
#
|
1622
1649
|
# @!attribute [rw] key_id
|
1623
|
-
# Identifies the
|
1650
|
+
# Identifies the KMS key to enable.
|
1624
1651
|
#
|
1625
|
-
# Specify the key ID or key ARN of the
|
1652
|
+
# Specify the key ID or key ARN of the KMS key.
|
1626
1653
|
#
|
1627
1654
|
# For example:
|
1628
1655
|
#
|
@@ -1631,7 +1658,7 @@ module Aws::KMS
|
|
1631
1658
|
# * Key ARN:
|
1632
1659
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1633
1660
|
#
|
1634
|
-
# To get the key ID and key ARN for a
|
1661
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1635
1662
|
# DescribeKey.
|
1636
1663
|
# @return [String]
|
1637
1664
|
#
|
@@ -1651,13 +1678,13 @@ module Aws::KMS
|
|
1651
1678
|
# }
|
1652
1679
|
#
|
1653
1680
|
# @!attribute [rw] key_id
|
1654
|
-
# Identifies a symmetric
|
1655
|
-
#
|
1656
|
-
# material][2], or
|
1681
|
+
# Identifies a symmetric KMS key. You cannot enable automatic rotation
|
1682
|
+
# of [asymmetric KMS keys][1], KMS keys with [imported key
|
1683
|
+
# material][2], or KMS keys in a [custom key store][3]. To enable or
|
1657
1684
|
# disable automatic rotation of a set of related [multi-Region
|
1658
1685
|
# keys][4], set the property on the primary key.
|
1659
1686
|
#
|
1660
|
-
# Specify the key ID or key ARN of the
|
1687
|
+
# Specify the key ID or key ARN of the KMS key.
|
1661
1688
|
#
|
1662
1689
|
# For example:
|
1663
1690
|
#
|
@@ -1666,7 +1693,7 @@ module Aws::KMS
|
|
1666
1693
|
# * Key ARN:
|
1667
1694
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1668
1695
|
#
|
1669
|
-
# To get the key ID and key ARN for a
|
1696
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1670
1697
|
# DescribeKey.
|
1671
1698
|
#
|
1672
1699
|
#
|
@@ -1699,13 +1726,12 @@ module Aws::KMS
|
|
1699
1726
|
# }
|
1700
1727
|
#
|
1701
1728
|
# @!attribute [rw] key_id
|
1702
|
-
# Identifies the
|
1703
|
-
# operation.
|
1729
|
+
# Identifies the KMS key to use in the encryption operation.
|
1704
1730
|
#
|
1705
|
-
# To specify a
|
1706
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
1707
|
-
#
|
1708
|
-
# ARN.
|
1731
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1732
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1733
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1734
|
+
# the key ARN or alias ARN.
|
1709
1735
|
#
|
1710
1736
|
# For example:
|
1711
1737
|
#
|
@@ -1718,7 +1744,7 @@ module Aws::KMS
|
|
1718
1744
|
#
|
1719
1745
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1720
1746
|
#
|
1721
|
-
# To get the key ID and key ARN for a
|
1747
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1722
1748
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1723
1749
|
# @return [String]
|
1724
1750
|
#
|
@@ -1729,8 +1755,8 @@ module Aws::KMS
|
|
1729
1755
|
# @!attribute [rw] encryption_context
|
1730
1756
|
# Specifies the encryption context that will be used to encrypt the
|
1731
1757
|
# data. An encryption context is valid only for [cryptographic
|
1732
|
-
# operations][1] with a symmetric
|
1733
|
-
# encryption algorithms that
|
1758
|
+
# operations][1] with a symmetric KMS key. The standard asymmetric
|
1759
|
+
# encryption algorithms that KMS uses do not support an encryption
|
1734
1760
|
# context.
|
1735
1761
|
#
|
1736
1762
|
# An *encryption context* is a collection of non-secret key-value
|
@@ -1738,9 +1764,9 @@ module Aws::KMS
|
|
1738
1764
|
# encryption context to encrypt data, you must specify the same (an
|
1739
1765
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1740
1766
|
# An encryption context is optional when encrypting with a symmetric
|
1741
|
-
#
|
1767
|
+
# KMS key, but it is highly recommended.
|
1742
1768
|
#
|
1743
|
-
# For more information, see [Encryption Context][2] in the *
|
1769
|
+
# For more information, see [Encryption Context][2] in the *Key
|
1744
1770
|
# Management Service Developer Guide*.
|
1745
1771
|
#
|
1746
1772
|
#
|
@@ -1754,22 +1780,23 @@ module Aws::KMS
|
|
1754
1780
|
#
|
1755
1781
|
# Use a grant token when your permission to call this operation comes
|
1756
1782
|
# from a new grant that has not yet achieved *eventual consistency*.
|
1757
|
-
# For more information, see [Grant token][1]
|
1758
|
-
# Management Service Developer Guide*.
|
1783
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1784
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1759
1785
|
#
|
1760
1786
|
#
|
1761
1787
|
#
|
1762
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1788
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1789
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1763
1790
|
# @return [Array<String>]
|
1764
1791
|
#
|
1765
1792
|
# @!attribute [rw] encryption_algorithm
|
1766
|
-
# Specifies the encryption algorithm that
|
1767
|
-
#
|
1793
|
+
# Specifies the encryption algorithm that KMS will use to encrypt the
|
1794
|
+
# plaintext message. The algorithm must be compatible with the KMS key
|
1768
1795
|
# that you specify.
|
1769
1796
|
#
|
1770
|
-
# This parameter is required only for asymmetric
|
1771
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
1772
|
-
#
|
1797
|
+
# This parameter is required only for asymmetric KMS keys. The default
|
1798
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric KMS
|
1799
|
+
# keys. If you are using an asymmetric KMS key, we recommend
|
1773
1800
|
# RSAES\_OAEP\_SHA\_256.
|
1774
1801
|
# @return [String]
|
1775
1802
|
#
|
@@ -1786,13 +1813,14 @@ module Aws::KMS
|
|
1786
1813
|
end
|
1787
1814
|
|
1788
1815
|
# @!attribute [rw] ciphertext_blob
|
1789
|
-
# The encrypted plaintext. When you use the HTTP API or the
|
1790
|
-
# the value is Base64-encoded. Otherwise, it is not
|
1816
|
+
# The encrypted plaintext. When you use the HTTP API or the Amazon Web
|
1817
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1818
|
+
# Base64-encoded.
|
1791
1819
|
# @return [String]
|
1792
1820
|
#
|
1793
1821
|
# @!attribute [rw] key_id
|
1794
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1795
|
-
# encrypt the plaintext.
|
1822
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
1823
|
+
# to encrypt the plaintext.
|
1796
1824
|
#
|
1797
1825
|
#
|
1798
1826
|
#
|
@@ -1850,9 +1878,9 @@ module Aws::KMS
|
|
1850
1878
|
# encryption context to encrypt data, you must specify the same (an
|
1851
1879
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1852
1880
|
# An encryption context is optional when encrypting with a symmetric
|
1853
|
-
#
|
1881
|
+
# KMS key, but it is highly recommended.
|
1854
1882
|
#
|
1855
|
-
# For more information, see [Encryption Context][1] in the *
|
1883
|
+
# For more information, see [Encryption Context][1] in the *Key
|
1856
1884
|
# Management Service Developer Guide*.
|
1857
1885
|
#
|
1858
1886
|
#
|
@@ -1861,15 +1889,15 @@ module Aws::KMS
|
|
1861
1889
|
# @return [Hash<String,String>]
|
1862
1890
|
#
|
1863
1891
|
# @!attribute [rw] key_id
|
1864
|
-
# Specifies the symmetric
|
1865
|
-
# data key pair. You cannot specify an asymmetric
|
1866
|
-
# custom key store. To get the type and origin of your
|
1867
|
-
# DescribeKey operation.
|
1868
|
-
#
|
1869
|
-
# To specify a
|
1870
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
1871
|
-
#
|
1872
|
-
# ARN.
|
1892
|
+
# Specifies the symmetric KMS key that encrypts the private key in the
|
1893
|
+
# data key pair. You cannot specify an asymmetric KMS key or a KMS key
|
1894
|
+
# in a custom key store. To get the type and origin of your KMS key,
|
1895
|
+
# use the DescribeKey operation.
|
1896
|
+
#
|
1897
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1898
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
1899
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
1900
|
+
# the key ARN or alias ARN.
|
1873
1901
|
#
|
1874
1902
|
# For example:
|
1875
1903
|
#
|
@@ -1882,17 +1910,17 @@ module Aws::KMS
|
|
1882
1910
|
#
|
1883
1911
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1884
1912
|
#
|
1885
|
-
# To get the key ID and key ARN for a
|
1913
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
1886
1914
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
1887
1915
|
# @return [String]
|
1888
1916
|
#
|
1889
1917
|
# @!attribute [rw] key_pair_spec
|
1890
1918
|
# Determines the type of data key pair that is generated.
|
1891
1919
|
#
|
1892
|
-
# The
|
1920
|
+
# The KMS rule that restricts the use of asymmetric RSA KMS keys to
|
1893
1921
|
# encrypt and decrypt or to sign and verify (but not both), and the
|
1894
|
-
# rule that permits you to use ECC
|
1895
|
-
# not effective outside of
|
1922
|
+
# rule that permits you to use ECC KMS keys only to sign and verify,
|
1923
|
+
# are not effective on data key pairs, which are used outside of KMS.
|
1896
1924
|
# @return [String]
|
1897
1925
|
#
|
1898
1926
|
# @!attribute [rw] grant_tokens
|
@@ -1900,12 +1928,13 @@ module Aws::KMS
|
|
1900
1928
|
#
|
1901
1929
|
# Use a grant token when your permission to call this operation comes
|
1902
1930
|
# from a new grant that has not yet achieved *eventual consistency*.
|
1903
|
-
# For more information, see [Grant token][1]
|
1904
|
-
# Management Service Developer Guide*.
|
1931
|
+
# For more information, see [Grant token][1] and [Using a grant
|
1932
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
1905
1933
|
#
|
1906
1934
|
#
|
1907
1935
|
#
|
1908
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1936
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
1937
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1909
1938
|
# @return [Array<String>]
|
1910
1939
|
#
|
1911
1940
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
@@ -1921,14 +1950,14 @@ module Aws::KMS
|
|
1921
1950
|
|
1922
1951
|
# @!attribute [rw] private_key_ciphertext_blob
|
1923
1952
|
# The encrypted copy of the private key. When you use the HTTP API or
|
1924
|
-
# the
|
1925
|
-
# Base64-encoded.
|
1953
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
1954
|
+
# it is not Base64-encoded.
|
1926
1955
|
# @return [String]
|
1927
1956
|
#
|
1928
1957
|
# @!attribute [rw] private_key_plaintext
|
1929
1958
|
# The plaintext copy of the private key. When you use the HTTP API or
|
1930
|
-
# the
|
1931
|
-
# Base64-encoded.
|
1959
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
1960
|
+
# it is not Base64-encoded.
|
1932
1961
|
# @return [String]
|
1933
1962
|
#
|
1934
1963
|
# @!attribute [rw] public_key
|
@@ -1936,8 +1965,8 @@ module Aws::KMS
|
|
1936
1965
|
# @return [String]
|
1937
1966
|
#
|
1938
1967
|
# @!attribute [rw] key_id
|
1939
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
1940
|
-
# the private key.
|
1968
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
1969
|
+
# encrypted the private key.
|
1941
1970
|
#
|
1942
1971
|
#
|
1943
1972
|
#
|
@@ -1981,9 +2010,9 @@ module Aws::KMS
|
|
1981
2010
|
# encryption context to encrypt data, you must specify the same (an
|
1982
2011
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1983
2012
|
# An encryption context is optional when encrypting with a symmetric
|
1984
|
-
#
|
2013
|
+
# KMS key, but it is highly recommended.
|
1985
2014
|
#
|
1986
|
-
# For more information, see [Encryption Context][1] in the *
|
2015
|
+
# For more information, see [Encryption Context][1] in the *Key
|
1987
2016
|
# Management Service Developer Guide*.
|
1988
2017
|
#
|
1989
2018
|
#
|
@@ -1992,15 +2021,15 @@ module Aws::KMS
|
|
1992
2021
|
# @return [Hash<String,String>]
|
1993
2022
|
#
|
1994
2023
|
# @!attribute [rw] key_id
|
1995
|
-
# Specifies the
|
1996
|
-
# pair. You must specify a symmetric
|
1997
|
-
#
|
1998
|
-
# your
|
1999
|
-
#
|
2000
|
-
# To specify a
|
2001
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
2002
|
-
#
|
2003
|
-
# ARN.
|
2024
|
+
# Specifies the KMS key that encrypts the private key in the data key
|
2025
|
+
# pair. You must specify a symmetric KMS key. You cannot use an
|
2026
|
+
# asymmetric KMS key or a KMS key in a custom key store. To get the
|
2027
|
+
# type and origin of your KMS key, use the DescribeKey operation.
|
2028
|
+
#
|
2029
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2030
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2031
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2032
|
+
# the key ARN or alias ARN.
|
2004
2033
|
#
|
2005
2034
|
# For example:
|
2006
2035
|
#
|
@@ -2013,17 +2042,17 @@ module Aws::KMS
|
|
2013
2042
|
#
|
2014
2043
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2015
2044
|
#
|
2016
|
-
# To get the key ID and key ARN for a
|
2045
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2017
2046
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2018
2047
|
# @return [String]
|
2019
2048
|
#
|
2020
2049
|
# @!attribute [rw] key_pair_spec
|
2021
2050
|
# Determines the type of data key pair that is generated.
|
2022
2051
|
#
|
2023
|
-
# The
|
2052
|
+
# The KMS rule that restricts the use of asymmetric RSA KMS keys to
|
2024
2053
|
# encrypt and decrypt or to sign and verify (but not both), and the
|
2025
|
-
# rule that permits you to use ECC
|
2026
|
-
# not effective outside of
|
2054
|
+
# rule that permits you to use ECC KMS keys only to sign and verify,
|
2055
|
+
# are not effective on data key pairs, which are used outside of KMS.
|
2027
2056
|
# @return [String]
|
2028
2057
|
#
|
2029
2058
|
# @!attribute [rw] grant_tokens
|
@@ -2031,12 +2060,13 @@ module Aws::KMS
|
|
2031
2060
|
#
|
2032
2061
|
# Use a grant token when your permission to call this operation comes
|
2033
2062
|
# from a new grant that has not yet achieved *eventual consistency*.
|
2034
|
-
# For more information, see [Grant token][1]
|
2035
|
-
# Management Service Developer Guide*.
|
2063
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2064
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2036
2065
|
#
|
2037
2066
|
#
|
2038
2067
|
#
|
2039
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2068
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2069
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2040
2070
|
# @return [Array<String>]
|
2041
2071
|
#
|
2042
2072
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
@@ -2052,8 +2082,8 @@ module Aws::KMS
|
|
2052
2082
|
|
2053
2083
|
# @!attribute [rw] private_key_ciphertext_blob
|
2054
2084
|
# The encrypted copy of the private key. When you use the HTTP API or
|
2055
|
-
# the
|
2056
|
-
# Base64-encoded.
|
2085
|
+
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
2086
|
+
# it is not Base64-encoded.
|
2057
2087
|
# @return [String]
|
2058
2088
|
#
|
2059
2089
|
# @!attribute [rw] public_key
|
@@ -2061,8 +2091,8 @@ module Aws::KMS
|
|
2061
2091
|
# @return [String]
|
2062
2092
|
#
|
2063
2093
|
# @!attribute [rw] key_id
|
2064
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2065
|
-
# the private key.
|
2094
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2095
|
+
# encrypted the private key.
|
2066
2096
|
#
|
2067
2097
|
#
|
2068
2098
|
#
|
@@ -2098,12 +2128,12 @@ module Aws::KMS
|
|
2098
2128
|
# }
|
2099
2129
|
#
|
2100
2130
|
# @!attribute [rw] key_id
|
2101
|
-
# Identifies the symmetric
|
2131
|
+
# Identifies the symmetric KMS key that encrypts the data key.
|
2102
2132
|
#
|
2103
|
-
# To specify a
|
2104
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
2105
|
-
#
|
2106
|
-
# ARN.
|
2133
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2134
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2135
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2136
|
+
# the key ARN or alias ARN.
|
2107
2137
|
#
|
2108
2138
|
# For example:
|
2109
2139
|
#
|
@@ -2116,7 +2146,7 @@ module Aws::KMS
|
|
2116
2146
|
#
|
2117
2147
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2118
2148
|
#
|
2119
|
-
# To get the key ID and key ARN for a
|
2149
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2120
2150
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2121
2151
|
# @return [String]
|
2122
2152
|
#
|
@@ -2129,9 +2159,9 @@ module Aws::KMS
|
|
2129
2159
|
# encryption context to encrypt data, you must specify the same (an
|
2130
2160
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2131
2161
|
# An encryption context is optional when encrypting with a symmetric
|
2132
|
-
#
|
2162
|
+
# KMS key, but it is highly recommended.
|
2133
2163
|
#
|
2134
|
-
# For more information, see [Encryption Context][1] in the *
|
2164
|
+
# For more information, see [Encryption Context][1] in the *Key
|
2135
2165
|
# Management Service Developer Guide*.
|
2136
2166
|
#
|
2137
2167
|
#
|
@@ -2163,12 +2193,13 @@ module Aws::KMS
|
|
2163
2193
|
#
|
2164
2194
|
# Use a grant token when your permission to call this operation comes
|
2165
2195
|
# from a new grant that has not yet achieved *eventual consistency*.
|
2166
|
-
# For more information, see [Grant token][1]
|
2167
|
-
# Management Service Developer Guide*.
|
2196
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2197
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2168
2198
|
#
|
2169
2199
|
#
|
2170
2200
|
#
|
2171
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2201
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2202
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2172
2203
|
# @return [Array<String>]
|
2173
2204
|
#
|
2174
2205
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
|
@@ -2185,20 +2216,20 @@ module Aws::KMS
|
|
2185
2216
|
|
2186
2217
|
# @!attribute [rw] ciphertext_blob
|
2187
2218
|
# The encrypted copy of the data key. When you use the HTTP API or the
|
2188
|
-
#
|
2189
|
-
# Base64-encoded.
|
2219
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
2220
|
+
# is not Base64-encoded.
|
2190
2221
|
# @return [String]
|
2191
2222
|
#
|
2192
2223
|
# @!attribute [rw] plaintext
|
2193
|
-
# The plaintext data key. When you use the HTTP API or the
|
2194
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2195
|
-
# Use this data key to encrypt your data outside of
|
2196
|
-
# it from memory as soon as possible.
|
2224
|
+
# The plaintext data key. When you use the HTTP API or the Amazon Web
|
2225
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2226
|
+
# Base64-encoded. Use this data key to encrypt your data outside of
|
2227
|
+
# KMS. Then, remove it from memory as soon as possible.
|
2197
2228
|
# @return [String]
|
2198
2229
|
#
|
2199
2230
|
# @!attribute [rw] key_id
|
2200
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2201
|
-
# the data key.
|
2231
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2232
|
+
# encrypted the data key.
|
2202
2233
|
#
|
2203
2234
|
#
|
2204
2235
|
#
|
@@ -2229,13 +2260,12 @@ module Aws::KMS
|
|
2229
2260
|
# }
|
2230
2261
|
#
|
2231
2262
|
# @!attribute [rw] key_id
|
2232
|
-
# The identifier of the symmetric
|
2233
|
-
# encrypts the data key.
|
2263
|
+
# The identifier of the symmetric KMS key that encrypts the data key.
|
2234
2264
|
#
|
2235
|
-
# To specify a
|
2236
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
2237
|
-
#
|
2238
|
-
# ARN.
|
2265
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2266
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2267
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2268
|
+
# the key ARN or alias ARN.
|
2239
2269
|
#
|
2240
2270
|
# For example:
|
2241
2271
|
#
|
@@ -2248,7 +2278,7 @@ module Aws::KMS
|
|
2248
2278
|
#
|
2249
2279
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2250
2280
|
#
|
2251
|
-
# To get the key ID and key ARN for a
|
2281
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2252
2282
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2253
2283
|
# @return [String]
|
2254
2284
|
#
|
@@ -2261,9 +2291,9 @@ module Aws::KMS
|
|
2261
2291
|
# encryption context to encrypt data, you must specify the same (an
|
2262
2292
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2263
2293
|
# An encryption context is optional when encrypting with a symmetric
|
2264
|
-
#
|
2294
|
+
# KMS key, but it is highly recommended.
|
2265
2295
|
#
|
2266
|
-
# For more information, see [Encryption Context][1] in the *
|
2296
|
+
# For more information, see [Encryption Context][1] in the *Key
|
2267
2297
|
# Management Service Developer Guide*.
|
2268
2298
|
#
|
2269
2299
|
#
|
@@ -2288,12 +2318,13 @@ module Aws::KMS
|
|
2288
2318
|
#
|
2289
2319
|
# Use a grant token when your permission to call this operation comes
|
2290
2320
|
# from a new grant that has not yet achieved *eventual consistency*.
|
2291
|
-
# For more information, see [Grant token][1]
|
2292
|
-
# Management Service Developer Guide*.
|
2321
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2322
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2293
2323
|
#
|
2294
2324
|
#
|
2295
2325
|
#
|
2296
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2326
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2327
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2297
2328
|
# @return [Array<String>]
|
2298
2329
|
#
|
2299
2330
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
|
@@ -2309,13 +2340,14 @@ module Aws::KMS
|
|
2309
2340
|
end
|
2310
2341
|
|
2311
2342
|
# @!attribute [rw] ciphertext_blob
|
2312
|
-
# The encrypted data key. When you use the HTTP API or the
|
2313
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2343
|
+
# The encrypted data key. When you use the HTTP API or the Amazon Web
|
2344
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2345
|
+
# Base64-encoded.
|
2314
2346
|
# @return [String]
|
2315
2347
|
#
|
2316
2348
|
# @!attribute [rw] key_id
|
2317
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2318
|
-
# the data key.
|
2349
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that
|
2350
|
+
# encrypted the data key.
|
2319
2351
|
#
|
2320
2352
|
#
|
2321
2353
|
#
|
@@ -2344,7 +2376,7 @@ module Aws::KMS
|
|
2344
2376
|
# @return [Integer]
|
2345
2377
|
#
|
2346
2378
|
# @!attribute [rw] custom_key_store_id
|
2347
|
-
# Generates the random byte string in the
|
2379
|
+
# Generates the random byte string in the CloudHSM cluster that is
|
2348
2380
|
# associated with the specified [custom key store][1]. To find the ID
|
2349
2381
|
# of a custom key store, use the DescribeCustomKeyStores operation.
|
2350
2382
|
#
|
@@ -2363,8 +2395,9 @@ module Aws::KMS
|
|
2363
2395
|
end
|
2364
2396
|
|
2365
2397
|
# @!attribute [rw] plaintext
|
2366
|
-
# The random byte string. When you use the HTTP API or the
|
2367
|
-
# the value is Base64-encoded. Otherwise, it is not
|
2398
|
+
# The random byte string. When you use the HTTP API or the Amazon Web
|
2399
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2400
|
+
# Base64-encoded.
|
2368
2401
|
# @return [String]
|
2369
2402
|
#
|
2370
2403
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
@@ -2384,9 +2417,9 @@ module Aws::KMS
|
|
2384
2417
|
# }
|
2385
2418
|
#
|
2386
2419
|
# @!attribute [rw] key_id
|
2387
|
-
# Gets the key policy for the specified
|
2420
|
+
# Gets the key policy for the specified KMS key.
|
2388
2421
|
#
|
2389
|
-
# Specify the key ID or key ARN of the
|
2422
|
+
# Specify the key ID or key ARN of the KMS key.
|
2390
2423
|
#
|
2391
2424
|
# For example:
|
2392
2425
|
#
|
@@ -2395,7 +2428,7 @@ module Aws::KMS
|
|
2395
2428
|
# * Key ARN:
|
2396
2429
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2397
2430
|
#
|
2398
|
-
# To get the key ID and key ARN for a
|
2431
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2399
2432
|
# DescribeKey.
|
2400
2433
|
# @return [String]
|
2401
2434
|
#
|
@@ -2433,11 +2466,11 @@ module Aws::KMS
|
|
2433
2466
|
# }
|
2434
2467
|
#
|
2435
2468
|
# @!attribute [rw] key_id
|
2436
|
-
# Gets the rotation status for the specified
|
2437
|
-
# (CMK).
|
2469
|
+
# Gets the rotation status for the specified KMS key.
|
2438
2470
|
#
|
2439
|
-
# Specify the key ID or key ARN of the
|
2440
|
-
# different
|
2471
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
2472
|
+
# in a different Amazon Web Services account, you must use the key
|
2473
|
+
# ARN.
|
2441
2474
|
#
|
2442
2475
|
# For example:
|
2443
2476
|
#
|
@@ -2446,7 +2479,7 @@ module Aws::KMS
|
|
2446
2479
|
# * Key ARN:
|
2447
2480
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2448
2481
|
#
|
2449
|
-
# To get the key ID and key ARN for a
|
2482
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2450
2483
|
# DescribeKey.
|
2451
2484
|
# @return [String]
|
2452
2485
|
#
|
@@ -2480,10 +2513,10 @@ module Aws::KMS
|
|
2480
2513
|
# }
|
2481
2514
|
#
|
2482
2515
|
# @!attribute [rw] key_id
|
2483
|
-
# The identifier of the symmetric
|
2484
|
-
# material. The `Origin` of the
|
2516
|
+
# The identifier of the symmetric KMS key into which you will import
|
2517
|
+
# key material. The `Origin` of the KMS key must be `EXTERNAL`.
|
2485
2518
|
#
|
2486
|
-
# Specify the key ID or key ARN of the
|
2519
|
+
# Specify the key ID or key ARN of the KMS key.
|
2487
2520
|
#
|
2488
2521
|
# For example:
|
2489
2522
|
#
|
@@ -2492,14 +2525,14 @@ module Aws::KMS
|
|
2492
2525
|
# * Key ARN:
|
2493
2526
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2494
2527
|
#
|
2495
|
-
# To get the key ID and key ARN for a
|
2528
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2496
2529
|
# DescribeKey.
|
2497
2530
|
# @return [String]
|
2498
2531
|
#
|
2499
2532
|
# @!attribute [rw] wrapping_algorithm
|
2500
2533
|
# The algorithm you will use to encrypt the key material before
|
2501
2534
|
# importing it with ImportKeyMaterial. For more information, see
|
2502
|
-
# [Encrypt the Key Material][1] in the *
|
2535
|
+
# [Encrypt the Key Material][1] in the *Key Management Service
|
2503
2536
|
# Developer Guide*.
|
2504
2537
|
#
|
2505
2538
|
#
|
@@ -2523,9 +2556,9 @@ module Aws::KMS
|
|
2523
2556
|
end
|
2524
2557
|
|
2525
2558
|
# @!attribute [rw] key_id
|
2526
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
2527
|
-
# subsequent ImportKeyMaterial request. This is the same
|
2528
|
-
# in the `GetParametersForImport` request.
|
2559
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key to use in a
|
2560
|
+
# subsequent ImportKeyMaterial request. This is the same KMS key
|
2561
|
+
# specified in the `GetParametersForImport` request.
|
2529
2562
|
#
|
2530
2563
|
#
|
2531
2564
|
#
|
@@ -2568,12 +2601,12 @@ module Aws::KMS
|
|
2568
2601
|
# }
|
2569
2602
|
#
|
2570
2603
|
# @!attribute [rw] key_id
|
2571
|
-
# Identifies the asymmetric
|
2604
|
+
# Identifies the asymmetric KMS key that includes the public key.
|
2572
2605
|
#
|
2573
|
-
# To specify a
|
2574
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
2575
|
-
#
|
2576
|
-
# ARN.
|
2606
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2607
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
2608
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
2609
|
+
# the key ARN or alias ARN.
|
2577
2610
|
#
|
2578
2611
|
# For example:
|
2579
2612
|
#
|
@@ -2586,7 +2619,7 @@ module Aws::KMS
|
|
2586
2619
|
#
|
2587
2620
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2588
2621
|
#
|
2589
|
-
# To get the key ID and key ARN for a
|
2622
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2590
2623
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
2591
2624
|
# @return [String]
|
2592
2625
|
#
|
@@ -2595,12 +2628,13 @@ module Aws::KMS
|
|
2595
2628
|
#
|
2596
2629
|
# Use a grant token when your permission to call this operation comes
|
2597
2630
|
# from a new grant that has not yet achieved *eventual consistency*.
|
2598
|
-
# For more information, see [Grant token][1]
|
2599
|
-
# Management Service Developer Guide*.
|
2631
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2632
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2600
2633
|
#
|
2601
2634
|
#
|
2602
2635
|
#
|
2603
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2636
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2637
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2604
2638
|
# @return [Array<String>]
|
2605
2639
|
#
|
2606
2640
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyRequest AWS API Documentation
|
@@ -2613,8 +2647,8 @@ module Aws::KMS
|
|
2613
2647
|
end
|
2614
2648
|
|
2615
2649
|
# @!attribute [rw] key_id
|
2616
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
2617
|
-
# which the public key was downloaded.
|
2650
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
2651
|
+
# from which the public key was downloaded.
|
2618
2652
|
#
|
2619
2653
|
#
|
2620
2654
|
#
|
@@ -2626,8 +2660,8 @@ module Aws::KMS
|
|
2626
2660
|
#
|
2627
2661
|
# The value is a DER-encoded X.509 public key, also known as
|
2628
2662
|
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1]. When you
|
2629
|
-
# use the HTTP API or the
|
2630
|
-
# Otherwise, it is not Base64-encoded.
|
2663
|
+
# use the HTTP API or the Amazon Web Services CLI, the value is
|
2664
|
+
# Base64-encoded. Otherwise, it is not Base64-encoded.
|
2631
2665
|
#
|
2632
2666
|
#
|
2633
2667
|
#
|
@@ -2637,6 +2671,14 @@ module Aws::KMS
|
|
2637
2671
|
# @return [String]
|
2638
2672
|
#
|
2639
2673
|
# @!attribute [rw] customer_master_key_spec
|
2674
|
+
# Instead, use the `KeySpec` field in the `GetPublicKey` response.
|
2675
|
+
#
|
2676
|
+
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
2677
|
+
# value. We recommend that you use the `KeySpec` field in your code.
|
2678
|
+
# However, to avoid breaking changes, KMS will support both fields.
|
2679
|
+
# @return [String]
|
2680
|
+
#
|
2681
|
+
# @!attribute [rw] key_spec
|
2640
2682
|
# The type of the of the public key that was downloaded.
|
2641
2683
|
# @return [String]
|
2642
2684
|
#
|
@@ -2645,23 +2687,23 @@ module Aws::KMS
|
|
2645
2687
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
2646
2688
|
#
|
2647
2689
|
# This information is critical. If a public key with `SIGN_VERIFY` key
|
2648
|
-
# usage encrypts data outside of
|
2690
|
+
# usage encrypts data outside of KMS, the ciphertext cannot be
|
2649
2691
|
# decrypted.
|
2650
2692
|
# @return [String]
|
2651
2693
|
#
|
2652
2694
|
# @!attribute [rw] encryption_algorithms
|
2653
|
-
# The encryption algorithms that
|
2695
|
+
# The encryption algorithms that KMS supports for this key.
|
2654
2696
|
#
|
2655
2697
|
# This information is critical. If a public key encrypts data outside
|
2656
|
-
# of
|
2657
|
-
#
|
2698
|
+
# of KMS by using an unsupported encryption algorithm, the ciphertext
|
2699
|
+
# cannot be decrypted.
|
2658
2700
|
#
|
2659
2701
|
# This field appears in the response only when the `KeyUsage` of the
|
2660
2702
|
# public key is `ENCRYPT_DECRYPT`.
|
2661
2703
|
# @return [Array<String>]
|
2662
2704
|
#
|
2663
2705
|
# @!attribute [rw] signing_algorithms
|
2664
|
-
# The signing algorithms that
|
2706
|
+
# The signing algorithms that KMS supports for this key.
|
2665
2707
|
#
|
2666
2708
|
# This field appears in the response only when the `KeyUsage` of the
|
2667
2709
|
# public key is `SIGN_VERIFY`.
|
@@ -2673,6 +2715,7 @@ module Aws::KMS
|
|
2673
2715
|
:key_id,
|
2674
2716
|
:public_key,
|
2675
2717
|
:customer_master_key_spec,
|
2718
|
+
:key_spec,
|
2676
2719
|
:key_usage,
|
2677
2720
|
:encryption_algorithms,
|
2678
2721
|
:signing_algorithms)
|
@@ -2684,11 +2727,11 @@ module Aws::KMS
|
|
2684
2727
|
# only when the operation request includes the specified [encryption
|
2685
2728
|
# context][2].
|
2686
2729
|
#
|
2687
|
-
#
|
2730
|
+
# KMS applies the grant constraints only to cryptographic operations
|
2688
2731
|
# that support an encryption context, that is, all cryptographic
|
2689
|
-
# operations with a [symmetric
|
2732
|
+
# operations with a [symmetric KMS key][3]. Grant constraints are not
|
2690
2733
|
# applied to operations that do not support an encryption context, such
|
2691
|
-
# as cryptographic operations with asymmetric
|
2734
|
+
# as cryptographic operations with asymmetric KMS keys and management
|
2692
2735
|
# operations, such as DescribeKey or RetireGrant.
|
2693
2736
|
#
|
2694
2737
|
# In a cryptographic operation, the encryption context in the decryption
|
@@ -2703,8 +2746,8 @@ module Aws::KMS
|
|
2703
2746
|
# differ only by case. To require a fully case-sensitive encryption
|
2704
2747
|
# context, use the `kms:EncryptionContext:` and
|
2705
2748
|
# `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
|
2706
|
-
# details, see [kms:EncryptionContext:][4] in the <i> <i>
|
2707
|
-
#
|
2749
|
+
# details, see [kms:EncryptionContext:][4] in the <i> <i>Key Management
|
2750
|
+
# Service Developer Guide</i> </i>.
|
2708
2751
|
#
|
2709
2752
|
#
|
2710
2753
|
#
|
@@ -2760,8 +2803,7 @@ module Aws::KMS
|
|
2760
2803
|
# Contains information about a grant.
|
2761
2804
|
#
|
2762
2805
|
# @!attribute [rw] key_id
|
2763
|
-
# The unique identifier for the
|
2764
|
-
# grant applies.
|
2806
|
+
# The unique identifier for the KMS key to which the grant applies.
|
2765
2807
|
# @return [String]
|
2766
2808
|
#
|
2767
2809
|
# @!attribute [rw] grant_id
|
@@ -2783,10 +2825,10 @@ module Aws::KMS
|
|
2783
2825
|
#
|
2784
2826
|
# The `GranteePrincipal` field in the `ListGrants` response usually
|
2785
2827
|
# contains the user or role designated as the grantee principal in the
|
2786
|
-
# grant. However, when the grantee principal in the grant is an
|
2787
|
-
# service, the `GranteePrincipal` field contains the
|
2788
|
-
# principal][1], which might represent several different
|
2789
|
-
# principals.
|
2828
|
+
# grant. However, when the grantee principal in the grant is an Amazon
|
2829
|
+
# Web Services service, the `GranteePrincipal` field contains the
|
2830
|
+
# [service principal][1], which might represent several different
|
2831
|
+
# grantee principals.
|
2790
2832
|
#
|
2791
2833
|
#
|
2792
2834
|
#
|
@@ -2798,7 +2840,7 @@ module Aws::KMS
|
|
2798
2840
|
# @return [String]
|
2799
2841
|
#
|
2800
2842
|
# @!attribute [rw] issuing_account
|
2801
|
-
# The
|
2843
|
+
# The Amazon Web Services account under which the grant was issued.
|
2802
2844
|
# @return [String]
|
2803
2845
|
#
|
2804
2846
|
# @!attribute [rw] operations
|
@@ -2838,12 +2880,12 @@ module Aws::KMS
|
|
2838
2880
|
# }
|
2839
2881
|
#
|
2840
2882
|
# @!attribute [rw] key_id
|
2841
|
-
# The identifier of the symmetric
|
2842
|
-
# material. The
|
2843
|
-
# same
|
2844
|
-
# GetParametersForImport request.
|
2883
|
+
# The identifier of the symmetric KMS key that receives the imported
|
2884
|
+
# key material. The KMS key's `Origin` must be `EXTERNAL`. This must
|
2885
|
+
# be the same KMS key specified in the `KeyID` parameter of the
|
2886
|
+
# corresponding GetParametersForImport request.
|
2845
2887
|
#
|
2846
|
-
# Specify the key ID or key ARN of the
|
2888
|
+
# Specify the key ID or key ARN of the KMS key.
|
2847
2889
|
#
|
2848
2890
|
# For example:
|
2849
2891
|
#
|
@@ -2852,7 +2894,7 @@ module Aws::KMS
|
|
2852
2894
|
# * Key ARN:
|
2853
2895
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2854
2896
|
#
|
2855
|
-
# To get the key ID and key ARN for a
|
2897
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
2856
2898
|
# DescribeKey.
|
2857
2899
|
# @return [String]
|
2858
2900
|
#
|
@@ -2872,7 +2914,7 @@ module Aws::KMS
|
|
2872
2914
|
#
|
2873
2915
|
# @!attribute [rw] valid_to
|
2874
2916
|
# The time at which the imported key material expires. When the key
|
2875
|
-
# material expires,
|
2917
|
+
# material expires, KMS deletes the key material and the KMS key
|
2876
2918
|
# becomes unusable. You must omit this parameter when the
|
2877
2919
|
# `ExpirationModel` parameter is set to
|
2878
2920
|
# `KEY_MATERIAL_DOES_NOT_EXPIRE`. Otherwise it is required.
|
@@ -2902,10 +2944,10 @@ module Aws::KMS
|
|
2902
2944
|
#
|
2903
2945
|
class ImportKeyMaterialResponse < Aws::EmptyStructure; end
|
2904
2946
|
|
2905
|
-
# The request was rejected because the specified
|
2906
|
-
# data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
2907
|
-
# ReEncrypt request must identify the same
|
2908
|
-
# the ciphertext.
|
2947
|
+
# The request was rejected because the specified KMS key cannot decrypt
|
2948
|
+
# the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in a
|
2949
|
+
# ReEncrypt request must identify the same KMS key that was used to
|
2950
|
+
# encrypt the ciphertext.
|
2909
2951
|
#
|
2910
2952
|
# @!attribute [rw] message
|
2911
2953
|
# @return [String]
|
@@ -2920,7 +2962,7 @@ module Aws::KMS
|
|
2920
2962
|
|
2921
2963
|
# The request was rejected because the key material in the request is,
|
2922
2964
|
# expired, invalid, or is not the same key material that was previously
|
2923
|
-
# imported into this
|
2965
|
+
# imported into this KMS key.
|
2924
2966
|
#
|
2925
2967
|
# @!attribute [rw] message
|
2926
2968
|
# @return [String]
|
@@ -2934,8 +2976,8 @@ module Aws::KMS
|
|
2934
2976
|
end
|
2935
2977
|
|
2936
2978
|
# The request was rejected because the trust anchor certificate in the
|
2937
|
-
# request is not the trust anchor certificate for the specified
|
2938
|
-
#
|
2979
|
+
# request is not the trust anchor certificate for the specified CloudHSM
|
2980
|
+
# cluster.
|
2939
2981
|
#
|
2940
2982
|
# When you [initialize the cluster][1], you create the trust anchor
|
2941
2983
|
# certificate and save it in the `customerCA.crt` file.
|
@@ -2989,7 +3031,7 @@ module Aws::KMS
|
|
2989
3031
|
# corrupted, missing, or otherwise invalid.
|
2990
3032
|
#
|
2991
3033
|
# From the ImportKeyMaterial operation, the request was rejected because
|
2992
|
-
#
|
3034
|
+
# KMS could not decrypt the encrypted (wrapped) key material.
|
2993
3035
|
#
|
2994
3036
|
# @!attribute [rw] message
|
2995
3037
|
# @return [String]
|
@@ -3030,7 +3072,7 @@ module Aws::KMS
|
|
3030
3072
|
end
|
3031
3073
|
|
3032
3074
|
# The request was rejected because the provided import token is invalid
|
3033
|
-
# or is associated with a different
|
3075
|
+
# or is associated with a different KMS key.
|
3034
3076
|
#
|
3035
3077
|
# @!attribute [rw] message
|
3036
3078
|
# @return [String]
|
@@ -3045,20 +3087,20 @@ module Aws::KMS
|
|
3045
3087
|
|
3046
3088
|
# The request was rejected for one of the following reasons:
|
3047
3089
|
#
|
3048
|
-
# * The `KeyUsage` value of the
|
3090
|
+
# * The `KeyUsage` value of the KMS key is incompatible with the API
|
3049
3091
|
# operation.
|
3050
3092
|
#
|
3051
3093
|
# * The encryption algorithm or signing algorithm specified for the
|
3052
|
-
# operation is incompatible with the type of key material in the
|
3053
|
-
# `(
|
3094
|
+
# operation is incompatible with the type of key material in the KMS
|
3095
|
+
# key `(KeySpec`).
|
3054
3096
|
#
|
3055
3097
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
3056
3098
|
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying,
|
3057
|
-
# the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a
|
3058
|
-
# use the DescribeKey operation.
|
3099
|
+
# the `KeyUsage` must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS
|
3100
|
+
# key, use the DescribeKey operation.
|
3059
3101
|
#
|
3060
3102
|
# To find the encryption or signing algorithms supported for a
|
3061
|
-
# particular
|
3103
|
+
# particular KMS key, use the DescribeKey operation.
|
3062
3104
|
#
|
3063
3105
|
# @!attribute [rw] message
|
3064
3106
|
# @return [String]
|
@@ -3101,8 +3143,8 @@ module Aws::KMS
|
|
3101
3143
|
|
3102
3144
|
# The request was rejected because the signature verification failed.
|
3103
3145
|
# Signature verification fails when it cannot confirm that signature was
|
3104
|
-
# produced by signing the specified message with the specified
|
3105
|
-
# signing algorithm.
|
3146
|
+
# produced by signing the specified message with the specified KMS key
|
3147
|
+
# and signing algorithm.
|
3106
3148
|
#
|
3107
3149
|
# @!attribute [rw] message
|
3108
3150
|
# @return [String]
|
@@ -3118,9 +3160,9 @@ module Aws::KMS
|
|
3118
3160
|
# The request was rejected because the state of the specified resource
|
3119
3161
|
# is not valid for this request.
|
3120
3162
|
#
|
3121
|
-
# For more information about how key state affects the use of a
|
3122
|
-
# [
|
3123
|
-
#
|
3163
|
+
# For more information about how key state affects the use of a KMS key,
|
3164
|
+
# see [Key state: Effect on your KMS key][1] in the <i> <i>Key
|
3165
|
+
# Management Service Developer Guide</i> </i>.
|
3124
3166
|
#
|
3125
3167
|
#
|
3126
3168
|
#
|
@@ -3156,23 +3198,24 @@ module Aws::KMS
|
|
3156
3198
|
include Aws::Structure
|
3157
3199
|
end
|
3158
3200
|
|
3159
|
-
# Contains metadata about a
|
3201
|
+
# Contains metadata about a KMS key.
|
3160
3202
|
#
|
3161
3203
|
# This data type is used as a response element for the CreateKey and
|
3162
3204
|
# DescribeKey operations.
|
3163
3205
|
#
|
3164
3206
|
# @!attribute [rw] aws_account_id
|
3165
|
-
# The twelve-digit account ID of the
|
3207
|
+
# The twelve-digit account ID of the Amazon Web Services account that
|
3208
|
+
# owns the KMS key.
|
3166
3209
|
# @return [String]
|
3167
3210
|
#
|
3168
3211
|
# @!attribute [rw] key_id
|
3169
|
-
# The globally unique identifier for the
|
3212
|
+
# The globally unique identifier for the KMS key.
|
3170
3213
|
# @return [String]
|
3171
3214
|
#
|
3172
3215
|
# @!attribute [rw] arn
|
3173
|
-
# The Amazon Resource Name (ARN) of the
|
3174
|
-
# Key Management Service (
|
3175
|
-
#
|
3216
|
+
# The Amazon Resource Name (ARN) of the KMS key. For examples, see
|
3217
|
+
# [Key Management Service (KMS)][1] in the Example ARNs section of the
|
3218
|
+
# *Amazon Web Services General Reference*.
|
3176
3219
|
#
|
3177
3220
|
#
|
3178
3221
|
#
|
@@ -3180,20 +3223,20 @@ module Aws::KMS
|
|
3180
3223
|
# @return [String]
|
3181
3224
|
#
|
3182
3225
|
# @!attribute [rw] creation_date
|
3183
|
-
# The date and time when the
|
3226
|
+
# The date and time when the KMS key was created.
|
3184
3227
|
# @return [Time]
|
3185
3228
|
#
|
3186
3229
|
# @!attribute [rw] enabled
|
3187
|
-
# Specifies whether the
|
3188
|
-
# this value is true, otherwise it is false.
|
3230
|
+
# Specifies whether the KMS key is enabled. When `KeyState` is
|
3231
|
+
# `Enabled` this value is true, otherwise it is false.
|
3189
3232
|
# @return [Boolean]
|
3190
3233
|
#
|
3191
3234
|
# @!attribute [rw] description
|
3192
|
-
# The description of the
|
3235
|
+
# The description of the KMS key.
|
3193
3236
|
# @return [String]
|
3194
3237
|
#
|
3195
3238
|
# @!attribute [rw] key_usage
|
3196
|
-
# The [cryptographic operations][1] for which you can use the
|
3239
|
+
# The [cryptographic operations][1] for which you can use the KMS key.
|
3197
3240
|
#
|
3198
3241
|
#
|
3199
3242
|
#
|
@@ -3201,11 +3244,11 @@ module Aws::KMS
|
|
3201
3244
|
# @return [String]
|
3202
3245
|
#
|
3203
3246
|
# @!attribute [rw] key_state
|
3204
|
-
# The current status of the
|
3247
|
+
# The current status of the KMS key.
|
3205
3248
|
#
|
3206
|
-
# For more information about how key state affects the use of a
|
3207
|
-
# see [Key state: Effect on your
|
3208
|
-
# Service Developer Guide*.
|
3249
|
+
# For more information about how key state affects the use of a KMS
|
3250
|
+
# key, see [Key state: Effect on your KMS key][1] in the *Key
|
3251
|
+
# Management Service Developer Guide*.
|
3209
3252
|
#
|
3210
3253
|
#
|
3211
3254
|
#
|
@@ -3213,8 +3256,8 @@ module Aws::KMS
|
|
3213
3256
|
# @return [String]
|
3214
3257
|
#
|
3215
3258
|
# @!attribute [rw] deletion_date
|
3216
|
-
# The date and time after which
|
3217
|
-
# is present only when the
|
3259
|
+
# The date and time after which KMS deletes this KMS key. This value
|
3260
|
+
# is present only when the KMS key is scheduled for deletion, that is,
|
3218
3261
|
# when its `KeyState` is `PendingDeletion`.
|
3219
3262
|
#
|
3220
3263
|
# When the primary key in a multi-Region key is scheduled for deletion
|
@@ -3225,25 +3268,25 @@ module Aws::KMS
|
|
3225
3268
|
#
|
3226
3269
|
# @!attribute [rw] valid_to
|
3227
3270
|
# The time at which the imported key material expires. When the key
|
3228
|
-
# material expires,
|
3229
|
-
# becomes unusable. This value is present only for
|
3230
|
-
# is `EXTERNAL` and whose `ExpirationModel` is
|
3231
|
-
# otherwise this value is omitted.
|
3271
|
+
# material expires, KMS deletes the key material and the KMS key
|
3272
|
+
# becomes unusable. This value is present only for KMS keys whose
|
3273
|
+
# `Origin` is `EXTERNAL` and whose `ExpirationModel` is
|
3274
|
+
# `KEY_MATERIAL_EXPIRES`, otherwise this value is omitted.
|
3232
3275
|
# @return [Time]
|
3233
3276
|
#
|
3234
3277
|
# @!attribute [rw] origin
|
3235
|
-
# The source of the
|
3236
|
-
#
|
3237
|
-
# key material was imported
|
3238
|
-
#
|
3239
|
-
#
|
3240
|
-
#
|
3278
|
+
# The source of the key material for the KMS key. When this value is
|
3279
|
+
# `AWS_KMS`, KMS created the key material. When this value is
|
3280
|
+
# `EXTERNAL`, the key material was imported or the KMS key doesn't
|
3281
|
+
# have any key material. When this value is `AWS_CLOUDHSM`, the key
|
3282
|
+
# material was created in the CloudHSM cluster associated with a
|
3283
|
+
# custom key store.
|
3241
3284
|
# @return [String]
|
3242
3285
|
#
|
3243
3286
|
# @!attribute [rw] custom_key_store_id
|
3244
3287
|
# A unique identifier for the [custom key store][1] that contains the
|
3245
|
-
#
|
3246
|
-
# key store.
|
3288
|
+
# KMS key. This value is present only when the KMS key is created in a
|
3289
|
+
# custom key store.
|
3247
3290
|
#
|
3248
3291
|
#
|
3249
3292
|
#
|
@@ -3251,11 +3294,11 @@ module Aws::KMS
|
|
3251
3294
|
# @return [String]
|
3252
3295
|
#
|
3253
3296
|
# @!attribute [rw] cloud_hsm_cluster_id
|
3254
|
-
# The cluster ID of the
|
3255
|
-
# material for the
|
3256
|
-
# store][1],
|
3257
|
-
# associated
|
3258
|
-
#
|
3297
|
+
# The cluster ID of the CloudHSM cluster that contains the key
|
3298
|
+
# material for the KMS key. When you create a KMS key in a [custom key
|
3299
|
+
# store][1], KMS creates the key material for the KMS key in the
|
3300
|
+
# associated CloudHSM cluster. This value is present only when the KMS
|
3301
|
+
# key is created in a custom key store.
|
3259
3302
|
#
|
3260
3303
|
#
|
3261
3304
|
#
|
@@ -3263,49 +3306,57 @@ module Aws::KMS
|
|
3263
3306
|
# @return [String]
|
3264
3307
|
#
|
3265
3308
|
# @!attribute [rw] expiration_model
|
3266
|
-
# Specifies whether the
|
3309
|
+
# Specifies whether the KMS key's key material expires. This value is
|
3267
3310
|
# present only when `Origin` is `EXTERNAL`, otherwise this value is
|
3268
3311
|
# omitted.
|
3269
3312
|
# @return [String]
|
3270
3313
|
#
|
3271
3314
|
# @!attribute [rw] key_manager
|
3272
|
-
# The manager of the
|
3273
|
-
#
|
3274
|
-
# see [
|
3275
|
-
# Developer Guide*.
|
3315
|
+
# The manager of the KMS key. KMS keys in your Amazon Web Services
|
3316
|
+
# account are either customer managed or Amazon Web Services managed.
|
3317
|
+
# For more information about the difference, see [KMS keys][1] in the
|
3318
|
+
# *Key Management Service Developer Guide*.
|
3276
3319
|
#
|
3277
3320
|
#
|
3278
3321
|
#
|
3279
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
3322
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys
|
3280
3323
|
# @return [String]
|
3281
3324
|
#
|
3282
3325
|
# @!attribute [rw] customer_master_key_spec
|
3283
|
-
#
|
3326
|
+
# Instead, use the `KeySpec` field.
|
3327
|
+
#
|
3328
|
+
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
3329
|
+
# value. We recommend that you use the `KeySpec` field in your code.
|
3330
|
+
# However, to avoid breaking changes, KMS will support both fields.
|
3331
|
+
# @return [String]
|
3332
|
+
#
|
3333
|
+
# @!attribute [rw] key_spec
|
3334
|
+
# Describes the type of key material in the KMS key.
|
3284
3335
|
# @return [String]
|
3285
3336
|
#
|
3286
3337
|
# @!attribute [rw] encryption_algorithms
|
3287
|
-
# The encryption algorithms that the
|
3288
|
-
#
|
3338
|
+
# The encryption algorithms that the KMS key supports. You cannot use
|
3339
|
+
# the KMS key with other encryption algorithms within KMS.
|
3289
3340
|
#
|
3290
|
-
# This value is present only when the `KeyUsage` of the
|
3341
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
3291
3342
|
# `ENCRYPT_DECRYPT`.
|
3292
3343
|
# @return [Array<String>]
|
3293
3344
|
#
|
3294
3345
|
# @!attribute [rw] signing_algorithms
|
3295
|
-
# The signing algorithms that the
|
3296
|
-
# with other signing algorithms within
|
3346
|
+
# The signing algorithms that the KMS key supports. You cannot use the
|
3347
|
+
# KMS key with other signing algorithms within KMS.
|
3297
3348
|
#
|
3298
|
-
# This field appears only when the `KeyUsage` of the
|
3349
|
+
# This field appears only when the `KeyUsage` of the KMS key is
|
3299
3350
|
# `SIGN_VERIFY`.
|
3300
3351
|
# @return [Array<String>]
|
3301
3352
|
#
|
3302
3353
|
# @!attribute [rw] multi_region
|
3303
|
-
# Indicates whether the
|
3354
|
+
# Indicates whether the KMS key is a multi-Region (`True`) or regional
|
3304
3355
|
# (`False`) key. This value is `True` for multi-Region primary and
|
3305
|
-
# replica
|
3356
|
+
# replica keys and `False` for regional KMS keys.
|
3306
3357
|
#
|
3307
3358
|
# For more information about multi-Region keys, see [Using
|
3308
|
-
# multi-Region keys][1] in the *
|
3359
|
+
# multi-Region keys][1] in the *Key Management Service Developer
|
3309
3360
|
# Guide*.
|
3310
3361
|
#
|
3311
3362
|
#
|
@@ -3314,32 +3365,33 @@ module Aws::KMS
|
|
3314
3365
|
# @return [Boolean]
|
3315
3366
|
#
|
3316
3367
|
# @!attribute [rw] multi_region_configuration
|
3317
|
-
# Lists the primary and replica
|
3368
|
+
# Lists the primary and replica keys in same multi-Region key. This
|
3318
3369
|
# field is present only when the value of the `MultiRegion` field is
|
3319
3370
|
# `True`.
|
3320
3371
|
#
|
3321
|
-
# For more information about any listed
|
3372
|
+
# For more information about any listed KMS key, use the DescribeKey
|
3322
3373
|
# operation.
|
3323
3374
|
#
|
3324
|
-
# * `MultiRegionKeyType` indicates whether the
|
3325
|
-
# `REPLICA` key.
|
3375
|
+
# * `MultiRegionKeyType` indicates whether the KMS key is a `PRIMARY`
|
3376
|
+
# or `REPLICA` key.
|
3326
3377
|
#
|
3327
3378
|
# * `PrimaryKey` displays the key ARN and Region of the primary key.
|
3328
|
-
# This field displays the current
|
3379
|
+
# This field displays the current KMS key if it is the primary key.
|
3329
3380
|
#
|
3330
3381
|
# * `ReplicaKeys` displays the key ARNs and Regions of all replica
|
3331
|
-
# keys. This field includes the current
|
3382
|
+
# keys. This field includes the current KMS key if it is a replica
|
3383
|
+
# key.
|
3332
3384
|
# @return [Types::MultiRegionConfiguration]
|
3333
3385
|
#
|
3334
3386
|
# @!attribute [rw] pending_deletion_window_in_days
|
3335
3387
|
# The waiting period before the primary key in a multi-Region key is
|
3336
3388
|
# deleted. This waiting period begins when the last of its replica
|
3337
3389
|
# keys is deleted. This value is present only when the `KeyState` of
|
3338
|
-
# the
|
3339
|
-
# the primary key in a multi-Region key, it is scheduled for
|
3340
|
-
# and it still has existing replica keys.
|
3390
|
+
# the KMS key is `PendingReplicaDeletion`. That indicates that the KMS
|
3391
|
+
# key is the primary key in a multi-Region key, it is scheduled for
|
3392
|
+
# deletion, and it still has existing replica keys.
|
3341
3393
|
#
|
3342
|
-
# When a
|
3394
|
+
# When a single-Region KMS key or a multi-Region replica key is
|
3343
3395
|
# scheduled for deletion, its deletion date is displayed in the
|
3344
3396
|
# `DeletionDate` field. However, when the primary key in a
|
3345
3397
|
# multi-Region key is scheduled for deletion, its waiting period
|
@@ -3369,6 +3421,7 @@ module Aws::KMS
|
|
3369
3421
|
:expiration_model,
|
3370
3422
|
:key_manager,
|
3371
3423
|
:customer_master_key_spec,
|
3424
|
+
:key_spec,
|
3372
3425
|
:encryption_algorithms,
|
3373
3426
|
:signing_algorithms,
|
3374
3427
|
:multi_region,
|
@@ -3378,8 +3431,8 @@ module Aws::KMS
|
|
3378
3431
|
include Aws::Structure
|
3379
3432
|
end
|
3380
3433
|
|
3381
|
-
# The request was rejected because the specified
|
3382
|
-
# You can retry the request.
|
3434
|
+
# The request was rejected because the specified KMS key was not
|
3435
|
+
# available. You can retry the request.
|
3383
3436
|
#
|
3384
3437
|
# @!attribute [rw] message
|
3385
3438
|
# @return [String]
|
@@ -3393,8 +3446,8 @@ module Aws::KMS
|
|
3393
3446
|
end
|
3394
3447
|
|
3395
3448
|
# The request was rejected because a quota was exceeded. For more
|
3396
|
-
# information, see [Quotas][1] in the *
|
3397
|
-
#
|
3449
|
+
# information, see [Quotas][1] in the *Key Management Service Developer
|
3450
|
+
# Guide*.
|
3398
3451
|
#
|
3399
3452
|
#
|
3400
3453
|
#
|
@@ -3421,13 +3474,13 @@ module Aws::KMS
|
|
3421
3474
|
# }
|
3422
3475
|
#
|
3423
3476
|
# @!attribute [rw] key_id
|
3424
|
-
# Lists only aliases that are associated with the specified
|
3425
|
-
# a
|
3477
|
+
# Lists only aliases that are associated with the specified KMS key.
|
3478
|
+
# Enter a KMS key in your Amazon Web Services account.
|
3426
3479
|
#
|
3427
3480
|
# This parameter is optional. If you omit it, `ListAliases` returns
|
3428
3481
|
# all aliases in the account and Region.
|
3429
3482
|
#
|
3430
|
-
# Specify the key ID or key ARN of the
|
3483
|
+
# Specify the key ID or key ARN of the KMS key.
|
3431
3484
|
#
|
3432
3485
|
# For example:
|
3433
3486
|
#
|
@@ -3436,13 +3489,13 @@ module Aws::KMS
|
|
3436
3489
|
# * Key ARN:
|
3437
3490
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3438
3491
|
#
|
3439
|
-
# To get the key ID and key ARN for a
|
3492
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3440
3493
|
# DescribeKey.
|
3441
3494
|
# @return [String]
|
3442
3495
|
#
|
3443
3496
|
# @!attribute [rw] limit
|
3444
3497
|
# Use this parameter to specify the maximum number of items to return.
|
3445
|
-
# When this value is present,
|
3498
|
+
# When this value is present, KMS does not return more than the
|
3446
3499
|
# specified number of items, but it might return fewer.
|
3447
3500
|
#
|
3448
3501
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3505,7 +3558,7 @@ module Aws::KMS
|
|
3505
3558
|
#
|
3506
3559
|
# @!attribute [rw] limit
|
3507
3560
|
# Use this parameter to specify the maximum number of items to return.
|
3508
|
-
# When this value is present,
|
3561
|
+
# When this value is present, KMS does not return more than the
|
3509
3562
|
# specified number of items, but it might return fewer.
|
3510
3563
|
#
|
3511
3564
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3520,11 +3573,12 @@ module Aws::KMS
|
|
3520
3573
|
# @return [String]
|
3521
3574
|
#
|
3522
3575
|
# @!attribute [rw] key_id
|
3523
|
-
# Returns only grants for the specified
|
3524
|
-
#
|
3576
|
+
# Returns only grants for the specified KMS key. This parameter is
|
3577
|
+
# required.
|
3525
3578
|
#
|
3526
|
-
# Specify the key ID or key ARN of the
|
3527
|
-
# different
|
3579
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
3580
|
+
# in a different Amazon Web Services account, you must use the key
|
3581
|
+
# ARN.
|
3528
3582
|
#
|
3529
3583
|
# For example:
|
3530
3584
|
#
|
@@ -3533,7 +3587,7 @@ module Aws::KMS
|
|
3533
3587
|
# * Key ARN:
|
3534
3588
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3535
3589
|
#
|
3536
|
-
# To get the key ID and key ARN for a
|
3590
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3537
3591
|
# DescribeKey.
|
3538
3592
|
# @return [String]
|
3539
3593
|
#
|
@@ -3595,10 +3649,9 @@ module Aws::KMS
|
|
3595
3649
|
# }
|
3596
3650
|
#
|
3597
3651
|
# @!attribute [rw] key_id
|
3598
|
-
# Gets the names of key policies for the specified
|
3599
|
-
# (CMK).
|
3652
|
+
# Gets the names of key policies for the specified KMS key.
|
3600
3653
|
#
|
3601
|
-
# Specify the key ID or key ARN of the
|
3654
|
+
# Specify the key ID or key ARN of the KMS key.
|
3602
3655
|
#
|
3603
3656
|
# For example:
|
3604
3657
|
#
|
@@ -3607,13 +3660,13 @@ module Aws::KMS
|
|
3607
3660
|
# * Key ARN:
|
3608
3661
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3609
3662
|
#
|
3610
|
-
# To get the key ID and key ARN for a
|
3663
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3611
3664
|
# DescribeKey.
|
3612
3665
|
# @return [String]
|
3613
3666
|
#
|
3614
3667
|
# @!attribute [rw] limit
|
3615
3668
|
# Use this parameter to specify the maximum number of items to return.
|
3616
|
-
# When this value is present,
|
3669
|
+
# When this value is present, KMS does not return more than the
|
3617
3670
|
# specified number of items, but it might return fewer.
|
3618
3671
|
#
|
3619
3672
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3675,7 +3728,7 @@ module Aws::KMS
|
|
3675
3728
|
#
|
3676
3729
|
# @!attribute [rw] limit
|
3677
3730
|
# Use this parameter to specify the maximum number of items to return.
|
3678
|
-
# When this value is present,
|
3731
|
+
# When this value is present, KMS does not return more than the
|
3679
3732
|
# specified number of items, but it might return fewer.
|
3680
3733
|
#
|
3681
3734
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3699,7 +3752,7 @@ module Aws::KMS
|
|
3699
3752
|
end
|
3700
3753
|
|
3701
3754
|
# @!attribute [rw] keys
|
3702
|
-
# A list of
|
3755
|
+
# A list of KMS keys.
|
3703
3756
|
# @return [Array<Types::KeyListEntry>]
|
3704
3757
|
#
|
3705
3758
|
# @!attribute [rw] next_marker
|
@@ -3734,9 +3787,9 @@ module Aws::KMS
|
|
3734
3787
|
# }
|
3735
3788
|
#
|
3736
3789
|
# @!attribute [rw] key_id
|
3737
|
-
# Gets tags on the specified
|
3790
|
+
# Gets tags on the specified KMS key.
|
3738
3791
|
#
|
3739
|
-
# Specify the key ID or key ARN of the
|
3792
|
+
# Specify the key ID or key ARN of the KMS key.
|
3740
3793
|
#
|
3741
3794
|
# For example:
|
3742
3795
|
#
|
@@ -3745,13 +3798,13 @@ module Aws::KMS
|
|
3745
3798
|
# * Key ARN:
|
3746
3799
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3747
3800
|
#
|
3748
|
-
# To get the key ID and key ARN for a
|
3801
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3749
3802
|
# DescribeKey.
|
3750
3803
|
# @return [String]
|
3751
3804
|
#
|
3752
3805
|
# @!attribute [rw] limit
|
3753
3806
|
# Use this parameter to specify the maximum number of items to return.
|
3754
|
-
# When this value is present,
|
3807
|
+
# When this value is present, KMS does not return more than the
|
3755
3808
|
# specified number of items, but it might return fewer.
|
3756
3809
|
#
|
3757
3810
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3780,8 +3833,8 @@ module Aws::KMS
|
|
3780
3833
|
# @!attribute [rw] tags
|
3781
3834
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
3782
3835
|
#
|
3783
|
-
# <note markdown="1"> Tagging or untagging a
|
3784
|
-
# For details, see [Using ABAC in
|
3836
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
3837
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
3785
3838
|
# Management Service Developer Guide*.
|
3786
3839
|
#
|
3787
3840
|
# </note>
|
@@ -3826,7 +3879,7 @@ module Aws::KMS
|
|
3826
3879
|
#
|
3827
3880
|
# @!attribute [rw] limit
|
3828
3881
|
# Use this parameter to specify the maximum number of items to return.
|
3829
|
-
# When this value is present,
|
3882
|
+
# When this value is present, KMS does not return more than the
|
3830
3883
|
# specified number of items, but it might return fewer.
|
3831
3884
|
#
|
3832
3885
|
# This value is optional. If you include a value, it must be between 1
|
@@ -3842,12 +3895,13 @@ module Aws::KMS
|
|
3842
3895
|
#
|
3843
3896
|
# @!attribute [rw] retiring_principal
|
3844
3897
|
# The retiring principal for which to list grants. Enter a principal
|
3845
|
-
# in your
|
3898
|
+
# in your Amazon Web Services account.
|
3846
3899
|
#
|
3847
3900
|
# To specify the retiring principal, use the [Amazon Resource Name
|
3848
|
-
# (ARN)][1] of an
|
3849
|
-
# accounts (root), IAM
|
3850
|
-
#
|
3901
|
+
# (ARN)][1] of an Amazon Web Services principal. Valid Amazon Web
|
3902
|
+
# Services principals include Amazon Web Services accounts (root), IAM
|
3903
|
+
# users, federated users, and assumed role users. For examples of the
|
3904
|
+
# ARN syntax for specifying a principal, see [Amazon Web Services
|
3851
3905
|
# Identity and Access Management (IAM)][2] in the Example ARNs section
|
3852
3906
|
# of the *Amazon Web Services General Reference*.
|
3853
3907
|
#
|
@@ -3881,25 +3935,25 @@ module Aws::KMS
|
|
3881
3935
|
include Aws::Structure
|
3882
3936
|
end
|
3883
3937
|
|
3884
|
-
# Describes the configuration of this multi-Region
|
3885
|
-
# appears only when the
|
3886
|
-
#
|
3938
|
+
# Describes the configuration of this multi-Region key. This field
|
3939
|
+
# appears only when the KMS key is a primary or replica of a
|
3940
|
+
# multi-Region key.
|
3887
3941
|
#
|
3888
|
-
# For more information about any listed
|
3942
|
+
# For more information about any listed KMS key, use the DescribeKey
|
3889
3943
|
# operation.
|
3890
3944
|
#
|
3891
3945
|
# @!attribute [rw] multi_region_key_type
|
3892
|
-
# Indicates whether the
|
3946
|
+
# Indicates whether the KMS key is a `PRIMARY` or `REPLICA` key.
|
3893
3947
|
# @return [String]
|
3894
3948
|
#
|
3895
3949
|
# @!attribute [rw] primary_key
|
3896
3950
|
# Displays the key ARN and Region of the primary key. This field
|
3897
|
-
# includes the current
|
3951
|
+
# includes the current KMS key if it is the primary key.
|
3898
3952
|
# @return [Types::MultiRegionKey]
|
3899
3953
|
#
|
3900
3954
|
# @!attribute [rw] replica_keys
|
3901
3955
|
# displays the key ARNs and Regions of all replica keys. This field
|
3902
|
-
# includes the current
|
3956
|
+
# includes the current KMS key if it is a replica key.
|
3903
3957
|
# @return [Array<Types::MultiRegionKey>]
|
3904
3958
|
#
|
3905
3959
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionConfiguration AWS API Documentation
|
@@ -3920,8 +3974,8 @@ module Aws::KMS
|
|
3920
3974
|
# @return [String]
|
3921
3975
|
#
|
3922
3976
|
# @!attribute [rw] region
|
3923
|
-
# Displays the
|
3924
|
-
# multi-Region key.
|
3977
|
+
# Displays the Amazon Web Services Region of a primary or replica key
|
3978
|
+
# in a multi-Region key.
|
3925
3979
|
# @return [String]
|
3926
3980
|
#
|
3927
3981
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/MultiRegionKey AWS API Documentation
|
@@ -3958,9 +4012,9 @@ module Aws::KMS
|
|
3958
4012
|
# }
|
3959
4013
|
#
|
3960
4014
|
# @!attribute [rw] key_id
|
3961
|
-
# Sets the key policy on the specified
|
4015
|
+
# Sets the key policy on the specified KMS key.
|
3962
4016
|
#
|
3963
|
-
# Specify the key ID or key ARN of the
|
4017
|
+
# Specify the key ID or key ARN of the KMS key.
|
3964
4018
|
#
|
3965
4019
|
# For example:
|
3966
4020
|
#
|
@@ -3969,7 +4023,7 @@ module Aws::KMS
|
|
3969
4023
|
# * Key ARN:
|
3970
4024
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3971
4025
|
#
|
3972
|
-
# To get the key ID and key ARN for a
|
4026
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3973
4027
|
# DescribeKey.
|
3974
4028
|
# @return [String]
|
3975
4029
|
#
|
@@ -3978,31 +4032,31 @@ module Aws::KMS
|
|
3978
4032
|
# @return [String]
|
3979
4033
|
#
|
3980
4034
|
# @!attribute [rw] policy
|
3981
|
-
# The key policy to attach to the
|
4035
|
+
# The key policy to attach to the KMS key.
|
3982
4036
|
#
|
3983
4037
|
# The key policy must meet the following criteria:
|
3984
4038
|
#
|
3985
4039
|
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
3986
4040
|
# key policy must allow the principal that is making the
|
3987
4041
|
# `PutKeyPolicy` request to make a subsequent `PutKeyPolicy` request
|
3988
|
-
# on the
|
4042
|
+
# on the KMS key. This reduces the risk that the KMS key becomes
|
3989
4043
|
# unmanageable. For more information, refer to the scenario in the
|
3990
|
-
# [Default Key Policy][1] section of the *
|
4044
|
+
# [Default Key Policy][1] section of the *Key Management Service
|
3991
4045
|
# Developer Guide*.
|
3992
4046
|
#
|
3993
4047
|
# * Each statement in the key policy must contain one or more
|
3994
4048
|
# principals. The principals in the key policy must exist and be
|
3995
|
-
# visible to
|
3996
|
-
# example, an IAM user or role), you might need to
|
3997
|
-
# before including the new principal in a key policy
|
3998
|
-
# principal might not be immediately visible to
|
3999
|
-
# information, see [Changes that I make are not always
|
4000
|
-
# visible][2] in the *
|
4001
|
-
# Guide*.
|
4049
|
+
# visible to KMS. When you create a new Amazon Web Services
|
4050
|
+
# principal (for example, an IAM user or role), you might need to
|
4051
|
+
# enforce a delay before including the new principal in a key policy
|
4052
|
+
# because the new principal might not be immediately visible to KMS.
|
4053
|
+
# For more information, see [Changes that I make are not always
|
4054
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
4055
|
+
# Access Management User Guide*.
|
4002
4056
|
#
|
4003
4057
|
# The key policy cannot exceed 32 kilobytes (32768 bytes). For more
|
4004
|
-
# information, see [Resource Quotas][3] in the *
|
4005
|
-
#
|
4058
|
+
# information, see [Resource Quotas][3] in the *Key Management Service
|
4059
|
+
# Developer Guide*.
|
4006
4060
|
#
|
4007
4061
|
#
|
4008
4062
|
#
|
@@ -4015,16 +4069,16 @@ module Aws::KMS
|
|
4015
4069
|
# A flag to indicate whether to bypass the key policy lockout safety
|
4016
4070
|
# check.
|
4017
4071
|
#
|
4018
|
-
# Setting this value to true increases the risk that the
|
4019
|
-
# unmanageable. Do not set this value to true
|
4072
|
+
# Setting this value to true increases the risk that the KMS key
|
4073
|
+
# becomes unmanageable. Do not set this value to true
|
4074
|
+
# indiscriminately.
|
4020
4075
|
#
|
4021
4076
|
# For more information, refer to the scenario in the [Default Key
|
4022
|
-
# Policy][1] section in the *
|
4023
|
-
# Guide*.
|
4077
|
+
# Policy][1] section in the *Key Management Service Developer Guide*.
|
4024
4078
|
#
|
4025
4079
|
# Use this parameter only when you intend to prevent the principal
|
4026
4080
|
# that is making the request from making a subsequent `PutKeyPolicy`
|
4027
|
-
# request on the
|
4081
|
+
# request on the KMS key.
|
4028
4082
|
#
|
4029
4083
|
# The default value is false.
|
4030
4084
|
#
|
@@ -4076,9 +4130,9 @@ module Aws::KMS
|
|
4076
4130
|
# encryption context to encrypt data, you must specify the same (an
|
4077
4131
|
# exact case-sensitive match) encryption context to decrypt the data.
|
4078
4132
|
# An encryption context is optional when encrypting with a symmetric
|
4079
|
-
#
|
4133
|
+
# KMS key, but it is highly recommended.
|
4080
4134
|
#
|
4081
|
-
# For more information, see [Encryption Context][1] in the *
|
4135
|
+
# For more information, see [Encryption Context][1] in the *Key
|
4082
4136
|
# Management Service Developer Guide*.
|
4083
4137
|
#
|
4084
4138
|
#
|
@@ -4087,20 +4141,21 @@ module Aws::KMS
|
|
4087
4141
|
# @return [Hash<String,String>]
|
4088
4142
|
#
|
4089
4143
|
# @!attribute [rw] source_key_id
|
4090
|
-
# Specifies the
|
4091
|
-
#
|
4092
|
-
#
|
4144
|
+
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
4145
|
+
# before it is re-encrypted. Enter a key ID of the KMS key that was
|
4146
|
+
# used to encrypt the ciphertext.
|
4093
4147
|
#
|
4094
4148
|
# This parameter is required only when the ciphertext was encrypted
|
4095
|
-
# under an asymmetric
|
4096
|
-
# get the
|
4097
|
-
# blob. However, it is always recommended as a best
|
4098
|
-
# practice ensures that you use the
|
4099
|
-
#
|
4100
|
-
#
|
4101
|
-
#
|
4102
|
-
#
|
4103
|
-
#
|
4149
|
+
# under an asymmetric KMS key. If you used a symmetric KMS key, KMS
|
4150
|
+
# can get the KMS key from metadata that it adds to the symmetric
|
4151
|
+
# ciphertext blob. However, it is always recommended as a best
|
4152
|
+
# practice. This practice ensures that you use the KMS key that you
|
4153
|
+
# intend.
|
4154
|
+
#
|
4155
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4156
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4157
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4158
|
+
# the key ARN or alias ARN.
|
4104
4159
|
#
|
4105
4160
|
# For example:
|
4106
4161
|
#
|
@@ -4113,20 +4168,20 @@ module Aws::KMS
|
|
4113
4168
|
#
|
4114
4169
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4115
4170
|
#
|
4116
|
-
# To get the key ID and key ARN for a
|
4171
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4117
4172
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
4118
4173
|
# @return [String]
|
4119
4174
|
#
|
4120
4175
|
# @!attribute [rw] destination_key_id
|
4121
|
-
# A unique identifier for the
|
4122
|
-
# Specify a symmetric or asymmetric
|
4123
|
-
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a
|
4124
|
-
# DescribeKey operation.
|
4125
|
-
#
|
4126
|
-
# To specify a
|
4127
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
4128
|
-
#
|
4129
|
-
# ARN.
|
4176
|
+
# A unique identifier for the KMS key that is used to reencrypt the
|
4177
|
+
# data. Specify a symmetric or asymmetric KMS key with a `KeyUsage`
|
4178
|
+
# value of `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a KMS
|
4179
|
+
# key, use the DescribeKey operation.
|
4180
|
+
#
|
4181
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4182
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4183
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4184
|
+
# the key ARN or alias ARN.
|
4130
4185
|
#
|
4131
4186
|
# For example:
|
4132
4187
|
#
|
@@ -4139,7 +4194,7 @@ module Aws::KMS
|
|
4139
4194
|
#
|
4140
4195
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4141
4196
|
#
|
4142
|
-
# To get the key ID and key ARN for a
|
4197
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4143
4198
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
4144
4199
|
# @return [String]
|
4145
4200
|
#
|
@@ -4148,17 +4203,17 @@ module Aws::KMS
|
|
4148
4203
|
# data.
|
4149
4204
|
#
|
4150
4205
|
# A destination encryption context is valid only when the destination
|
4151
|
-
#
|
4152
|
-
# asymmetric
|
4206
|
+
# KMS key is a symmetric KMS key. The standard ciphertext format for
|
4207
|
+
# asymmetric KMS keys does not include fields for metadata.
|
4153
4208
|
#
|
4154
4209
|
# An *encryption context* is a collection of non-secret key-value
|
4155
4210
|
# pairs that represents additional authenticated data. When you use an
|
4156
4211
|
# encryption context to encrypt data, you must specify the same (an
|
4157
4212
|
# exact case-sensitive match) encryption context to decrypt the data.
|
4158
4213
|
# An encryption context is optional when encrypting with a symmetric
|
4159
|
-
#
|
4214
|
+
# KMS key, but it is highly recommended.
|
4160
4215
|
#
|
4161
|
-
# For more information, see [Encryption Context][1] in the *
|
4216
|
+
# For more information, see [Encryption Context][1] in the *Key
|
4162
4217
|
# Management Service Developer Guide*.
|
4163
4218
|
#
|
4164
4219
|
#
|
@@ -4167,26 +4222,26 @@ module Aws::KMS
|
|
4167
4222
|
# @return [Hash<String,String>]
|
4168
4223
|
#
|
4169
4224
|
# @!attribute [rw] source_encryption_algorithm
|
4170
|
-
# Specifies the encryption algorithm that
|
4171
|
-
#
|
4172
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
4173
|
-
#
|
4225
|
+
# Specifies the encryption algorithm that KMS will use to decrypt the
|
4226
|
+
# ciphertext before it is reencrypted. The default value,
|
4227
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric KMS
|
4228
|
+
# keys.
|
4174
4229
|
#
|
4175
4230
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
4176
4231
|
# If you specify a different algorithm, the decrypt attempt fails.
|
4177
4232
|
#
|
4178
4233
|
# This parameter is required only when the ciphertext was encrypted
|
4179
|
-
# under an asymmetric
|
4234
|
+
# under an asymmetric KMS key.
|
4180
4235
|
# @return [String]
|
4181
4236
|
#
|
4182
4237
|
# @!attribute [rw] destination_encryption_algorithm
|
4183
|
-
# Specifies the encryption algorithm that
|
4184
|
-
#
|
4238
|
+
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
4239
|
+
# data after it has decrypted it. The default value,
|
4185
4240
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
4186
|
-
# symmetric
|
4241
|
+
# symmetric KMS keys.
|
4187
4242
|
#
|
4188
|
-
# This parameter is required only when the destination
|
4189
|
-
# asymmetric
|
4243
|
+
# This parameter is required only when the destination KMS key is an
|
4244
|
+
# asymmetric KMS key.
|
4190
4245
|
# @return [String]
|
4191
4246
|
#
|
4192
4247
|
# @!attribute [rw] grant_tokens
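Review bot: The rewritten `destination_encryption_algorithm` docstring (new line 4238) misspells "reencrypt" as "reecrypt"; the line should read `# Specifies the encryption algorithm that KMS will use to reencrypt the`. The sibling `source_encryption_algorithm` text in the same hunk spells "reencrypted" correctly, so the two attributes are otherwise inconsistent. Since this file appears to be generated from the service API model, the correction presumably needs to land in the upstream model documentation rather than by hand-editing types.rb.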
|
@@ -4194,12 +4249,13 @@ module Aws::KMS
|
|
4194
4249
|
#
|
4195
4250
|
# Use a grant token when your permission to call this operation comes
|
4196
4251
|
# from a new grant that has not yet achieved *eventual consistency*.
|
4197
|
-
# For more information, see [Grant token][1]
|
4198
|
-
# Management Service Developer Guide*.
|
4252
|
+
# For more information, see [Grant token][1] and [Using a grant
|
4253
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
4199
4254
|
#
|
4200
4255
|
#
|
4201
4256
|
#
|
4202
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4257
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4258
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4203
4259
|
# @return [Array<String>]
|
4204
4260
|
#
|
4205
4261
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
|
@@ -4218,17 +4274,19 @@ module Aws::KMS
|
|
4218
4274
|
end
|
4219
4275
|
|
4220
4276
|
# @!attribute [rw] ciphertext_blob
|
4221
|
-
# The reencrypted data. When you use the HTTP API or the
|
4222
|
-
# value is Base64-encoded. Otherwise, it is not
|
4277
|
+
# The reencrypted data. When you use the HTTP API or the Amazon Web
|
4278
|
+
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
4279
|
+
# Base64-encoded.
|
4223
4280
|
# @return [String]
|
4224
4281
|
#
|
4225
4282
|
# @!attribute [rw] source_key_id
|
4226
|
-
# Unique identifier of the
|
4283
|
+
# Unique identifier of the KMS key used to originally encrypt the
|
4284
|
+
# data.
|
4227
4285
|
# @return [String]
|
4228
4286
|
#
|
4229
4287
|
# @!attribute [rw] key_id
|
4230
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
4231
|
-
# reencrypt the data.
|
4288
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key that was used
|
4289
|
+
# to reencrypt the data.
|
4232
4290
|
#
|
4233
4291
|
#
|
4234
4292
|
#
|
@@ -4275,7 +4333,7 @@ module Aws::KMS
|
|
4275
4333
|
#
|
4276
4334
|
# @!attribute [rw] key_id
|
4277
4335
|
# Identifies the multi-Region primary key that is being replicated. To
|
4278
|
-
# determine whether a
|
4336
|
+
# determine whether a KMS key is a multi-Region primary key, use the
|
4279
4337
|
# DescribeKey operation to check the value of the `MultiRegionKeyType`
|
4280
4338
|
# property.
|
4281
4339
|
#
|
@@ -4288,29 +4346,30 @@ module Aws::KMS
|
|
4288
4346
|
# * Key ARN:
|
4289
4347
|
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
4290
4348
|
#
|
4291
|
-
# To get the key ID and key ARN for a
|
4349
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4292
4350
|
# DescribeKey.
|
4293
4351
|
# @return [String]
|
4294
4352
|
#
|
4295
4353
|
# @!attribute [rw] replica_region
|
4296
|
-
# The Region ID of the
|
4354
|
+
# The Region ID of the Amazon Web Services Region for this replica
|
4355
|
+
# key.
|
4297
4356
|
#
|
4298
4357
|
# Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
|
4299
|
-
# list of
|
4300
|
-
# service endpoints][1] in the *Amazon Web Services General
|
4358
|
+
# list of Amazon Web Services Regions in which KMS is supported, see
|
4359
|
+
# [KMS service endpoints][1] in the *Amazon Web Services General
|
4301
4360
|
# Reference*.
|
4302
4361
|
#
|
4303
|
-
# The replica must be in a different
|
4304
|
-
# and other replicas of that primary key, but in the
|
4305
|
-
# partition.
|
4306
|
-
# Region is not enabled by default, the
|
4307
|
-
# the Region.
|
4362
|
+
# The replica must be in a different Amazon Web Services Region than
|
4363
|
+
# its primary key and other replicas of that primary key, but in the
|
4364
|
+
# same Amazon Web Services partition. KMS must be available in the
|
4365
|
+
# replica Region. If the Region is not enabled by default, the Amazon
|
4366
|
+
# Web Services account must be enabled in the Region.
|
4308
4367
|
#
|
4309
|
-
# For information about
|
4310
|
-
# (ARNs) in the *Amazon Web Services General
|
4311
|
-
# information about enabling and disabling
|
4312
|
-
# Region][3] and [Disabling a Region][4] in
|
4313
|
-
# General Reference*.
|
4368
|
+
# For information about Amazon Web Services partitions, see [Amazon
|
4369
|
+
# Resource Names (ARNs) in the *Amazon Web Services General
|
4370
|
+
# Reference*.][2] For information about enabling and disabling
|
4371
|
+
# Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
|
4372
|
+
# the *Amazon Web Services General Reference*.
|
4314
4373
|
#
|
4315
4374
|
#
|
4316
4375
|
#
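Review bot: The new ARN link in the `replica_region` docstring (new lines 4368–4370) places the italic guide title and the sentence period inside the link text — `[Amazon Resource Names (ARNs) in the *Amazon Web Services General Reference*.][2]` — so the rendered link carries a trailing period and the title, unlike the `[Enabling a Region][3]` and `[Disabling a Region][4]` links that follow. Closing the link after the term and reflowing would match the rest of the paragraph: `# For information about Amazon Web Services partitions, see [Amazon`, `# Resource Names (ARNs)][2] in the *Amazon Web Services General`, `# Reference*. For information about enabling and disabling`. If this text is generated from the API model, the fix belongs upstream.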
|
@@ -4321,33 +4380,33 @@ module Aws::KMS
|
|
4321
4380
|
# @return [String]
|
4322
4381
|
#
|
4323
4382
|
# @!attribute [rw] policy
|
4324
|
-
# The key policy to attach to the
|
4325
|
-
# you do not provide a key policy,
|
4326
|
-
# policy][1] to the
|
4383
|
+
# The key policy to attach to the KMS key. This parameter is optional.
|
4384
|
+
# If you do not provide a key policy, KMS attaches the [default key
|
4385
|
+
# policy][1] to the KMS key.
|
4327
4386
|
#
|
4328
4387
|
# The key policy is not a shared property of multi-Region keys. You
|
4329
4388
|
# can specify the same key policy or a different key policy for each
|
4330
|
-
# key in a set of related multi-Region keys.
|
4331
|
-
#
|
4389
|
+
# key in a set of related multi-Region keys. KMS does not synchronize
|
4390
|
+
# this property.
|
4332
4391
|
#
|
4333
4392
|
# If you provide a key policy, it must meet the following criteria:
|
4334
4393
|
#
|
4335
4394
|
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
4336
4395
|
# key policy must give the caller `kms:PutKeyPolicy` permission on
|
4337
|
-
# the replica
|
4396
|
+
# the replica key. This reduces the risk that the KMS key becomes
|
4338
4397
|
# unmanageable. For more information, refer to the scenario in the
|
4339
|
-
# [Default Key Policy][2] section of the <i> <i>
|
4398
|
+
# [Default Key Policy][2] section of the <i> <i>Key Management
|
4340
4399
|
# Service Developer Guide</i> </i>.
|
4341
4400
|
#
|
4342
4401
|
# * Each statement in the key policy must contain one or more
|
4343
4402
|
# principals. The principals in the key policy must exist and be
|
4344
|
-
# visible to
|
4345
|
-
# example, an IAM user or role), you might need to
|
4346
|
-
# before including the new principal in a key policy
|
4347
|
-
# principal might not be immediately visible to
|
4348
|
-
# information, see [Changes that I make are not always
|
4349
|
-
# visible][3] in the
|
4350
|
-
# Guide
|
4403
|
+
# visible to KMS. When you create a new Amazon Web Services
|
4404
|
+
# principal (for example, an IAM user or role), you might need to
|
4405
|
+
# enforce a delay before including the new principal in a key policy
|
4406
|
+
# because the new principal might not be immediately visible to KMS.
|
4407
|
+
# For more information, see [Changes that I make are not always
|
4408
|
+
# immediately visible][3] in the <i> <i>Identity and Access
|
4409
|
+
# Management User Guide</i> </i>.
|
4351
4410
|
#
|
4352
4411
|
# * The key policy size quota is 32 kilobytes (32768 bytes).
|
4353
4412
|
#
|
@@ -4362,16 +4421,16 @@ module Aws::KMS
|
|
4362
4421
|
# A flag to indicate whether to bypass the key policy lockout safety
|
4363
4422
|
# check.
|
4364
4423
|
#
|
4365
|
-
# Setting this value to true increases the risk that the
|
4366
|
-
# unmanageable. Do not set this value to true
|
4424
|
+
# Setting this value to true increases the risk that the KMS key
|
4425
|
+
# becomes unmanageable. Do not set this value to true
|
4426
|
+
# indiscriminately.
|
4367
4427
|
#
|
4368
4428
|
# For more information, refer to the scenario in the [Default Key
|
4369
|
-
# Policy][1] section in the *
|
4370
|
-
# Guide*.
|
4429
|
+
# Policy][1] section in the *Key Management Service Developer Guide*.
|
4371
4430
|
#
|
4372
4431
|
# Use this parameter only when you intend to prevent the principal
|
4373
4432
|
# that is making the request from making a subsequent `PutKeyPolicy`
|
4374
|
-
# request on the
|
4433
|
+
# request on the KMS key.
|
4375
4434
|
#
|
4376
4435
|
# The default value is false.
|
4377
4436
|
#
|
@@ -4381,23 +4440,22 @@ module Aws::KMS
|
|
4381
4440
|
# @return [Boolean]
|
4382
4441
|
#
|
4383
4442
|
# @!attribute [rw] description
|
4384
|
-
# A description of the
|
4385
|
-
#
|
4386
|
-
# empty string (no description).
|
4443
|
+
# A description of the KMS key. The default value is an empty string
|
4444
|
+
# (no description).
|
4387
4445
|
#
|
4388
4446
|
# The description is not a shared property of multi-Region keys. You
|
4389
4447
|
# can specify the same description or a different description for each
|
4390
|
-
# key in a set of related multi-Region keys.
|
4391
|
-
#
|
4448
|
+
# key in a set of related multi-Region keys. KMS does not synchronize
|
4449
|
+
# this property.
|
4392
4450
|
# @return [String]
|
4393
4451
|
#
|
4394
4452
|
# @!attribute [rw] tags
|
4395
4453
|
# Assigns one or more tags to the replica key. Use this parameter to
|
4396
|
-
# tag the
|
4397
|
-
# TagResource operation.
|
4454
|
+
# tag the KMS key when it is created. To tag an existing KMS key, use
|
4455
|
+
# the TagResource operation.
|
4398
4456
|
#
|
4399
|
-
# <note markdown="1"> Tagging or untagging a
|
4400
|
-
# For details, see [Using ABAC in
|
4457
|
+
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4458
|
+
# KMS key. For details, see [Using ABAC in KMS][1] in the *Key
|
4401
4459
|
# Management Service Developer Guide*.
|
4402
4460
|
#
|
4403
4461
|
# </note>
|
@@ -4407,18 +4465,18 @@ module Aws::KMS
|
|
4407
4465
|
#
|
4408
4466
|
# Tags are not a shared property of multi-Region keys. You can specify
|
4409
4467
|
# the same tags or different tags for each key in a set of related
|
4410
|
-
# multi-Region keys.
|
4468
|
+
# multi-Region keys. KMS does not synchronize this property.
|
4411
4469
|
#
|
4412
4470
|
# Each tag consists of a tag key and a tag value. Both the tag key and
|
4413
4471
|
# the tag value are required, but the tag value can be an empty (null)
|
4414
|
-
# string. You cannot have more than one tag on a
|
4415
|
-
# key. If you specify an existing tag key with a different tag
|
4416
|
-
#
|
4472
|
+
# string. You cannot have more than one tag on a KMS key with the same
|
4473
|
+
# tag key. If you specify an existing tag key with a different tag
|
4474
|
+
# value, KMS replaces the current tag value with the specified one.
|
4417
4475
|
#
|
4418
|
-
# When you
|
4419
|
-
# allocation report with usage and costs
|
4420
|
-
# also be used to control access to a
|
4421
|
-
# Keys][3].
|
4476
|
+
# When you add tags to an Amazon Web Services resource, Amazon Web
|
4477
|
+
# Services generates a cost allocation report with usage and costs
|
4478
|
+
# aggregated by tags. Tags can also be used to control access to a KMS
|
4479
|
+
# key. For details, see [Tagging Keys][3].
|
4422
4480
|
#
|
4423
4481
|
#
|
4424
4482
|
#
|
@@ -4441,9 +4499,10 @@ module Aws::KMS
|
|
4441
4499
|
end
|
4442
4500
|
|
4443
4501
|
# @!attribute [rw] replica_key_metadata
|
4444
|
-
# Displays details about the new replica
|
4502
|
+
# Displays details about the new replica key, including its Amazon
|
4445
4503
|
# Resource Name ([key ARN][1]) and [key state][2]. It also includes
|
4446
|
-
# the ARN and
|
4504
|
+
# the ARN and Amazon Web Services Region of its primary key and other
|
4505
|
+
# replica keys.
|
4447
4506
|
#
|
4448
4507
|
#
|
4449
4508
|
#
|
@@ -4486,7 +4545,7 @@ module Aws::KMS
|
|
4486
4545
|
# consistency.
|
4487
4546
|
#
|
4488
4547
|
# Only the CreateGrant operation returns a grant token. For details,
|
4489
|
-
# see [Grant token][1] and [Eventual consistency][2] in the *
|
4548
|
+
# see [Grant token][1] and [Eventual consistency][2] in the *Key
|
4490
4549
|
# Management Service Developer Guide*.
|
4491
4550
|
#
|
4492
4551
|
#
|
@@ -4496,8 +4555,8 @@ module Aws::KMS
|
|
4496
4555
|
# @return [String]
|
4497
4556
|
#
|
4498
4557
|
# @!attribute [rw] key_id
|
4499
|
-
# The key ARN
|
4500
|
-
# the ListKeys operation.
|
4558
|
+
# The key ARN KMS key associated with the grant. To find the key ARN,
|
4559
|
+
# use the ListKeys operation.
|
4501
4560
|
#
|
4502
4561
|
# For example:
|
4503
4562
|
# `arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab`
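Review bot: The rewritten `key_id` docstring (new line 4558) reads "The key ARN KMS key associated with the grant", which drops "of the" and is ungrammatical; the line should be `# The key ARN of the KMS key associated with the grant. To find the key ARN,` with the following line unchanged. If this text is generated from the API model, the correction presumably belongs upstream rather than in a hand edit of types.rb.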
|
@@ -4532,12 +4591,13 @@ module Aws::KMS
|
|
4532
4591
|
# }
|
4533
4592
|
#
|
4534
4593
|
# @!attribute [rw] key_id
|
4535
|
-
# A unique identifier for the
|
4536
|
-
#
|
4537
|
-
#
|
4594
|
+
# A unique identifier for the KMS key associated with the grant. To
|
4595
|
+
# get the key ID and key ARN for a KMS key, use ListKeys or
|
4596
|
+
# DescribeKey.
|
4538
4597
|
#
|
4539
|
-
# Specify the key ID or key ARN of the
|
4540
|
-
# different
|
4598
|
+
# Specify the key ID or key ARN of the KMS key. To specify a KMS key
|
4599
|
+
# in a different Amazon Web Services account, you must use the key
|
4600
|
+
# ARN.
|
4541
4601
|
#
|
4542
4602
|
# For example:
|
4543
4603
|
#
|
@@ -4546,7 +4606,7 @@ module Aws::KMS
|
|
4546
4606
|
# * Key ARN:
|
4547
4607
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4548
4608
|
#
|
4549
|
-
# To get the key ID and key ARN for a
|
4609
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4550
4610
|
# DescribeKey.
|
4551
4611
|
# @return [String]
|
4552
4612
|
#
|
@@ -4573,9 +4633,9 @@ module Aws::KMS
|
|
4573
4633
|
# }
|
4574
4634
|
#
|
4575
4635
|
# @!attribute [rw] key_id
|
4576
|
-
# The unique identifier of the
|
4636
|
+
# The unique identifier of the KMS key to delete.
|
4577
4637
|
#
|
4578
|
-
# Specify the key ID or key ARN of the
|
4638
|
+
# Specify the key ID or key ARN of the KMS key.
|
4579
4639
|
#
|
4580
4640
|
# For example:
|
4581
4641
|
#
|
@@ -4584,16 +4644,16 @@ module Aws::KMS
|
|
4584
4644
|
# * Key ARN:
|
4585
4645
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4586
4646
|
#
|
4587
|
-
# To get the key ID and key ARN for a
|
4647
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4588
4648
|
# DescribeKey.
|
4589
4649
|
# @return [String]
|
4590
4650
|
#
|
4591
4651
|
# @!attribute [rw] pending_window_in_days
|
4592
4652
|
# The waiting period, specified in number of days. After the waiting
|
4593
|
-
# period ends,
|
4653
|
+
# period ends, KMS deletes the KMS key.
|
4594
4654
|
#
|
4595
|
-
# If the
|
4596
|
-
# period begins when the last of its replica keys is deleted.
|
4655
|
+
# If the KMS key is a multi-Region primary key with replicas, the
|
4656
|
+
# waiting period begins when the last of its replica keys is deleted.
|
4597
4657
|
# Otherwise, the waiting period begins immediately.
|
4598
4658
|
#
|
4599
4659
|
# This value is optional. If you include a value, it must be between 7
|
@@ -4610,8 +4670,8 @@ module Aws::KMS
|
|
4610
4670
|
end
|
4611
4671
|
|
4612
4672
|
# @!attribute [rw] key_id
|
4613
|
-
# The Amazon Resource Name ([key ARN][1]) of the
|
4614
|
-
# scheduled.
|
4673
|
+
# The Amazon Resource Name ([key ARN][1]) of the KMS key whose
|
4674
|
+
# deletion is scheduled.
|
4615
4675
|
#
|
4616
4676
|
#
|
4617
4677
|
#
|
@@ -4619,20 +4679,19 @@ module Aws::KMS
|
|
4619
4679
|
# @return [String]
|
4620
4680
|
#
|
4621
4681
|
# @!attribute [rw] deletion_date
|
4622
|
-
# The date and time after which
|
4623
|
-
# key (CMK).
|
4682
|
+
# The date and time after which KMS deletes the KMS key.
|
4624
4683
|
#
|
4625
|
-
# If the
|
4684
|
+
# If the KMS key is a multi-Region primary key with replica keys, this
|
4626
4685
|
# field does not appear. The deletion date for the primary key isn't
|
4627
4686
|
# known until its last replica key is deleted.
|
4628
4687
|
# @return [Time]
|
4629
4688
|
#
|
4630
4689
|
# @!attribute [rw] key_state
|
4631
|
-
# The current status of the
|
4690
|
+
# The current status of the KMS key.
|
4632
4691
|
#
|
4633
|
-
# For more information about how key state affects the use of a
|
4634
|
-
# see [Key state: Effect on your
|
4635
|
-
# Service Developer Guide*.
|
4692
|
+
# For more information about how key state affects the use of a KMS
|
4693
|
+
# key, see [Key state: Effect on your KMS key][1] in the *Key
|
4694
|
+
# Management Service Developer Guide*.
|
4636
4695
|
#
|
4637
4696
|
#
|
4638
4697
|
#
|
@@ -4640,10 +4699,10 @@ module Aws::KMS
|
|
4640
4699
|
# @return [String]
|
4641
4700
|
#
|
4642
4701
|
# @!attribute [rw] pending_window_in_days
|
4643
|
-
# The waiting period before the
|
4702
|
+
# The waiting period before the KMS key is deleted.
|
4644
4703
|
#
|
4645
|
-
# If the
|
4646
|
-
# period begins when the last of its replica keys is deleted.
|
4704
|
+
# If the KMS key is a multi-Region primary key with replicas, the
|
4705
|
+
# waiting period begins when the last of its replica keys is deleted.
|
4647
4706
|
# Otherwise, the waiting period begins immediately.
|
4648
4707
|
# @return [Integer]
|
4649
4708
|
#
|
@@ -4670,15 +4729,15 @@ module Aws::KMS
|
|
4670
4729
|
# }
|
4671
4730
|
#
|
4672
4731
|
# @!attribute [rw] key_id
|
4673
|
-
# Identifies an asymmetric
|
4674
|
-
# asymmetric
|
4675
|
-
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a
|
4676
|
-
# DescribeKey operation.
|
4677
|
-
#
|
4678
|
-
# To specify a
|
4679
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
4680
|
-
#
|
4681
|
-
# ARN.
|
4732
|
+
# Identifies an asymmetric KMS key. KMS uses the private key in the
|
4733
|
+
# asymmetric KMS key to sign the message. The `KeyUsage` type of the
|
4734
|
+
# KMS key must be `SIGN_VERIFY`. To find the `KeyUsage` of a KMS key,
|
4735
|
+
# use the DescribeKey operation.
|
4736
|
+
#
|
4737
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4738
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
4739
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
4740
|
+
# the key ARN or alias ARN.
|
4682
4741
|
#
|
4683
4742
|
# For example:
|
4684
4743
|
#
|
@@ -4691,7 +4750,7 @@ module Aws::KMS
|
|
4691
4750
|
#
|
4692
4751
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4693
4752
|
#
|
4694
|
-
# To get the key ID and key ARN for a
|
4753
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4695
4754
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
4696
4755
|
# @return [String]
|
4697
4756
|
#
|
@@ -4699,14 +4758,14 @@ module Aws::KMS
|
|
4699
4758
|
# Specifies the message or message digest to sign. Messages can be
|
4700
4759
|
# 0-4096 bytes. To sign a larger message, provide the message digest.
|
4701
4760
|
#
|
4702
|
-
# If you provide a message,
|
4703
|
-
#
|
4761
|
+
# If you provide a message, KMS generates a hash digest of the message
|
4762
|
+
# and then signs it.
|
4704
4763
|
# @return [String]
|
4705
4764
|
#
|
4706
4765
|
# @!attribute [rw] message_type
|
4707
|
-
# Tells
|
4708
|
-
#
|
4709
|
-
#
|
4766
|
+
# Tells KMS whether the value of the `Message` parameter is a message
|
4767
|
+
# or message digest. The default value, RAW, indicates a message. To
|
4768
|
+
# indicate a message digest, enter `DIGEST`.
|
4710
4769
|
# @return [String]
|
4711
4770
|
#
|
4712
4771
|
# @!attribute [rw] grant_tokens
|
@@ -4714,19 +4773,20 @@ module Aws::KMS
|
|
4714
4773
|
#
|
4715
4774
|
# Use a grant token when your permission to call this operation comes
|
4716
4775
|
# from a new grant that has not yet achieved *eventual consistency*.
|
4717
|
-
# For more information, see [Grant token][1]
|
4718
|
-
# Management Service Developer Guide*.
|
4776
|
+
# For more information, see [Grant token][1] and [Using a grant
|
4777
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
4719
4778
|
#
|
4720
4779
|
#
|
4721
4780
|
#
|
4722
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4781
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
4782
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4723
4783
|
# @return [Array<String>]
|
4724
4784
|
#
|
4725
4785
|
# @!attribute [rw] signing_algorithm
|
4726
4786
|
# Specifies the signing algorithm to use when signing the message.
|
4727
4787
|
#
|
4728
4788
|
# Choose an algorithm that is compatible with the type and size of the
|
4729
|
-
# specified asymmetric
|
4789
|
+
# specified asymmetric KMS key.
|
4730
4790
|
# @return [String]
|
4731
4791
|
#
|
4732
4792
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
@@ -4742,8 +4802,8 @@ module Aws::KMS
|
|
4742
4802
|
end
|
4743
4803
|
|
4744
4804
|
# @!attribute [rw] key_id
|
4745
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
4746
|
-
# was used to sign the message.
|
4805
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
4806
|
+
# that was used to sign the message.
|
4747
4807
|
#
|
4748
4808
|
#
|
4749
4809
|
#
|
@@ -4762,8 +4822,8 @@ module Aws::KMS
|
|
4762
4822
|
# 2.2.3][2]. This is the most commonly used signature format and is
|
4763
4823
|
# appropriate for most uses.
|
4764
4824
|
#
|
4765
|
-
# When you use the HTTP API or the
|
4766
|
-
# Base64-encoded. Otherwise, it is not Base64-encoded.
|
4825
|
+
# When you use the HTTP API or the Amazon Web Services CLI, the value
|
4826
|
+
# is Base64-encoded. Otherwise, it is not Base64-encoded.
|
4767
4827
|
#
|
4768
4828
|
#
|
4769
4829
|
#
|
@@ -4790,8 +4850,8 @@ module Aws::KMS
|
|
4790
4850
|
# (null) strings.
|
4791
4851
|
#
|
4792
4852
|
# For information about the rules that apply to tag keys and tag values,
|
4793
|
-
# see [User-Defined Tag Restrictions][1] in the *
|
4794
|
-
# Management User Guide*.
|
4853
|
+
# see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
|
4854
|
+
# Billing and Cost Management User Guide*.
|
4795
4855
|
#
|
4796
4856
|
#
|
4797
4857
|
#
|
@@ -4849,9 +4909,9 @@ module Aws::KMS
|
|
4849
4909
|
# }
|
4850
4910
|
#
|
4851
4911
|
# @!attribute [rw] key_id
|
4852
|
-
# Identifies a customer managed
|
4912
|
+
# Identifies a customer managed key in the account and Region.
|
4853
4913
|
#
|
4854
|
-
# Specify the key ID or key ARN of the
|
4914
|
+
# Specify the key ID or key ARN of the KMS key.
|
4855
4915
|
#
|
4856
4916
|
# For example:
|
4857
4917
|
#
|
@@ -4860,7 +4920,7 @@ module Aws::KMS
|
|
4860
4920
|
# * Key ARN:
|
4861
4921
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4862
4922
|
#
|
4863
|
-
# To get the key ID and key ARN for a
|
4923
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4864
4924
|
# DescribeKey.
|
4865
4925
|
# @return [String]
|
4866
4926
|
#
|
@@ -4870,9 +4930,9 @@ module Aws::KMS
|
|
4870
4930
|
# Each tag consists of a tag key and a tag value. The tag value can be
|
4871
4931
|
# an empty (null) string.
|
4872
4932
|
#
|
4873
|
-
# You cannot have more than one tag on a
|
4874
|
-
# you specify an existing tag key with a different tag value,
|
4875
|
-
# replaces the current tag value with the specified one.
|
4933
|
+
# You cannot have more than one tag on a KMS key with the same tag
|
4934
|
+
# key. If you specify an existing tag key with a different tag value,
|
4935
|
+
# KMS replaces the current tag value with the specified one.
|
4876
4936
|
# @return [Array<Types::Tag>]
|
4877
4937
|
#
|
4878
4938
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResourceRequest AWS API Documentation
|
@@ -4907,9 +4967,9 @@ module Aws::KMS
|
|
4907
4967
|
# }
|
4908
4968
|
#
|
4909
4969
|
# @!attribute [rw] key_id
|
4910
|
-
# Identifies the
|
4970
|
+
# Identifies the KMS key from which you are removing tags.
|
4911
4971
|
#
|
4912
|
-
# Specify the key ID or key ARN of the
|
4972
|
+
# Specify the key ID or key ARN of the KMS key.
|
4913
4973
|
#
|
4914
4974
|
# For example:
|
4915
4975
|
#
|
@@ -4918,7 +4978,7 @@ module Aws::KMS
|
|
4918
4978
|
# * Key ARN:
|
4919
4979
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4920
4980
|
#
|
4921
|
-
# To get the key ID and key ARN for a
|
4981
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4922
4982
|
# DescribeKey.
|
4923
4983
|
# @return [String]
|
4924
4984
|
#
|
@@ -4944,23 +5004,23 @@ module Aws::KMS
|
|
4944
5004
|
# }
|
4945
5005
|
#
|
4946
5006
|
# @!attribute [rw] alias_name
|
4947
|
-
# Identifies the alias that is changing its
|
4948
|
-
# with `alias/` followed by the alias name, such as
|
5007
|
+
# Identifies the alias that is changing its KMS key. This value must
|
5008
|
+
# begin with `alias/` followed by the alias name, such as
|
4949
5009
|
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
|
4950
5010
|
# name.
|
4951
5011
|
# @return [String]
|
4952
5012
|
#
|
4953
5013
|
# @!attribute [rw] target_key_id
|
4954
|
-
# Identifies the [customer managed
|
4955
|
-
# alias. You don't have permission to associate an alias with an
|
4956
|
-
# managed
|
5014
|
+
# Identifies the [customer managed key][1] to associate with the
|
5015
|
+
# alias. You don't have permission to associate an alias with an
|
5016
|
+
# [Amazon Web Services managed key][2].
|
4957
5017
|
#
|
4958
|
-
# The
|
4959
|
-
# Also, the new target
|
4960
|
-
#
|
4961
|
-
# key usage.
|
5018
|
+
# The KMS key must be in the same Amazon Web Services account and
|
5019
|
+
# Region as the alias. Also, the new target KMS key must be the same
|
5020
|
+
# type as the current target KMS key (both symmetric or both
|
5021
|
+
# asymmetric) and they must have the same key usage.
|
4962
5022
|
#
|
4963
|
-
# Specify the key ID or key ARN of the
|
5023
|
+
# Specify the key ID or key ARN of the KMS key.
|
4964
5024
|
#
|
4965
5025
|
# For example:
|
4966
5026
|
#
|
@@ -4969,10 +5029,10 @@ module Aws::KMS
|
|
4969
5029
|
# * Key ARN:
|
4970
5030
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4971
5031
|
#
|
4972
|
-
# To get the key ID and key ARN for a
|
5032
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
4973
5033
|
# DescribeKey.
|
4974
5034
|
#
|
4975
|
-
# To verify that the alias is mapped to the correct
|
5035
|
+
# To verify that the alias is mapped to the correct KMS key, use
|
4976
5036
|
# ListAliases.
|
4977
5037
|
#
|
4978
5038
|
#
|
@@ -5008,21 +5068,21 @@ module Aws::KMS
|
|
5008
5068
|
#
|
5009
5069
|
# @!attribute [rw] new_custom_key_store_name
|
5010
5070
|
# Changes the friendly name of the custom key store to the value that
|
5011
|
-
# you specify. The custom key store name must be unique in the
|
5012
|
-
# account.
|
5071
|
+
# you specify. The custom key store name must be unique in the Amazon
|
5072
|
+
# Web Services account.
|
5013
5073
|
# @return [String]
|
5014
5074
|
#
|
5015
5075
|
# @!attribute [rw] key_store_password
|
5016
5076
|
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
5017
|
-
#
|
5077
|
+
# CloudHSM cluster that is associated with the custom key store.
|
5018
5078
|
#
|
5019
|
-
# This parameter tells
|
5079
|
+
# This parameter tells KMS the current password of the `kmsuser`
|
5020
5080
|
# crypto user (CU). It does not set or change the password of any
|
5021
|
-
# users in the
|
5081
|
+
# users in the CloudHSM cluster.
|
5022
5082
|
# @return [String]
|
5023
5083
|
#
|
5024
5084
|
# @!attribute [rw] cloud_hsm_cluster_id
|
5025
|
-
# Associates the custom key store with a related
|
5085
|
+
# Associates the custom key store with a related CloudHSM cluster.
|
5026
5086
|
#
|
5027
5087
|
# Enter the cluster ID of the cluster that you used to create the
|
5028
5088
|
# custom key store or a cluster that shares a backup history and has
|
@@ -5063,9 +5123,9 @@ module Aws::KMS
|
|
5063
5123
|
# }
|
5064
5124
|
#
|
5065
5125
|
# @!attribute [rw] key_id
|
5066
|
-
# Updates the description of the specified
|
5126
|
+
# Updates the description of the specified KMS key.
|
5067
5127
|
#
|
5068
|
-
# Specify the key ID or key ARN of the
|
5128
|
+
# Specify the key ID or key ARN of the KMS key.
|
5069
5129
|
#
|
5070
5130
|
# For example:
|
5071
5131
|
#
|
@@ -5074,12 +5134,12 @@ module Aws::KMS
|
|
5074
5134
|
# * Key ARN:
|
5075
5135
|
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
5076
5136
|
#
|
5077
|
-
# To get the key ID and key ARN for a
|
5137
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
5078
5138
|
# DescribeKey.
|
5079
5139
|
# @return [String]
|
5080
5140
|
#
|
5081
5141
|
# @!attribute [rw] description
|
5082
|
-
# New description for the
|
5142
|
+
# New description for the KMS key.
|
5083
5143
|
# @return [String]
|
5084
5144
|
#
|
5085
5145
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
|
@@ -5101,7 +5161,7 @@ module Aws::KMS
|
|
5101
5161
|
#
|
5102
5162
|
# @!attribute [rw] key_id
|
5103
5163
|
# Identifies the current primary key. When the operation completes,
|
5104
|
-
# this
|
5164
|
+
# this KMS key will be a replica key.
|
5105
5165
|
#
|
5106
5166
|
# Specify the key ID or key ARN of a multi-Region primary key.
|
5107
5167
|
#
|
@@ -5112,14 +5172,14 @@ module Aws::KMS
|
|
5112
5172
|
# * Key ARN:
|
5113
5173
|
# `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`
|
5114
5174
|
#
|
5115
|
-
# To get the key ID and key ARN for a
|
5175
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
5116
5176
|
# DescribeKey.
|
5117
5177
|
# @return [String]
|
5118
5178
|
#
|
5119
5179
|
# @!attribute [rw] primary_region
|
5120
|
-
# The
|
5121
|
-
# `us-east-1` or `ap-southeast-2`. There must be an
|
5122
|
-
# key in this Region.
|
5180
|
+
# The Amazon Web Services Region of the new primary key. Enter the
|
5181
|
+
# Region ID, such as `us-east-1` or `ap-southeast-2`. There must be an
|
5182
|
+
# existing replica key in this Region.
|
5123
5183
|
#
|
5124
5184
|
# When the operation completes, the multi-Region key in this Region
|
5125
5185
|
# will be the primary key.
|
@@ -5147,15 +5207,15 @@ module Aws::KMS
|
|
5147
5207
|
# }
|
5148
5208
|
#
|
5149
5209
|
# @!attribute [rw] key_id
|
5150
|
-
# Identifies the asymmetric
|
5151
|
-
# signature. This must be the same
|
5152
|
-
# signature. If you specify a different
|
5210
|
+
# Identifies the asymmetric KMS key that will be used to verify the
|
5211
|
+
# signature. This must be the same KMS key that was used to generate
|
5212
|
+
# the signature. If you specify a different KMS key, the signature
|
5153
5213
|
# verification fails.
|
5154
5214
|
#
|
5155
|
-
# To specify a
|
5156
|
-
# When using an alias name, prefix it with `"alias/"`. To specify
|
5157
|
-
#
|
5158
|
-
# ARN.
|
5215
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
5216
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
5217
|
+
# a KMS key in a different Amazon Web Services account, you must use
|
5218
|
+
# the key ARN or alias ARN.
|
5159
5219
|
#
|
5160
5220
|
# For example:
|
5161
5221
|
#
|
@@ -5168,7 +5228,7 @@ module Aws::KMS
|
|
5168
5228
|
#
|
5169
5229
|
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
5170
5230
|
#
|
5171
|
-
# To get the key ID and key ARN for a
|
5231
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
5172
5232
|
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
5173
5233
|
# @return [String]
|
5174
5234
|
#
|
@@ -5183,9 +5243,9 @@ module Aws::KMS
|
|
5183
5243
|
# @return [String]
|
5184
5244
|
#
|
5185
5245
|
# @!attribute [rw] message_type
|
5186
|
-
# Tells
|
5187
|
-
#
|
5188
|
-
#
|
5246
|
+
# Tells KMS whether the value of the `Message` parameter is a message
|
5247
|
+
# or message digest. The default value, RAW, indicates a message. To
|
5248
|
+
# indicate a message digest, enter `DIGEST`.
|
5189
5249
|
#
|
5190
5250
|
# Use the `DIGEST` value only when the value of the `Message`
|
5191
5251
|
# parameter is a message digest. If you use the `DIGEST` value with a
|
@@ -5207,12 +5267,13 @@ module Aws::KMS
|
|
5207
5267
|
#
|
5208
5268
|
# Use a grant token when your permission to call this operation comes
|
5209
5269
|
# from a new grant that has not yet achieved *eventual consistency*.
|
5210
|
-
# For more information, see [Grant token][1]
|
5211
|
-
# Management Service Developer Guide*.
|
5270
|
+
# For more information, see [Grant token][1] and [Using a grant
|
5271
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
5212
5272
|
#
|
5213
5273
|
#
|
5214
5274
|
#
|
5215
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5275
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
5276
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
5216
5277
|
# @return [Array<String>]
|
5217
5278
|
#
|
5218
5279
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
@@ -5229,8 +5290,8 @@ module Aws::KMS
|
|
5229
5290
|
end
|
5230
5291
|
|
5231
5292
|
# @!attribute [rw] key_id
|
5232
|
-
# The Amazon Resource Name ([key ARN][1]) of the asymmetric
|
5233
|
-
# was used to verify the signature.
|
5293
|
+
# The Amazon Resource Name ([key ARN][1]) of the asymmetric KMS key
|
5294
|
+
# that was used to verify the signature.
|
5234
5295
|
#
|
5235
5296
|
#
|
5236
5297
|
#
|