aws-sdk-kms 1.52.0 → 1.72.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +103 -1
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +3617 -1262
- data/lib/aws-sdk-kms/client_api.rb +246 -7
- data/lib/aws-sdk-kms/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-kms/endpoint_provider.rb +54 -0
- data/lib/aws-sdk-kms/endpoints.rb +716 -0
- data/lib/aws-sdk-kms/errors.rb +224 -0
- data/lib/aws-sdk-kms/plugins/endpoints.rb +168 -0
- data/lib/aws-sdk-kms/types.rb +2211 -970
- data/lib/aws-sdk-kms.rb +5 -1
- metadata +8 -4
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -61,13 +61,6 @@ module Aws::KMS
|
|
61
61
|
include Aws::Structure
|
62
62
|
end
|
63
63
|
|
64
|
-
# @note When making an API call, you may pass CancelKeyDeletionRequest
|
65
|
-
# data as a hash:
|
66
|
-
#
|
67
|
-
# {
|
68
|
-
# key_id: "KeyIdType", # required
|
69
|
-
# }
|
70
|
-
#
|
71
64
|
# @!attribute [rw] key_id
|
72
65
|
# Identifies the KMS key whose deletion is being canceled.
|
73
66
|
#
|
@@ -110,14 +103,14 @@ module Aws::KMS
|
|
110
103
|
end
|
111
104
|
|
112
105
|
# The request was rejected because the specified CloudHSM cluster is
|
113
|
-
# already associated with
|
114
|
-
#
|
115
|
-
# Each
|
116
|
-
# cluster.
|
106
|
+
# already associated with an CloudHSM key store in the account, or it
|
107
|
+
# shares a backup history with an CloudHSM key store in the account.
|
108
|
+
# Each CloudHSM key store in the account must be associated with a
|
109
|
+
# different CloudHSM cluster.
|
117
110
|
#
|
118
|
-
#
|
119
|
-
# certificate. To view the cluster certificate of
|
120
|
-
# [DescribeClusters][1] operation.
|
111
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
112
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
113
|
+
# use the [DescribeClusters][1] operation.
|
121
114
|
#
|
122
115
|
#
|
123
116
|
#
|
@@ -135,22 +128,23 @@ module Aws::KMS
|
|
135
128
|
end
|
136
129
|
|
137
130
|
# The request was rejected because the associated CloudHSM cluster did
|
138
|
-
# not meet the configuration requirements for
|
131
|
+
# not meet the configuration requirements for an CloudHSM key store.
|
139
132
|
#
|
140
|
-
# * The cluster must be configured with private subnets in at
|
141
|
-
# different Availability Zones in the Region.
|
133
|
+
# * The CloudHSM cluster must be configured with private subnets in at
|
134
|
+
# least two different Availability Zones in the Region.
|
142
135
|
#
|
143
136
|
# * The [security group for the cluster][1]
|
144
137
|
# (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
|
145
138
|
# rules and outbound rules that allow TCP traffic on ports 2223-2225.
|
146
139
|
# The **Source** in the inbound rules and the **Destination** in the
|
147
140
|
# outbound rules must match the security group ID. These rules are set
|
148
|
-
# by default when you create the cluster. Do not delete or
|
149
|
-
# them. To get information about a particular security group,
|
150
|
-
# [DescribeSecurityGroups][2] operation.
|
141
|
+
# by default when you create the CloudHSM cluster. Do not delete or
|
142
|
+
# change them. To get information about a particular security group,
|
143
|
+
# use the [DescribeSecurityGroups][2] operation.
|
151
144
|
#
|
152
|
-
# * The cluster must contain at least as many HSMs as the
|
153
|
-
# requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
145
|
+
# * The CloudHSM cluster must contain at least as many HSMs as the
|
146
|
+
# operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
147
|
+
# operation.
|
154
148
|
#
|
155
149
|
# For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
|
156
150
|
# operations, the CloudHSM cluster must have at least two active HSMs,
|
@@ -158,7 +152,7 @@ module Aws::KMS
|
|
158
152
|
# operation, the CloudHSM must contain at least one active HSM.
|
159
153
|
#
|
160
154
|
# For information about the requirements for an CloudHSM cluster that is
|
161
|
-
# associated with
|
155
|
+
# associated with an CloudHSM key store, see [Assemble the
|
162
156
|
# Prerequisites][4] in the *Key Management Service Developer Guide*. For
|
163
157
|
# information about creating a private subnet for an CloudHSM cluster,
|
164
158
|
# see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
|
@@ -184,10 +178,10 @@ module Aws::KMS
|
|
184
178
|
include Aws::Structure
|
185
179
|
end
|
186
180
|
|
187
|
-
# The request was rejected because the CloudHSM cluster
|
188
|
-
#
|
189
|
-
#
|
190
|
-
#
|
181
|
+
# The request was rejected because the CloudHSM cluster associated with
|
182
|
+
# the CloudHSM key store is not active. Initialize and activate the
|
183
|
+
# cluster and try the command again. For detailed instructions, see
|
184
|
+
# [Getting Started][1] in the *CloudHSM User Guide*.
|
191
185
|
#
|
192
186
|
#
|
193
187
|
#
|
@@ -221,16 +215,17 @@ module Aws::KMS
|
|
221
215
|
|
222
216
|
# The request was rejected because the specified CloudHSM cluster has a
|
223
217
|
# different cluster certificate than the original cluster. You cannot
|
224
|
-
# use the operation to specify an unrelated cluster
|
218
|
+
# use the operation to specify an unrelated cluster for an CloudHSM key
|
219
|
+
# store.
|
225
220
|
#
|
226
|
-
# Specify
|
227
|
-
# cluster. This includes clusters that were created from a
|
228
|
-
# current cluster, and clusters that were created from the
|
229
|
-
# that produced the current cluster.
|
221
|
+
# Specify an CloudHSM cluster that shares a backup history with the
|
222
|
+
# original cluster. This includes clusters that were created from a
|
223
|
+
# backup of the current cluster, and clusters that were created from the
|
224
|
+
# same backup that produced the current cluster.
|
230
225
|
#
|
231
|
-
#
|
232
|
-
# certificate. To view the cluster certificate of
|
233
|
-
# [DescribeClusters][1] operation.
|
226
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
227
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
228
|
+
# use the [DescribeClusters][1] operation.
|
234
229
|
#
|
235
230
|
#
|
236
231
|
#
|
@@ -247,13 +242,6 @@ module Aws::KMS
|
|
247
242
|
include Aws::Structure
|
248
243
|
end
|
249
244
|
|
250
|
-
# @note When making an API call, you may pass ConnectCustomKeyStoreRequest
|
251
|
-
# data as a hash:
|
252
|
-
#
|
253
|
-
# {
|
254
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
255
|
-
# }
|
256
|
-
#
|
257
245
|
# @!attribute [rw] custom_key_store_id
|
258
246
|
# Enter the key store ID of the custom key store that you want to
|
259
247
|
# connect. To find the ID of a custom key store, use the
|
@@ -272,18 +260,14 @@ module Aws::KMS
|
|
272
260
|
#
|
273
261
|
class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
|
274
262
|
|
275
|
-
# @note When making an API call, you may pass CreateAliasRequest
|
276
|
-
# data as a hash:
|
277
|
-
#
|
278
|
-
# {
|
279
|
-
# alias_name: "AliasNameType", # required
|
280
|
-
# target_key_id: "KeyIdType", # required
|
281
|
-
# }
|
282
|
-
#
|
283
263
|
# @!attribute [rw] alias_name
|
284
264
|
# Specifies the alias name. This value must begin with `alias/`
|
285
265
|
# followed by a name, such as `alias/ExampleAlias`.
|
286
266
|
#
|
267
|
+
# Do not include confidential or sensitive information in this field.
|
268
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
269
|
+
# other output.
|
270
|
+
#
|
287
271
|
# The `AliasName` value must be string of 1-256 characters. It can
|
288
272
|
# contain only alphanumeric characters, forward slashes (/),
|
289
273
|
# underscores (\_), and dashes (-). The alias name cannot begin with
|
@@ -333,26 +317,24 @@ module Aws::KMS
|
|
333
317
|
include Aws::Structure
|
334
318
|
end
|
335
319
|
|
336
|
-
# @note When making an API call, you may pass CreateCustomKeyStoreRequest
|
337
|
-
# data as a hash:
|
338
|
-
#
|
339
|
-
# {
|
340
|
-
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
341
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType", # required
|
342
|
-
# trust_anchor_certificate: "TrustAnchorCertificateType", # required
|
343
|
-
# key_store_password: "KeyStorePasswordType", # required
|
344
|
-
# }
|
345
|
-
#
|
346
320
|
# @!attribute [rw] custom_key_store_name
|
347
321
|
# Specifies a friendly name for the custom key store. The name must be
|
348
|
-
# unique in your Amazon Web Services account.
|
322
|
+
# unique in your Amazon Web Services account and Region. This
|
323
|
+
# parameter is required for all custom key stores.
|
324
|
+
#
|
325
|
+
# Do not include confidential or sensitive information in this field.
|
326
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
327
|
+
# other output.
|
349
328
|
# @return [String]
|
350
329
|
#
|
351
330
|
# @!attribute [rw] cloud_hsm_cluster_id
|
352
|
-
# Identifies the CloudHSM cluster for
|
353
|
-
#
|
354
|
-
#
|
355
|
-
#
|
331
|
+
# Identifies the CloudHSM cluster for an CloudHSM key store. This
|
332
|
+
# parameter is required for custom key stores with
|
333
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
334
|
+
#
|
335
|
+
# Enter the cluster ID of any active CloudHSM cluster that is not
|
336
|
+
# already associated with a custom key store. To find the cluster ID,
|
337
|
+
# use the [DescribeClusters][1] operation.
|
356
338
|
#
|
357
339
|
#
|
358
340
|
#
|
@@ -360,9 +342,13 @@ module Aws::KMS
|
|
360
342
|
# @return [String]
|
361
343
|
#
|
362
344
|
# @!attribute [rw] trust_anchor_certificate
|
363
|
-
#
|
364
|
-
#
|
365
|
-
#
|
345
|
+
# Specifies the certificate for an CloudHSM key store. This parameter
|
346
|
+
# is required for custom key stores with a `CustomKeyStoreType` of
|
347
|
+
# `AWS_CLOUDHSM`.
|
348
|
+
#
|
349
|
+
# Enter the content of the trust anchor certificate for the CloudHSM
|
350
|
+
# cluster. This is the content of the `customerCA.crt` file that you
|
351
|
+
# created when you [initialized the cluster][1].
|
366
352
|
#
|
367
353
|
#
|
368
354
|
#
|
@@ -370,6 +356,10 @@ module Aws::KMS
|
|
370
356
|
# @return [String]
|
371
357
|
#
|
372
358
|
# @!attribute [rw] key_store_password
|
359
|
+
# Specifies the `kmsuser` password for an CloudHSM key store. This
|
360
|
+
# parameter is required for custom key stores with a
|
361
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
362
|
+
#
|
373
363
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1]
|
374
364
|
# in the specified CloudHSM cluster. KMS logs into the cluster as this
|
375
365
|
# user to manage key material on your behalf.
|
@@ -385,13 +375,167 @@ module Aws::KMS
|
|
385
375
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
386
376
|
# @return [String]
|
387
377
|
#
|
378
|
+
# @!attribute [rw] custom_key_store_type
|
379
|
+
# Specifies the type of custom key store. The default value is
|
380
|
+
# `AWS_CLOUDHSM`.
|
381
|
+
#
|
382
|
+
# For a custom key store backed by an CloudHSM cluster, omit the
|
383
|
+
# parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
|
384
|
+
# an external key manager outside of Amazon Web Services, enter
|
385
|
+
# `EXTERNAL_KEY_STORE`. You cannot change this property after the key
|
386
|
+
# store is created.
|
387
|
+
# @return [String]
|
388
|
+
#
|
389
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
390
|
+
# Specifies the endpoint that KMS uses to send requests to the
|
391
|
+
# external key store proxy (XKS proxy). This parameter is required for
|
392
|
+
# custom key stores with a `CustomKeyStoreType` of
|
393
|
+
# `EXTERNAL_KEY_STORE`.
|
394
|
+
#
|
395
|
+
# The protocol must be HTTPS. KMS communicates on port 443. Do not
|
396
|
+
# specify the port in the `XksProxyUriEndpoint` value.
|
397
|
+
#
|
398
|
+
# For external key stores with `XksProxyConnectivity` value of
|
399
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
400
|
+
# DNS name of the VPC endpoint service.
|
401
|
+
#
|
402
|
+
# For external key stores with `PUBLIC_ENDPOINT` connectivity, this
|
403
|
+
# endpoint must be reachable before you create the custom key store.
|
404
|
+
# KMS connects to the external key store proxy while creating the
|
405
|
+
# custom key store. For external key stores with
|
406
|
+
# `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
|
407
|
+
# ConnectCustomKeyStore operation.
|
408
|
+
#
|
409
|
+
# The value of this parameter must begin with `https://`. The
|
410
|
+
# remainder can contain upper and lower case letters (A-Z and a-z),
|
411
|
+
# numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
|
412
|
+
# (`/` and ``) are not permitted.
|
413
|
+
#
|
414
|
+
# <b>Uniqueness requirements: </b>
|
415
|
+
#
|
416
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
417
|
+
# must be unique in the Amazon Web Services account and Region.
|
418
|
+
#
|
419
|
+
# * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
|
420
|
+
# use the same `XksProxyUriEndpoint` value as an external key store
|
421
|
+
# with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
|
422
|
+
# Services Region.
|
423
|
+
#
|
424
|
+
# * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
|
425
|
+
# must have its own private DNS name. The `XksProxyUriEndpoint`
|
426
|
+
# value for external key stores with `VPC_ENDPOINT_SERVICE`
|
427
|
+
# connectivity (private DNS name) must be unique in the Amazon Web
|
428
|
+
# Services account and Region.
|
429
|
+
# @return [String]
|
430
|
+
#
|
431
|
+
# @!attribute [rw] xks_proxy_uri_path
|
432
|
+
# Specifies the base path to the proxy APIs for this external key
|
433
|
+
# store. To find this value, see the documentation for your external
|
434
|
+
# key store proxy. This parameter is required for all custom key
|
435
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
436
|
+
#
|
437
|
+
# The value must start with `/` and must end with `/kms/xks/v1` where
|
438
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
439
|
+
# This path can include an optional prefix between the required
|
440
|
+
# elements such as `/prefix/kms/xks/v1`.
|
441
|
+
#
|
442
|
+
# <b>Uniqueness requirements: </b>
|
443
|
+
#
|
444
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
445
|
+
# must be unique in the Amazon Web Services account and Region.
|
446
|
+
#
|
447
|
+
# ^
|
448
|
+
# @return [String]
|
449
|
+
#
|
450
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
451
|
+
# Specifies the name of the Amazon VPC endpoint service for interface
|
452
|
+
# endpoints that is used to communicate with your external key store
|
453
|
+
# proxy (XKS proxy). This parameter is required when the value of
|
454
|
+
# `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
|
455
|
+
# `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
|
456
|
+
#
|
457
|
+
# The Amazon VPC endpoint service must [fulfill all requirements][1]
|
458
|
+
# for use with an external key store.
|
459
|
+
#
|
460
|
+
# **Uniqueness requirements:**
|
461
|
+
#
|
462
|
+
# * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
|
463
|
+
# share an Amazon VPC, but each external key store must have its own
|
464
|
+
# VPC endpoint service and private DNS name.
|
465
|
+
#
|
466
|
+
# ^
|
467
|
+
#
|
468
|
+
#
|
469
|
+
#
|
470
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
|
471
|
+
# @return [String]
|
472
|
+
#
|
473
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
474
|
+
# Specifies an authentication credential for the external key store
|
475
|
+
# proxy (XKS proxy). This parameter is required for all custom key
|
476
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
477
|
+
#
|
478
|
+
# The `XksProxyAuthenticationCredential` has two required elements:
|
479
|
+
# `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
|
480
|
+
# identifier for the `RawSecretAccessKey`. For character requirements,
|
481
|
+
# see
|
482
|
+
# [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
|
483
|
+
#
|
484
|
+
# KMS uses this authentication credential to sign requests to the
|
485
|
+
# external key store proxy on your behalf. This credential is
|
486
|
+
# unrelated to Identity and Access Management (IAM) and Amazon Web
|
487
|
+
# Services credentials.
|
488
|
+
#
|
489
|
+
# This parameter doesn't set or change the authentication credentials
|
490
|
+
# on the XKS proxy. It just tells KMS the credential that you
|
491
|
+
# established on your external key store proxy. If you rotate your
|
492
|
+
# proxy authentication credential, use the UpdateCustomKeyStore
|
493
|
+
# operation to provide the new credential to KMS.
|
494
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
495
|
+
#
|
496
|
+
# @!attribute [rw] xks_proxy_connectivity
|
497
|
+
# Indicates how KMS communicates with the external key store proxy.
|
498
|
+
# This parameter is required for custom key stores with a
|
499
|
+
# `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
500
|
+
#
|
501
|
+
# If the external key store proxy uses a public endpoint, specify
|
502
|
+
# `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
|
503
|
+
# endpoint service for communication with KMS, specify
|
504
|
+
# `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
|
505
|
+
# connectivity option][1] in the *Key Management Service Developer
|
506
|
+
# Guide*.
|
507
|
+
#
|
508
|
+
# An Amazon VPC endpoint service keeps your communication with KMS in
|
509
|
+
# a private address space entirely within Amazon Web Services, but it
|
510
|
+
# requires more configuration, including establishing a Amazon VPC
|
511
|
+
# with multiple subnets, a VPC endpoint service, a network load
|
512
|
+
# balancer, and a verified private DNS name. A public endpoint is
|
513
|
+
# simpler to set up, but it might be slower and might not fulfill your
|
514
|
+
# security requirements. You might consider testing with a public
|
515
|
+
# endpoint, and then establishing a VPC endpoint service for
|
516
|
+
# production tasks. Note that this choice does not determine the
|
517
|
+
# location of the external key store proxy. Even if you choose a VPC
|
518
|
+
# endpoint service, the proxy can be hosted within the VPC or outside
|
519
|
+
# of Amazon Web Services such as in your corporate data center.
|
520
|
+
#
|
521
|
+
#
|
522
|
+
#
|
523
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
|
524
|
+
# @return [String]
|
525
|
+
#
|
388
526
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
|
389
527
|
#
|
390
528
|
class CreateCustomKeyStoreRequest < Struct.new(
|
391
529
|
:custom_key_store_name,
|
392
530
|
:cloud_hsm_cluster_id,
|
393
531
|
:trust_anchor_certificate,
|
394
|
-
:key_store_password
|
532
|
+
:key_store_password,
|
533
|
+
:custom_key_store_type,
|
534
|
+
:xks_proxy_uri_endpoint,
|
535
|
+
:xks_proxy_uri_path,
|
536
|
+
:xks_proxy_vpc_endpoint_service_name,
|
537
|
+
:xks_proxy_authentication_credential,
|
538
|
+
:xks_proxy_connectivity)
|
395
539
|
SENSITIVE = [:key_store_password]
|
396
540
|
include Aws::Structure
|
397
541
|
end
|
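Review bot: The new `:xks_proxy_authentication_credential` member of `CreateCustomKeyStoreRequest` carries a secret (`RawSecretAccessKey`, per the attribute doc in this hunk), yet `SENSITIVE = [:key_store_password]` is left unchanged, so redaction of this request in SDK parameter logging depends entirely on `Types::XksProxyAuthenticationCredentialType` declaring its own `SENSITIVE` list, which is outside this hunk. If that nested type does not mark `:raw_secret_access_key` (and preferably `:access_key_id`) as sensitive, the member should be listed here as well: `SENSITIVE = [:key_store_password, :xks_proxy_authentication_credential]`. Separately, the reference link for XksProxyAuthenticationCredentialType is a relative path (`kms/latest/APIReference/...`) rather than a full `https://docs.aws.amazon.com/` URL like every other citation in this file, so it renders as a broken link in YARD output. The sentence about additional slashes in `xks_proxy_uri_endpoint` also has an empty backtick pair where a backslash character was presumably intended.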
@@ -408,26 +552,6 @@ module Aws::KMS
|
|
408
552
|
include Aws::Structure
|
409
553
|
end
|
410
554
|
|
411
|
-
# @note When making an API call, you may pass CreateGrantRequest
|
412
|
-
# data as a hash:
|
413
|
-
#
|
414
|
-
# {
|
415
|
-
# key_id: "KeyIdType", # required
|
416
|
-
# grantee_principal: "PrincipalIdType", # required
|
417
|
-
# retiring_principal: "PrincipalIdType",
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
419
|
-
# constraints: {
|
420
|
-
# encryption_context_subset: {
|
421
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
422
|
-
# },
|
423
|
-
# encryption_context_equals: {
|
424
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
425
|
-
# },
|
426
|
-
# },
|
427
|
-
# grant_tokens: ["GrantTokenType"],
|
428
|
-
# name: "GrantNameType",
|
429
|
-
# }
|
430
|
-
#
|
431
555
|
# @!attribute [rw] key_id
|
432
556
|
# Identifies the KMS key for the grant. The grant gives principals
|
433
557
|
# permission to use this KMS key.
|
@@ -450,18 +574,16 @@ module Aws::KMS
|
|
450
574
|
# @!attribute [rw] grantee_principal
|
451
575
|
# The identity that gets the permissions specified in the grant.
|
452
576
|
#
|
453
|
-
# To specify the principal, use the
|
454
|
-
# an Amazon Web Services principal. Valid
|
455
|
-
#
|
456
|
-
#
|
457
|
-
#
|
458
|
-
#
|
459
|
-
# ARNs section of the *Amazon Web Services General Reference*.
|
577
|
+
# To specify the grantee principal, use the Amazon Resource Name (ARN)
|
578
|
+
# of an Amazon Web Services principal. Valid principals include Amazon
|
579
|
+
# Web Services accounts, IAM users, IAM roles, federated users, and
|
580
|
+
# assumed role users. For help with the ARN syntax for a principal,
|
581
|
+
# see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
|
582
|
+
# Guide</i> </i>.
|
460
583
|
#
|
461
584
|
#
|
462
585
|
#
|
463
|
-
# [1]: https://docs.aws.amazon.com/
|
464
|
-
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
|
586
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
|
465
587
|
# @return [String]
|
466
588
|
#
|
467
589
|
# @!attribute [rw] retiring_principal
|
@@ -469,12 +591,11 @@ module Aws::KMS
|
|
469
591
|
# to retire the grant.
|
470
592
|
#
|
471
593
|
# To specify the principal, use the [Amazon Resource Name (ARN)][1] of
|
472
|
-
# an Amazon Web Services principal. Valid
|
473
|
-
#
|
474
|
-
#
|
475
|
-
#
|
476
|
-
#
|
477
|
-
# of the *Amazon Web Services General Reference*.
|
594
|
+
# an Amazon Web Services principal. Valid principals include Amazon
|
595
|
+
# Web Services accounts, IAM users, IAM roles, federated users, and
|
596
|
+
# assumed role users. For help with the ARN syntax for a principal,
|
597
|
+
# see [IAM ARNs][2] in the <i> <i>Identity and Access Management User
|
598
|
+
# Guide</i> </i>.
|
478
599
|
#
|
479
600
|
# The grant determines the retiring principal. Other principals might
|
480
601
|
# have permission to retire the grant or revoke the grant. For
|
@@ -484,19 +605,20 @@ module Aws::KMS
|
|
484
605
|
#
|
485
606
|
#
|
486
607
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
487
|
-
# [2]: https://docs.aws.amazon.com/
|
608
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
|
488
609
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
489
610
|
# @return [String]
|
490
611
|
#
|
491
612
|
# @!attribute [rw] operations
|
492
613
|
# A list of operations that the grant permits.
|
493
614
|
#
|
494
|
-
#
|
495
|
-
#
|
496
|
-
#
|
497
|
-
#
|
498
|
-
#
|
499
|
-
#
|
615
|
+
# This list must include only operations that are permitted in a
|
616
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
617
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
618
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
619
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
620
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
621
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
500
622
|
#
|
501
623
|
#
|
502
624
|
#
|
@@ -506,30 +628,44 @@ module Aws::KMS
|
|
506
628
|
# @!attribute [rw] constraints
|
507
629
|
# Specifies a grant constraint.
|
508
630
|
#
|
631
|
+
# Do not include confidential or sensitive information in this field.
|
632
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
633
|
+
# other output.
|
634
|
+
#
|
509
635
|
# KMS supports the `EncryptionContextEquals` and
|
510
|
-
# `EncryptionContextSubset` grant constraints
|
511
|
-
#
|
512
|
-
#
|
513
|
-
#
|
514
|
-
#
|
515
|
-
# the encryption context in the request matches
|
516
|
-
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
517
|
-
# the encryption context specified in this structure. For information
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
636
|
+
# `EncryptionContextSubset` grant constraints, which allow the
|
637
|
+
# permissions in the grant only when the encryption context in the
|
638
|
+
# request matches (`EncryptionContextEquals`) or includes
|
639
|
+
# (`EncryptionContextSubset`) the encryption context specified in the
|
640
|
+
# constraint.
|
522
641
|
#
|
523
642
|
# The encryption context grant constraints are supported only on
|
524
|
-
# operations that include an
|
525
|
-
#
|
526
|
-
# with
|
527
|
-
#
|
643
|
+
# [grant operations][1] that include an `EncryptionContext` parameter,
|
644
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
645
|
+
# Grants with grant constraints can include the DescribeKey and
|
646
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
647
|
+
# operations. If a grant with a grant constraint includes the
|
648
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
649
|
+
# created with the `CreateGrant` permission have an equally strict or
|
650
|
+
# stricter encryption context constraint.
|
528
651
|
#
|
652
|
+
# You cannot use an encryption context grant constraint for
|
653
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
654
|
+
# Operations with these keys don't support an encryption context.
|
529
655
|
#
|
656
|
+
# Each constraint value can include up to 8 encryption context pairs.
|
657
|
+
# The encryption context value in each constraint cannot exceed 384
|
658
|
+
# characters. For information about grant constraints, see [Using
|
659
|
+
# grant constraints][2] in the *Key Management Service Developer
|
660
|
+
# Guide*. For more information about encryption context, see
|
661
|
+
# [Encryption context][3] in the <i> <i>Key Management Service
|
662
|
+
# Developer Guide</i> </i>.
|
530
663
|
#
|
531
|
-
#
|
532
|
-
#
|
664
|
+
#
|
665
|
+
#
|
666
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
667
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
668
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
533
669
|
# @return [Types::GrantConstraints]
|
534
670
|
#
|
535
671
|
# @!attribute [rw] grant_tokens
|
@@ -550,6 +686,10 @@ module Aws::KMS
|
|
550
686
|
# A friendly name for the grant. Use this value to prevent the
|
551
687
|
# unintended creation of duplicate grants when retrying this request.
|
552
688
|
#
|
689
|
+
# Do not include confidential or sensitive information in this field.
|
690
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
691
|
+
# other output.
|
692
|
+
#
|
553
693
|
# When this value is absent, all `CreateGrant` requests result in a
|
554
694
|
# new grant with a unique `GrantId` even if all the supplied
|
555
695
|
# parameters are identical. This can result in unintended duplicates
|
@@ -563,6 +703,18 @@ module Aws::KMS
|
|
563
703
|
# the same grant ID can be used interchangeably.
|
564
704
|
# @return [String]
|
565
705
|
#
|
706
|
+
# @!attribute [rw] dry_run
|
707
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
708
|
+
# parameter.
|
709
|
+
#
|
710
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
711
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
712
|
+
#
|
713
|
+
#
|
714
|
+
#
|
715
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
716
|
+
# @return [Boolean]
|
717
|
+
#
|
566
718
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
|
567
719
|
#
|
568
720
|
class CreateGrantRequest < Struct.new(
|
@@ -572,7 +724,8 @@ module Aws::KMS
|
|
572
724
|
:operations,
|
573
725
|
:constraints,
|
574
726
|
:grant_tokens,
|
575
|
-
:name
|
727
|
+
:name,
|
728
|
+
:dry_run)
|
576
729
|
SENSITIVE = []
|
577
730
|
include Aws::Structure
|
578
731
|
end
|
@@ -607,53 +760,30 @@ module Aws::KMS
|
|
607
760
|
include Aws::Structure
|
608
761
|
end
|
609
762
|
|
610
|
-
# @note When making an API call, you may pass CreateKeyRequest
|
611
|
-
# data as a hash:
|
612
|
-
#
|
613
|
-
# {
|
614
|
-
# policy: "PolicyType",
|
615
|
-
# description: "DescriptionType",
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
619
|
-
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
620
|
-
# custom_key_store_id: "CustomKeyStoreIdType",
|
621
|
-
# bypass_policy_lockout_safety_check: false,
|
622
|
-
# tags: [
|
623
|
-
# {
|
624
|
-
# tag_key: "TagKeyType", # required
|
625
|
-
# tag_value: "TagValueType", # required
|
626
|
-
# },
|
627
|
-
# ],
|
628
|
-
# multi_region: false,
|
629
|
-
# }
|
630
|
-
#
|
631
763
|
# @!attribute [rw] policy
|
632
764
|
# The key policy to attach to the KMS key.
|
633
765
|
#
|
634
766
|
# If you provide a key policy, it must meet the following criteria:
|
635
767
|
#
|
636
|
-
# *
|
637
|
-
#
|
638
|
-
#
|
639
|
-
#
|
640
|
-
#
|
641
|
-
#
|
642
|
-
# Guide</i> </i>.
|
768
|
+
# * The key policy must allow the calling principal to make a
|
769
|
+
# subsequent `PutKeyPolicy` request on the KMS key. This reduces the
|
770
|
+
# risk that the KMS key becomes unmanageable. For more information,
|
771
|
+
# see [Default key policy][1] in the *Key Management Service
|
772
|
+
# Developer Guide*. (To omit this condition, set
|
773
|
+
# `BypassPolicyLockoutSafetyCheck` to true.)
|
643
774
|
#
|
644
775
|
# * Each statement in the key policy must contain one or more
|
645
776
|
# principals. The principals in the key policy must exist and be
|
646
777
|
# visible to KMS. When you create a new Amazon Web Services
|
647
|
-
# principal
|
648
|
-
#
|
649
|
-
#
|
650
|
-
#
|
651
|
-
#
|
652
|
-
# Access Management User Guide*.
|
778
|
+
# principal, you might need to enforce a delay before including the
|
779
|
+
# new principal in a key policy because the new principal might not
|
780
|
+
# be immediately visible to KMS. For more information, see [Changes
|
781
|
+
# that I make are not always immediately visible][2] in the *Amazon
|
782
|
+
# Web Services Identity and Access Management User Guide*.
|
653
783
|
#
|
654
784
|
# If you do not provide a key policy, KMS attaches a default key
|
655
|
-
# policy to the KMS key. For more information, see [Default
|
656
|
-
#
|
785
|
+
# policy to the KMS key. For more information, see [Default key
|
786
|
+
# policy][3] in the *Key Management Service Developer Guide*.
|
657
787
|
#
|
658
788
|
# The key policy size quota is 32 kilobytes (32768 bytes).
|
659
789
|
#
|
@@ -663,18 +793,20 @@ module Aws::KMS
|
|
663
793
|
#
|
664
794
|
#
|
665
795
|
#
|
666
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
796
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
667
797
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
668
798
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
669
799
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
670
800
|
# @return [String]
|
671
801
|
#
|
672
802
|
# @!attribute [rw] description
|
673
|
-
# A description of the KMS key.
|
803
|
+
# A description of the KMS key. Use a description that helps you
|
804
|
+
# decide whether the KMS key is appropriate for a task. The default
|
805
|
+
# value is an empty string (no description).
|
674
806
|
#
|
675
|
-
#
|
676
|
-
#
|
677
|
-
#
|
807
|
+
# Do not include confidential or sensitive information in this field.
|
808
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
809
|
+
# other output.
|
678
810
|
#
|
679
811
|
# To set or change the description after the key is created, use
|
680
812
|
# UpdateKeyDescription.
|
@@ -683,20 +815,26 @@ module Aws::KMS
|
|
683
815
|
# @!attribute [rw] key_usage
|
684
816
|
# Determines the [cryptographic operations][1] for which you can use
|
685
817
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
686
|
-
# is
|
687
|
-
#
|
818
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
819
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
820
|
+
# after the KMS key is created.
|
688
821
|
#
|
689
822
|
# Select only one valid value.
|
690
823
|
#
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
824
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
692
825
|
# `ENCRYPT_DECRYPT`.
|
693
826
|
#
|
827
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
828
|
+
#
|
694
829
|
# * For asymmetric KMS keys with RSA key material, specify
|
695
830
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
696
831
|
#
|
697
832
|
# * For asymmetric KMS keys with ECC key material, specify
|
698
833
|
# `SIGN_VERIFY`.
|
699
834
|
#
|
835
|
+
# * For asymmetric KMS keys with SM2 key material (China Regions
|
836
|
+
# only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
837
|
+
#
|
700
838
|
#
|
701
839
|
#
|
702
840
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
@@ -707,41 +845,50 @@ module Aws::KMS
|
|
707
845
|
#
|
708
846
|
# The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
|
709
847
|
# way. Only the names differ. We recommend that you use `KeySpec`
|
710
|
-
# parameter in your code. However, to avoid breaking changes, KMS
|
711
|
-
#
|
848
|
+
# parameter in your code. However, to avoid breaking changes, KMS
|
849
|
+
# supports both parameters.
|
712
850
|
# @return [String]
|
713
851
|
#
|
714
852
|
# @!attribute [rw] key_spec
|
715
853
|
# Specifies the type of KMS key to create. The default value,
|
716
|
-
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit
|
717
|
-
# for encryption and decryption
|
718
|
-
#
|
719
|
-
#
|
854
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
|
855
|
+
# that is used for encryption and decryption, except in China Regions,
|
856
|
+
# where it creates a 128-bit symmetric key that uses SM4 encryption.
|
857
|
+
# For help choosing a key spec for your KMS key, see [Choosing a KMS
|
858
|
+
# key type][1] in the <i> <i>Key Management Service Developer
|
859
|
+
# Guide</i> </i>.
|
720
860
|
#
|
721
861
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
723
|
-
#
|
724
|
-
#
|
725
|
-
#
|
726
|
-
#
|
727
|
-
#
|
728
|
-
#
|
729
|
-
#
|
730
|
-
# [Amazon Web Services services that are integrated with KMS][
|
731
|
-
# symmetric KMS keys to protect your data. These services
|
732
|
-
# support asymmetric KMS keys
|
733
|
-
# is symmetric or asymmetric, see [Identifying Symmetric and
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
735
|
-
# Guide*.
|
862
|
+
# key or an asymmetric key pair. It also determines the algorithms
|
863
|
+
# that the KMS key supports. You can't change the `KeySpec` after the
|
864
|
+
# KMS key is created. To further restrict the algorithms that can be
|
865
|
+
# used with the KMS key, use a condition key in its key policy or IAM
|
866
|
+
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
867
|
+
# [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
|
868
|
+
# <i>Key Management Service Developer Guide</i> </i>.
|
869
|
+
#
|
870
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
871
|
+
# symmetric encryption KMS keys to protect your data. These services
|
872
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
736
873
|
#
|
737
874
|
# KMS supports the following key specs for KMS keys:
|
738
875
|
#
|
739
|
-
# * Symmetric key (default)
|
876
|
+
# * Symmetric encryption key (default)
|
740
877
|
#
|
741
|
-
# * `SYMMETRIC_DEFAULT`
|
878
|
+
# * `SYMMETRIC_DEFAULT`
|
742
879
|
#
|
743
880
|
# ^
|
744
881
|
#
|
882
|
+
# * HMAC keys (symmetric)
|
883
|
+
#
|
884
|
+
# * `HMAC_224`
|
885
|
+
#
|
886
|
+
# * `HMAC_256`
|
887
|
+
#
|
888
|
+
# * `HMAC_384`
|
889
|
+
#
|
890
|
+
# * `HMAC_512`
|
891
|
+
#
|
745
892
|
# * Asymmetric RSA key pairs
|
746
893
|
#
|
747
894
|
# * `RSA_2048`
|
@@ -765,13 +912,19 @@ module Aws::KMS
|
|
765
912
|
#
|
766
913
|
# ^
|
767
914
|
#
|
915
|
+
# * SM2 key pairs (China Regions only)
|
916
|
+
#
|
917
|
+
# * `SM2`
|
918
|
+
#
|
919
|
+
# ^
|
920
|
+
#
|
768
921
|
#
|
769
922
|
#
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
923
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
771
924
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
773
|
-
# [4]:
|
774
|
-
# [5]:
|
925
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
926
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
927
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
775
928
|
# @return [String]
|
776
929
|
#
|
777
930
|
# @!attribute [rw] origin
|
@@ -779,45 +932,48 @@ module Aws::KMS
|
|
779
932
|
# the origin after you create the KMS key. The default is `AWS_KMS`,
|
780
933
|
# which means that KMS creates the key material.
|
781
934
|
#
|
782
|
-
# To create a KMS key with no key material (for imported key
|
783
|
-
# material), set
|
784
|
-
# importing key material into KMS, see [Importing Key Material][
|
785
|
-
# the *Key Management Service Developer Guide*.
|
786
|
-
# only for symmetric KMS keys.
|
935
|
+
# To [create a KMS key with no key material][1] (for imported key
|
936
|
+
# material), set this value to `EXTERNAL`. For more information about
|
937
|
+
# importing key material into KMS, see [Importing Key Material][2] in
|
938
|
+
# the *Key Management Service Developer Guide*. The `EXTERNAL` origin
|
939
|
+
# value is valid only for symmetric KMS keys.
|
787
940
|
#
|
788
|
-
# To create a KMS key in an
|
789
|
-
#
|
941
|
+
# To [create a KMS key in an CloudHSM key store][3] and create its key
|
942
|
+
# material in the associated CloudHSM cluster, set this value to
|
790
943
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
791
|
-
# to identify the
|
792
|
-
#
|
944
|
+
# to identify the CloudHSM key store. The `KeySpec` value must be
|
945
|
+
# `SYMMETRIC_DEFAULT`.
|
946
|
+
#
|
947
|
+
# To [create a KMS key in an external key store][4], set this value to
|
948
|
+
# `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
|
949
|
+
# parameter to identify the external key store and the `XksKeyId`
|
950
|
+
# parameter to identify the associated external key. The `KeySpec`
|
951
|
+
# value must be `SYMMETRIC_DEFAULT`.
|
793
952
|
#
|
794
953
|
#
|
795
954
|
#
|
796
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
797
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
955
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
|
956
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
957
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
|
958
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
|
798
959
|
# @return [String]
|
799
960
|
#
|
800
961
|
# @!attribute [rw] custom_key_store_id
|
801
|
-
# Creates the KMS key in the specified [custom key store][1]
|
802
|
-
#
|
803
|
-
#
|
804
|
-
# with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that is
|
805
|
-
# associated with the custom key store must have at least two active
|
806
|
-
# HSMs, each in a different Availability Zone in the Region.
|
807
|
-
#
|
808
|
-
# This parameter is valid only for symmetric KMS keys and regional KMS
|
809
|
-
# keys. You cannot create an asymmetric KMS key or a multi-Region key
|
810
|
-
# in a custom key store.
|
811
|
-
#
|
812
|
-
# To find the ID of a custom key store, use the
|
962
|
+
# Creates the KMS key in the specified [custom key store][1]. The
|
963
|
+
# `ConnectionState` of the custom key store must be `CONNECTED`. To
|
964
|
+
# find the CustomKeyStoreID and ConnectionState use the
|
813
965
|
# DescribeCustomKeyStores operation.
|
814
966
|
#
|
815
|
-
#
|
816
|
-
#
|
967
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
968
|
+
# single Region. You cannot create any other type of KMS key in a
|
969
|
+
# custom key store.
|
817
970
|
#
|
818
|
-
#
|
819
|
-
#
|
820
|
-
#
|
971
|
+
# When you create a KMS key in an CloudHSM key store, KMS generates a
|
972
|
+
# non-exportable 256-bit symmetric key in its associated CloudHSM
|
973
|
+
# cluster and associates it with the KMS key. When you create a KMS
|
974
|
+
# key in an external key store, you must use the `XksKeyId` parameter
|
975
|
+
# to specify an external key that serves as key material for the KMS
|
976
|
+
# key.
|
821
977
|
#
|
822
978
|
#
|
823
979
|
#
|
@@ -825,26 +981,23 @@ module Aws::KMS
|
|
825
981
|
# @return [String]
|
826
982
|
#
|
827
983
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
828
|
-
#
|
829
|
-
#
|
984
|
+
# Skips ("bypasses") the key policy lockout safety check. The
|
985
|
+
# default value is false.
|
830
986
|
#
|
831
987
|
# Setting this value to true increases the risk that the KMS key
|
832
988
|
# becomes unmanageable. Do not set this value to true
|
833
989
|
# indiscriminately.
|
834
990
|
#
|
835
|
-
# For more information,
|
836
|
-
#
|
837
|
-
# Guide</i> </i>.
|
838
|
-
#
|
839
|
-
# Use this parameter only when you include a policy in the request and
|
840
|
-
# you intend to prevent the principal that is making the request from
|
841
|
-
# making a subsequent PutKeyPolicy request on the KMS key.
|
991
|
+
# For more information, see [Default key policy][1] in the *Key
|
992
|
+
# Management Service Developer Guide*.
|
842
993
|
#
|
843
|
-
#
|
994
|
+
# Use this parameter only when you intend to prevent the principal
|
995
|
+
# that is making the request from making a subsequent PutKeyPolicy
|
996
|
+
# request on the KMS key.
|
844
997
|
#
|
845
998
|
#
|
846
999
|
#
|
847
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
1000
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
848
1001
|
# @return [Boolean]
|
849
1002
|
#
|
850
1003
|
# @!attribute [rw] tags
|
@@ -852,9 +1005,13 @@ module Aws::KMS
|
|
852
1005
|
# the KMS key when it is created. To tag an existing KMS key, use the
|
853
1006
|
# TagResource operation.
|
854
1007
|
#
|
1008
|
+
# Do not include confidential or sensitive information in this field.
|
1009
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
1010
|
+
# other output.
|
1011
|
+
#
|
855
1012
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
856
|
-
# KMS key. For details, see [
|
857
|
-
#
|
1013
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
1014
|
+
# Service Developer Guide*.
|
858
1015
|
#
|
859
1016
|
# </note>
|
860
1017
|
#
|
@@ -895,7 +1052,7 @@ module Aws::KMS
|
|
895
1052
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
896
1053
|
# a different Amazon Web Services Region without re-encrypting the
|
897
1054
|
# data or making a cross-Region call. For more information about
|
898
|
-
# multi-Region keys, see [
|
1055
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
899
1056
|
# Management Service Developer Guide*.
|
900
1057
|
#
|
901
1058
|
# This value creates a *primary key*, not a replica. To create a
|
@@ -910,6 +1067,43 @@ module Aws::KMS
|
|
910
1067
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
911
1068
|
# @return [Boolean]
|
912
1069
|
#
|
1070
|
+
# @!attribute [rw] xks_key_id
|
1071
|
+
# Identifies the [external key][1] that serves as key material for the
|
1072
|
+
# KMS key in an [external key store][2]. Specify the ID that the
|
1073
|
+
# [external key store proxy][3] uses to refer to the external key. For
|
1074
|
+
# help, see the documentation for your external key store proxy.
|
1075
|
+
#
|
1076
|
+
# This parameter is required for a KMS key with an `Origin` value of
|
1077
|
+
# `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
|
1078
|
+
# `Origin` value.
|
1079
|
+
#
|
1080
|
+
# The external key must be an existing 256-bit AES symmetric
|
1081
|
+
# encryption key hosted outside of Amazon Web Services in an external
|
1082
|
+
# key manager associated with the external key store specified by the
|
1083
|
+
# `CustomKeyStoreId` parameter. This key must be enabled and
|
1084
|
+
# configured to perform encryption and decryption. Each KMS key in an
|
1085
|
+
# external key store must use a different external key. For details,
|
1086
|
+
# see [Requirements for a KMS key in an external key store][4] in the
|
1087
|
+
# *Key Management Service Developer Guide*.
|
1088
|
+
#
|
1089
|
+
# Each KMS key in an external key store is associated two backing
|
1090
|
+
# keys. One is key material that KMS generates. The other is the
|
1091
|
+
# external key specified by this parameter. When you use the KMS key
|
1092
|
+
# in an external key store to encrypt data, the encryption operation
|
1093
|
+
# is performed first by KMS using the KMS key material, and then by
|
1094
|
+
# the external key manager using the specified external key, a process
|
1095
|
+
# known as *double encryption*. For details, see [Double
|
1096
|
+
# encryption][5] in the *Key Management Service Developer Guide*.
|
1097
|
+
#
|
1098
|
+
#
|
1099
|
+
#
|
1100
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
1101
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
1102
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
|
1103
|
+
# [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
|
1104
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
|
1105
|
+
# @return [String]
|
1106
|
+
#
|
913
1107
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
914
1108
|
#
|
915
1109
|
class CreateKeyRequest < Struct.new(
|
@@ -922,7 +1116,8 @@ module Aws::KMS
|
|
922
1116
|
:custom_key_store_id,
|
923
1117
|
:bypass_policy_lockout_safety_check,
|
924
1118
|
:tags,
|
925
|
-
:multi_region
|
1119
|
+
:multi_region,
|
1120
|
+
:xks_key_id)
|
926
1121
|
SENSITIVE = []
|
927
1122
|
include Aws::Structure
|
928
1123
|
end
|
@@ -961,18 +1156,29 @@ module Aws::KMS
|
|
961
1156
|
#
|
962
1157
|
# This exception is thrown under the following conditions:
|
963
1158
|
#
|
964
|
-
# * You requested the
|
965
|
-
#
|
966
|
-
#
|
1159
|
+
# * You requested the ConnectCustomKeyStore operation on a custom key
|
1160
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
|
1161
|
+
# operation is valid for all other `ConnectionState` values. To
|
1162
|
+
# reconnect a custom key store in a `FAILED` state, disconnect it
|
1163
|
+
# (DisconnectCustomKeyStore), then connect it
|
1164
|
+
# (`ConnectCustomKeyStore`).
|
1165
|
+
#
|
1166
|
+
# * You requested the CreateKey operation in a custom key store that is
|
1167
|
+
# not connected. This operations is valid only when the custom key
|
1168
|
+
# store `ConnectionState` is `CONNECTED`.
|
1169
|
+
#
|
1170
|
+
# * You requested the DisconnectCustomKeyStore operation on a custom key
|
1171
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
|
1172
|
+
# This operation is valid for all other `ConnectionState` values.
|
967
1173
|
#
|
968
1174
|
# * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
|
969
1175
|
# operation on a custom key store that is not disconnected. This
|
970
1176
|
# operation is valid only when the custom key store `ConnectionState`
|
971
1177
|
# is `DISCONNECTED`.
|
972
1178
|
#
|
973
|
-
# * You requested the
|
974
|
-
#
|
975
|
-
#
|
1179
|
+
# * You requested the GenerateRandom operation in an CloudHSM key store
|
1180
|
+
# that is not connected. This operation is valid only when the
|
1181
|
+
# CloudHSM key store `ConnectionState` is `CONNECTED`.
|
976
1182
|
#
|
977
1183
|
# @!attribute [rw] message
|
978
1184
|
# @return [String]
|
@@ -1027,13 +1233,17 @@ module Aws::KMS
|
|
1027
1233
|
#
|
1028
1234
|
# @!attribute [rw] cloud_hsm_cluster_id
|
1029
1235
|
# A unique identifier for the CloudHSM cluster that is associated with
|
1030
|
-
#
|
1236
|
+
# an CloudHSM key store. This field appears only when the
|
1237
|
+
# `CustomKeyStoreType` is `AWS_CLOUDHSM`.
|
1031
1238
|
# @return [String]
|
1032
1239
|
#
|
1033
1240
|
# @!attribute [rw] trust_anchor_certificate
|
1034
|
-
# The trust anchor certificate of the
|
1035
|
-
# When you [initialize the cluster][1], you
|
1036
|
-
# and save it in the `customerCA.crt` file.
|
1241
|
+
# The trust anchor certificate of the CloudHSM cluster associated with
|
1242
|
+
# an CloudHSM key store. When you [initialize the cluster][1], you
|
1243
|
+
# create this certificate and save it in the `customerCA.crt` file.
|
1244
|
+
#
|
1245
|
+
# This field appears only when the `CustomKeyStoreType` is
|
1246
|
+
# `AWS_CLOUDHSM`.
|
1037
1247
|
#
|
1038
1248
|
#
|
1039
1249
|
#
|
@@ -1041,22 +1251,30 @@ module Aws::KMS
|
|
1041
1251
|
# @return [String]
|
1042
1252
|
#
|
1043
1253
|
# @!attribute [rw] connection_state
|
1044
|
-
# Indicates whether the custom key store is connected to its
|
1045
|
-
#
|
1254
|
+
# Indicates whether the custom key store is connected to its backing
|
1255
|
+
# key store. For an CloudHSM key store, the `ConnectionState`
|
1256
|
+
# indicates whether it is connected to its CloudHSM cluster. For an
|
1257
|
+
# external key store, the `ConnectionState` indicates whether it is
|
1258
|
+
# connected to the external key store proxy that communicates with
|
1259
|
+
# your external key manager.
|
1046
1260
|
#
|
1047
1261
|
# You can create and use KMS keys in your custom key stores only when
|
1048
|
-
# its
|
1049
|
-
#
|
1050
|
-
# The value is `DISCONNECTED` if the key store
|
1051
|
-
# connected or you use the DisconnectCustomKeyStore
|
1052
|
-
# disconnect it. If the value is `CONNECTED` but you are
|
1053
|
-
# trouble using the custom key store, make sure that
|
1054
|
-
#
|
1262
|
+
# its `ConnectionState` is `CONNECTED`.
|
1263
|
+
#
|
1264
|
+
# The `ConnectionState` value is `DISCONNECTED` only if the key store
|
1265
|
+
# has never been connected or you use the DisconnectCustomKeyStore
|
1266
|
+
# operation to disconnect it. If the value is `CONNECTED` but you are
|
1267
|
+
# having trouble using the custom key store, make sure that the
|
1268
|
+
# backing key store is reachable and active. For an CloudHSM key
|
1269
|
+
# store, verify that its associated CloudHSM cluster is active and
|
1270
|
+
# contains at least one active HSM. For an external key store, verify
|
1271
|
+
# that the external key store proxy and external key manager are
|
1272
|
+
# connected and enabled.
|
1055
1273
|
#
|
1056
1274
|
# A value of `FAILED` indicates that an attempt to connect was
|
1057
1275
|
# unsuccessful. The `ConnectionErrorCode` field in the response
|
1058
1276
|
# indicates the cause of the failure. For help resolving a connection
|
1059
|
-
# failure, see [Troubleshooting a
|
1277
|
+
# failure, see [Troubleshooting a custom key store][1] in the *Key
|
1060
1278
|
# Management Service Developer Guide*.
|
1061
1279
|
#
|
1062
1280
|
#
|
@@ -1066,35 +1284,52 @@ module Aws::KMS
|
|
1066
1284
|
#
|
1067
1285
|
# @!attribute [rw] connection_error_code
|
1068
1286
|
# Describes the connection error. This field appears in the response
|
1069
|
-
# only when the `ConnectionState` is `FAILED`.
|
1070
|
-
#
|
1071
|
-
#
|
1287
|
+
# only when the `ConnectionState` is `FAILED`.
|
1288
|
+
#
|
1289
|
+
# Many failures can be resolved by updating the properties of the
|
1290
|
+
# custom key store. To update a custom key store, disconnect it
|
1291
|
+
# (DisconnectCustomKeyStore), correct the errors
|
1292
|
+
# (UpdateCustomKeyStore), and try to connect again
|
1293
|
+
# (ConnectCustomKeyStore). For additional help resolving these errors,
|
1294
|
+
# see [How to Fix a Connection Failure][1] in *Key Management Service
|
1295
|
+
# Developer Guide*.
|
1296
|
+
#
|
1297
|
+
# **All custom key stores:**
|
1298
|
+
#
|
1299
|
+
# * `INTERNAL_ERROR` — KMS could not complete the request due to an
|
1300
|
+
# internal error. Retry the request. For `ConnectCustomKeyStore`
|
1301
|
+
# requests, disconnect the custom key store before trying to connect
|
1302
|
+
# again.
|
1303
|
+
#
|
1304
|
+
# * `NETWORK_ERRORS` — Network errors are preventing KMS from
|
1305
|
+
# connecting the custom key store to its backing key store.
|
1072
1306
|
#
|
1073
|
-
#
|
1307
|
+
# **CloudHSM key stores:**
|
1074
1308
|
#
|
1075
|
-
# * `CLUSTER_NOT_FOUND`
|
1309
|
+
# * `CLUSTER_NOT_FOUND` — KMS cannot find the CloudHSM cluster with
|
1076
1310
|
# the specified cluster ID.
|
1077
1311
|
#
|
1078
|
-
# * `INSUFFICIENT_CLOUDHSM_HSMS`
|
1312
|
+
# * `INSUFFICIENT_CLOUDHSM_HSMS` — The associated CloudHSM cluster
|
1079
1313
|
# does not contain any active HSMs. To connect a custom key store to
|
1080
1314
|
# its CloudHSM cluster, the cluster must contain at least one active
|
1081
1315
|
# HSM.
|
1082
1316
|
#
|
1083
|
-
# * `
|
1084
|
-
#
|
1085
|
-
#
|
1086
|
-
#
|
1087
|
-
#
|
1088
|
-
#
|
1089
|
-
#
|
1090
|
-
# connect your custom key store to its CloudHSM cluster, you must
|
1091
|
-
# change the `kmsuser` account password and update the key store
|
1092
|
-
# password value for the custom key store.
|
1317
|
+
# * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` — At least one private
|
1318
|
+
# subnet associated with the CloudHSM cluster doesn't have any
|
1319
|
+
# available IP addresses. A CloudHSM key store connection requires
|
1320
|
+
# one free IP address in each of the associated private subnets,
|
1321
|
+
# although two are preferable. For details, see [How to Fix a
|
1322
|
+
# Connection Failure][1] in the *Key Management Service Developer
|
1323
|
+
# Guide*.
|
1093
1324
|
#
|
1094
|
-
# * `
|
1095
|
-
#
|
1325
|
+
# * `INVALID_CREDENTIALS` — The `KeyStorePassword` for the custom key
|
1326
|
+
# store doesn't match the current password of the `kmsuser` crypto
|
1327
|
+
# user in the CloudHSM cluster. Before you can connect your custom
|
1328
|
+
# key store to its CloudHSM cluster, you must change the `kmsuser`
|
1329
|
+
# account password and update the `KeyStorePassword` value for the
|
1330
|
+
# custom key store.
|
1096
1331
|
#
|
1097
|
-
# * `SUBNET_NOT_FOUND`
|
1332
|
+
# * `SUBNET_NOT_FOUND` — A subnet in the CloudHSM cluster
|
1098
1333
|
# configuration was deleted. If KMS cannot find all of the subnets
|
1099
1334
|
# in the cluster configuration, attempts to connect the custom key
|
1100
1335
|
# store to the CloudHSM cluster fail. To fix this error, create a
|
@@ -1104,13 +1339,13 @@ module Aws::KMS
|
|
1104
1339
|
# Connection Failure][1] in the *Key Management Service Developer
|
1105
1340
|
# Guide*.
|
1106
1341
|
#
|
1107
|
-
# * `USER_LOCKED_OUT`
|
1342
|
+
# * `USER_LOCKED_OUT` — The `kmsuser` CU account is locked out of the
|
1108
1343
|
# associated CloudHSM cluster due to too many failed password
|
1109
1344
|
# attempts. Before you can connect your custom key store to its
|
1110
1345
|
# CloudHSM cluster, you must change the `kmsuser` account password
|
1111
1346
|
# and update the key store password value for the custom key store.
|
1112
1347
|
#
|
1113
|
-
# * `USER_LOGGED_IN`
|
1348
|
+
# * `USER_LOGGED_IN` — The `kmsuser` CU account is logged into the
|
1114
1349
|
# associated CloudHSM cluster. This prevents KMS from rotating the
|
1115
1350
|
# `kmsuser` account password and logging into the cluster. Before
|
1116
1351
|
# you can connect your custom key store to its CloudHSM cluster, you
|
@@ -1120,22 +1355,119 @@ module Aws::KMS
|
|
1120
1355
|
# help, see [How to Log Out and Reconnect][2] in the *Key Management
|
1121
1356
|
# Service Developer Guide*.
|
1122
1357
|
#
|
1123
|
-
# * `USER_NOT_FOUND`
|
1358
|
+
# * `USER_NOT_FOUND` — KMS cannot find a `kmsuser` CU account in the
|
1124
1359
|
# associated CloudHSM cluster. Before you can connect your custom
|
1125
1360
|
# key store to its CloudHSM cluster, you must create a `kmsuser` CU
|
1126
1361
|
# account in the cluster, and then update the key store password
|
1127
1362
|
# value for the custom key store.
|
1128
1363
|
#
|
1364
|
+
# **External key stores:**
|
1365
|
+
#
|
1366
|
+
# * `INVALID_CREDENTIALS` — One or both of the
|
1367
|
+
# `XksProxyAuthenticationCredential` values is not valid on the
|
1368
|
+
# specified external key store proxy.
|
1369
|
+
#
|
1370
|
+
# * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
|
1371
|
+
# external key store proxy. If the external key store proxy has
|
1372
|
+
# authorization rules, verify that they permit KMS to communicate
|
1373
|
+
# with the proxy on your behalf.
|
1374
|
+
#
|
1375
|
+
# * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
|
1376
|
+
# preventing the external key store from connecting to its proxy.
|
1377
|
+
# Verify the value of the `XksProxyUriPath`.
|
1378
|
+
#
|
1379
|
+
# * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
|
1380
|
+
# from the external key store proxy. If you see this connection
|
1381
|
+
# error code repeatedly, notify your external key store proxy
|
1382
|
+
# vendor.
|
1383
|
+
#
|
1384
|
+
# * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
|
1385
|
+
# external key store proxy because the TLS configuration is invalid.
|
1386
|
+
# Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
|
1387
|
+
# that the TLS certificate is not expired, and that it matches the
|
1388
|
+
# hostname in the `XksProxyUriEndpoint` value, and that it is signed
|
1389
|
+
# by a certificate authority included in the [Trusted Certificate
|
1390
|
+
# Authorities][3] list.
|
1391
|
+
#
|
1392
|
+
# * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
|
1393
|
+
# external key store proxy. Verify that the `XksProxyUriEndpoint`
|
1394
|
+
# and `XksProxyUriPath` are correct. Use the tools for your external
|
1395
|
+
# key store proxy to verify that the proxy is active and available
|
1396
|
+
# on its network. Also, verify that your external key manager
|
1397
|
+
# instances are operating properly. Connection attempts fail with
|
1398
|
+
# this connection error code if the proxy reports that all external
|
1399
|
+
# key manager instances are unavailable.
|
1400
|
+
#
|
1401
|
+
# * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
|
1402
|
+
# proxy, but the proxy does not respond to KMS in the time allotted.
|
1403
|
+
# If you see this connection error code repeatedly, notify your
|
1404
|
+
# external key store proxy vendor.
|
1405
|
+
#
|
1406
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
|
1407
|
+
# endpoint service configuration doesn't conform to the
|
1408
|
+
# requirements for an KMS external key store.
|
1409
|
+
#
|
1410
|
+
# * The VPC endpoint service must be an endpoint service for
|
1411
|
+
# interface endpoints in the caller's Amazon Web Services
|
1412
|
+
# account.
|
1413
|
+
#
|
1414
|
+
# * It must have a network load balancer (NLB) connected to at least
|
1415
|
+
# two subnets, each in a different Availability Zone.
|
1416
|
+
#
|
1417
|
+
# * The `Allow principals` list must include the KMS service
|
1418
|
+
# principal for the Region, `cks.kms.<region>.amazonaws.com`, such
|
1419
|
+
# as `cks.kms.us-east-1.amazonaws.com`.
|
1420
|
+
#
|
1421
|
+
# * It must *not* require [acceptance][4] of connection requests.
|
1422
|
+
#
|
1423
|
+
# * It must have a private DNS name. The private DNS name for an
|
1424
|
+
# external key store with `VPC_ENDPOINT_SERVICE` connectivity must
|
1425
|
+
# be unique in its Amazon Web Services Region.
|
1426
|
+
#
|
1427
|
+
# * The domain of the private DNS name must have a [verification
|
1428
|
+
# status][5] of `verified`.
|
1429
|
+
#
|
1430
|
+
# * The [TLS certificate][6] specifies the private DNS hostname at
|
1431
|
+
# which the endpoint is reachable.
|
1432
|
+
#
|
1433
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
|
1434
|
+
# endpoint service that it uses to communicate with the external key
|
1435
|
+
# store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
|
1436
|
+
# correct and the KMS service principal has service consumer
|
1437
|
+
# permissions on the Amazon VPC endpoint service.
|
1438
|
+
#
|
1129
1439
|
#
|
1130
1440
|
#
|
1131
1441
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
|
1132
1442
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
|
1443
|
+
# [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
|
1444
|
+
# [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
|
1445
|
+
# [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
|
1446
|
+
# [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
|
1133
1447
|
# @return [String]
|
1134
1448
|
#
|
1135
1449
|
# @!attribute [rw] creation_date
|
1136
1450
|
# The date and time when the custom key store was created.
|
1137
1451
|
# @return [Time]
|
1138
1452
|
#
|
1453
|
+
# @!attribute [rw] custom_key_store_type
|
1454
|
+
# Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
|
1455
|
+
# a custom key store backed by an CloudHSM cluster.
|
1456
|
+
# `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
|
1457
|
+
# external key store proxy and external key manager outside of Amazon
|
1458
|
+
# Web Services.
|
1459
|
+
# @return [String]
|
1460
|
+
#
|
1461
|
+
# @!attribute [rw] xks_proxy_configuration
|
1462
|
+
# Configuration settings for the external key store proxy (XKS proxy).
|
1463
|
+
# The external key store proxy translates KMS requests into a format
|
1464
|
+
# that your external key manager can understand. The proxy
|
1465
|
+
# configuration includes connection information that KMS requires.
|
1466
|
+
#
|
1467
|
+
# This field appears only when the `CustomKeyStoreType` is
|
1468
|
+
# `EXTERNAL_KEY_STORE`.
|
1469
|
+
# @return [Types::XksProxyConfigurationType]
|
1470
|
+
#
|
1139
1471
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
|
1140
1472
|
#
|
1141
1473
|
class CustomKeyStoresListEntry < Struct.new(
|
@@ -1145,24 +1477,13 @@ module Aws::KMS
|
|
1145
1477
|
:trust_anchor_certificate,
|
1146
1478
|
:connection_state,
|
1147
1479
|
:connection_error_code,
|
1148
|
-
:creation_date
|
1480
|
+
:creation_date,
|
1481
|
+
:custom_key_store_type,
|
1482
|
+
:xks_proxy_configuration)
|
1149
1483
|
SENSITIVE = []
|
1150
1484
|
include Aws::Structure
|
1151
1485
|
end
|
1152
1486
|
|
1153
|
-
# @note When making an API call, you may pass DecryptRequest
|
1154
|
-
# data as a hash:
|
1155
|
-
#
|
1156
|
-
# {
|
1157
|
-
# ciphertext_blob: "data", # required
|
1158
|
-
# encryption_context: {
|
1159
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
1160
|
-
# },
|
1161
|
-
# grant_tokens: ["GrantTokenType"],
|
1162
|
-
# key_id: "KeyIdType",
|
1163
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
1164
|
-
# }
|
1165
|
-
#
|
1166
1487
|
# @!attribute [rw] ciphertext_blob
|
1167
1488
|
# Ciphertext to be decrypted. The blob includes metadata.
|
1168
1489
|
# @return [String]
|
@@ -1170,17 +1491,20 @@ module Aws::KMS
|
|
1170
1491
|
# @!attribute [rw] encryption_context
|
1171
1492
|
# Specifies the encryption context to use when decrypting the data. An
|
1172
1493
|
# encryption context is valid only for [cryptographic operations][1]
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
1174
|
-
# algorithms that KMS uses do not
|
1494
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
1495
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
1496
|
+
# support an encryption context.
|
1175
1497
|
#
|
1176
1498
|
# An *encryption context* is a collection of non-secret key-value
|
1177
|
-
# pairs that
|
1499
|
+
# pairs that represent additional authenticated data. When you use an
|
1178
1500
|
# encryption context to encrypt data, you must specify the same (an
|
1179
1501
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1180
|
-
# An encryption context is
|
1181
|
-
# KMS
|
1502
|
+
# An encryption context is supported only on operations with symmetric
|
1503
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
1504
|
+
# keys, an encryption context is optional, but it is strongly
|
1505
|
+
# recommended.
|
1182
1506
|
#
|
1183
|
-
# For more information, see [Encryption
|
1507
|
+
# For more information, see [Encryption context][2] in the *Key
|
1184
1508
|
# Management Service Developer Guide*.
|
1185
1509
|
#
|
1186
1510
|
#
|
@@ -1204,15 +1528,18 @@ module Aws::KMS
|
|
1204
1528
|
# @return [Array<String>]
|
1205
1529
|
#
|
1206
1530
|
# @!attribute [rw] key_id
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
1208
|
-
#
|
1531
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
1532
|
+
#
|
1533
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
1534
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
1535
|
+
# operation throws an `IncorrectKeyException`.
|
1209
1536
|
#
|
1210
1537
|
# This parameter is required only when the ciphertext was encrypted
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
1215
|
-
# intend.
|
1538
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
1539
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
1540
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
1541
|
+
# best practice. This practice ensures that you use the KMS key that
|
1542
|
+
# you intend.
|
1216
1543
|
#
|
1217
1544
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1218
1545
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -1243,9 +1570,49 @@ module Aws::KMS
|
|
1243
1570
|
# This parameter is required only when the ciphertext was encrypted
|
1244
1571
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
1245
1572
|
# represents the only supported algorithm that is valid for symmetric
|
1246
|
-
# KMS keys.
|
1573
|
+
# encryption KMS keys.
|
1247
1574
|
# @return [String]
|
1248
1575
|
#
|
1576
|
+
# @!attribute [rw] recipient
|
1577
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
1578
|
+
# enclave and the encryption algorithm to use with the enclave's
|
1579
|
+
# public key. The only valid encryption algorithm is
|
1580
|
+
# `RSAES_OAEP_SHA_256`.
|
1581
|
+
#
|
1582
|
+
# This parameter only supports attestation documents for Amazon Web
|
1583
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
1584
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
1585
|
+
#
|
1586
|
+
# When you use this parameter, instead of returning the plaintext
|
1587
|
+
# data, KMS encrypts the plaintext data with the public key in the
|
1588
|
+
# attestation document, and returns the resulting ciphertext in the
|
1589
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
1590
|
+
# be decrypted only with the private key in the enclave. The
|
1591
|
+
# `Plaintext` field in the response is null or empty.
|
1592
|
+
#
|
1593
|
+
# For information about the interaction between KMS and Amazon Web
|
1594
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
1595
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
1596
|
+
#
|
1597
|
+
#
|
1598
|
+
#
|
1599
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
1600
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
1601
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1602
|
+
# @return [Types::RecipientInfo]
|
1603
|
+
#
|
1604
|
+
# @!attribute [rw] dry_run
|
1605
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
1606
|
+
# parameter.
|
1607
|
+
#
|
1608
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
1609
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
1610
|
+
#
|
1611
|
+
#
|
1612
|
+
#
|
1613
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
1614
|
+
# @return [Boolean]
|
1615
|
+
#
|
1249
1616
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
1250
1617
|
#
|
1251
1618
|
class DecryptRequest < Struct.new(
|
@@ -1253,7 +1620,9 @@ module Aws::KMS
|
|
1253
1620
|
:encryption_context,
|
1254
1621
|
:grant_tokens,
|
1255
1622
|
:key_id,
|
1256
|
-
:encryption_algorithm
|
1623
|
+
:encryption_algorithm,
|
1624
|
+
:recipient,
|
1625
|
+
:dry_run)
|
1257
1626
|
SENSITIVE = []
|
1258
1627
|
include Aws::Structure
|
1259
1628
|
end
|
@@ -1271,29 +1640,42 @@ module Aws::KMS
|
|
1271
1640
|
# Decrypted plaintext data. When you use the HTTP API or the Amazon
|
1272
1641
|
# Web Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1273
1642
|
# Base64-encoded.
|
1643
|
+
#
|
1644
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
1645
|
+
# `Plaintext` field is null or empty.
|
1274
1646
|
# @return [String]
|
1275
1647
|
#
|
1276
1648
|
# @!attribute [rw] encryption_algorithm
|
1277
1649
|
# The encryption algorithm that was used to decrypt the ciphertext.
|
1278
1650
|
# @return [String]
|
1279
1651
|
#
|
1652
|
+
# @!attribute [rw] ciphertext_for_recipient
|
1653
|
+
# The plaintext data encrypted with the public key in the attestation
|
1654
|
+
# document.
|
1655
|
+
#
|
1656
|
+
# This field is included in the response only when the `Recipient`
|
1657
|
+
# parameter in the request includes a valid attestation document from
|
1658
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
1659
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
1660
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
1661
|
+
# Management Service Developer Guide*.
|
1662
|
+
#
|
1663
|
+
#
|
1664
|
+
#
|
1665
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1666
|
+
# @return [String]
|
1667
|
+
#
|
1280
1668
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
|
1281
1669
|
#
|
1282
1670
|
class DecryptResponse < Struct.new(
|
1283
1671
|
:key_id,
|
1284
1672
|
:plaintext,
|
1285
|
-
:encryption_algorithm
|
1673
|
+
:encryption_algorithm,
|
1674
|
+
:ciphertext_for_recipient)
|
1286
1675
|
SENSITIVE = [:plaintext]
|
1287
1676
|
include Aws::Structure
|
1288
1677
|
end
|
1289
1678
|
|
1290
|
-
# @note When making an API call, you may pass DeleteAliasRequest
|
1291
|
-
# data as a hash:
|
1292
|
-
#
|
1293
|
-
# {
|
1294
|
-
# alias_name: "AliasNameType", # required
|
1295
|
-
# }
|
1296
|
-
#
|
1297
1679
|
# @!attribute [rw] alias_name
|
1298
1680
|
# The alias to be deleted. The alias name must begin with `alias/`
|
1299
1681
|
# followed by the alias name, such as `alias/ExampleAlias`.
|
@@ -1307,13 +1689,6 @@ module Aws::KMS
|
|
1307
1689
|
include Aws::Structure
|
1308
1690
|
end
|
1309
1691
|
|
1310
|
-
# @note When making an API call, you may pass DeleteCustomKeyStoreRequest
|
1311
|
-
# data as a hash:
|
1312
|
-
#
|
1313
|
-
# {
|
1314
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1315
|
-
# }
|
1316
|
-
#
|
1317
1692
|
# @!attribute [rw] custom_key_store_id
|
1318
1693
|
# Enter the ID of the custom key store you want to delete. To find the
|
1319
1694
|
# ID of a custom key store, use the DescribeCustomKeyStores operation.
|
@@ -1331,13 +1706,6 @@ module Aws::KMS
|
|
1331
1706
|
#
|
1332
1707
|
class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
|
1333
1708
|
|
1334
|
-
# @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
|
1335
|
-
# data as a hash:
|
1336
|
-
#
|
1337
|
-
# {
|
1338
|
-
# key_id: "KeyIdType", # required
|
1339
|
-
# }
|
1340
|
-
#
|
1341
1709
|
# @!attribute [rw] key_id
|
1342
1710
|
# Identifies the KMS key from which you are deleting imported key
|
1343
1711
|
# material. The `Origin` of the KMS key must be `EXTERNAL`.
|
@@ -1363,8 +1731,8 @@ module Aws::KMS
|
|
1363
1731
|
include Aws::Structure
|
1364
1732
|
end
|
1365
1733
|
|
1366
|
-
# The system timed out while trying to fulfill the request.
|
1367
|
-
#
|
1734
|
+
# The system timed out while trying to fulfill the request. You can
|
1735
|
+
# retry the request.
|
1368
1736
|
#
|
1369
1737
|
# @!attribute [rw] message
|
1370
1738
|
# @return [String]
|
@@ -1377,24 +1745,14 @@ module Aws::KMS
|
|
1377
1745
|
include Aws::Structure
|
1378
1746
|
end
|
1379
1747
|
|
1380
|
-
# @note When making an API call, you may pass DescribeCustomKeyStoresRequest
|
1381
|
-
# data as a hash:
|
1382
|
-
#
|
1383
|
-
# {
|
1384
|
-
# custom_key_store_id: "CustomKeyStoreIdType",
|
1385
|
-
# custom_key_store_name: "CustomKeyStoreNameType",
|
1386
|
-
# limit: 1,
|
1387
|
-
# marker: "MarkerType",
|
1388
|
-
# }
|
1389
|
-
#
|
1390
1748
|
# @!attribute [rw] custom_key_store_id
|
1391
1749
|
# Gets only information about the specified custom key store. Enter
|
1392
1750
|
# the key store ID.
|
1393
1751
|
#
|
1394
1752
|
# By default, this operation gets information about all custom key
|
1395
1753
|
# stores in the account and Region. To limit the output to a
|
1396
|
-
# particular custom key store,
|
1397
|
-
#
|
1754
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
1755
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
1398
1756
|
# @return [String]
|
1399
1757
|
#
|
1400
1758
|
# @!attribute [rw] custom_key_store_name
|
@@ -1403,8 +1761,8 @@ module Aws::KMS
|
|
1403
1761
|
#
|
1404
1762
|
# By default, this operation gets information about all custom key
|
1405
1763
|
# stores in the account and Region. To limit the output to a
|
1406
|
-
# particular custom key store,
|
1407
|
-
#
|
1764
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
1765
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
1408
1766
|
# @return [String]
|
1409
1767
|
#
|
1410
1768
|
# @!attribute [rw] limit
|
@@ -1456,14 +1814,6 @@ module Aws::KMS
|
|
1456
1814
|
include Aws::Structure
|
1457
1815
|
end
|
1458
1816
|
|
1459
|
-
# @note When making an API call, you may pass DescribeKeyRequest
|
1460
|
-
# data as a hash:
|
1461
|
-
#
|
1462
|
-
# {
|
1463
|
-
# key_id: "KeyIdType", # required
|
1464
|
-
# grant_tokens: ["GrantTokenType"],
|
1465
|
-
# }
|
1466
|
-
#
|
1467
1817
|
# @!attribute [rw] key_id
|
1468
1818
|
# Describes the specified KMS key.
|
1469
1819
|
#
|
@@ -1531,13 +1881,6 @@ module Aws::KMS
|
|
1531
1881
|
include Aws::Structure
|
1532
1882
|
end
|
1533
1883
|
|
1534
|
-
# @note When making an API call, you may pass DisableKeyRequest
|
1535
|
-
# data as a hash:
|
1536
|
-
#
|
1537
|
-
# {
|
1538
|
-
# key_id: "KeyIdType", # required
|
1539
|
-
# }
|
1540
|
-
#
|
1541
1884
|
# @!attribute [rw] key_id
|
1542
1885
|
# Identifies the KMS key to disable.
|
1543
1886
|
#
|
@@ -1562,17 +1905,11 @@ module Aws::KMS
|
|
1562
1905
|
include Aws::Structure
|
1563
1906
|
end
|
1564
1907
|
|
1565
|
-
# @note When making an API call, you may pass DisableKeyRotationRequest
|
1566
|
-
# data as a hash:
|
1567
|
-
#
|
1568
|
-
# {
|
1569
|
-
# key_id: "KeyIdType", # required
|
1570
|
-
# }
|
1571
|
-
#
|
1572
1908
|
# @!attribute [rw] key_id
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
1575
|
-
# [imported key material][
|
1909
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
1910
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
1911
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
1912
|
+
# [custom key store][4].
|
1576
1913
|
#
|
1577
1914
|
# Specify the key ID or key ARN of the KMS key.
|
1578
1915
|
#
|
@@ -1589,8 +1926,9 @@ module Aws::KMS
|
|
1589
1926
|
#
|
1590
1927
|
#
|
1591
1928
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1929
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
1930
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1931
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1594
1932
|
# @return [String]
|
1595
1933
|
#
|
1596
1934
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
@@ -1614,13 +1952,6 @@ module Aws::KMS
|
|
1614
1952
|
include Aws::Structure
|
1615
1953
|
end
|
1616
1954
|
|
1617
|
-
# @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
|
1618
|
-
# data as a hash:
|
1619
|
-
#
|
1620
|
-
# {
|
1621
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
1622
|
-
# }
|
1623
|
-
#
|
1624
1955
|
# @!attribute [rw] custom_key_store_id
|
1625
1956
|
# Enter the ID of the custom key store you want to disconnect. To find
|
1626
1957
|
# the ID of a custom key store, use the DescribeCustomKeyStores
|
@@ -1639,13 +1970,19 @@ module Aws::KMS
|
|
1639
1970
|
#
|
1640
1971
|
class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
|
1641
1972
|
|
1642
|
-
#
|
1643
|
-
# data as a hash:
|
1973
|
+
# The request was rejected because the DryRun parameter was specified.
|
1644
1974
|
#
|
1645
|
-
#
|
1646
|
-
#
|
1647
|
-
# }
|
1975
|
+
# @!attribute [rw] message
|
1976
|
+
# @return [String]
|
1648
1977
|
#
|
1978
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
|
1979
|
+
#
|
1980
|
+
class DryRunOperationException < Struct.new(
|
1981
|
+
:message)
|
1982
|
+
SENSITIVE = []
|
1983
|
+
include Aws::Structure
|
1984
|
+
end
|
1985
|
+
|
1649
1986
|
# @!attribute [rw] key_id
|
1650
1987
|
# Identifies the KMS key to enable.
|
1651
1988
|
#
|
@@ -1670,19 +2007,12 @@ module Aws::KMS
|
|
1670
2007
|
include Aws::Structure
|
1671
2008
|
end
|
1672
2009
|
|
1673
|
-
# @note When making an API call, you may pass EnableKeyRotationRequest
|
1674
|
-
# data as a hash:
|
1675
|
-
#
|
1676
|
-
# {
|
1677
|
-
# key_id: "KeyIdType", # required
|
1678
|
-
# }
|
1679
|
-
#
|
1680
2010
|
# @!attribute [rw] key_id
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
1682
|
-
# of [asymmetric KMS keys][1], KMS keys
|
1683
|
-
# material][
|
1684
|
-
# disable automatic rotation of a set of
|
1685
|
-
# keys][
|
2011
|
+
# Identifies a symmetric encryption KMS key. You cannot enable
|
2012
|
+
# automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
2013
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom
|
2014
|
+
# key store][4]. To enable or disable automatic rotation of a set of
|
2015
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
1686
2016
|
#
|
1687
2017
|
# Specify the key ID or key ARN of the KMS key.
|
1688
2018
|
#
|
@@ -1698,10 +2028,11 @@ module Aws::KMS
|
|
1698
2028
|
#
|
1699
2029
|
#
|
1700
2030
|
#
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2031
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
2032
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
2033
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
2034
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2035
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
1705
2036
|
# @return [String]
|
1706
2037
|
#
|
1707
2038
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
@@ -1712,21 +2043,10 @@ module Aws::KMS
|
|
1712
2043
|
include Aws::Structure
|
1713
2044
|
end
|
1714
2045
|
|
1715
|
-
# @note When making an API call, you may pass EncryptRequest
|
1716
|
-
# data as a hash:
|
1717
|
-
#
|
1718
|
-
# {
|
1719
|
-
# key_id: "KeyIdType", # required
|
1720
|
-
# plaintext: "data", # required
|
1721
|
-
# encryption_context: {
|
1722
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
1723
|
-
# },
|
1724
|
-
# grant_tokens: ["GrantTokenType"],
|
1725
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
1726
|
-
# }
|
1727
|
-
#
|
1728
2046
|
# @!attribute [rw] key_id
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
2047
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
2048
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
2049
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
1730
2050
|
#
|
1731
2051
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1732
2052
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -1755,18 +2075,24 @@ module Aws::KMS
|
|
1755
2075
|
# @!attribute [rw] encryption_context
|
1756
2076
|
# Specifies the encryption context that will be used to encrypt the
|
1757
2077
|
# data. An encryption context is valid only for [cryptographic
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
1759
|
-
# encryption algorithms that KMS uses
|
1760
|
-
# context.
|
2078
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
2079
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
2080
|
+
# do not support an encryption context.
|
2081
|
+
#
|
2082
|
+
# Do not include confidential or sensitive information in this field.
|
2083
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2084
|
+
# other output.
|
1761
2085
|
#
|
1762
2086
|
# An *encryption context* is a collection of non-secret key-value
|
1763
|
-
# pairs that
|
2087
|
+
# pairs that represent additional authenticated data. When you use an
|
1764
2088
|
# encryption context to encrypt data, you must specify the same (an
|
1765
2089
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1766
|
-
# An encryption context is
|
1767
|
-
# KMS
|
2090
|
+
# An encryption context is supported only on operations with symmetric
|
2091
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
2092
|
+
# keys, an encryption context is optional, but it is strongly
|
2093
|
+
# recommended.
|
1768
2094
|
#
|
1769
|
-
# For more information, see [Encryption
|
2095
|
+
# For more information, see [Encryption context][2] in the *Key
|
1770
2096
|
# Management Service Developer Guide*.
|
1771
2097
|
#
|
1772
2098
|
#
|
@@ -1795,11 +2121,25 @@ module Aws::KMS
|
|
1795
2121
|
# that you specify.
|
1796
2122
|
#
|
1797
2123
|
# This parameter is required only for asymmetric KMS keys. The default
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
2124
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
2125
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
2126
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
2127
|
+
#
|
2128
|
+
# The SM2PKE algorithm is only available in China Regions.
|
1801
2129
|
# @return [String]
|
1802
2130
|
#
|
2131
|
+
# @!attribute [rw] dry_run
|
2132
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2133
|
+
# parameter.
|
2134
|
+
#
|
2135
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2136
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2137
|
+
#
|
2138
|
+
#
|
2139
|
+
#
|
2140
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2141
|
+
# @return [Boolean]
|
2142
|
+
#
|
1803
2143
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
1804
2144
|
#
|
1805
2145
|
class EncryptRequest < Struct.new(
|
@@ -1807,7 +2147,8 @@ module Aws::KMS
|
|
1807
2147
|
:plaintext,
|
1808
2148
|
:encryption_context,
|
1809
2149
|
:grant_tokens,
|
1810
|
-
:encryption_algorithm
|
2150
|
+
:encryption_algorithm,
|
2151
|
+
:dry_run)
|
1811
2152
|
SENSITIVE = [:plaintext]
|
1812
2153
|
include Aws::Structure
|
1813
2154
|
end
|
@@ -1857,30 +2198,24 @@ module Aws::KMS
|
|
1857
2198
|
include Aws::Structure
|
1858
2199
|
end
|
1859
2200
|
|
1860
|
-
# @note When making an API call, you may pass GenerateDataKeyPairRequest
|
1861
|
-
# data as a hash:
|
1862
|
-
#
|
1863
|
-
# {
|
1864
|
-
# encryption_context: {
|
1865
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
1866
|
-
# },
|
1867
|
-
# key_id: "KeyIdType", # required
|
1868
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
1869
|
-
# grant_tokens: ["GrantTokenType"],
|
1870
|
-
# }
|
1871
|
-
#
|
1872
2201
|
# @!attribute [rw] encryption_context
|
1873
2202
|
# Specifies the encryption context that will be used when encrypting
|
1874
2203
|
# the private key in the data key pair.
|
1875
2204
|
#
|
2205
|
+
# Do not include confidential or sensitive information in this field.
|
2206
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2207
|
+
# other output.
|
2208
|
+
#
|
1876
2209
|
# An *encryption context* is a collection of non-secret key-value
|
1877
|
-
# pairs that
|
2210
|
+
# pairs that represent additional authenticated data. When you use an
|
1878
2211
|
# encryption context to encrypt data, you must specify the same (an
|
1879
2212
|
# exact case-sensitive match) encryption context to decrypt the data.
|
1880
|
-
# An encryption context is
|
1881
|
-
# KMS
|
2213
|
+
# An encryption context is supported only on operations with symmetric
|
2214
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
2215
|
+
# keys, an encryption context is optional, but it is strongly
|
2216
|
+
# recommended.
|
1882
2217
|
#
|
1883
|
-
# For more information, see [Encryption
|
2218
|
+
# For more information, see [Encryption context][1] in the *Key
|
1884
2219
|
# Management Service Developer Guide*.
|
1885
2220
|
#
|
1886
2221
|
#
|
@@ -1889,10 +2224,10 @@ module Aws::KMS
|
|
1889
2224
|
# @return [Hash<String,String>]
|
1890
2225
|
#
|
1891
2226
|
# @!attribute [rw] key_id
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
1894
|
-
# in a custom key store. To get the type and origin of
|
1895
|
-
# use the DescribeKey operation.
|
2227
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
2228
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
2229
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
2230
|
+
# your KMS key, use the DescribeKey operation.
|
1896
2231
|
#
|
1897
2232
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
1898
2233
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -1917,10 +2252,11 @@ module Aws::KMS
|
|
1917
2252
|
# @!attribute [rw] key_pair_spec
|
1918
2253
|
# Determines the type of data key pair that is generated.
|
1919
2254
|
#
|
1920
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
1921
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
1922
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
1923
|
-
# are not effective on data key pairs, which are used outside
|
2255
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
2256
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
2257
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
2258
|
+
# verify, are not effective on data key pairs, which are used outside
|
2259
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
1924
2260
|
# @return [String]
|
1925
2261
|
#
|
1926
2262
|
# @!attribute [rw] grant_tokens
|
@@ -1937,13 +2273,58 @@ module Aws::KMS
|
|
1937
2273
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
1938
2274
|
# @return [Array<String>]
|
1939
2275
|
#
|
2276
|
+
# @!attribute [rw] recipient
|
2277
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2278
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2279
|
+
# public key. The only valid encryption algorithm is
|
2280
|
+
# `RSAES_OAEP_SHA_256`.
|
2281
|
+
#
|
2282
|
+
# This parameter only supports attestation documents for Amazon Web
|
2283
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2284
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2285
|
+
#
|
2286
|
+
# When you use this parameter, instead of returning a plaintext copy
|
2287
|
+
# of the private data key, KMS encrypts the plaintext private data key
|
2288
|
+
# under the public key in the attestation document, and returns the
|
2289
|
+
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
2290
|
+
# response. This ciphertext can be decrypted only with the private key
|
2291
|
+
# in the enclave. The `CiphertextBlob` field in the response contains
|
2292
|
+
# a copy of the private data key encrypted under the KMS key specified
|
2293
|
+
# by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
|
2294
|
+
# response is null or empty.
|
2295
|
+
#
|
2296
|
+
# For information about the interaction between KMS and Amazon Web
|
2297
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2298
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2299
|
+
#
|
2300
|
+
#
|
2301
|
+
#
|
2302
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2303
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2304
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2305
|
+
# @return [Types::RecipientInfo]
|
2306
|
+
#
|
2307
|
+
# @!attribute [rw] dry_run
|
2308
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2309
|
+
# parameter.
|
2310
|
+
#
|
2311
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2312
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2313
|
+
#
|
2314
|
+
#
|
2315
|
+
#
|
2316
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2317
|
+
# @return [Boolean]
|
2318
|
+
#
|
1940
2319
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
1941
2320
|
#
|
1942
2321
|
class GenerateDataKeyPairRequest < Struct.new(
|
1943
2322
|
:encryption_context,
|
1944
2323
|
:key_id,
|
1945
2324
|
:key_pair_spec,
|
1946
|
-
:grant_tokens
|
2325
|
+
:grant_tokens,
|
2326
|
+
:recipient,
|
2327
|
+
:dry_run)
|
1947
2328
|
SENSITIVE = []
|
1948
2329
|
include Aws::Structure
|
1949
2330
|
end
|
@@ -1958,10 +2339,15 @@ module Aws::KMS
|
|
1958
2339
|
# The plaintext copy of the private key. When you use the HTTP API or
|
1959
2340
|
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
1960
2341
|
# it is not Base64-encoded.
|
2342
|
+
#
|
2343
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
2344
|
+
# `PrivateKeyPlaintext` field is null or empty.
|
1961
2345
|
# @return [String]
|
1962
2346
|
#
|
1963
2347
|
# @!attribute [rw] public_key
|
1964
|
-
# The public key (in plaintext).
|
2348
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
2349
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
2350
|
+
# is not Base64-encoded.
|
1965
2351
|
# @return [String]
|
1966
2352
|
#
|
1967
2353
|
# @!attribute [rw] key_id
|
@@ -1977,6 +2363,23 @@ module Aws::KMS
|
|
1977
2363
|
# The type of data key pair that was generated.
|
1978
2364
|
# @return [String]
|
1979
2365
|
#
|
2366
|
+
# @!attribute [rw] ciphertext_for_recipient
|
2367
|
+
# The plaintext private data key encrypted with the public key from
|
2368
|
+
# the Nitro enclave. This ciphertext can be decrypted only by using a
|
2369
|
+
# private key in the Nitro enclave.
|
2370
|
+
#
|
2371
|
+
# This field is included in the response only when the `Recipient`
|
2372
|
+
# parameter in the request includes a valid attestation document from
|
2373
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
2374
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
2375
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
2376
|
+
# Management Service Developer Guide*.
|
2377
|
+
#
|
2378
|
+
#
|
2379
|
+
#
|
2380
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2381
|
+
# @return [String]
|
2382
|
+
#
|
1980
2383
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
|
1981
2384
|
#
|
1982
2385
|
class GenerateDataKeyPairResponse < Struct.new(
|
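Review bot: The new `ciphertext_for_recipient` attribute doc on GenerateDataKeyPairResponse says the private key is encrypted to the enclave's public key but never names the algorithm, so the enclave side has to know from elsewhere which padding to use when it decrypts. The request-side `Recipient` text added in this same diff fixes the only valid choice as `RSAES_OAEP_SHA_256`, and repeating that here makes the response self-describing. I would add after the first paragraph: `# The ciphertext is produced with the encryption algorithm named in the request's Recipient parameter (currently only RSAES_OAEP_SHA_256); decrypt it inside the enclave with the matching OAEP parameters.` The `Struct.new(` that this attribute belongs to continues in the next hunk.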
@@ -1984,35 +2387,30 @@ module Aws::KMS
|
|
1984
2387
|
:private_key_plaintext,
|
1985
2388
|
:public_key,
|
1986
2389
|
:key_id,
|
1987
|
-
:key_pair_spec
|
2390
|
+
:key_pair_spec,
|
2391
|
+
:ciphertext_for_recipient)
|
1988
2392
|
SENSITIVE = [:private_key_plaintext]
|
1989
2393
|
include Aws::Structure
|
1990
2394
|
end
|
1991
2395
|
|
1992
|
-
# @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
|
1993
|
-
# data as a hash:
|
1994
|
-
#
|
1995
|
-
# {
|
1996
|
-
# encryption_context: {
|
1997
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
1998
|
-
# },
|
1999
|
-
# key_id: "KeyIdType", # required
|
2000
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
2001
|
-
# grant_tokens: ["GrantTokenType"],
|
2002
|
-
# }
|
2003
|
-
#
|
2004
2396
|
# @!attribute [rw] encryption_context
|
2005
2397
|
# Specifies the encryption context that will be used when encrypting
|
2006
2398
|
# the private key in the data key pair.
|
2007
2399
|
#
|
2400
|
+
# Do not include confidential or sensitive information in this field.
|
2401
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2402
|
+
# other output.
|
2403
|
+
#
|
2008
2404
|
# An *encryption context* is a collection of non-secret key-value
|
2009
|
-
# pairs that
|
2405
|
+
# pairs that represent additional authenticated data. When you use an
|
2010
2406
|
# encryption context to encrypt data, you must specify the same (an
|
2011
2407
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2012
|
-
# An encryption context is
|
2013
|
-
# KMS
|
2408
|
+
# An encryption context is supported only on operations with symmetric
|
2409
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
2410
|
+
# keys, an encryption context is optional, but it is strongly
|
2411
|
+
# recommended.
|
2014
2412
|
#
|
2015
|
-
# For more information, see [Encryption
|
2413
|
+
# For more information, see [Encryption context][1] in the *Key
|
2016
2414
|
# Management Service Developer Guide*.
|
2017
2415
|
#
|
2018
2416
|
#
|
@@ -2021,10 +2419,10 @@ module Aws::KMS
|
|
2021
2419
|
# @return [Hash<String,String>]
|
2022
2420
|
#
|
2023
2421
|
# @!attribute [rw] key_id
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
2025
|
-
# pair. You
|
2026
|
-
#
|
2027
|
-
#
|
2422
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
2423
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
2424
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
2425
|
+
# your KMS key, use the DescribeKey operation.
|
2028
2426
|
#
|
2029
2427
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2030
2428
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -2049,10 +2447,11 @@ module Aws::KMS
|
|
2049
2447
|
# @!attribute [rw] key_pair_spec
|
2050
2448
|
# Determines the type of data key pair that is generated.
|
2051
2449
|
#
|
2052
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
2053
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
2054
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
2055
|
-
# are not effective on data key pairs, which are used outside
|
2450
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
2451
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
2452
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
2453
|
+
# verify, are not effective on data key pairs, which are used outside
|
2454
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
2056
2455
|
# @return [String]
|
2057
2456
|
#
|
2058
2457
|
# @!attribute [rw] grant_tokens
|
@@ -2069,13 +2468,26 @@ module Aws::KMS
|
|
2069
2468
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2070
2469
|
# @return [Array<String>]
|
2071
2470
|
#
|
2471
|
+
# @!attribute [rw] dry_run
|
2472
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2473
|
+
# parameter.
|
2474
|
+
#
|
2475
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2476
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2477
|
+
#
|
2478
|
+
#
|
2479
|
+
#
|
2480
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2481
|
+
# @return [Boolean]
|
2482
|
+
#
|
2072
2483
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
2073
2484
|
#
|
2074
2485
|
class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
|
2075
2486
|
:encryption_context,
|
2076
2487
|
:key_id,
|
2077
2488
|
:key_pair_spec,
|
2078
|
-
:grant_tokens
|
2489
|
+
:grant_tokens,
|
2490
|
+
:dry_run)
|
2079
2491
|
SENSITIVE = []
|
2080
2492
|
include Aws::Structure
|
2081
2493
|
end
|
@@ -2087,7 +2499,9 @@ module Aws::KMS
|
|
2087
2499
|
# @return [String]
|
2088
2500
|
#
|
2089
2501
|
# @!attribute [rw] public_key
|
2090
|
-
# The public key (in plaintext).
|
2502
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
2503
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
2504
|
+
# is not Base64-encoded.
|
2091
2505
|
# @return [String]
|
2092
2506
|
#
|
2093
2507
|
# @!attribute [rw] key_id
|
@@ -2114,21 +2528,11 @@ module Aws::KMS
|
|
2114
2528
|
include Aws::Structure
|
2115
2529
|
end
|
2116
2530
|
|
2117
|
-
# @note When making an API call, you may pass GenerateDataKeyRequest
|
2118
|
-
# data as a hash:
|
2119
|
-
#
|
2120
|
-
# {
|
2121
|
-
# key_id: "KeyIdType", # required
|
2122
|
-
# encryption_context: {
|
2123
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
2124
|
-
# },
|
2125
|
-
# number_of_bytes: 1,
|
2126
|
-
# key_spec: "AES_256", # accepts AES_256, AES_128
|
2127
|
-
# grant_tokens: ["GrantTokenType"],
|
2128
|
-
# }
|
2129
|
-
#
|
2130
2531
|
# @!attribute [rw] key_id
|
2131
|
-
#
|
2532
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
2533
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
2534
|
+
# custom key store. To get the type and origin of your KMS key, use
|
2535
|
+
# the DescribeKey operation.
|
2132
2536
|
#
|
2133
2537
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2134
2538
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -2154,14 +2558,20 @@ module Aws::KMS
|
|
2154
2558
|
# Specifies the encryption context that will be used when encrypting
|
2155
2559
|
# the data key.
|
2156
2560
|
#
|
2561
|
+
# Do not include confidential or sensitive information in this field.
|
2562
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2563
|
+
# other output.
|
2564
|
+
#
|
2157
2565
|
# An *encryption context* is a collection of non-secret key-value
|
2158
|
-
# pairs that
|
2566
|
+
# pairs that represent additional authenticated data. When you use an
|
2159
2567
|
# encryption context to encrypt data, you must specify the same (an
|
2160
2568
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2161
|
-
# An encryption context is
|
2162
|
-
# KMS
|
2569
|
+
# An encryption context is supported only on operations with symmetric
|
2570
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
2571
|
+
# keys, an encryption context is optional, but it is strongly
|
2572
|
+
# recommended.
|
2163
2573
|
#
|
2164
|
-
# For more information, see [Encryption
|
2574
|
+
# For more information, see [Encryption context][1] in the *Key
|
2165
2575
|
# Management Service Developer Guide*.
|
2166
2576
|
#
|
2167
2577
|
#
|
@@ -2202,6 +2612,48 @@ module Aws::KMS
|
|
2202
2612
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2203
2613
|
# @return [Array<String>]
|
2204
2614
|
#
|
2615
|
+
# @!attribute [rw] recipient
|
2616
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2617
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2618
|
+
# public key. The only valid encryption algorithm is
|
2619
|
+
# `RSAES_OAEP_SHA_256`.
|
2620
|
+
#
|
2621
|
+
# This parameter only supports attestation documents for Amazon Web
|
2622
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2623
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2624
|
+
#
|
2625
|
+
# When you use this parameter, instead of returning the plaintext data
|
2626
|
+
# key, KMS encrypts the plaintext data key under the public key in the
|
2627
|
+
# attestation document, and returns the resulting ciphertext in the
|
2628
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
2629
|
+
# be decrypted only with the private key in the enclave. The
|
2630
|
+
# `CiphertextBlob` field in the response contains a copy of the data
|
2631
|
+
# key encrypted under the KMS key specified by the `KeyId` parameter.
|
2632
|
+
# The `Plaintext` field in the response is null or empty.
|
2633
|
+
#
|
2634
|
+
# For information about the interaction between KMS and Amazon Web
|
2635
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2636
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2637
|
+
#
|
2638
|
+
#
|
2639
|
+
#
|
2640
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2641
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2642
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2643
|
+
# @return [Types::RecipientInfo]
|
2644
|
+
#
|
2645
|
+
# @!attribute [rw] dry_run
|
2646
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2647
|
+
# parameter.
|
2648
|
+
#
|
2649
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2650
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2651
|
+
#
|
2652
|
+
#
|
2653
|
+
#
|
2654
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2655
|
+
# @return [Boolean]
|
2656
|
+
#
|
2205
2657
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
|
2206
2658
|
#
|
2207
2659
|
class GenerateDataKeyRequest < Struct.new(
|
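Review bot: The `recipient` attribute doc on GenerateDataKeyRequest describes only the success path, yet a caller that reads `resp.plaintext` unconditionally will get nil or an empty string whenever this parameter is set, and the sentence that says so lives on the response type rather than here where the caller is deciding to opt in. I would add to this attribute: `# When Recipient is set, read CiphertextForRecipient from the response; Plaintext is intentionally null or empty in this mode.` Whether KMS checks the attestation document against measurement conditions in the key policy is not visible in this file; if the policy does not constrain it, any enclave whose caller is otherwise authorized could present itself as the recipient, so the developer-guide link should stay prominent rather than being trimmed later. The `GenerateDataKeyRequest` `Struct.new(` opened on the last line closes in the following hunk.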
@@ -2209,7 +2661,9 @@ module Aws::KMS
|
|
2209
2661
|
:encryption_context,
|
2210
2662
|
:number_of_bytes,
|
2211
2663
|
:key_spec,
|
2212
|
-
:grant_tokens
|
2664
|
+
:grant_tokens,
|
2665
|
+
:recipient,
|
2666
|
+
:dry_run)
|
2213
2667
|
SENSITIVE = []
|
2214
2668
|
include Aws::Structure
|
2215
2669
|
end
|
@@ -2225,6 +2679,9 @@ module Aws::KMS
|
|
2225
2679
|
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2226
2680
|
# Base64-encoded. Use this data key to encrypt your data outside of
|
2227
2681
|
# KMS. Then, remove it from memory as soon as possible.
|
2682
|
+
#
|
2683
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
2684
|
+
# `Plaintext` field is null or empty.
|
2228
2685
|
# @return [String]
|
2229
2686
|
#
|
2230
2687
|
# @!attribute [rw] key_id
|
@@ -2236,31 +2693,39 @@ module Aws::KMS
|
|
2236
2693
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2237
2694
|
# @return [String]
|
2238
2695
|
#
|
2696
|
+
# @!attribute [rw] ciphertext_for_recipient
|
2697
|
+
# The plaintext data key encrypted with the public key from the Nitro
|
2698
|
+
# enclave. This ciphertext can be decrypted only by using a private
|
2699
|
+
# key in the Nitro enclave.
|
2700
|
+
#
|
2701
|
+
# This field is included in the response only when the `Recipient`
|
2702
|
+
# parameter in the request includes a valid attestation document from
|
2703
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
2704
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
2705
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
2706
|
+
# Management Service Developer Guide*.
|
2707
|
+
#
|
2708
|
+
#
|
2709
|
+
#
|
2710
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2711
|
+
# @return [String]
|
2712
|
+
#
|
2239
2713
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
|
2240
2714
|
#
|
2241
2715
|
class GenerateDataKeyResponse < Struct.new(
|
2242
2716
|
:ciphertext_blob,
|
2243
2717
|
:plaintext,
|
2244
|
-
:key_id
|
2718
|
+
:key_id,
|
2719
|
+
:ciphertext_for_recipient)
|
2245
2720
|
SENSITIVE = [:plaintext]
|
2246
2721
|
include Aws::Structure
|
2247
2722
|
end
|
2248
2723
|
|
2249
|
-
# @note When making an API call, you may pass GenerateDataKeyWithoutPlaintextRequest
|
2250
|
-
# data as a hash:
|
2251
|
-
#
|
2252
|
-
# {
|
2253
|
-
# key_id: "KeyIdType", # required
|
2254
|
-
# encryption_context: {
|
2255
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
2256
|
-
# },
|
2257
|
-
# key_spec: "AES_256", # accepts AES_256, AES_128
|
2258
|
-
# number_of_bytes: 1,
|
2259
|
-
# grant_tokens: ["GrantTokenType"],
|
2260
|
-
# }
|
2261
|
-
#
|
2262
2724
|
# @!attribute [rw] key_id
|
2263
|
-
#
|
2725
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
2726
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
2727
|
+
# custom key store. To get the type and origin of your KMS key, use
|
2728
|
+
# the DescribeKey operation.
|
2264
2729
|
#
|
2265
2730
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
2266
2731
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -2286,14 +2751,20 @@ module Aws::KMS
|
|
2286
2751
|
# Specifies the encryption context that will be used when encrypting
|
2287
2752
|
# the data key.
|
2288
2753
|
#
|
2754
|
+
# Do not include confidential or sensitive information in this field.
|
2755
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2756
|
+
# other output.
|
2757
|
+
#
|
2289
2758
|
# An *encryption context* is a collection of non-secret key-value
|
2290
|
-
# pairs that
|
2759
|
+
# pairs that represent additional authenticated data. When you use an
|
2291
2760
|
# encryption context to encrypt data, you must specify the same (an
|
2292
2761
|
# exact case-sensitive match) encryption context to decrypt the data.
|
2293
|
-
# An encryption context is
|
2294
|
-
# KMS
|
2762
|
+
# An encryption context is supported only on operations with symmetric
|
2763
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
2764
|
+
# keys, an encryption context is optional, but it is strongly
|
2765
|
+
# recommended.
|
2295
2766
|
#
|
2296
|
-
# For more information, see [Encryption
|
2767
|
+
# For more information, see [Encryption context][1] in the *Key
|
2297
2768
|
# Management Service Developer Guide*.
|
2298
2769
|
#
|
2299
2770
|
#
|
@@ -2327,6 +2798,18 @@ module Aws::KMS
|
|
2327
2798
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2328
2799
|
# @return [Array<String>]
|
2329
2800
|
#
|
2801
|
+
# @!attribute [rw] dry_run
|
2802
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2803
|
+
# parameter.
|
2804
|
+
#
|
2805
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2806
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2807
|
+
#
|
2808
|
+
#
|
2809
|
+
#
|
2810
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2811
|
+
# @return [Boolean]
|
2812
|
+
#
|
2330
2813
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
|
2331
2814
|
#
|
2332
2815
|
class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
|
@@ -2334,7 +2817,8 @@ module Aws::KMS
|
|
2334
2817
|
:encryption_context,
|
2335
2818
|
:key_spec,
|
2336
2819
|
:number_of_bytes,
|
2337
|
-
:grant_tokens
|
2820
|
+
:grant_tokens,
|
2821
|
+
:dry_run)
|
2338
2822
|
SENSITIVE = []
|
2339
2823
|
include Aws::Structure
|
2340
2824
|
end
|
@@ -2363,33 +2847,150 @@ module Aws::KMS
|
|
2363
2847
|
include Aws::Structure
|
2364
2848
|
end
|
2365
2849
|
|
2366
|
-
#
|
2367
|
-
#
|
2850
|
+
# @!attribute [rw] message
|
2851
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
2852
|
+
#
|
2853
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
2854
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
2855
|
+
# message, you must verify the HMAC of the same hash digest.
|
2856
|
+
# @return [String]
|
2857
|
+
#
|
2858
|
+
# @!attribute [rw] key_id
|
2859
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
2860
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
2861
|
+
#
|
2862
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
2863
|
+
# the `KeySpec` field in the response.
|
2864
|
+
#
|
2865
|
+
#
|
2866
|
+
#
|
2867
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
2868
|
+
# @return [String]
|
2869
|
+
#
|
2870
|
+
# @!attribute [rw] mac_algorithm
|
2871
|
+
# The MAC algorithm used in the operation.
|
2872
|
+
#
|
2873
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
2874
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
2875
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
2876
|
+
# the `DescribeKey` response.
|
2877
|
+
# @return [String]
|
2878
|
+
#
|
2879
|
+
# @!attribute [rw] grant_tokens
|
2880
|
+
# A list of grant tokens.
|
2881
|
+
#
|
2882
|
+
# Use a grant token when your permission to call this operation comes
|
2883
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
2884
|
+
# For more information, see [Grant token][1] and [Using a grant
|
2885
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
2886
|
+
#
|
2887
|
+
#
|
2888
|
+
#
|
2889
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
2890
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2891
|
+
# @return [Array<String>]
|
2892
|
+
#
|
2893
|
+
# @!attribute [rw] dry_run
|
2894
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2895
|
+
# parameter.
|
2896
|
+
#
|
2897
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2898
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2899
|
+
#
|
2900
|
+
#
|
2901
|
+
#
|
2902
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2903
|
+
# @return [Boolean]
|
2904
|
+
#
|
2905
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
2906
|
+
#
|
2907
|
+
class GenerateMacRequest < Struct.new(
|
2908
|
+
:message,
|
2909
|
+
:key_id,
|
2910
|
+
:mac_algorithm,
|
2911
|
+
:grant_tokens,
|
2912
|
+
:dry_run)
|
2913
|
+
SENSITIVE = [:message]
|
2914
|
+
include Aws::Structure
|
2915
|
+
end
|
2916
|
+
|
2917
|
+
# @!attribute [rw] mac
|
2918
|
+
# The hash-based message authentication code (HMAC) that was generated
|
2919
|
+
# for the specified message, HMAC KMS key, and MAC algorithm.
|
2920
|
+
#
|
2921
|
+
# This is the standard, raw HMAC defined in [RFC 2104][1].
|
2922
|
+
#
|
2923
|
+
#
|
2924
|
+
#
|
2925
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
2926
|
+
# @return [String]
|
2927
|
+
#
|
2928
|
+
# @!attribute [rw] mac_algorithm
|
2929
|
+
# The MAC algorithm that was used to generate the HMAC.
|
2930
|
+
# @return [String]
|
2368
2931
|
#
|
2369
|
-
#
|
2370
|
-
#
|
2371
|
-
#
|
2372
|
-
# }
|
2932
|
+
# @!attribute [rw] key_id
|
2933
|
+
# The HMAC KMS key used in the operation.
|
2934
|
+
# @return [String]
|
2373
2935
|
#
|
2936
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
2937
|
+
#
|
2938
|
+
class GenerateMacResponse < Struct.new(
|
2939
|
+
:mac,
|
2940
|
+
:mac_algorithm,
|
2941
|
+
:key_id)
|
2942
|
+
SENSITIVE = []
|
2943
|
+
include Aws::Structure
|
2944
|
+
end
|
2945
|
+
|
2374
2946
|
# @!attribute [rw] number_of_bytes
|
2375
|
-
# The length of the byte string.
|
2947
|
+
# The length of the random byte string. This parameter is required.
|
2376
2948
|
# @return [Integer]
|
2377
2949
|
#
|
2378
2950
|
# @!attribute [rw] custom_key_store_id
|
2379
2951
|
# Generates the random byte string in the CloudHSM cluster that is
|
2380
|
-
# associated with the specified
|
2381
|
-
#
|
2952
|
+
# associated with the specified CloudHSM key store. To find the ID of
|
2953
|
+
# a custom key store, use the DescribeCustomKeyStores operation.
|
2382
2954
|
#
|
2955
|
+
# External key store IDs are not valid for this parameter. If you
|
2956
|
+
# specify the ID of an external key store, `GenerateRandom` throws an
|
2957
|
+
# `UnsupportedOperationException`.
|
2958
|
+
# @return [String]
|
2383
2959
|
#
|
2960
|
+
# @!attribute [rw] recipient
|
2961
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2962
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2963
|
+
# public key. The only valid encryption algorithm is
|
2964
|
+
# `RSAES_OAEP_SHA_256`.
|
2384
2965
|
#
|
2385
|
-
#
|
2386
|
-
#
|
2966
|
+
# This parameter only supports attestation documents for Amazon Web
|
2967
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2968
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2969
|
+
#
|
2970
|
+
# When you use this parameter, instead of returning plaintext bytes,
|
2971
|
+
# KMS encrypts the plaintext bytes under the public key in the
|
2972
|
+
# attestation document, and returns the resulting ciphertext in the
|
2973
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
2974
|
+
# be decrypted only with the private key in the enclave. The
|
2975
|
+
# `Plaintext` field in the response is null or empty.
|
2976
|
+
#
|
2977
|
+
# For information about the interaction between KMS and Amazon Web
|
2978
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2979
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2980
|
+
#
|
2981
|
+
#
|
2982
|
+
#
|
2983
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2984
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2985
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2986
|
+
# @return [Types::RecipientInfo]
|
2387
2987
|
#
|
2388
2988
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
|
2389
2989
|
#
|
2390
2990
|
class GenerateRandomRequest < Struct.new(
|
2391
2991
|
:number_of_bytes,
|
2392
|
-
:custom_key_store_id
|
2992
|
+
:custom_key_store_id,
|
2993
|
+
:recipient)
|
2393
2994
|
SENSITIVE = []
|
2394
2995
|
include Aws::Structure
|
2395
2996
|
end
|
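Review bot: The `mac` attribute on GenerateMacResponse documents the value as a raw RFC 2104 HMAC but gives no guidance on checking it, and the obvious Ruby idiom `resp.mac == expected` is a plain byte comparison that is not constant-time. The `message` doc on GenerateMacRequest already points readers to VerifyMac, so the response doc should too: `# To check a MAC, pass it to VerifyMac with the same message, key, and mac_algorithm instead of comparing the bytes client-side; String#== is not a constant-time comparison.` The rest of the hunk (GenerateRandomRequest's `recipient` and `custom_key_store_id` text) reads fine; its note that an external key store ID raises `UnsupportedOperationException` is the kind of failure-mode sentence the `recipient` docs elsewhere in this diff are missing.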
@@ -2398,24 +2999,37 @@ module Aws::KMS
|
|
2398
2999
|
# The random byte string. When you use the HTTP API or the Amazon Web
|
2399
3000
|
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2400
3001
|
# Base64-encoded.
|
3002
|
+
#
|
3003
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
3004
|
+
# `Plaintext` field is null or empty.
|
3005
|
+
# @return [String]
|
3006
|
+
#
|
3007
|
+
# @!attribute [rw] ciphertext_for_recipient
|
3008
|
+
# The plaintext random bytes encrypted with the public key from the
|
3009
|
+
# Nitro enclave. This ciphertext can be decrypted only by using a
|
3010
|
+
# private key in the Nitro enclave.
|
3011
|
+
#
|
3012
|
+
# This field is included in the response only when the `Recipient`
|
3013
|
+
# parameter in the request includes a valid attestation document from
|
3014
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
3015
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
3016
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
3017
|
+
# Management Service Developer Guide*.
|
3018
|
+
#
|
3019
|
+
#
|
3020
|
+
#
|
3021
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2401
3022
|
# @return [String]
|
2402
3023
|
#
|
2403
3024
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
2404
3025
|
#
|
2405
3026
|
class GenerateRandomResponse < Struct.new(
|
2406
|
-
:plaintext
|
3027
|
+
:plaintext,
|
3028
|
+
:ciphertext_for_recipient)
|
2407
3029
|
SENSITIVE = [:plaintext]
|
2408
3030
|
include Aws::Structure
|
2409
3031
|
end
|
2410
3032
|
|
2411
|
-
# @note When making an API call, you may pass GetKeyPolicyRequest
|
2412
|
-
# data as a hash:
|
2413
|
-
#
|
2414
|
-
# {
|
2415
|
-
# key_id: "KeyIdType", # required
|
2416
|
-
# policy_name: "PolicyNameType", # required
|
2417
|
-
# }
|
2418
|
-
#
|
2419
3033
|
# @!attribute [rw] key_id
|
2420
3034
|
# Gets the key policy for the specified KMS key.
|
2421
3035
|
#
|
@@ -2458,13 +3072,6 @@ module Aws::KMS
|
|
2458
3072
|
include Aws::Structure
|
2459
3073
|
end
|
2460
3074
|
|
2461
|
-
# @note When making an API call, you may pass GetKeyRotationStatusRequest
|
2462
|
-
# data as a hash:
|
2463
|
-
#
|
2464
|
-
# {
|
2465
|
-
# key_id: "KeyIdType", # required
|
2466
|
-
# }
|
2467
|
-
#
|
2468
3075
|
# @!attribute [rw] key_id
|
2469
3076
|
# Gets the rotation status for the specified KMS key.
|
2470
3077
|
#
|
@@ -2503,18 +3110,14 @@ module Aws::KMS
|
|
2503
3110
|
include Aws::Structure
|
2504
3111
|
end
|
2505
3112
|
|
2506
|
-
# @note When making an API call, you may pass GetParametersForImportRequest
|
2507
|
-
# data as a hash:
|
2508
|
-
#
|
2509
|
-
# {
|
2510
|
-
# key_id: "KeyIdType", # required
|
2511
|
-
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
2512
|
-
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
|
2513
|
-
# }
|
2514
|
-
#
|
2515
3113
|
# @!attribute [rw] key_id
|
2516
|
-
# The identifier of the
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
3114
|
+
# The identifier of the KMS key that will be associated with the
|
3115
|
+
# imported key material. The `Origin` of the KMS key must be
|
3116
|
+
# `EXTERNAL`.
|
3117
|
+
#
|
3118
|
+
# All KMS key types are supported, including multi-Region keys.
|
3119
|
+
# However, you cannot import key material into a KMS key in a custom
|
3120
|
+
# key store.
|
2518
3121
|
#
|
2519
3122
|
# Specify the key ID or key ARN of the KMS key.
|
2520
3123
|
#
|
@@ -2530,19 +3133,54 @@ module Aws::KMS
|
|
2530
3133
|
# @return [String]
|
2531
3134
|
#
|
2532
3135
|
# @!attribute [rw] wrapping_algorithm
|
2533
|
-
# The algorithm you will use
|
2534
|
-
#
|
2535
|
-
#
|
2536
|
-
#
|
3136
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
3137
|
+
# the response to protect your key material during import. For more
|
3138
|
+
# information, see [Select a wrapping
|
3139
|
+
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
3140
|
+
# in the *Key Management Service Developer Guide*.
|
3141
|
+
#
|
3142
|
+
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
3143
|
+
# an AES key that you generate, then encrypt your AES key with the RSA
|
3144
|
+
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
3145
|
+
# key material directly with the RSA public key from KMS.
|
3146
|
+
#
|
3147
|
+
# The wrapping algorithms that you can use depend on the type of key
|
3148
|
+
# material that you are importing. To import an RSA private key, you
|
3149
|
+
# must use an RSA\_AES wrapping algorithm.
|
3150
|
+
#
|
3151
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
3152
|
+
# ECC key material.
|
3153
|
+
#
|
3154
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
|
3155
|
+
# ECC key material.
|
2537
3156
|
#
|
3157
|
+
# * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
|
3158
|
+
# material, except RSA key material (private key).
|
2538
3159
|
#
|
3160
|
+
# You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
|
3161
|
+
# the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
|
3162
|
+
# material.
|
2539
3163
|
#
|
2540
|
-
#
|
3164
|
+
# * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
|
3165
|
+
# except RSA key material (private key).
|
3166
|
+
#
|
3167
|
+
# You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
|
3168
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
3169
|
+
#
|
3170
|
+
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
|
3171
|
+
# symmetric encryption key material (and only in legacy mode).
|
2541
3172
|
# @return [String]
|
2542
3173
|
#
|
2543
3174
|
# @!attribute [rw] wrapping_key_spec
|
2544
|
-
# The type of
|
2545
|
-
#
|
3175
|
+
# The type of RSA public key to return in the response. You will use
|
3176
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
3177
|
+
# your key material during import.
|
3178
|
+
#
|
3179
|
+
# Use the longest RSA wrapping key that is practical.
|
3180
|
+
#
|
3181
|
+
# You cannot use an RSA\_2048 public key to directly wrap an
|
3182
|
+
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
3183
|
+
# algorithm or choose a longer RSA public key.
|
2546
3184
|
# @return [String]
|
2547
3185
|
#
|
2548
3186
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
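Review bot: The rewritten `wrapping_algorithm` doc on GetParametersForImportRequest links to `kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm` as a bare relative path, which renders as a dead link in the generated YARD output because every other reference in this file is an absolute `https://docs.aws.amazon.com/...` footnote. Change it to `[Select a wrapping algorithm][1]` with a footnote `[1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm`. With the `@note` example hash removed, the accepted values for `wrapping_key_spec` are no longer listed in this attribute's doc even though the new text refers to choosing "a longer RSA public key"; the enumeration should be restated here, with client_api.rb (not visible in this chunk) as the source of truth. The explicit deprecation mark on `RSAES_PKCS1_V1_5` and the "use the longest RSA wrapping key that is practical" guidance are good additions and should be kept.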
@@ -2592,14 +3230,6 @@ module Aws::KMS
|
|
2592
3230
|
include Aws::Structure
|
2593
3231
|
end
|
2594
3232
|
|
2595
|
-
# @note When making an API call, you may pass GetPublicKeyRequest
|
2596
|
-
# data as a hash:
|
2597
|
-
#
|
2598
|
-
# {
|
2599
|
-
# key_id: "KeyIdType", # required
|
2600
|
-
# grant_tokens: ["GrantTokenType"],
|
2601
|
-
# }
|
2602
|
-
#
|
2603
3233
|
# @!attribute [rw] key_id
|
2604
3234
|
# Identifies the asymmetric KMS key that includes the public key.
|
2605
3235
|
#
|
@@ -2675,7 +3305,7 @@ module Aws::KMS
|
|
2675
3305
|
#
|
2676
3306
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
2677
3307
|
# value. We recommend that you use the `KeySpec` field in your code.
|
2678
|
-
# However, to avoid breaking changes, KMS
|
3308
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
2679
3309
|
# @return [String]
|
2680
3310
|
#
|
2681
3311
|
# @!attribute [rw] key_spec
|
@@ -2756,18 +3386,6 @@ module Aws::KMS
|
|
2756
3386
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
|
2757
3387
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
|
2758
3388
|
#
|
2759
|
-
# @note When making an API call, you may pass GrantConstraints
|
2760
|
-
# data as a hash:
|
2761
|
-
#
|
2762
|
-
# {
|
2763
|
-
# encryption_context_subset: {
|
2764
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
2765
|
-
# },
|
2766
|
-
# encryption_context_equals: {
|
2767
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
2768
|
-
# },
|
2769
|
-
# }
|
2770
|
-
#
|
2771
3389
|
# @!attribute [rw] encryption_context_subset
|
2772
3390
|
# A list of key-value pairs that must be included in the encryption
|
2773
3391
|
# context of the [cryptographic operation][1] request. The grant
|
@@ -2868,22 +3486,20 @@ module Aws::KMS
|
|
2868
3486
|
include Aws::Structure
|
2869
3487
|
end
|
2870
3488
|
|
2871
|
-
# @note When making an API call, you may pass ImportKeyMaterialRequest
|
2872
|
-
# data as a hash:
|
2873
|
-
#
|
2874
|
-
# {
|
2875
|
-
# key_id: "KeyIdType", # required
|
2876
|
-
# import_token: "data", # required
|
2877
|
-
# encrypted_key_material: "data", # required
|
2878
|
-
# valid_to: Time.now,
|
2879
|
-
# expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
|
2880
|
-
# }
|
2881
|
-
#
|
2882
3489
|
# @!attribute [rw] key_id
|
2883
|
-
# The identifier of the
|
2884
|
-
# key material.
|
2885
|
-
#
|
2886
|
-
#
|
3490
|
+
# The identifier of the KMS key that will be associated with the
|
3491
|
+
# imported key material. This must be the same KMS key specified in
|
3492
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
3493
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL` and its
|
3494
|
+
# `KeyState` must be `PendingImport`.
|
3495
|
+
#
|
3496
|
+
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
3497
|
+
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
3498
|
+
# including a [multi-Region
|
3499
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of
|
3500
|
+
# any supported type. You cannot perform this operation on a KMS key
|
3501
|
+
# in a custom key store, or on a KMS key in a different Amazon Web
|
3502
|
+
# Services account.
|
2887
3503
|
#
|
2888
3504
|
# Specify the key ID or key ARN of the KMS key.
|
2889
3505
|
#
|
@@ -2907,25 +3523,47 @@ module Aws::KMS
|
|
2907
3523
|
#
|
2908
3524
|
# @!attribute [rw] encrypted_key_material
|
2909
3525
|
# The encrypted key material to import. The key material must be
|
2910
|
-
# encrypted
|
3526
|
+
# encrypted under the public wrapping key that GetParametersForImport
|
2911
3527
|
# returned, using the wrapping algorithm that you specified in the
|
2912
3528
|
# same `GetParametersForImport` request.
|
2913
3529
|
# @return [String]
|
2914
3530
|
#
|
2915
3531
|
# @!attribute [rw] valid_to
|
2916
|
-
# The time
|
2917
|
-
#
|
2918
|
-
#
|
2919
|
-
#
|
2920
|
-
#
|
3532
|
+
# The date and time when the imported key material expires. This
|
3533
|
+
# parameter is required when the value of the `ExpirationModel`
|
3534
|
+
# parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
|
3535
|
+
#
|
3536
|
+
# The value of this parameter must be a future date and time. The
|
3537
|
+
# maximum value is 365 days from the request date.
|
3538
|
+
#
|
3539
|
+
# When the key material expires, KMS deletes the key material from the
|
3540
|
+
# KMS key. Without its key material, the KMS key is unusable. To use
|
3541
|
+
# the KMS key in cryptographic operations, you must reimport the same
|
3542
|
+
# key material.
|
3543
|
+
#
|
3544
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3545
|
+
# current import after the request completes. To change either value,
|
3546
|
+
# you must delete (DeleteImportedKeyMaterial) and reimport the key
|
3547
|
+
# material.
|
2921
3548
|
# @return [Time]
|
2922
3549
|
#
|
2923
3550
|
# @!attribute [rw] expiration_model
|
2924
3551
|
# Specifies whether the key material expires. The default is
|
2925
|
-
# `KEY_MATERIAL_EXPIRES
|
2926
|
-
#
|
3552
|
+
# `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
|
3553
|
+
# expiration time][1] in the *Key Management Service Developer Guide*.
|
3554
|
+
#
|
3555
|
+
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
3556
|
+
# must specify a value for the `ValidTo` parameter. When value is
|
2927
3557
|
# `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
|
2928
3558
|
# parameter.
|
3559
|
+
#
|
3560
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3561
|
+
# current import after the request completes. To change either value,
|
3562
|
+
# you must reimport the key material.
|
3563
|
+
#
|
3564
|
+
#
|
3565
|
+
#
|
3566
|
+
# [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
2929
3567
|
# @return [String]
|
2930
3568
|
#
|
2931
3569
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
@@ -2976,11 +3614,11 @@ module Aws::KMS
|
|
2976
3614
|
end
|
2977
3615
|
|
2978
3616
|
# The request was rejected because the trust anchor certificate in the
|
2979
|
-
# request
|
2980
|
-
# cluster.
|
3617
|
+
# request to create an CloudHSM key store is not the trust anchor
|
3618
|
+
# certificate for the specified CloudHSM cluster.
|
2981
3619
|
#
|
2982
|
-
# When you [initialize the cluster][1], you create the trust
|
2983
|
-
# certificate and save it in the `customerCA.crt` file.
|
3620
|
+
# When you [initialize the CloudHSM cluster][1], you create the trust
|
3621
|
+
# anchor certificate and save it in the `customerCA.crt` file.
|
2984
3622
|
#
|
2985
3623
|
#
|
2986
3624
|
#
|
@@ -3095,9 +3733,11 @@ module Aws::KMS
|
|
3095
3733
|
# key `(KeySpec`).
|
3096
3734
|
#
|
3097
3735
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
3100
|
-
#
|
3736
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
3737
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
3738
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
3739
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
3740
|
+
# DescribeKey operation.
|
3101
3741
|
#
|
3102
3742
|
# To find the encryption or signing algorithms supported for a
|
3103
3743
|
# particular KMS key, use the DescribeKey operation.
|
@@ -3141,6 +3781,22 @@ module Aws::KMS
|
|
3141
3781
|
include Aws::Structure
|
3142
3782
|
end
|
3143
3783
|
|
3784
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
3785
|
+
# verification fails when the HMAC computed by using the specified
|
3786
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
3787
|
+
# specified in the request.
|
3788
|
+
#
|
3789
|
+
# @!attribute [rw] message
|
3790
|
+
# @return [String]
|
3791
|
+
#
|
3792
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
3793
|
+
#
|
3794
|
+
class KMSInvalidMacException < Struct.new(
|
3795
|
+
:message)
|
3796
|
+
SENSITIVE = []
|
3797
|
+
include Aws::Structure
|
3798
|
+
end
|
3799
|
+
|
3144
3800
|
# The request was rejected because the signature verification failed.
|
3145
3801
|
# Signature verification fails when it cannot confirm that signature was
|
3146
3802
|
# produced by signing the specified message with the specified KMS key
|
@@ -3160,9 +3816,19 @@ module Aws::KMS
|
|
3160
3816
|
# The request was rejected because the state of the specified resource
|
3161
3817
|
# is not valid for this request.
|
3162
3818
|
#
|
3163
|
-
#
|
3164
|
-
#
|
3165
|
-
#
|
3819
|
+
# This exceptions means one of the following:
|
3820
|
+
#
|
3821
|
+
# * The key state of the KMS key is not compatible with the operation.
|
3822
|
+
#
|
3823
|
+
# To find the key state, use the DescribeKey operation. For more
|
3824
|
+
# information about which key states are compatible with each KMS
|
3825
|
+
# operation, see [Key states of KMS keys][1] in the <i> <i>Key
|
3826
|
+
# Management Service Developer Guide</i> </i>.
|
3827
|
+
#
|
3828
|
+
# * For cryptographic operations on KMS keys in custom key stores, this
|
3829
|
+
# exception represents a general failure with many possible causes. To
|
3830
|
+
# identify the cause, see the error message that accompanies the
|
3831
|
+
# exception.
|
3166
3832
|
#
|
3167
3833
|
#
|
3168
3834
|
#
|
@@ -3200,8 +3866,8 @@ module Aws::KMS
|
|
3200
3866
|
|
3201
3867
|
# Contains metadata about a KMS key.
|
3202
3868
|
#
|
3203
|
-
# This data type is used as a response element for the CreateKey
|
3204
|
-
# DescribeKey operations.
|
3869
|
+
# This data type is used as a response element for the CreateKey,
|
3870
|
+
# DescribeKey, and ReplicateKey operations.
|
3205
3871
|
#
|
3206
3872
|
# @!attribute [rw] aws_account_id
|
3207
3873
|
# The twelve-digit account ID of the Amazon Web Services account that
|
@@ -3247,8 +3913,8 @@ module Aws::KMS
|
|
3247
3913
|
# The current status of the KMS key.
|
3248
3914
|
#
|
3249
3915
|
# For more information about how key state affects the use of a KMS
|
3250
|
-
# key, see [Key
|
3251
|
-
#
|
3916
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
3917
|
+
# Developer Guide*.
|
3252
3918
|
#
|
3253
3919
|
#
|
3254
3920
|
#
|
@@ -3285,7 +3951,7 @@ module Aws::KMS
|
|
3285
3951
|
#
|
3286
3952
|
# @!attribute [rw] custom_key_store_id
|
3287
3953
|
# A unique identifier for the [custom key store][1] that contains the
|
3288
|
-
# KMS key. This
|
3954
|
+
# KMS key. This field is present only when the KMS key is created in a
|
3289
3955
|
# custom key store.
|
3290
3956
|
#
|
3291
3957
|
#
|
@@ -3295,10 +3961,10 @@ module Aws::KMS
|
|
3295
3961
|
#
|
3296
3962
|
# @!attribute [rw] cloud_hsm_cluster_id
|
3297
3963
|
# The cluster ID of the CloudHSM cluster that contains the key
|
3298
|
-
# material for the KMS key. When you create a KMS key in
|
3299
|
-
# store][1], KMS creates the key material for the KMS key
|
3300
|
-
# associated CloudHSM cluster. This
|
3301
|
-
# key is created in
|
3964
|
+
# material for the KMS key. When you create a KMS key in an CloudHSM
|
3965
|
+
# [custom key store][1], KMS creates the key material for the KMS key
|
3966
|
+
# in the associated CloudHSM cluster. This field is present only when
|
3967
|
+
# the KMS key is created in an CloudHSM key store.
|
3302
3968
|
#
|
3303
3969
|
#
|
3304
3970
|
#
|
@@ -3327,7 +3993,7 @@ module Aws::KMS
|
|
3327
3993
|
#
|
3328
3994
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
3329
3995
|
# value. We recommend that you use the `KeySpec` field in your code.
|
3330
|
-
# However, to avoid breaking changes, KMS
|
3996
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
3331
3997
|
# @return [String]
|
3332
3998
|
#
|
3333
3999
|
# @!attribute [rw] key_spec
|
@@ -3355,9 +4021,8 @@ module Aws::KMS
|
|
3355
4021
|
# (`False`) key. This value is `True` for multi-Region primary and
|
3356
4022
|
# replica keys and `False` for regional KMS keys.
|
3357
4023
|
#
|
3358
|
-
# For more information about multi-Region keys, see [
|
3359
|
-
#
|
3360
|
-
# Guide*.
|
4024
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
4025
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
3361
4026
|
#
|
3362
4027
|
#
|
3363
4028
|
#
|
@@ -3402,6 +4067,26 @@ module Aws::KMS
|
|
3402
4067
|
# the deletion date appears in the `DeletionDate` field.
|
3403
4068
|
# @return [Integer]
|
3404
4069
|
#
|
4070
|
+
# @!attribute [rw] mac_algorithms
|
4071
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
4072
|
+
# key supports.
|
4073
|
+
#
|
4074
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
4075
|
+
# `GENERATE_VERIFY_MAC`.
|
4076
|
+
# @return [Array<String>]
|
4077
|
+
#
|
4078
|
+
# @!attribute [rw] xks_key_configuration
|
4079
|
+
# Information about the external key that is associated with a KMS key
|
4080
|
+
# in an external key store.
|
4081
|
+
#
|
4082
|
+
# For more information, see [External key][1] in the *Key Management
|
4083
|
+
# Service Developer Guide*.
|
4084
|
+
#
|
4085
|
+
#
|
4086
|
+
#
|
4087
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
4088
|
+
# @return [Types::XksKeyConfigurationType]
|
4089
|
+
#
|
3405
4090
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
3406
4091
|
#
|
3407
4092
|
class KeyMetadata < Struct.new(
|
@@ -3426,7 +4111,9 @@ module Aws::KMS
|
|
3426
4111
|
:signing_algorithms,
|
3427
4112
|
:multi_region,
|
3428
4113
|
:multi_region_configuration,
|
3429
|
-
:pending_deletion_window_in_days
|
4114
|
+
:pending_deletion_window_in_days,
|
4115
|
+
:mac_algorithms,
|
4116
|
+
:xks_key_configuration)
|
3430
4117
|
SENSITIVE = []
|
3431
4118
|
include Aws::Structure
|
3432
4119
|
end
|
@@ -3464,15 +4151,6 @@ module Aws::KMS
|
|
3464
4151
|
include Aws::Structure
|
3465
4152
|
end
|
3466
4153
|
|
3467
|
-
# @note When making an API call, you may pass ListAliasesRequest
|
3468
|
-
# data as a hash:
|
3469
|
-
#
|
3470
|
-
# {
|
3471
|
-
# key_id: "KeyIdType",
|
3472
|
-
# limit: 1,
|
3473
|
-
# marker: "MarkerType",
|
3474
|
-
# }
|
3475
|
-
#
|
3476
4154
|
# @!attribute [rw] key_id
|
3477
4155
|
# Lists only aliases that are associated with the specified KMS key.
|
3478
4156
|
# Enter a KMS key in your Amazon Web Services account.
|
@@ -3545,17 +4223,6 @@ module Aws::KMS
|
|
3545
4223
|
include Aws::Structure
|
3546
4224
|
end
|
3547
4225
|
|
3548
|
-
# @note When making an API call, you may pass ListGrantsRequest
|
3549
|
-
# data as a hash:
|
3550
|
-
#
|
3551
|
-
# {
|
3552
|
-
# limit: 1,
|
3553
|
-
# marker: "MarkerType",
|
3554
|
-
# key_id: "KeyIdType", # required
|
3555
|
-
# grant_id: "GrantIdType",
|
3556
|
-
# grantee_principal: "PrincipalIdType",
|
3557
|
-
# }
|
3558
|
-
#
|
3559
4226
|
# @!attribute [rw] limit
|
3560
4227
|
# Use this parameter to specify the maximum number of items to return.
|
3561
4228
|
# When this value is present, KMS does not return more than the
|
@@ -3639,15 +4306,6 @@ module Aws::KMS
|
|
3639
4306
|
include Aws::Structure
|
3640
4307
|
end
|
3641
4308
|
|
3642
|
-
# @note When making an API call, you may pass ListKeyPoliciesRequest
|
3643
|
-
# data as a hash:
|
3644
|
-
#
|
3645
|
-
# {
|
3646
|
-
# key_id: "KeyIdType", # required
|
3647
|
-
# limit: 1,
|
3648
|
-
# marker: "MarkerType",
|
3649
|
-
# }
|
3650
|
-
#
|
3651
4309
|
# @!attribute [rw] key_id
|
3652
4310
|
# Gets the names of key policies for the specified KMS key.
|
3653
4311
|
#
|
@@ -3718,14 +4376,6 @@ module Aws::KMS
|
|
3718
4376
|
include Aws::Structure
|
3719
4377
|
end
|
3720
4378
|
|
3721
|
-
# @note When making an API call, you may pass ListKeysRequest
|
3722
|
-
# data as a hash:
|
3723
|
-
#
|
3724
|
-
# {
|
3725
|
-
# limit: 1,
|
3726
|
-
# marker: "MarkerType",
|
3727
|
-
# }
|
3728
|
-
#
|
3729
4379
|
# @!attribute [rw] limit
|
3730
4380
|
# Use this parameter to specify the maximum number of items to return.
|
3731
4381
|
# When this value is present, KMS does not return more than the
|
@@ -3777,15 +4427,6 @@ module Aws::KMS
|
|
3777
4427
|
include Aws::Structure
|
3778
4428
|
end
|
3779
4429
|
|
3780
|
-
# @note When making an API call, you may pass ListResourceTagsRequest
|
3781
|
-
# data as a hash:
|
3782
|
-
#
|
3783
|
-
# {
|
3784
|
-
# key_id: "KeyIdType", # required
|
3785
|
-
# limit: 1,
|
3786
|
-
# marker: "MarkerType",
|
3787
|
-
# }
|
3788
|
-
#
|
3789
4430
|
# @!attribute [rw] key_id
|
3790
4431
|
# Gets tags on the specified KMS key.
|
3791
4432
|
#
|
@@ -3834,8 +4475,8 @@ module Aws::KMS
|
|
3834
4475
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
3835
4476
|
#
|
3836
4477
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
3837
|
-
# KMS key. For details, see [
|
3838
|
-
#
|
4478
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
4479
|
+
# Service Developer Guide*.
|
3839
4480
|
#
|
3840
4481
|
# </note>
|
3841
4482
|
#
|
@@ -3868,15 +4509,6 @@ module Aws::KMS
|
|
3868
4509
|
include Aws::Structure
|
3869
4510
|
end
|
3870
4511
|
|
3871
|
-
# @note When making an API call, you may pass ListRetirableGrantsRequest
|
3872
|
-
# data as a hash:
|
3873
|
-
#
|
3874
|
-
# {
|
3875
|
-
# limit: 1,
|
3876
|
-
# marker: "MarkerType",
|
3877
|
-
# retiring_principal: "PrincipalIdType", # required
|
3878
|
-
# }
|
3879
|
-
#
|
3880
4512
|
# @!attribute [rw] limit
|
3881
4513
|
# Use this parameter to specify the maximum number of items to return.
|
3882
4514
|
# When this value is present, KMS does not return more than the
|
@@ -3898,17 +4530,16 @@ module Aws::KMS
|
|
3898
4530
|
# in your Amazon Web Services account.
|
3899
4531
|
#
|
3900
4532
|
# To specify the retiring principal, use the [Amazon Resource Name
|
3901
|
-
# (ARN)][1] of an Amazon Web Services principal. Valid
|
3902
|
-
#
|
3903
|
-
#
|
3904
|
-
#
|
3905
|
-
#
|
3906
|
-
# of the *Amazon Web Services General Reference*.
|
4533
|
+
# (ARN)][1] of an Amazon Web Services principal. Valid principals
|
4534
|
+
# include Amazon Web Services accounts, IAM users, IAM roles,
|
4535
|
+
# federated users, and assumed role users. For help with the ARN
|
4536
|
+
# syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
|
4537
|
+
# Access Management User Guide</i> </i>.
|
3907
4538
|
#
|
3908
4539
|
#
|
3909
4540
|
#
|
3910
4541
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
3911
|
-
# [2]: https://docs.aws.amazon.com/
|
4542
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
|
3912
4543
|
# @return [String]
|
3913
4544
|
#
|
3914
4545
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
|
@@ -4001,16 +4632,6 @@ module Aws::KMS
|
|
4001
4632
|
include Aws::Structure
|
4002
4633
|
end
|
4003
4634
|
|
4004
|
-
# @note When making an API call, you may pass PutKeyPolicyRequest
|
4005
|
-
# data as a hash:
|
4006
|
-
#
|
4007
|
-
# {
|
4008
|
-
# key_id: "KeyIdType", # required
|
4009
|
-
# policy_name: "PolicyNameType", # required
|
4010
|
-
# policy: "PolicyType", # required
|
4011
|
-
# bypass_policy_lockout_safety_check: false,
|
4012
|
-
# }
|
4013
|
-
#
|
4014
4635
|
# @!attribute [rw] key_id
|
4015
4636
|
# Sets the key policy on the specified KMS key.
|
4016
4637
|
#
|
@@ -4036,55 +4657,65 @@ module Aws::KMS
|
|
4036
4657
|
#
|
4037
4658
|
# The key policy must meet the following criteria:
|
4038
4659
|
#
|
4039
|
-
# *
|
4040
|
-
#
|
4041
|
-
#
|
4042
|
-
#
|
4043
|
-
#
|
4044
|
-
#
|
4045
|
-
# Developer Guide*.
|
4660
|
+
# * The key policy must allow the calling principal to make a
|
4661
|
+
# subsequent `PutKeyPolicy` request on the KMS key. This reduces the
|
4662
|
+
# risk that the KMS key becomes unmanageable. For more information,
|
4663
|
+
# see [Default key policy][1] in the *Key Management Service
|
4664
|
+
# Developer Guide*. (To omit this condition, set
|
4665
|
+
# `BypassPolicyLockoutSafetyCheck` to true.)
|
4046
4666
|
#
|
4047
4667
|
# * Each statement in the key policy must contain one or more
|
4048
4668
|
# principals. The principals in the key policy must exist and be
|
4049
4669
|
# visible to KMS. When you create a new Amazon Web Services
|
4050
|
-
# principal
|
4051
|
-
#
|
4052
|
-
#
|
4053
|
-
#
|
4054
|
-
#
|
4055
|
-
#
|
4056
|
-
#
|
4057
|
-
# The key policy cannot exceed 32 kilobytes (32768 bytes). For more
|
4058
|
-
# information, see [Resource Quotas][3] in the *Key Management Service
|
4059
|
-
# Developer Guide*.
|
4670
|
+
# principal, you might need to enforce a delay before including the
|
4671
|
+
# new principal in a key policy because the new principal might not
|
4672
|
+
# be immediately visible to KMS. For more information, see [Changes
|
4673
|
+
# that I make are not always immediately visible][2] in the *Amazon
|
4674
|
+
# Web Services Identity and Access Management User Guide*.
|
4675
|
+
#
|
4676
|
+
# A key policy document can include only the following characters:
|
4060
4677
|
#
|
4678
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
4679
|
+
# through the end of the ASCII character range.
|
4061
4680
|
#
|
4681
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
4682
|
+
# character set (through `\u00FF`).
|
4062
4683
|
#
|
4063
|
-
#
|
4684
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
4685
|
+
# (`\u000D`) special characters
|
4686
|
+
#
|
4687
|
+
# For information about key policies, see [Key policies in KMS][3] in
|
4688
|
+
# the *Key Management Service Developer Guide*.For help writing and
|
4689
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
4690
|
+
# Reference][4] in the <i> <i>Identity and Access Management User
|
4691
|
+
# Guide</i> </i>.
|
4692
|
+
#
|
4693
|
+
#
|
4694
|
+
#
|
4695
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
4064
4696
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
4065
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
4697
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4698
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
4066
4699
|
# @return [String]
|
4067
4700
|
#
|
4068
4701
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
4069
|
-
#
|
4070
|
-
#
|
4702
|
+
# Skips ("bypasses") the key policy lockout safety check. The
|
4703
|
+
# default value is false.
|
4071
4704
|
#
|
4072
4705
|
# Setting this value to true increases the risk that the KMS key
|
4073
4706
|
# becomes unmanageable. Do not set this value to true
|
4074
4707
|
# indiscriminately.
|
4075
4708
|
#
|
4076
|
-
# For more information,
|
4077
|
-
#
|
4709
|
+
# For more information, see [Default key policy][1] in the *Key
|
4710
|
+
# Management Service Developer Guide*.
|
4078
4711
|
#
|
4079
4712
|
# Use this parameter only when you intend to prevent the principal
|
4080
|
-
# that is making the request from making a subsequent
|
4713
|
+
# that is making the request from making a subsequent PutKeyPolicy
|
4081
4714
|
# request on the KMS key.
|
4082
4715
|
#
|
4083
|
-
# The default value is false.
|
4084
|
-
#
|
4085
4716
|
#
|
4086
4717
|
#
|
4087
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
4718
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
4088
4719
|
# @return [Boolean]
|
4089
4720
|
#
|
4090
4721
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicyRequest AWS API Documentation
|
@@ -4098,24 +4729,6 @@ module Aws::KMS
|
|
4098
4729
|
include Aws::Structure
|
4099
4730
|
end
|
4100
4731
|
|
4101
|
-
# @note When making an API call, you may pass ReEncryptRequest
|
4102
|
-
# data as a hash:
|
4103
|
-
#
|
4104
|
-
# {
|
4105
|
-
# ciphertext_blob: "data", # required
|
4106
|
-
# source_encryption_context: {
|
4107
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
4108
|
-
# },
|
4109
|
-
# source_key_id: "KeyIdType",
|
4110
|
-
# destination_key_id: "KeyIdType", # required
|
4111
|
-
# destination_encryption_context: {
|
4112
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
4113
|
-
# },
|
4114
|
-
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
4115
|
-
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
4116
|
-
# grant_tokens: ["GrantTokenType"],
|
4117
|
-
# }
|
4118
|
-
#
|
4119
4732
|
# @!attribute [rw] ciphertext_blob
|
4120
4733
|
# Ciphertext of the data to reencrypt.
|
4121
4734
|
# @return [String]
|
@@ -4126,13 +4739,15 @@ module Aws::KMS
|
|
4126
4739
|
# ciphertext.
|
4127
4740
|
#
|
4128
4741
|
# An *encryption context* is a collection of non-secret key-value
|
4129
|
-
# pairs that
|
4742
|
+
# pairs that represent additional authenticated data. When you use an
|
4130
4743
|
# encryption context to encrypt data, you must specify the same (an
|
4131
4744
|
# exact case-sensitive match) encryption context to decrypt the data.
|
4132
|
-
# An encryption context is
|
4133
|
-
# KMS
|
4745
|
+
# An encryption context is supported only on operations with symmetric
|
4746
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
4747
|
+
# keys, an encryption context is optional, but it is strongly
|
4748
|
+
# recommended.
|
4134
4749
|
#
|
4135
|
-
# For more information, see [Encryption
|
4750
|
+
# For more information, see [Encryption context][1] in the *Key
|
4136
4751
|
# Management Service Developer Guide*.
|
4137
4752
|
#
|
4138
4753
|
#
|
@@ -4142,15 +4757,18 @@ module Aws::KMS
|
|
4142
4757
|
#
|
4143
4758
|
# @!attribute [rw] source_key_id
|
4144
4759
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
4145
|
-
# before it is re-encrypted.
|
4146
|
-
#
|
4760
|
+
# before it is re-encrypted.
|
4761
|
+
#
|
4762
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
4763
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
4764
|
+
# operation throws an `IncorrectKeyException`.
|
4147
4765
|
#
|
4148
4766
|
# This parameter is required only when the ciphertext was encrypted
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
4153
|
-
# intend.
|
4767
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
4768
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
4769
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
4770
|
+
# best practice. This practice ensures that you use the KMS key that
|
4771
|
+
# you intend.
|
4154
4772
|
#
|
4155
4773
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4156
4774
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -4174,9 +4792,9 @@ module Aws::KMS
|
|
4174
4792
|
#
|
4175
4793
|
# @!attribute [rw] destination_key_id
|
4176
4794
|
# A unique identifier for the KMS key that is used to reencrypt the
|
4177
|
-
# data. Specify a symmetric
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
4179
|
-
# key, use the DescribeKey operation.
|
4795
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
4796
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
4797
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
4180
4798
|
#
|
4181
4799
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
4182
4800
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
@@ -4202,18 +4820,24 @@ module Aws::KMS
|
|
4202
4820
|
# Specifies that encryption context to use when the reencrypting the
|
4203
4821
|
# data.
|
4204
4822
|
#
|
4823
|
+
# Do not include confidential or sensitive information in this field.
|
4824
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
4825
|
+
# other output.
|
4826
|
+
#
|
4205
4827
|
# A destination encryption context is valid only when the destination
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
4828
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
4829
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
4208
4830
|
#
|
4209
4831
|
# An *encryption context* is a collection of non-secret key-value
|
4210
|
-
# pairs that
|
4832
|
+
# pairs that represent additional authenticated data. When you use an
|
4211
4833
|
# encryption context to encrypt data, you must specify the same (an
|
4212
4834
|
# exact case-sensitive match) encryption context to decrypt the data.
|
4213
|
-
# An encryption context is
|
4214
|
-
# KMS
|
4835
|
+
# An encryption context is supported only on operations with symmetric
|
4836
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
4837
|
+
# keys, an encryption context is optional, but it is strongly
|
4838
|
+
# recommended.
|
4215
4839
|
#
|
4216
|
-
# For more information, see [Encryption
|
4840
|
+
# For more information, see [Encryption context][1] in the *Key
|
4217
4841
|
# Management Service Developer Guide*.
|
4218
4842
|
#
|
4219
4843
|
#
|
@@ -4224,8 +4848,8 @@ module Aws::KMS
|
|
4224
4848
|
# @!attribute [rw] source_encryption_algorithm
|
4225
4849
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
4226
4850
|
# ciphertext before it is reencrypted. The default value,
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
4228
|
-
# keys.
|
4851
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
4852
|
+
# encryption KMS keys.
|
4229
4853
|
#
|
4230
4854
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
4231
4855
|
# If you specify a different algorithm, the decrypt attempt fails.
|
@@ -4238,7 +4862,7 @@ module Aws::KMS
|
|
4238
4862
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
4239
4863
|
# data after it has decrypted it. The default value,
|
4240
4864
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
4241
|
-
# symmetric KMS keys.
|
4865
|
+
# symmetric encryption KMS keys.
|
4242
4866
|
#
|
4243
4867
|
# This parameter is required only when the destination KMS key is an
|
4244
4868
|
# asymmetric KMS key.
|
@@ -4258,6 +4882,18 @@ module Aws::KMS
|
|
4258
4882
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4259
4883
|
# @return [Array<String>]
|
4260
4884
|
#
|
4885
|
+
# @!attribute [rw] dry_run
|
4886
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
4887
|
+
# parameter.
|
4888
|
+
#
|
4889
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
4890
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
4891
|
+
#
|
4892
|
+
#
|
4893
|
+
#
|
4894
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
4895
|
+
# @return [Boolean]
|
4896
|
+
#
|
4261
4897
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
|
4262
4898
|
#
|
4263
4899
|
class ReEncryptRequest < Struct.new(
|
@@ -4268,7 +4904,8 @@ module Aws::KMS
|
|
4268
4904
|
:destination_encryption_context,
|
4269
4905
|
:source_encryption_algorithm,
|
4270
4906
|
:destination_encryption_algorithm,
|
4271
|
-
:grant_tokens
|
4907
|
+
:grant_tokens,
|
4908
|
+
:dry_run)
|
4272
4909
|
SENSITIVE = []
|
4273
4910
|
include Aws::Structure
|
4274
4911
|
end
|
@@ -4314,23 +4951,39 @@ module Aws::KMS
|
|
4314
4951
|
include Aws::Structure
|
4315
4952
|
end
|
4316
4953
|
|
4317
|
-
#
|
4318
|
-
#
|
4954
|
+
# Contains information about the party that receives the response from
|
4955
|
+
# the API operation.
|
4956
|
+
#
|
4957
|
+
# This data type is designed to support Amazon Web Services Nitro
|
4958
|
+
# Enclaves, which lets you create an isolated compute environment in
|
4959
|
+
# Amazon EC2. For information about the interaction between KMS and
|
4960
|
+
# Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
|
4961
|
+
# Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
|
4962
|
+
#
|
4963
|
+
#
|
4319
4964
|
#
|
4320
|
-
#
|
4321
|
-
# key_id: "KeyIdType", # required
|
4322
|
-
# replica_region: "RegionType", # required
|
4323
|
-
# policy: "PolicyType",
|
4324
|
-
# bypass_policy_lockout_safety_check: false,
|
4325
|
-
# description: "DescriptionType",
|
4326
|
-
# tags: [
|
4327
|
-
# {
|
4328
|
-
# tag_key: "TagKeyType", # required
|
4329
|
-
# tag_value: "TagValueType", # required
|
4330
|
-
# },
|
4331
|
-
# ],
|
4332
|
-
# }
|
4965
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
4333
4966
|
#
|
4967
|
+
# @!attribute [rw] key_encryption_algorithm
|
4968
|
+
# The encryption algorithm that KMS should use with the public key for
|
4969
|
+
# an Amazon Web Services Nitro Enclave to encrypt plaintext values for
|
4970
|
+
# the response. The only valid value is `RSAES_OAEP_SHA_256`.
|
4971
|
+
# @return [String]
|
4972
|
+
#
|
4973
|
+
# @!attribute [rw] attestation_document
|
4974
|
+
# The attestation document for an Amazon Web Services Nitro Enclave.
|
4975
|
+
# This document includes the enclave's public key.
|
4976
|
+
# @return [String]
|
4977
|
+
#
|
4978
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
|
4979
|
+
#
|
4980
|
+
class RecipientInfo < Struct.new(
|
4981
|
+
:key_encryption_algorithm,
|
4982
|
+
:attestation_document)
|
4983
|
+
SENSITIVE = []
|
4984
|
+
include Aws::Structure
|
4985
|
+
end
|
4986
|
+
|
4334
4987
|
# @!attribute [rw] key_id
|
4335
4988
|
# Identifies the multi-Region primary key that is being replicated. To
|
4336
4989
|
# determine whether a KMS key is a multi-Region primary key, use the
|
@@ -4359,24 +5012,33 @@ module Aws::KMS
|
|
4359
5012
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
4360
5013
|
# Reference*.
|
4361
5014
|
#
|
5015
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
5016
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
5017
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
5018
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
5019
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
5020
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
5021
|
+
#
|
5022
|
+
# </note>
|
5023
|
+
#
|
4362
5024
|
# The replica must be in a different Amazon Web Services Region than
|
4363
5025
|
# its primary key and other replicas of that primary key, but in the
|
4364
5026
|
# same Amazon Web Services partition. KMS must be available in the
|
4365
5027
|
# replica Region. If the Region is not enabled by default, the Amazon
|
4366
|
-
# Web Services account must be enabled in the Region.
|
4367
|
-
#
|
4368
|
-
#
|
4369
|
-
#
|
4370
|
-
#
|
4371
|
-
#
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
5028
|
+
# Web Services account must be enabled in the Region. For information
|
5029
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
5030
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
5031
|
+
# information about enabling and disabling Regions, see [Enabling a
|
5032
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
5033
|
+
# General Reference*.
|
4373
5034
|
#
|
4374
5035
|
#
|
4375
5036
|
#
|
4376
5037
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
5038
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
5039
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
5040
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
5041
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
4380
5042
|
# @return [String]
|
4381
5043
|
#
|
4382
5044
|
# @!attribute [rw] policy
|
@@ -4391,58 +5053,76 @@ module Aws::KMS
|
|
4391
5053
|
#
|
4392
5054
|
# If you provide a key policy, it must meet the following criteria:
|
4393
5055
|
#
|
4394
|
-
# *
|
4395
|
-
#
|
4396
|
-
#
|
4397
|
-
#
|
4398
|
-
#
|
4399
|
-
#
|
5056
|
+
# * The key policy must allow the calling principal to make a
|
5057
|
+
# subsequent `PutKeyPolicy` request on the KMS key. This reduces the
|
5058
|
+
# risk that the KMS key becomes unmanageable. For more information,
|
5059
|
+
# see [Default key policy][2] in the *Key Management Service
|
5060
|
+
# Developer Guide*. (To omit this condition, set
|
5061
|
+
# `BypassPolicyLockoutSafetyCheck` to true.)
|
4400
5062
|
#
|
4401
5063
|
# * Each statement in the key policy must contain one or more
|
4402
5064
|
# principals. The principals in the key policy must exist and be
|
4403
5065
|
# visible to KMS. When you create a new Amazon Web Services
|
4404
|
-
# principal
|
4405
|
-
#
|
4406
|
-
#
|
4407
|
-
#
|
4408
|
-
#
|
4409
|
-
#
|
5066
|
+
# principal, you might need to enforce a delay before including the
|
5067
|
+
# new principal in a key policy because the new principal might not
|
5068
|
+
# be immediately visible to KMS. For more information, see [Changes
|
5069
|
+
# that I make are not always immediately visible][3] in the *Amazon
|
5070
|
+
# Web Services Identity and Access Management User Guide*.
|
5071
|
+
#
|
5072
|
+
# A key policy document can include only the following characters:
|
5073
|
+
#
|
5074
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
5075
|
+
# through the end of the ASCII character range.
|
5076
|
+
#
|
5077
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
5078
|
+
# character set (through `\u00FF`).
|
4410
5079
|
#
|
4411
|
-
# * The
|
5080
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
5081
|
+
# (`\u000D`) special characters
|
5082
|
+
#
|
5083
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
5084
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
5085
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
5086
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
5087
|
+
# Guide</i> </i>.
|
4412
5088
|
#
|
4413
5089
|
#
|
4414
5090
|
#
|
4415
5091
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
4416
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
5092
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
4417
5093
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
5094
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
5095
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
4418
5096
|
# @return [String]
|
4419
5097
|
#
|
4420
5098
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
4421
|
-
#
|
4422
|
-
#
|
5099
|
+
# Skips ("bypasses") the key policy lockout safety check. The
|
5100
|
+
# default value is false.
|
4423
5101
|
#
|
4424
5102
|
# Setting this value to true increases the risk that the KMS key
|
4425
5103
|
# becomes unmanageable. Do not set this value to true
|
4426
5104
|
# indiscriminately.
|
4427
5105
|
#
|
4428
|
-
# For more information,
|
4429
|
-
#
|
5106
|
+
# For more information, see [Default key policy][1] in the *Key
|
5107
|
+
# Management Service Developer Guide*.
|
4430
5108
|
#
|
4431
5109
|
# Use this parameter only when you intend to prevent the principal
|
4432
|
-
# that is making the request from making a subsequent
|
5110
|
+
# that is making the request from making a subsequent PutKeyPolicy
|
4433
5111
|
# request on the KMS key.
|
4434
5112
|
#
|
4435
|
-
# The default value is false.
|
4436
|
-
#
|
4437
5113
|
#
|
4438
5114
|
#
|
4439
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
5115
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key
|
4440
5116
|
# @return [Boolean]
|
4441
5117
|
#
|
4442
5118
|
# @!attribute [rw] description
|
4443
5119
|
# A description of the KMS key. The default value is an empty string
|
4444
5120
|
# (no description).
|
4445
5121
|
#
|
5122
|
+
# Do not include confidential or sensitive information in this field.
|
5123
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5124
|
+
# other output.
|
5125
|
+
#
|
4446
5126
|
# The description is not a shared property of multi-Region keys. You
|
4447
5127
|
# can specify the same description or a different description for each
|
4448
5128
|
# key in a set of related multi-Region keys. KMS does not synchronize
|
@@ -4454,9 +5134,13 @@ module Aws::KMS
|
|
4454
5134
|
# tag the KMS key when it is created. To tag an existing KMS key, use
|
4455
5135
|
# the TagResource operation.
|
4456
5136
|
#
|
5137
|
+
# Do not include confidential or sensitive information in this field.
|
5138
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5139
|
+
# other output.
|
5140
|
+
#
|
4457
5141
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4458
|
-
# KMS key. For details, see [
|
4459
|
-
#
|
5142
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
5143
|
+
# Service Developer Guide*.
|
4460
5144
|
#
|
4461
5145
|
# </note>
|
4462
5146
|
#
|
@@ -4500,9 +5184,9 @@ module Aws::KMS
|
|
4500
5184
|
|
4501
5185
|
# @!attribute [rw] replica_key_metadata
|
4502
5186
|
# Displays details about the new replica key, including its Amazon
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
4505
|
-
# replica keys.
|
5187
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
5188
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
5189
|
+
# key and other replica keys.
|
4506
5190
|
#
|
4507
5191
|
#
|
4508
5192
|
#
|
@@ -4530,15 +5214,6 @@ module Aws::KMS
|
|
4530
5214
|
include Aws::Structure
|
4531
5215
|
end
|
4532
5216
|
|
4533
|
-
# @note When making an API call, you may pass RetireGrantRequest
|
4534
|
-
# data as a hash:
|
4535
|
-
#
|
4536
|
-
# {
|
4537
|
-
# grant_token: "GrantTokenType",
|
4538
|
-
# key_id: "KeyIdType",
|
4539
|
-
# grant_id: "GrantIdType",
|
4540
|
-
# }
|
4541
|
-
#
|
4542
5217
|
# @!attribute [rw] grant_token
|
4543
5218
|
# Identifies the grant to be retired. You can use a grant token to
|
4544
5219
|
# identify a new grant even before it has achieved eventual
|
@@ -4572,24 +5247,29 @@ module Aws::KMS
|
|
4572
5247
|
# ^
|
4573
5248
|
# @return [String]
|
4574
5249
|
#
|
5250
|
+
# @!attribute [rw] dry_run
|
5251
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5252
|
+
# parameter.
|
5253
|
+
#
|
5254
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5255
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5256
|
+
#
|
5257
|
+
#
|
5258
|
+
#
|
5259
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5260
|
+
# @return [Boolean]
|
5261
|
+
#
|
4575
5262
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
|
4576
5263
|
#
|
4577
5264
|
class RetireGrantRequest < Struct.new(
|
4578
5265
|
:grant_token,
|
4579
5266
|
:key_id,
|
4580
|
-
:grant_id
|
5267
|
+
:grant_id,
|
5268
|
+
:dry_run)
|
4581
5269
|
SENSITIVE = []
|
4582
5270
|
include Aws::Structure
|
4583
5271
|
end
|
4584
5272
|
|
4585
|
-
# @note When making an API call, you may pass RevokeGrantRequest
|
4586
|
-
# data as a hash:
|
4587
|
-
#
|
4588
|
-
# {
|
4589
|
-
# key_id: "KeyIdType", # required
|
4590
|
-
# grant_id: "GrantIdType", # required
|
4591
|
-
# }
|
4592
|
-
#
|
4593
5273
|
# @!attribute [rw] key_id
|
4594
5274
|
# A unique identifier for the KMS key associated with the grant. To
|
4595
5275
|
# get the key ID and key ARN for a KMS key, use ListKeys or
|
@@ -4615,23 +5295,28 @@ module Aws::KMS
|
|
4615
5295
|
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4616
5296
|
# @return [String]
|
4617
5297
|
#
|
5298
|
+
# @!attribute [rw] dry_run
|
5299
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5300
|
+
# parameter.
|
5301
|
+
#
|
5302
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5303
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5304
|
+
#
|
5305
|
+
#
|
5306
|
+
#
|
5307
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5308
|
+
# @return [Boolean]
|
5309
|
+
#
|
4618
5310
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
|
4619
5311
|
#
|
4620
5312
|
class RevokeGrantRequest < Struct.new(
|
4621
5313
|
:key_id,
|
4622
|
-
:grant_id
|
5314
|
+
:grant_id,
|
5315
|
+
:dry_run)
|
4623
5316
|
SENSITIVE = []
|
4624
5317
|
include Aws::Structure
|
4625
5318
|
end
|
4626
5319
|
|
4627
|
-
# @note When making an API call, you may pass ScheduleKeyDeletionRequest
|
4628
|
-
# data as a hash:
|
4629
|
-
#
|
4630
|
-
# {
|
4631
|
-
# key_id: "KeyIdType", # required
|
4632
|
-
# pending_window_in_days: 1,
|
4633
|
-
# }
|
4634
|
-
#
|
4635
5320
|
# @!attribute [rw] key_id
|
4636
5321
|
# The unique identifier of the KMS key to delete.
|
4637
5322
|
#
|
@@ -4652,12 +5337,19 @@ module Aws::KMS
|
|
4652
5337
|
# The waiting period, specified in number of days. After the waiting
|
4653
5338
|
# period ends, KMS deletes the KMS key.
|
4654
5339
|
#
|
4655
|
-
# If the KMS key is a multi-Region primary key with
|
5340
|
+
# If the KMS key is a multi-Region primary key with replica keys, the
|
4656
5341
|
# waiting period begins when the last of its replica keys is deleted.
|
4657
5342
|
# Otherwise, the waiting period begins immediately.
|
4658
5343
|
#
|
4659
5344
|
# This value is optional. If you include a value, it must be between 7
|
4660
5345
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
5346
|
+
# You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
|
5347
|
+
# condition key to further constrain the values that principals can
|
5348
|
+
# specify in the `PendingWindowInDays` parameter.
|
5349
|
+
#
|
5350
|
+
#
|
5351
|
+
#
|
5352
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
|
4661
5353
|
# @return [Integer]
|
4662
5354
|
#
|
4663
5355
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
|
@@ -4690,8 +5382,8 @@ module Aws::KMS
|
|
4690
5382
|
# The current status of the KMS key.
|
4691
5383
|
#
|
4692
5384
|
# For more information about how key state affects the use of a KMS
|
4693
|
-
# key, see [Key
|
4694
|
-
#
|
5385
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
5386
|
+
# Developer Guide*.
|
4695
5387
|
#
|
4696
5388
|
#
|
4697
5389
|
#
|
@@ -4717,17 +5409,6 @@ module Aws::KMS
|
|
4717
5409
|
include Aws::Structure
|
4718
5410
|
end
|
4719
5411
|
|
4720
|
-
# @note When making an API call, you may pass SignRequest
|
4721
|
-
# data as a hash:
|
4722
|
-
#
|
4723
|
-
# {
|
4724
|
-
# key_id: "KeyIdType", # required
|
4725
|
-
# message: "data", # required
|
4726
|
-
# message_type: "RAW", # accepts RAW, DIGEST
|
4727
|
-
# grant_tokens: ["GrantTokenType"],
|
4728
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
4729
|
-
# }
|
4730
|
-
#
|
4731
5412
|
# @!attribute [rw] key_id
|
4732
5413
|
# Identifies an asymmetric KMS key. KMS uses the private key in the
|
4733
5414
|
# asymmetric KMS key to sign the message. The `KeyUsage` type of the
|
@@ -4756,16 +5437,55 @@ module Aws::KMS
|
|
4756
5437
|
#
|
4757
5438
|
# @!attribute [rw] message
|
4758
5439
|
# Specifies the message or message digest to sign. Messages can be
|
4759
|
-
# 0-4096 bytes. To sign a larger message, provide
|
5440
|
+
# 0-4096 bytes. To sign a larger message, provide a message digest.
|
4760
5441
|
#
|
4761
|
-
# If you provide a message,
|
4762
|
-
#
|
5442
|
+
# If you provide a message digest, use the `DIGEST` value of
|
5443
|
+
# `MessageType` to prevent the digest from being hashed again while
|
5444
|
+
# signing.
|
4763
5445
|
# @return [String]
|
4764
5446
|
#
|
4765
5447
|
# @!attribute [rw] message_type
|
4766
|
-
# Tells KMS whether the value of the `Message` parameter
|
4767
|
-
#
|
4768
|
-
#
|
5448
|
+
# Tells KMS whether the value of the `Message` parameter should be
|
5449
|
+
# hashed as part of the signing algorithm. Use `RAW` for unhashed
|
5450
|
+
# messages; use `DIGEST` for message digests, which are already
|
5451
|
+
# hashed.
|
5452
|
+
#
|
5453
|
+
# When the value of `MessageType` is `RAW`, KMS uses the standard
|
5454
|
+
# signing algorithm, which begins with a hash function. When the value
|
5455
|
+
# is `DIGEST`, KMS skips the hashing step in the signing algorithm.
|
5456
|
+
#
|
5457
|
+
# Use the `DIGEST` value only when the value of the `Message`
|
5458
|
+
# parameter is a message digest. If you use the `DIGEST` value with an
|
5459
|
+
# unhashed message, the security of the signing operation can be
|
5460
|
+
# compromised.
|
5461
|
+
#
|
5462
|
+
# When the value of `MessageType`is `DIGEST`, the length of the
|
5463
|
+
# `Message` value must match the length of hashed messages for the
|
5464
|
+
# specified signing algorithm.
|
5465
|
+
#
|
5466
|
+
# You can submit a message digest and omit the `MessageType` or
|
5467
|
+
# specify `RAW` so the digest is hashed again while signing. However,
|
5468
|
+
# this can cause verification failures when verifying with a system
|
5469
|
+
# that assumes a single hash.
|
5470
|
+
#
|
5471
|
+
# The hashing algorithm in that `Sign` uses is based on the
|
5472
|
+
# `SigningAlgorithm` value.
|
5473
|
+
#
|
5474
|
+
# * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
|
5475
|
+
# algorithm.
|
5476
|
+
#
|
5477
|
+
# * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
|
5478
|
+
# algorithm.
|
5479
|
+
#
|
5480
|
+
# * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
|
5481
|
+
# algorithm.
|
5482
|
+
#
|
5483
|
+
# * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
|
5484
|
+
# verification with SM2 key pairs][1].
|
5485
|
+
#
|
5486
|
+
#
|
5487
|
+
#
|
5488
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
|
4769
5489
|
# @return [String]
|
4770
5490
|
#
|
4771
5491
|
# @!attribute [rw] grant_tokens
|
@@ -4786,9 +5506,23 @@ module Aws::KMS
|
|
4786
5506
|
# Specifies the signing algorithm to use when signing the message.
|
4787
5507
|
#
|
4788
5508
|
# Choose an algorithm that is compatible with the type and size of the
|
4789
|
-
# specified asymmetric KMS key.
|
5509
|
+
# specified asymmetric KMS key. When signing with RSA key pairs,
|
5510
|
+
# RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
|
5511
|
+
# algorithms for compatibility with existing applications.
|
4790
5512
|
# @return [String]
|
4791
5513
|
#
|
5514
|
+
# @!attribute [rw] dry_run
|
5515
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5516
|
+
# parameter.
|
5517
|
+
#
|
5518
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5519
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5520
|
+
#
|
5521
|
+
#
|
5522
|
+
#
|
5523
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5524
|
+
# @return [Boolean]
|
5525
|
+
#
|
4792
5526
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
4793
5527
|
#
|
4794
5528
|
class SignRequest < Struct.new(
|
@@ -4796,7 +5530,8 @@ module Aws::KMS
|
|
4796
5530
|
:message,
|
4797
5531
|
:message_type,
|
4798
5532
|
:grant_tokens,
|
4799
|
-
:signing_algorithm
|
5533
|
+
:signing_algorithm,
|
5534
|
+
:dry_run)
|
4800
5535
|
SENSITIVE = [:message]
|
4801
5536
|
include Aws::Structure
|
4802
5537
|
end
|
@@ -4818,7 +5553,7 @@ module Aws::KMS
|
|
4818
5553
|
#
|
4819
5554
|
# * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
|
4820
5555
|
# `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
|
4821
|
-
# object as defined by
|
5556
|
+
# object as defined by ANSI X9.62–2005 and [RFC 3279 Section
|
4822
5557
|
# 2.2.3][2]. This is the most commonly used signature format and is
|
4823
5558
|
# appropriate for most uses.
|
4824
5559
|
#
|
@@ -4849,6 +5584,10 @@ module Aws::KMS
|
|
4849
5584
|
# keys and tag values are both required, but tag values can be empty
|
4850
5585
|
# (null) strings.
|
4851
5586
|
#
|
5587
|
+
# Do not include confidential or sensitive information in this field.
|
5588
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
5589
|
+
# output.
|
5590
|
+
#
|
4852
5591
|
# For information about the rules that apply to tag keys and tag values,
|
4853
5592
|
# see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
|
4854
5593
|
# Billing and Cost Management User Guide*.
|
@@ -4857,14 +5596,6 @@ module Aws::KMS
|
|
4857
5596
|
#
|
4858
5597
|
# [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
|
4859
5598
|
#
|
4860
|
-
# @note When making an API call, you may pass Tag
|
4861
|
-
# data as a hash:
|
4862
|
-
#
|
4863
|
-
# {
|
4864
|
-
# tag_key: "TagKeyType", # required
|
4865
|
-
# tag_value: "TagValueType", # required
|
4866
|
-
# }
|
4867
|
-
#
|
4868
5599
|
# @!attribute [rw] tag_key
|
4869
5600
|
# The key of the tag.
|
4870
5601
|
# @return [String]
|
@@ -4895,19 +5626,6 @@ module Aws::KMS
|
|
4895
5626
|
include Aws::Structure
|
4896
5627
|
end
|
4897
5628
|
|
4898
|
-
# @note When making an API call, you may pass TagResourceRequest
|
4899
|
-
# data as a hash:
|
4900
|
-
#
|
4901
|
-
# {
|
4902
|
-
# key_id: "KeyIdType", # required
|
4903
|
-
# tags: [ # required
|
4904
|
-
# {
|
4905
|
-
# tag_key: "TagKeyType", # required
|
4906
|
-
# tag_value: "TagValueType", # required
|
4907
|
-
# },
|
4908
|
-
# ],
|
4909
|
-
# }
|
4910
|
-
#
|
4911
5629
|
# @!attribute [rw] key_id
|
4912
5630
|
# Identifies a customer managed key in the account and Region.
|
4913
5631
|
#
|
@@ -4925,10 +5643,12 @@ module Aws::KMS
|
|
4925
5643
|
# @return [String]
|
4926
5644
|
#
|
4927
5645
|
# @!attribute [rw] tags
|
4928
|
-
# One or more tags.
|
5646
|
+
# One or more tags. Each tag consists of a tag key and a tag value.
|
5647
|
+
# The tag value can be an empty (null) string.
|
4929
5648
|
#
|
4930
|
-
#
|
4931
|
-
#
|
5649
|
+
# Do not include confidential or sensitive information in this field.
|
5650
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5651
|
+
# other output.
|
4932
5652
|
#
|
4933
5653
|
# You cannot have more than one tag on a KMS key with the same tag
|
4934
5654
|
# key. If you specify an existing tag key with a different tag value,
|
@@ -4958,14 +5678,6 @@ module Aws::KMS
|
|
4958
5678
|
include Aws::Structure
|
4959
5679
|
end
|
4960
5680
|
|
4961
|
-
# @note When making an API call, you may pass UntagResourceRequest
|
4962
|
-
# data as a hash:
|
4963
|
-
#
|
4964
|
-
# {
|
4965
|
-
# key_id: "KeyIdType", # required
|
4966
|
-
# tag_keys: ["TagKeyType"], # required
|
4967
|
-
# }
|
4968
|
-
#
|
4969
5681
|
# @!attribute [rw] key_id
|
4970
5682
|
# Identifies the KMS key from which you are removing tags.
|
4971
5683
|
#
|
@@ -4995,19 +5707,15 @@ module Aws::KMS
|
|
4995
5707
|
include Aws::Structure
|
4996
5708
|
end
|
4997
5709
|
|
4998
|
-
# @note When making an API call, you may pass UpdateAliasRequest
|
4999
|
-
# data as a hash:
|
5000
|
-
#
|
5001
|
-
# {
|
5002
|
-
# alias_name: "AliasNameType", # required
|
5003
|
-
# target_key_id: "KeyIdType", # required
|
5004
|
-
# }
|
5005
|
-
#
|
5006
5710
|
# @!attribute [rw] alias_name
|
5007
5711
|
# Identifies the alias that is changing its KMS key. This value must
|
5008
5712
|
# begin with `alias/` followed by the alias name, such as
|
5009
|
-
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the
|
5010
|
-
# name.
|
5713
|
+
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
|
5714
|
+
# alias name.
|
5715
|
+
#
|
5716
|
+
# Do not include confidential or sensitive information in this field.
|
5717
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5718
|
+
# other output.
|
5011
5719
|
# @return [String]
|
5012
5720
|
#
|
5013
5721
|
# @!attribute [rw] target_key_id
|
@@ -5018,7 +5726,7 @@ module Aws::KMS
|
|
5018
5726
|
# The KMS key must be in the same Amazon Web Services account and
|
5019
5727
|
# Region as the alias. Also, the new target KMS key must be the same
|
5020
5728
|
# type as the current target KMS key (both symmetric or both
|
5021
|
-
# asymmetric) and they must have the same key usage.
|
5729
|
+
# asymmetric or both HMAC) and they must have the same key usage.
|
5022
5730
|
#
|
5023
5731
|
# Specify the key ID or key ARN of the KMS key.
|
5024
5732
|
#
|
@@ -5050,16 +5758,6 @@ module Aws::KMS
|
|
5050
5758
|
include Aws::Structure
|
5051
5759
|
end
|
5052
5760
|
|
5053
|
-
# @note When making an API call, you may pass UpdateCustomKeyStoreRequest
|
5054
|
-
# data as a hash:
|
5055
|
-
#
|
5056
|
-
# {
|
5057
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
5058
|
-
# new_custom_key_store_name: "CustomKeyStoreNameType",
|
5059
|
-
# key_store_password: "KeyStorePasswordType",
|
5060
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
5061
|
-
# }
|
5062
|
-
#
|
5063
5761
|
# @!attribute [rw] custom_key_store_id
|
5064
5762
|
# Identifies the custom key store that you want to update. Enter the
|
5065
5763
|
# ID of the custom key store. To find the ID of a custom key store,
|
@@ -5070,19 +5768,32 @@ module Aws::KMS
|
|
5070
5768
|
# Changes the friendly name of the custom key store to the value that
|
5071
5769
|
# you specify. The custom key store name must be unique in the Amazon
|
5072
5770
|
# Web Services account.
|
5771
|
+
#
|
5772
|
+
# Do not include confidential or sensitive information in this field.
|
5773
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5774
|
+
# other output.
|
5775
|
+
#
|
5776
|
+
# To change this value, an CloudHSM key store must be disconnected. An
|
5777
|
+
# external key store can be connected or disconnected.
|
5073
5778
|
# @return [String]
|
5074
5779
|
#
|
5075
5780
|
# @!attribute [rw] key_store_password
|
5076
5781
|
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
5077
|
-
# CloudHSM cluster that is associated with the custom key store.
|
5782
|
+
# CloudHSM cluster that is associated with the custom key store. This
|
5783
|
+
# parameter is valid only for custom key stores with a
|
5784
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
5078
5785
|
#
|
5079
5786
|
# This parameter tells KMS the current password of the `kmsuser`
|
5080
5787
|
# crypto user (CU). It does not set or change the password of any
|
5081
5788
|
# users in the CloudHSM cluster.
|
5789
|
+
#
|
5790
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
5082
5791
|
# @return [String]
|
5083
5792
|
#
|
5084
5793
|
# @!attribute [rw] cloud_hsm_cluster_id
|
5085
5794
|
# Associates the custom key store with a related CloudHSM cluster.
|
5795
|
+
# This parameter is valid only for custom key stores with a
|
5796
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
5086
5797
|
#
|
5087
5798
|
# Enter the cluster ID of the cluster that you used to create the
|
5088
5799
|
# custom key store or a cluster that shares a backup history and has
|
@@ -5093,19 +5804,111 @@ module Aws::KMS
|
|
5093
5804
|
# To view the cluster certificate of a cluster, use the
|
5094
5805
|
# [DescribeClusters][2] operation.
|
5095
5806
|
#
|
5807
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
5808
|
+
#
|
5096
5809
|
#
|
5097
5810
|
#
|
5098
5811
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
5099
5812
|
# [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
5100
5813
|
# @return [String]
|
5101
5814
|
#
|
5815
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
5816
|
+
# Changes the URI endpoint that KMS uses to connect to your external
|
5817
|
+
# key store proxy (XKS proxy). This parameter is valid only for custom
|
5818
|
+
# key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
5819
|
+
#
|
5820
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
5821
|
+
# `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
|
5822
|
+
#
|
5823
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
5824
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
5825
|
+
# DNS name associated with the VPC endpoint service. Each external key
|
5826
|
+
# store must use a different private DNS name.
|
5827
|
+
#
|
5828
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
5829
|
+
# be unique in the Amazon Web Services account and Region.
|
5830
|
+
#
|
5831
|
+
# To change this value, the external key store must be disconnected.
|
5832
|
+
# @return [String]
|
5833
|
+
#
|
5834
|
+
# @!attribute [rw] xks_proxy_uri_path
|
5835
|
+
# Changes the base path to the proxy APIs for this external key store.
|
5836
|
+
# To find this value, see the documentation for your external key
|
5837
|
+
# manager and external key store proxy (XKS proxy). This parameter is
|
5838
|
+
# valid only for custom key stores with a `CustomKeyStoreType` of
|
5839
|
+
# `EXTERNAL_KEY_STORE`.
|
5840
|
+
#
|
5841
|
+
# The value must start with `/` and must end with `/kms/xks/v1`, where
|
5842
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
5843
|
+
# You can include an optional prefix between the required elements
|
5844
|
+
# such as `/example/kms/xks/v1`.
|
5845
|
+
#
|
5846
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
5847
|
+
# be unique in the Amazon Web Services account and Region.
|
5848
|
+
#
|
5849
|
+
# You can change this value when the external key store is connected
|
5850
|
+
# or disconnected.
|
5851
|
+
# @return [String]
|
5852
|
+
#
|
5853
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
5854
|
+
# Changes the name that KMS uses to identify the Amazon VPC endpoint
|
5855
|
+
# service for your external key store proxy (XKS proxy). This
|
5856
|
+
# parameter is valid when the `CustomKeyStoreType` is
|
5857
|
+
# `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
|
5858
|
+
# `VPC_ENDPOINT_SERVICE`.
|
5859
|
+
#
|
5860
|
+
# To change this value, the external key store must be disconnected.
|
5861
|
+
# @return [String]
|
5862
|
+
#
|
5863
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
5864
|
+
# Changes the credentials that KMS uses to sign requests to the
|
5865
|
+
# external key store proxy (XKS proxy). This parameter is valid only
|
5866
|
+
# for custom key stores with a `CustomKeyStoreType` of
|
5867
|
+
# `EXTERNAL_KEY_STORE`.
|
5868
|
+
#
|
5869
|
+
# You must specify both the `AccessKeyId` and `SecretAccessKey` value
|
5870
|
+
# in the authentication credential, even if you are only updating one
|
5871
|
+
# value.
|
5872
|
+
#
|
5873
|
+
# This parameter doesn't establish or change your authentication
|
5874
|
+
# credentials on the proxy. It just tells KMS the credential that you
|
5875
|
+
# established with your external key store proxy. For example, if you
|
5876
|
+
# rotate the credential on your external key store proxy, you can use
|
5877
|
+
# this parameter to update the credential in KMS.
|
5878
|
+
#
|
5879
|
+
# You can change this value when the external key store is connected
|
5880
|
+
# or disconnected.
|
5881
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
5882
|
+
#
|
5883
|
+
# @!attribute [rw] xks_proxy_connectivity
|
5884
|
+
# Changes the connectivity setting for the external key store. To
|
5885
|
+
# indicate that the external key store proxy uses a Amazon VPC
|
5886
|
+
# endpoint service to communicate with KMS, specify
|
5887
|
+
# `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
|
5888
|
+
#
|
5889
|
+
# If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
|
5890
|
+
# you must also change the `XksProxyUriEndpoint` and add an
|
5891
|
+
# `XksProxyVpcEndpointServiceName` value.
|
5892
|
+
#
|
5893
|
+
# If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
|
5894
|
+
# must also change the `XksProxyUriEndpoint` and specify a null or
|
5895
|
+
# empty string for the `XksProxyVpcEndpointServiceName` value.
|
5896
|
+
#
|
5897
|
+
# To change this value, the external key store must be disconnected.
|
5898
|
+
# @return [String]
|
5899
|
+
#
|
5102
5900
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
|
5103
5901
|
#
|
5104
5902
|
class UpdateCustomKeyStoreRequest < Struct.new(
|
5105
5903
|
:custom_key_store_id,
|
5106
5904
|
:new_custom_key_store_name,
|
5107
5905
|
:key_store_password,
|
5108
|
-
:cloud_hsm_cluster_id
|
5906
|
+
:cloud_hsm_cluster_id,
|
5907
|
+
:xks_proxy_uri_endpoint,
|
5908
|
+
:xks_proxy_uri_path,
|
5909
|
+
:xks_proxy_vpc_endpoint_service_name,
|
5910
|
+
:xks_proxy_authentication_credential,
|
5911
|
+
:xks_proxy_connectivity)
|
5109
5912
|
SENSITIVE = [:key_store_password]
|
5110
5913
|
include Aws::Structure
|
5111
5914
|
end
|
@@ -5114,14 +5917,6 @@ module Aws::KMS
|
|
5114
5917
|
#
|
5115
5918
|
class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
|
5116
5919
|
|
5117
|
-
# @note When making an API call, you may pass UpdateKeyDescriptionRequest
|
5118
|
-
# data as a hash:
|
5119
|
-
#
|
5120
|
-
# {
|
5121
|
-
# key_id: "KeyIdType", # required
|
5122
|
-
# description: "DescriptionType", # required
|
5123
|
-
# }
|
5124
|
-
#
|
5125
5920
|
# @!attribute [rw] key_id
|
5126
5921
|
# Updates the description of the specified KMS key.
|
5127
5922
|
#
|
@@ -5140,6 +5935,10 @@ module Aws::KMS
|
|
5140
5935
|
#
|
5141
5936
|
# @!attribute [rw] description
|
5142
5937
|
# New description for the KMS key.
|
5938
|
+
#
|
5939
|
+
# Do not include confidential or sensitive information in this field.
|
5940
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5941
|
+
# other output.
|
5143
5942
|
# @return [String]
|
5144
5943
|
#
|
5145
5944
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
|
@@ -5151,14 +5950,6 @@ module Aws::KMS
|
|
5151
5950
|
include Aws::Structure
|
5152
5951
|
end
|
5153
5952
|
|
5154
|
-
# @note When making an API call, you may pass UpdatePrimaryRegionRequest
|
5155
|
-
# data as a hash:
|
5156
|
-
#
|
5157
|
-
# {
|
5158
|
-
# key_id: "KeyIdType", # required
|
5159
|
-
# primary_region: "RegionType", # required
|
5160
|
-
# }
|
5161
|
-
#
|
5162
5953
|
# @!attribute [rw] key_id
|
5163
5954
|
# Identifies the current primary key. When the operation completes,
|
5164
5955
|
# this KMS key will be a replica key.
|
@@ -5194,18 +5985,102 @@ module Aws::KMS
|
|
5194
5985
|
include Aws::Structure
|
5195
5986
|
end
|
5196
5987
|
|
5197
|
-
#
|
5198
|
-
#
|
5988
|
+
# @!attribute [rw] message
|
5989
|
+
# The message that will be used in the verification. Enter the same
|
5990
|
+
# message that was used to generate the HMAC.
|
5199
5991
|
#
|
5200
|
-
#
|
5201
|
-
#
|
5202
|
-
#
|
5203
|
-
#
|
5204
|
-
# signature: "data", # required
|
5205
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
5206
|
-
# grant_tokens: ["GrantTokenType"],
|
5207
|
-
# }
|
5992
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
5993
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
5994
|
+
# message, you must verify the HMAC for the same hash digest.
|
5995
|
+
# @return [String]
|
5208
5996
|
#
|
5997
|
+
# @!attribute [rw] key_id
|
5998
|
+
# The KMS key that will be used in the verification.
|
5999
|
+
#
|
6000
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
6001
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
6002
|
+
# @return [String]
|
6003
|
+
#
|
6004
|
+
# @!attribute [rw] mac_algorithm
|
6005
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
6006
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
6007
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
6008
|
+
# parameter.
|
6009
|
+
# @return [String]
|
6010
|
+
#
|
6011
|
+
# @!attribute [rw] mac
|
6012
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
6013
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
6014
|
+
# key, and MAC algorithm as the values specified in this request.
|
6015
|
+
# @return [String]
|
6016
|
+
#
|
6017
|
+
# @!attribute [rw] grant_tokens
|
6018
|
+
# A list of grant tokens.
|
6019
|
+
#
|
6020
|
+
# Use a grant token when your permission to call this operation comes
|
6021
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
6022
|
+
# For more information, see [Grant token][1] and [Using a grant
|
6023
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
6024
|
+
#
|
6025
|
+
#
|
6026
|
+
#
|
6027
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
6028
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
6029
|
+
# @return [Array<String>]
|
6030
|
+
#
|
6031
|
+
# @!attribute [rw] dry_run
|
6032
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
6033
|
+
# parameter.
|
6034
|
+
#
|
6035
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
6036
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
6037
|
+
#
|
6038
|
+
#
|
6039
|
+
#
|
6040
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
6041
|
+
# @return [Boolean]
|
6042
|
+
#
|
6043
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
6044
|
+
#
|
6045
|
+
class VerifyMacRequest < Struct.new(
|
6046
|
+
:message,
|
6047
|
+
:key_id,
|
6048
|
+
:mac_algorithm,
|
6049
|
+
:mac,
|
6050
|
+
:grant_tokens,
|
6051
|
+
:dry_run)
|
6052
|
+
SENSITIVE = [:message]
|
6053
|
+
include Aws::Structure
|
6054
|
+
end
|
6055
|
+
|
6056
|
+
# @!attribute [rw] key_id
|
6057
|
+
# The HMAC KMS key used in the verification.
|
6058
|
+
# @return [String]
|
6059
|
+
#
|
6060
|
+
# @!attribute [rw] mac_valid
|
6061
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
6062
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
6063
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
6064
|
+
#
|
6065
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
6066
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
6067
|
+
# one or more of the inputs changed since the HMAC was computed.
|
6068
|
+
# @return [Boolean]
|
6069
|
+
#
|
6070
|
+
# @!attribute [rw] mac_algorithm
|
6071
|
+
# The MAC algorithm used in the verification.
|
6072
|
+
# @return [String]
|
6073
|
+
#
|
6074
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
6075
|
+
#
|
6076
|
+
class VerifyMacResponse < Struct.new(
|
6077
|
+
:key_id,
|
6078
|
+
:mac_valid,
|
6079
|
+
:mac_algorithm)
|
6080
|
+
SENSITIVE = []
|
6081
|
+
include Aws::Structure
|
6082
|
+
end
|
6083
|
+
|
5209
6084
|
# @!attribute [rw] key_id
|
5210
6085
|
# Identifies the asymmetric KMS key that will be used to verify the
|
5211
6086
|
# signature. This must be the same KMS key that was used to generate
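Review bot: The new `mac_valid` attribute doc on `VerifyMacResponse` has a stray period inside the backticks and an inconsistent identifier: `# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.` should read `# the specified `Message`, HMAC KMS key (`KeyId`) and `MacAlgorithm`.`, matching the `KeyId` spelling used in the `mac_algorithm` doc of `VerifyMacRequest` just above. Since the same paragraph states that an unverified HMAC makes the operation fail with `KMSInvalidMacException`, a one-line note such as `# A response is only returned when verification succeeds, so this value is `true` whenever the call returns.` would stop callers from writing a dead `unless mac_valid` branch. The `VerifyRequest` doc that follows this hunk continues outside it.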
|
@@ -5243,14 +6118,48 @@ module Aws::KMS
|
|
5243
6118
|
# @return [String]
|
5244
6119
|
#
|
5245
6120
|
# @!attribute [rw] message_type
|
5246
|
-
# Tells KMS whether the value of the `Message` parameter
|
5247
|
-
#
|
5248
|
-
#
|
6121
|
+
# Tells KMS whether the value of the `Message` parameter should be
|
6122
|
+
# hashed as part of the signing algorithm. Use `RAW` for unhashed
|
6123
|
+
# messages; use `DIGEST` for message digests, which are already
|
6124
|
+
# hashed.
|
6125
|
+
#
|
6126
|
+
# When the value of `MessageType` is `RAW`, KMS uses the standard
|
6127
|
+
# signing algorithm, which begins with a hash function. When the value
|
6128
|
+
# is `DIGEST`, KMS skips the hashing step in the signing algorithm.
|
5249
6129
|
#
|
5250
6130
|
# Use the `DIGEST` value only when the value of the `Message`
|
5251
|
-
# parameter is a message digest. If you use the `DIGEST` value with
|
5252
|
-
#
|
6131
|
+
# parameter is a message digest. If you use the `DIGEST` value with an
|
6132
|
+
# unhashed message, the security of the verification operation can be
|
5253
6133
|
# compromised.
|
6134
|
+
#
|
6135
|
+
# When the value of `MessageType`is `DIGEST`, the length of the
|
6136
|
+
# `Message` value must match the length of hashed messages for the
|
6137
|
+
# specified signing algorithm.
|
6138
|
+
#
|
6139
|
+
# You can submit a message digest and omit the `MessageType` or
|
6140
|
+
# specify `RAW` so the digest is hashed again while signing. However,
|
6141
|
+
# if the signed message is hashed once while signing, but twice while
|
6142
|
+
# verifying, verification fails, even when the message hasn't
|
6143
|
+
# changed.
|
6144
|
+
#
|
6145
|
+
# The hashing algorithm in that `Verify` uses is based on the
|
6146
|
+
# `SigningAlgorithm` value.
|
6147
|
+
#
|
6148
|
+
# * Signing algorithms that end in SHA\_256 use the SHA\_256 hashing
|
6149
|
+
# algorithm.
|
6150
|
+
#
|
6151
|
+
# * Signing algorithms that end in SHA\_384 use the SHA\_384 hashing
|
6152
|
+
# algorithm.
|
6153
|
+
#
|
6154
|
+
# * Signing algorithms that end in SHA\_512 use the SHA\_512 hashing
|
6155
|
+
# algorithm.
|
6156
|
+
#
|
6157
|
+
# * SM2DSA uses the SM3 hashing algorithm. For details, see [Offline
|
6158
|
+
# verification with SM2 key pairs][1].
|
6159
|
+
#
|
6160
|
+
#
|
6161
|
+
#
|
6162
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
|
5254
6163
|
# @return [String]
|
5255
6164
|
#
|
5256
6165
|
# @!attribute [rw] signature
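Review bot: Two of the rewritten `message_type` doc lines on `VerifyRequest` have wording defects: `# When the value of `MessageType`is `DIGEST`, the length of the` is missing a space before `is`, and `# The hashing algorithm in that `Verify` uses is based on the` should read `# The hashing algorithm that `Verify` uses is based on the`. The paragraph is the one that explains why `DIGEST` with an unhashed message weakens verification, so it is worth having it read cleanly. The `VerifyRequest` struct definition this doc belongs to starts after the end of this hunk.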
|
@@ -5276,6 +6185,18 @@ module Aws::KMS
|
|
5276
6185
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
5277
6186
|
# @return [Array<String>]
|
5278
6187
|
#
|
6188
|
+
# @!attribute [rw] dry_run
|
6189
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
6190
|
+
# parameter.
|
6191
|
+
#
|
6192
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
6193
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
6194
|
+
#
|
6195
|
+
#
|
6196
|
+
#
|
6197
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
6198
|
+
# @return [Boolean]
|
6199
|
+
#
|
5279
6200
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
5280
6201
|
#
|
5281
6202
|
class VerifyRequest < Struct.new(
|
@@ -5284,7 +6205,8 @@ module Aws::KMS
|
|
5284
6205
|
:message_type,
|
5285
6206
|
:signature,
|
5286
6207
|
:signing_algorithm,
|
5287
|
-
:grant_tokens
|
6208
|
+
:grant_tokens,
|
6209
|
+
:dry_run)
|
5288
6210
|
SENSITIVE = [:message]
|
5289
6211
|
include Aws::Structure
|
5290
6212
|
end
|
@@ -5320,5 +6242,324 @@ module Aws::KMS
|
|
5320
6242
|
include Aws::Structure
|
5321
6243
|
end
|
5322
6244
|
|
6245
|
+
# The request was rejected because the (`XksKeyId`) is already
|
6246
|
+
# associated with a KMS key in this external key store. Each KMS key in
|
6247
|
+
# an external key store must be associated with a different external
|
6248
|
+
# key.
|
6249
|
+
#
|
6250
|
+
# @!attribute [rw] message
|
6251
|
+
# @return [String]
|
6252
|
+
#
|
6253
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
|
6254
|
+
#
|
6255
|
+
class XksKeyAlreadyInUseException < Struct.new(
|
6256
|
+
:message)
|
6257
|
+
SENSITIVE = []
|
6258
|
+
include Aws::Structure
|
6259
|
+
end
|
6260
|
+
|
6261
|
+
# Information about the [external key ][1]that is associated with a KMS
|
6262
|
+
# key in an external key store.
|
6263
|
+
#
|
6264
|
+
# This element appears in a CreateKey or DescribeKey response only for a
|
6265
|
+
# KMS key in an external key store.
|
6266
|
+
#
|
6267
|
+
# The *external key* is a symmetric encryption key that is hosted by an
|
6268
|
+
# external key manager outside of Amazon Web Services. When you use the
|
6269
|
+
# KMS key in an external key store in a cryptographic operation, the
|
6270
|
+
# cryptographic operation is performed in the external key manager using
|
6271
|
+
# the specified external key. For more information, see [External
|
6272
|
+
# key][1] in the *Key Management Service Developer Guide*.
|
6273
|
+
#
|
6274
|
+
#
|
6275
|
+
#
|
6276
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
6277
|
+
#
|
6278
|
+
# @!attribute [rw] id
|
6279
|
+
# The ID of the external key in its external key manager. This is the
|
6280
|
+
# ID that the external key store proxy uses to identify the external
|
6281
|
+
# key.
|
6282
|
+
# @return [String]
|
6283
|
+
#
|
6284
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
|
6285
|
+
#
|
6286
|
+
class XksKeyConfigurationType < Struct.new(
|
6287
|
+
:id)
|
6288
|
+
SENSITIVE = []
|
6289
|
+
include Aws::Structure
|
6290
|
+
end
|
6291
|
+
|
6292
|
+
# The request was rejected because the external key specified by the
|
6293
|
+
# `XksKeyId` parameter did not meet the configuration requirements for
|
6294
|
+
# an external key store.
|
6295
|
+
#
|
6296
|
+
# The external key must be an AES-256 symmetric key that is enabled and
|
6297
|
+
# performs encryption and decryption.
|
6298
|
+
#
|
6299
|
+
# @!attribute [rw] message
|
6300
|
+
# @return [String]
|
6301
|
+
#
|
6302
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
|
6303
|
+
#
|
6304
|
+
class XksKeyInvalidConfigurationException < Struct.new(
|
6305
|
+
:message)
|
6306
|
+
SENSITIVE = []
|
6307
|
+
include Aws::Structure
|
6308
|
+
end
|
6309
|
+
|
6310
|
+
# The request was rejected because the external key store proxy could
|
6311
|
+
# not find the external key. This exception is thrown when the value of
|
6312
|
+
# the `XksKeyId` parameter doesn't identify a key in the external key
|
6313
|
+
# manager associated with the external key proxy.
|
6314
|
+
#
|
6315
|
+
# Verify that the `XksKeyId` represents an existing key in the external
|
6316
|
+
# key manager. Use the key identifier that the external key store proxy
|
6317
|
+
# uses to identify the key. For details, see the documentation provided
|
6318
|
+
# with your external key store proxy or key manager.
|
6319
|
+
#
|
6320
|
+
# @!attribute [rw] message
|
6321
|
+
# @return [String]
|
6322
|
+
#
|
6323
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
|
6324
|
+
#
|
6325
|
+
class XksKeyNotFoundException < Struct.new(
|
6326
|
+
:message)
|
6327
|
+
SENSITIVE = []
|
6328
|
+
include Aws::Structure
|
6329
|
+
end
|
6330
|
+
|
6331
|
+
# KMS uses the authentication credential to sign requests that it sends
|
6332
|
+
# to the external key store proxy (XKS proxy) on your behalf. You
|
6333
|
+
# establish these credentials on your external key store proxy and
|
6334
|
+
# report them to KMS.
|
6335
|
+
#
|
6336
|
+
# The `XksProxyAuthenticationCredential` includes two required elements.
|
6337
|
+
#
|
6338
|
+
# @!attribute [rw] access_key_id
|
6339
|
+
# A unique identifier for the raw secret access key.
|
6340
|
+
# @return [String]
|
6341
|
+
#
|
6342
|
+
# @!attribute [rw] raw_secret_access_key
|
6343
|
+
# A secret string of 43-64 characters. Valid characters are a-z, A-Z,
|
6344
|
+
# 0-9, /, +, and =.
|
6345
|
+
# @return [String]
|
6346
|
+
#
|
6347
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
|
6348
|
+
#
|
6349
|
+
class XksProxyAuthenticationCredentialType < Struct.new(
|
6350
|
+
:access_key_id,
|
6351
|
+
:raw_secret_access_key)
|
6352
|
+
SENSITIVE = [:access_key_id, :raw_secret_access_key]
|
6353
|
+
include Aws::Structure
|
6354
|
+
end
|
6355
|
+
|
6356
|
+
# Detailed information about the external key store proxy (XKS proxy).
|
6357
|
+
# Your external key store proxy translates KMS requests into a format
|
6358
|
+
# that your external key manager can understand. These fields appear in
|
6359
|
+
# a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
|
6360
|
+
# is `EXTERNAL_KEY_STORE`.
|
6361
|
+
#
|
6362
|
+
# @!attribute [rw] connectivity
|
6363
|
+
# Indicates whether the external key store proxy uses a public
|
6364
|
+
# endpoint or an Amazon VPC endpoint service to communicate with KMS.
|
6365
|
+
# @return [String]
|
6366
|
+
#
|
6367
|
+
# @!attribute [rw] access_key_id
|
6368
|
+
# The part of the external key store [proxy authentication
|
6369
|
+
# credential][1] that uniquely identifies the secret access key.
|
6370
|
+
#
|
6371
|
+
#
|
6372
|
+
#
|
6373
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
|
6374
|
+
# @return [String]
|
6375
|
+
#
|
6376
|
+
# @!attribute [rw] uri_endpoint
|
6377
|
+
# The URI endpoint for the external key store proxy.
|
6378
|
+
#
|
6379
|
+
# If the external key store proxy has a public endpoint, it is
|
6380
|
+
# displayed here.
|
6381
|
+
#
|
6382
|
+
# If the external key store proxy uses an Amazon VPC endpoint service
|
6383
|
+
# name, this field displays the private DNS name associated with the
|
6384
|
+
# VPC endpoint service.
|
6385
|
+
# @return [String]
|
6386
|
+
#
|
6387
|
+
# @!attribute [rw] uri_path
|
6388
|
+
# The path to the external key store proxy APIs.
|
6389
|
+
# @return [String]
|
6390
|
+
#
|
6391
|
+
# @!attribute [rw] vpc_endpoint_service_name
|
6392
|
+
# The Amazon VPC endpoint service used to communicate with the
|
6393
|
+
# external key store proxy. This field appears only when the external
|
6394
|
+
# key store proxy uses an Amazon VPC endpoint service to communicate
|
6395
|
+
# with KMS.
|
6396
|
+
# @return [String]
|
6397
|
+
#
|
6398
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
|
6399
|
+
#
|
6400
|
+
class XksProxyConfigurationType < Struct.new(
|
6401
|
+
:connectivity,
|
6402
|
+
:access_key_id,
|
6403
|
+
:uri_endpoint,
|
6404
|
+
:uri_path,
|
6405
|
+
:vpc_endpoint_service_name)
|
6406
|
+
SENSITIVE = [:access_key_id]
|
6407
|
+
include Aws::Structure
|
6408
|
+
end
|
6409
|
+
|
6410
|
+
# The request was rejected because the proxy credentials failed to
|
6411
|
+
# authenticate to the specified external key store proxy. The specified
|
6412
|
+
# external key store proxy rejected a status request from KMS due to
|
6413
|
+
# invalid credentials. This can indicate an error in the credentials or
|
6414
|
+
# in the identification of the external key store proxy.
|
6415
|
+
#
|
6416
|
+
# @!attribute [rw] message
|
6417
|
+
# @return [String]
|
6418
|
+
#
|
6419
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
|
6420
|
+
#
|
6421
|
+
class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
|
6422
|
+
:message)
|
6423
|
+
SENSITIVE = []
|
6424
|
+
include Aws::Structure
|
6425
|
+
end
|
6426
|
+
|
6427
|
+
# The request was rejected because the Amazon VPC endpoint service
|
6428
|
+
# configuration does not fulfill the requirements for an external key
|
6429
|
+
# store proxy. For details, see the exception message.
|
6430
|
+
#
|
6431
|
+
# @!attribute [rw] message
|
6432
|
+
# @return [String]
|
6433
|
+
#
|
6434
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
|
6435
|
+
#
|
6436
|
+
class XksProxyInvalidConfigurationException < Struct.new(
|
6437
|
+
:message)
|
6438
|
+
SENSITIVE = []
|
6439
|
+
include Aws::Structure
|
6440
|
+
end
|
6441
|
+
|
6442
|
+
# KMS cannot interpret the response it received from the external key
|
6443
|
+
# store proxy. The problem might be a poorly constructed response, but
|
6444
|
+
# it could also be a transient network issue. If you see this error
|
6445
|
+
# repeatedly, report it to the proxy vendor.
|
6446
|
+
#
|
6447
|
+
# @!attribute [rw] message
|
6448
|
+
# @return [String]
|
6449
|
+
#
|
6450
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
|
6451
|
+
#
|
6452
|
+
class XksProxyInvalidResponseException < Struct.new(
|
6453
|
+
:message)
|
6454
|
+
SENSITIVE = []
|
6455
|
+
include Aws::Structure
|
6456
|
+
end
|
6457
|
+
|
6458
|
+
# The request was rejected because the concatenation of the
|
6459
|
+
# `XksProxyUriEndpoint` is already associated with an external key store
|
6460
|
+
# in the Amazon Web Services account and Region. Each external key store
|
6461
|
+
# in an account and Region must use a unique external key store proxy
|
6462
|
+
# address.
|
6463
|
+
#
|
6464
|
+
# @!attribute [rw] message
|
6465
|
+
# @return [String]
|
6466
|
+
#
|
6467
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
|
6468
|
+
#
|
6469
|
+
class XksProxyUriEndpointInUseException < Struct.new(
|
6470
|
+
:message)
|
6471
|
+
SENSITIVE = []
|
6472
|
+
include Aws::Structure
|
6473
|
+
end
|
6474
|
+
|
6475
|
+
# The request was rejected because the concatenation of the
|
6476
|
+
# `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
|
6477
|
+
# an external key store in the Amazon Web Services account and Region.
|
6478
|
+
# Each external key store in an account and Region must use a unique
|
6479
|
+
# external key store proxy API address.
|
6480
|
+
#
|
6481
|
+
# @!attribute [rw] message
|
6482
|
+
# @return [String]
|
6483
|
+
#
|
6484
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
|
6485
|
+
#
|
6486
|
+
class XksProxyUriInUseException < Struct.new(
|
6487
|
+
:message)
|
6488
|
+
SENSITIVE = []
|
6489
|
+
include Aws::Structure
|
6490
|
+
end
|
6491
|
+
|
6492
|
+
# KMS was unable to reach the specified `XksProxyUriPath`. The path must
|
6493
|
+
# be reachable before you create the external key store or update its
|
6494
|
+
# settings.
|
6495
|
+
#
|
6496
|
+
# This exception is also thrown when the external key store proxy
|
6497
|
+
# response to a `GetHealthStatus` request indicates that all external
|
6498
|
+
# key manager instances are unavailable.
|
6499
|
+
#
|
6500
|
+
# @!attribute [rw] message
|
6501
|
+
# @return [String]
|
6502
|
+
#
|
6503
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
|
6504
|
+
#
|
6505
|
+
class XksProxyUriUnreachableException < Struct.new(
|
6506
|
+
:message)
|
6507
|
+
SENSITIVE = []
|
6508
|
+
include Aws::Structure
|
6509
|
+
end
|
6510
|
+
|
6511
|
+
# The request was rejected because the specified Amazon VPC endpoint
|
6512
|
+
# service is already associated with an external key store in the Amazon
|
6513
|
+
# Web Services account and Region. Each external key store in an Amazon
|
6514
|
+
# Web Services account and Region must use a different Amazon VPC
|
6515
|
+
# endpoint service.
|
6516
|
+
#
|
6517
|
+
# @!attribute [rw] message
|
6518
|
+
# @return [String]
|
6519
|
+
#
|
6520
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
|
6521
|
+
#
|
6522
|
+
class XksProxyVpcEndpointServiceInUseException < Struct.new(
|
6523
|
+
:message)
|
6524
|
+
SENSITIVE = []
|
6525
|
+
include Aws::Structure
|
6526
|
+
end
|
6527
|
+
|
6528
|
+
# The request was rejected because the Amazon VPC endpoint service
|
6529
|
+
# configuration does not fulfill the requirements for an external key
|
6530
|
+
# store proxy. For details, see the exception message and [review the
|
6531
|
+
# requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
|
6532
|
+
# for Amazon VPC endpoint service connectivity for an external key
|
6533
|
+
# store.
|
6534
|
+
#
|
6535
|
+
# @!attribute [rw] message
|
6536
|
+
# @return [String]
|
6537
|
+
#
|
6538
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
|
6539
|
+
#
|
6540
|
+
class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
|
6541
|
+
:message)
|
6542
|
+
SENSITIVE = []
|
6543
|
+
include Aws::Structure
|
6544
|
+
end
|
6545
|
+
|
6546
|
+
# The request was rejected because KMS could not find the specified VPC
|
6547
|
+
# endpoint service. Use DescribeCustomKeyStores to verify the VPC
|
6548
|
+
# endpoint service name for the external key store. Also, confirm that
|
6549
|
+
# the `Allow principals` list for the VPC endpoint service includes the
|
6550
|
+
# KMS service principal for the Region, such as
|
6551
|
+
# `cks.kms.us-east-1.amazonaws.com`.
|
6552
|
+
#
|
6553
|
+
# @!attribute [rw] message
|
6554
|
+
# @return [String]
|
6555
|
+
#
|
6556
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
|
6557
|
+
#
|
6558
|
+
class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
|
6559
|
+
:message)
|
6560
|
+
SENSITIVE = []
|
6561
|
+
include Aws::Structure
|
6562
|
+
end
|
6563
|
+
|
5323
6564
|
end
|
5324
6565
|
end
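Review bot: The class comment on `XksProxyUriEndpointInUseException` says `# The request was rejected because the concatenation of the` / `# `XksProxyUriEndpoint` is already associated with an external key store`, but only one value is named; this looks copied from the `XksProxyUriInUseException` text below it and should drop "the concatenation of". The link in the `XksProxyVpcEndpointServiceInvalidConfigurationException` comment is a relative path, `(kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)`, while every other link in this hunk is an absolute `https://docs.aws.amazon.com/...` URL, so it will not resolve in rendered YARD output and should be written in the same absolute form. The `XksKeyConfigurationType` comment also has a misplaced space in `[external key ][1]that`, which should be `[external key][1] that`. The `SENSITIVE` lists look consistent: `XksProxyAuthenticationCredentialType` redacts both `:access_key_id` and `:raw_secret_access_key`, and the describe-side `XksProxyConfigurationType` never carries the secret.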
|