aws-sdk-kms 1.54.0 → 1.57.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1169 -549
- data/lib/aws-sdk-kms/client_api.rb +67 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +524 -204
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +4 -4
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -415,7 +415,7 @@ module Aws::KMS
|
|
|
415
415
|
# key_id: "KeyIdType", # required
|
|
416
416
|
# grantee_principal: "PrincipalIdType", # required
|
|
417
417
|
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
418
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
419
|
# constraints: {
|
|
420
420
|
# encryption_context_subset: {
|
|
421
421
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -491,12 +491,13 @@ module Aws::KMS
|
|
|
491
491
|
# @!attribute [rw] operations
|
|
492
492
|
# A list of operations that the grant permits.
|
|
493
493
|
#
|
|
494
|
-
#
|
|
495
|
-
#
|
|
496
|
-
#
|
|
497
|
-
#
|
|
498
|
-
#
|
|
499
|
-
#
|
|
494
|
+
# This list must include only operations that are permitted in a
|
|
495
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
|
496
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
|
497
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
|
498
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
|
499
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
|
500
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
|
500
501
|
#
|
|
501
502
|
#
|
|
502
503
|
#
|
|
@@ -509,27 +510,39 @@ module Aws::KMS
|
|
|
509
510
|
# KMS supports the `EncryptionContextEquals` and
|
|
510
511
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
|
511
512
|
# can include up to 8 encryption context pairs. The encryption context
|
|
512
|
-
# value in each constraint cannot exceed 384 characters.
|
|
513
|
+
# value in each constraint cannot exceed 384 characters. For
|
|
514
|
+
# information about grant constraints, see [Using grant
|
|
515
|
+
# constraints][1] in the *Key Management Service Developer Guide*. For
|
|
516
|
+
# more information about encryption context, see [Encryption
|
|
517
|
+
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
518
|
+
# </i>.
|
|
513
519
|
#
|
|
514
|
-
#
|
|
515
|
-
# the encryption context in the request matches
|
|
520
|
+
# The encryption context grant constraints allow the permissions in
|
|
521
|
+
# the grant only when the encryption context in the request matches
|
|
516
522
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
517
|
-
# the encryption context specified in this structure.
|
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
|
523
|
+
# the encryption context specified in this structure.
|
|
522
524
|
#
|
|
523
525
|
# The encryption context grant constraints are supported only on
|
|
524
|
-
# operations that include an
|
|
525
|
-
#
|
|
526
|
-
# with
|
|
527
|
-
#
|
|
526
|
+
# [grant operations][3] that include an `EncryptionContext` parameter,
|
|
527
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
|
528
|
+
# Grants with grant constraints can include the DescribeKey and
|
|
529
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
|
530
|
+
# operations. If a grant with a grant constraint includes the
|
|
531
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
|
532
|
+
# created with the `CreateGrant` permission have an equally strict or
|
|
533
|
+
# stricter encryption context constraint.
|
|
534
|
+
#
|
|
535
|
+
# You cannot use an encryption context grant constraint for
|
|
536
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
537
|
+
# These keys don't support an encryption context.
|
|
538
|
+
#
|
|
539
|
+
#
|
|
528
540
|
#
|
|
529
541
|
#
|
|
530
542
|
#
|
|
531
543
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
532
544
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
545
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
533
546
|
# @return [Types::GrantConstraints]
|
|
534
547
|
#
|
|
535
548
|
# @!attribute [rw] grant_tokens
|
|
@@ -613,9 +626,9 @@ module Aws::KMS
|
|
|
613
626
|
# {
|
|
614
627
|
# policy: "PolicyType",
|
|
615
628
|
# description: "DescriptionType",
|
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
629
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
631
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
619
632
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
620
633
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
621
634
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -629,16 +642,19 @@ module Aws::KMS
|
|
|
629
642
|
# }
|
|
630
643
|
#
|
|
631
644
|
# @!attribute [rw] policy
|
|
632
|
-
# The key policy to attach to the KMS key.
|
|
645
|
+
# The key policy to attach to the KMS key. If you do not specify a key
|
|
646
|
+
# policy, KMS attaches a default key policy to the KMS key. For more
|
|
647
|
+
# information, see [Default key policy][1] in the *Key Management
|
|
648
|
+
# Service Developer Guide*.
|
|
633
649
|
#
|
|
634
650
|
# If you provide a key policy, it must meet the following criteria:
|
|
635
651
|
#
|
|
636
|
-
# * If you don't set `BypassPolicyLockoutSafetyCheck` to
|
|
652
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
|
|
637
653
|
# key policy must allow the principal that is making the `CreateKey`
|
|
638
654
|
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
|
639
655
|
# This reduces the risk that the KMS key becomes unmanageable. For
|
|
640
656
|
# more information, refer to the scenario in the [Default Key
|
|
641
|
-
# Policy][
|
|
657
|
+
# Policy][2] section of the <i> <i>Key Management Service Developer
|
|
642
658
|
# Guide</i> </i>.
|
|
643
659
|
#
|
|
644
660
|
# * Each statement in the key policy must contain one or more
|
|
@@ -648,14 +664,23 @@ module Aws::KMS
|
|
|
648
664
|
# enforce a delay before including the new principal in a key policy
|
|
649
665
|
# because the new principal might not be immediately visible to KMS.
|
|
650
666
|
# For more information, see [Changes that I make are not always
|
|
651
|
-
# immediately visible][
|
|
667
|
+
# immediately visible][3] in the *Amazon Web Services Identity and
|
|
652
668
|
# Access Management User Guide*.
|
|
653
669
|
#
|
|
654
|
-
#
|
|
655
|
-
#
|
|
656
|
-
#
|
|
670
|
+
# A key policy document must conform to the following rules.
|
|
671
|
+
#
|
|
672
|
+
# * Up to 32 kilobytes (32768 bytes)
|
|
657
673
|
#
|
|
658
|
-
#
|
|
674
|
+
# * Must be UTF-8 encoded
|
|
675
|
+
#
|
|
676
|
+
# * The only Unicode characters that are permitted in a key policy
|
|
677
|
+
# document are the horizontal tab (U+0009), linefeed (U+000A),
|
|
678
|
+
# carriage return (U+000D), and characters in the range U+0020 to
|
|
679
|
+
# U+00FF.
|
|
680
|
+
#
|
|
681
|
+
# * The `Sid` element in a key policy statement can include spaces.
|
|
682
|
+
# (Spaces are prohibited in the `Sid` element of an IAM policy
|
|
683
|
+
# document.)
|
|
659
684
|
#
|
|
660
685
|
# For help writing and formatting a JSON policy document, see the [IAM
|
|
661
686
|
# JSON Policy Reference][4] in the <i> <i>Identity and Access
|
|
@@ -663,9 +688,9 @@ module Aws::KMS
|
|
|
663
688
|
#
|
|
664
689
|
#
|
|
665
690
|
#
|
|
666
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
667
|
-
# [2]: https://docs.aws.amazon.com/
|
|
668
|
-
# [3]: https://docs.aws.amazon.com/
|
|
691
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
692
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
693
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
669
694
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
670
695
|
# @return [String]
|
|
671
696
|
#
|
|
@@ -683,14 +708,17 @@ module Aws::KMS
|
|
|
683
708
|
# @!attribute [rw] key_usage
|
|
684
709
|
# Determines the [cryptographic operations][1] for which you can use
|
|
685
710
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
686
|
-
# is
|
|
687
|
-
#
|
|
711
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
|
712
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
|
713
|
+
# after the KMS key is created.
|
|
688
714
|
#
|
|
689
715
|
# Select only one valid value.
|
|
690
716
|
#
|
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
|
717
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
|
692
718
|
# `ENCRYPT_DECRYPT`.
|
|
693
719
|
#
|
|
720
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
721
|
+
#
|
|
694
722
|
# * For asymmetric KMS keys with RSA key material, specify
|
|
695
723
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
696
724
|
#
|
|
@@ -715,33 +743,41 @@ module Aws::KMS
|
|
|
715
743
|
# Specifies the type of KMS key to create. The default value,
|
|
716
744
|
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
|
|
717
745
|
# for encryption and decryption. For help choosing a key spec for your
|
|
718
|
-
# KMS key, see [
|
|
719
|
-
#
|
|
746
|
+
# KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key
|
|
747
|
+
# Management Service Developer Guide</i> </i>.
|
|
720
748
|
#
|
|
721
749
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
|
723
|
-
# algorithms
|
|
724
|
-
#
|
|
725
|
-
#
|
|
726
|
-
#
|
|
727
|
-
#
|
|
728
|
-
# the <i> <i>Key Management Service Developer
|
|
729
|
-
#
|
|
730
|
-
#
|
|
731
|
-
#
|
|
732
|
-
#
|
|
733
|
-
#
|
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
|
735
|
-
# Guide*.
|
|
750
|
+
# key or an asymmetric key pair. It also determines the cryptographic
|
|
751
|
+
# algorithms that the KMS key supports. You can't change the
|
|
752
|
+
# `KeySpec` after the KMS key is created. To further restrict the
|
|
753
|
+
# algorithms that can be used with the KMS key, use a condition key in
|
|
754
|
+
# its key policy or IAM policy. For more information, see
|
|
755
|
+
# [kms:EncryptionAlgorithm][2], [kms:MacAlgorithm][3] or [kms:Signing
|
|
756
|
+
# Algorithm][4] in the <i> <i>Key Management Service Developer
|
|
757
|
+
# Guide</i> </i>.
|
|
758
|
+
#
|
|
759
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
760
|
+
# symmetric encryption KMS keys to protect your data. These services
|
|
761
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
736
762
|
#
|
|
737
763
|
# KMS supports the following key specs for KMS keys:
|
|
738
764
|
#
|
|
739
|
-
# * Symmetric key (default)
|
|
765
|
+
# * Symmetric encryption key (default)
|
|
740
766
|
#
|
|
741
767
|
# * `SYMMETRIC_DEFAULT` (AES-256-GCM)
|
|
742
768
|
#
|
|
743
769
|
# ^
|
|
744
770
|
#
|
|
771
|
+
# * HMAC keys (symmetric)
|
|
772
|
+
#
|
|
773
|
+
# * `HMAC_224`
|
|
774
|
+
#
|
|
775
|
+
# * `HMAC_256`
|
|
776
|
+
#
|
|
777
|
+
# * `HMAC_384`
|
|
778
|
+
#
|
|
779
|
+
# * `HMAC_512`
|
|
780
|
+
#
|
|
745
781
|
# * Asymmetric RSA key pairs
|
|
746
782
|
#
|
|
747
783
|
# * `RSA_2048`
|
|
@@ -767,11 +803,11 @@ module Aws::KMS
|
|
|
767
803
|
#
|
|
768
804
|
#
|
|
769
805
|
#
|
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
|
806
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
771
807
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
|
773
|
-
# [4]:
|
|
774
|
-
# [5]:
|
|
808
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
|
809
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
|
810
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
775
811
|
# @return [String]
|
|
776
812
|
#
|
|
777
813
|
# @!attribute [rw] origin
|
|
@@ -783,13 +819,13 @@ module Aws::KMS
|
|
|
783
819
|
# material), set the value to `EXTERNAL`. For more information about
|
|
784
820
|
# importing key material into KMS, see [Importing Key Material][1] in
|
|
785
821
|
# the *Key Management Service Developer Guide*. This value is valid
|
|
786
|
-
# only for symmetric KMS keys.
|
|
822
|
+
# only for symmetric encryption KMS keys.
|
|
787
823
|
#
|
|
788
824
|
# To create a KMS key in an KMS [custom key store][2] and create its
|
|
789
825
|
# key material in the associated CloudHSM cluster, set this value to
|
|
790
826
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
791
827
|
# to identify the custom key store. This value is valid only for
|
|
792
|
-
# symmetric KMS keys.
|
|
828
|
+
# symmetric encryption KMS keys.
|
|
793
829
|
#
|
|
794
830
|
#
|
|
795
831
|
#
|
|
@@ -805,9 +841,9 @@ module Aws::KMS
|
|
|
805
841
|
# associated with the custom key store must have at least two active
|
|
806
842
|
# HSMs, each in a different Availability Zone in the Region.
|
|
807
843
|
#
|
|
808
|
-
# This parameter is valid only for symmetric KMS keys
|
|
809
|
-
#
|
|
810
|
-
#
|
|
844
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
845
|
+
# single Region. You cannot create any other type of KMS key in a
|
|
846
|
+
# custom key store.
|
|
811
847
|
#
|
|
812
848
|
# To find the ID of a custom key store, use the
|
|
813
849
|
# DescribeCustomKeyStores operation.
|
|
@@ -853,8 +889,8 @@ module Aws::KMS
|
|
|
853
889
|
# TagResource operation.
|
|
854
890
|
#
|
|
855
891
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
856
|
-
# KMS key. For details, see [
|
|
857
|
-
#
|
|
892
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
893
|
+
# Service Developer Guide*.
|
|
858
894
|
#
|
|
859
895
|
# </note>
|
|
860
896
|
#
|
|
@@ -895,15 +931,16 @@ module Aws::KMS
|
|
|
895
931
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
896
932
|
# a different Amazon Web Services Region without re-encrypting the
|
|
897
933
|
# data or making a cross-Region call. For more information about
|
|
898
|
-
# multi-Region keys, see [
|
|
934
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
|
899
935
|
# Management Service Developer Guide*.
|
|
900
936
|
#
|
|
901
937
|
# This value creates a *primary key*, not a replica. To create a
|
|
902
938
|
# *replica key*, use the ReplicateKey operation.
|
|
903
939
|
#
|
|
904
|
-
# You can create a
|
|
905
|
-
#
|
|
906
|
-
# you cannot create a multi-Region key
|
|
940
|
+
# You can create a multi-Region version of a symmetric encryption KMS
|
|
941
|
+
# key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
|
|
942
|
+
# imported key material. However, you cannot create a multi-Region key
|
|
943
|
+
# in a custom key store.
|
|
907
944
|
#
|
|
908
945
|
#
|
|
909
946
|
#
|
|
@@ -1170,17 +1207,20 @@ module Aws::KMS
|
|
|
1170
1207
|
# @!attribute [rw] encryption_context
|
|
1171
1208
|
# Specifies the encryption context to use when decrypting the data. An
|
|
1172
1209
|
# encryption context is valid only for [cryptographic operations][1]
|
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
|
1174
|
-
# algorithms that KMS uses do not
|
|
1210
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
|
1211
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
|
1212
|
+
# support an encryption context.
|
|
1175
1213
|
#
|
|
1176
1214
|
# An *encryption context* is a collection of non-secret key-value
|
|
1177
|
-
# pairs that
|
|
1215
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1178
1216
|
# encryption context to encrypt data, you must specify the same (an
|
|
1179
1217
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1180
|
-
# An encryption context is
|
|
1181
|
-
# KMS
|
|
1218
|
+
# An encryption context is supported only on operations with symmetric
|
|
1219
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1220
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1221
|
+
# recommended.
|
|
1182
1222
|
#
|
|
1183
|
-
# For more information, see [Encryption
|
|
1223
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1184
1224
|
# Management Service Developer Guide*.
|
|
1185
1225
|
#
|
|
1186
1226
|
#
|
|
@@ -1204,15 +1244,18 @@ module Aws::KMS
|
|
|
1204
1244
|
# @return [Array<String>]
|
|
1205
1245
|
#
|
|
1206
1246
|
# @!attribute [rw] key_id
|
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1208
|
-
#
|
|
1247
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1248
|
+
#
|
|
1249
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
1250
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
|
1251
|
+
# operation throws an `IncorrectKeyException`.
|
|
1209
1252
|
#
|
|
1210
1253
|
# This parameter is required only when the ciphertext was encrypted
|
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
|
1215
|
-
# intend.
|
|
1254
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
1255
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
1256
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
1257
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
1258
|
+
# you intend.
|
|
1216
1259
|
#
|
|
1217
1260
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1218
1261
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1243,7 +1286,7 @@ module Aws::KMS
|
|
|
1243
1286
|
# This parameter is required only when the ciphertext was encrypted
|
|
1244
1287
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
|
1245
1288
|
# represents the only supported algorithm that is valid for symmetric
|
|
1246
|
-
# KMS keys.
|
|
1289
|
+
# encryption KMS keys.
|
|
1247
1290
|
# @return [String]
|
|
1248
1291
|
#
|
|
1249
1292
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
@@ -1570,9 +1613,10 @@ module Aws::KMS
|
|
|
1570
1613
|
# }
|
|
1571
1614
|
#
|
|
1572
1615
|
# @!attribute [rw] key_id
|
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
|
1575
|
-
# [imported key material][
|
|
1616
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1617
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1618
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1619
|
+
# [custom key store][4].
|
|
1576
1620
|
#
|
|
1577
1621
|
# Specify the key ID or key ARN of the KMS key.
|
|
1578
1622
|
#
|
|
@@ -1589,8 +1633,9 @@ module Aws::KMS
|
|
|
1589
1633
|
#
|
|
1590
1634
|
#
|
|
1591
1635
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1636
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1637
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1638
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1594
1639
|
# @return [String]
|
|
1595
1640
|
#
|
|
1596
1641
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1678,11 +1723,12 @@ module Aws::KMS
|
|
|
1678
1723
|
# }
|
|
1679
1724
|
#
|
|
1680
1725
|
# @!attribute [rw] key_id
|
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
|
1682
|
-
# of [asymmetric KMS keys][1],
|
|
1683
|
-
#
|
|
1684
|
-
#
|
|
1685
|
-
#
|
|
1726
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1727
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1728
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1729
|
+
# [custom key store][4]. The key rotation status of these KMS keys is
|
|
1730
|
+
# always `false`. To enable or disable automatic rotation of a set of
|
|
1731
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
|
1686
1732
|
#
|
|
1687
1733
|
# Specify the key ID or key ARN of the KMS key.
|
|
1688
1734
|
#
|
|
@@ -1698,10 +1744,11 @@ module Aws::KMS
|
|
|
1698
1744
|
#
|
|
1699
1745
|
#
|
|
1700
1746
|
#
|
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1747
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1748
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1749
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1750
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1751
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
|
1705
1752
|
# @return [String]
|
|
1706
1753
|
#
|
|
1707
1754
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1726,7 +1773,9 @@ module Aws::KMS
|
|
|
1726
1773
|
# }
|
|
1727
1774
|
#
|
|
1728
1775
|
# @!attribute [rw] key_id
|
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
|
1776
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1777
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
1778
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
|
1730
1779
|
#
|
|
1731
1780
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1732
1781
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1755,18 +1804,20 @@ module Aws::KMS
|
|
|
1755
1804
|
# @!attribute [rw] encryption_context
|
|
1756
1805
|
# Specifies the encryption context that will be used to encrypt the
|
|
1757
1806
|
# data. An encryption context is valid only for [cryptographic
|
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
|
1759
|
-
# encryption algorithms that KMS uses
|
|
1760
|
-
# context.
|
|
1807
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
|
1808
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
|
1809
|
+
# do not support an encryption context.
|
|
1761
1810
|
#
|
|
1762
1811
|
# An *encryption context* is a collection of non-secret key-value
|
|
1763
|
-
# pairs that
|
|
1812
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1764
1813
|
# encryption context to encrypt data, you must specify the same (an
|
|
1765
1814
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1766
|
-
# An encryption context is
|
|
1767
|
-
# KMS
|
|
1815
|
+
# An encryption context is supported only on operations with symmetric
|
|
1816
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1817
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1818
|
+
# recommended.
|
|
1768
1819
|
#
|
|
1769
|
-
# For more information, see [Encryption
|
|
1820
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1770
1821
|
# Management Service Developer Guide*.
|
|
1771
1822
|
#
|
|
1772
1823
|
#
|
|
@@ -1795,9 +1846,9 @@ module Aws::KMS
|
|
|
1795
1846
|
# that you specify.
|
|
1796
1847
|
#
|
|
1797
1848
|
# This parameter is required only for asymmetric KMS keys. The default
|
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
|
1849
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1850
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1851
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
|
1801
1852
|
# @return [String]
|
|
1802
1853
|
#
|
|
1803
1854
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1874,13 +1925,15 @@ module Aws::KMS
|
|
|
1874
1925
|
# the private key in the data key pair.
|
|
1875
1926
|
#
|
|
1876
1927
|
# An *encryption context* is a collection of non-secret key-value
|
|
1877
|
-
# pairs that
|
|
1928
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1878
1929
|
# encryption context to encrypt data, you must specify the same (an
|
|
1879
1930
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1880
|
-
# An encryption context is
|
|
1881
|
-
# KMS
|
|
1931
|
+
# An encryption context is supported only on operations with symmetric
|
|
1932
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1933
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1934
|
+
# recommended.
|
|
1882
1935
|
#
|
|
1883
|
-
# For more information, see [Encryption
|
|
1936
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
1884
1937
|
# Management Service Developer Guide*.
|
|
1885
1938
|
#
|
|
1886
1939
|
#
|
|
@@ -1889,10 +1942,10 @@ module Aws::KMS
|
|
|
1889
1942
|
# @return [Hash<String,String>]
|
|
1890
1943
|
#
|
|
1891
1944
|
# @!attribute [rw] key_id
|
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
|
1894
|
-
# in a custom key store. To get the type and origin of
|
|
1895
|
-
# use the DescribeKey operation.
|
|
1945
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
1946
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
1947
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
1948
|
+
# your KMS key, use the DescribeKey operation.
|
|
1896
1949
|
#
|
|
1897
1950
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1898
1951
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1961,7 +2014,9 @@ module Aws::KMS
|
|
|
1961
2014
|
# @return [String]
|
|
1962
2015
|
#
|
|
1963
2016
|
# @!attribute [rw] public_key
|
|
1964
|
-
# The public key (in plaintext).
|
|
2017
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2018
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2019
|
+
# is not Base64-encoded.
|
|
1965
2020
|
# @return [String]
|
|
1966
2021
|
#
|
|
1967
2022
|
# @!attribute [rw] key_id
|
|
@@ -2006,13 +2061,15 @@ module Aws::KMS
|
|
|
2006
2061
|
# the private key in the data key pair.
|
|
2007
2062
|
#
|
|
2008
2063
|
# An *encryption context* is a collection of non-secret key-value
|
|
2009
|
-
# pairs that
|
|
2064
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2010
2065
|
# encryption context to encrypt data, you must specify the same (an
|
|
2011
2066
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2012
|
-
# An encryption context is
|
|
2013
|
-
# KMS
|
|
2067
|
+
# An encryption context is supported only on operations with symmetric
|
|
2068
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2069
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2070
|
+
# recommended.
|
|
2014
2071
|
#
|
|
2015
|
-
# For more information, see [Encryption
|
|
2072
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2016
2073
|
# Management Service Developer Guide*.
|
|
2017
2074
|
#
|
|
2018
2075
|
#
|
|
@@ -2021,10 +2078,10 @@ module Aws::KMS
|
|
|
2021
2078
|
# @return [Hash<String,String>]
|
|
2022
2079
|
#
|
|
2023
2080
|
# @!attribute [rw] key_id
|
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
|
2025
|
-
# pair. You
|
|
2026
|
-
#
|
|
2027
|
-
#
|
|
2081
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
2082
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
2083
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
2084
|
+
# your KMS key, use the DescribeKey operation.
|
|
2028
2085
|
#
|
|
2029
2086
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2030
2087
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2087,7 +2144,9 @@ module Aws::KMS
|
|
|
2087
2144
|
# @return [String]
|
|
2088
2145
|
#
|
|
2089
2146
|
# @!attribute [rw] public_key
|
|
2090
|
-
# The public key (in plaintext).
|
|
2147
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2148
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2149
|
+
# is not Base64-encoded.
|
|
2091
2150
|
# @return [String]
|
|
2092
2151
|
#
|
|
2093
2152
|
# @!attribute [rw] key_id
|
|
@@ -2128,7 +2187,10 @@ module Aws::KMS
|
|
|
2128
2187
|
# }
|
|
2129
2188
|
#
|
|
2130
2189
|
# @!attribute [rw] key_id
|
|
2131
|
-
#
|
|
2190
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2191
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2192
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2193
|
+
# the DescribeKey operation.
|
|
2132
2194
|
#
|
|
2133
2195
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2134
2196
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2155,13 +2217,15 @@ module Aws::KMS
|
|
|
2155
2217
|
# the data key.
|
|
2156
2218
|
#
|
|
2157
2219
|
# An *encryption context* is a collection of non-secret key-value
|
|
2158
|
-
# pairs that
|
|
2220
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2159
2221
|
# encryption context to encrypt data, you must specify the same (an
|
|
2160
2222
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2161
|
-
# An encryption context is
|
|
2162
|
-
# KMS
|
|
2223
|
+
# An encryption context is supported only on operations with symmetric
|
|
2224
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2225
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2226
|
+
# recommended.
|
|
2163
2227
|
#
|
|
2164
|
-
# For more information, see [Encryption
|
|
2228
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2165
2229
|
# Management Service Developer Guide*.
|
|
2166
2230
|
#
|
|
2167
2231
|
#
|
|
@@ -2260,7 +2324,10 @@ module Aws::KMS
|
|
|
2260
2324
|
# }
|
|
2261
2325
|
#
|
|
2262
2326
|
# @!attribute [rw] key_id
|
|
2263
|
-
#
|
|
2327
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2328
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2329
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2330
|
+
# the DescribeKey operation.
|
|
2264
2331
|
#
|
|
2265
2332
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2266
2333
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2287,13 +2354,15 @@ module Aws::KMS
|
|
|
2287
2354
|
# the data key.
|
|
2288
2355
|
#
|
|
2289
2356
|
# An *encryption context* is a collection of non-secret key-value
|
|
2290
|
-
# pairs that
|
|
2357
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2291
2358
|
# encryption context to encrypt data, you must specify the same (an
|
|
2292
2359
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2293
|
-
# An encryption context is
|
|
2294
|
-
# KMS
|
|
2360
|
+
# An encryption context is supported only on operations with symmetric
|
|
2361
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2362
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2363
|
+
# recommended.
|
|
2295
2364
|
#
|
|
2296
|
-
# For more information, see [Encryption
|
|
2365
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2297
2366
|
# Management Service Developer Guide*.
|
|
2298
2367
|
#
|
|
2299
2368
|
#
|
|
@@ -2363,6 +2432,93 @@ module Aws::KMS
|
|
|
2363
2432
|
include Aws::Structure
|
|
2364
2433
|
end
|
|
2365
2434
|
|
|
2435
|
+
# @note When making an API call, you may pass GenerateMacRequest
|
|
2436
|
+
# data as a hash:
|
|
2437
|
+
#
|
|
2438
|
+
# {
|
|
2439
|
+
# message: "data", # required
|
|
2440
|
+
# key_id: "KeyIdType", # required
|
|
2441
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2442
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2443
|
+
# }
|
|
2444
|
+
#
|
|
2445
|
+
# @!attribute [rw] message
|
|
2446
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2447
|
+
#
|
|
2448
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
|
2449
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
|
2450
|
+
# message, you must verify the HMAC of the same hash digest.
|
|
2451
|
+
# @return [String]
|
|
2452
|
+
#
|
|
2453
|
+
# @!attribute [rw] key_id
|
|
2454
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
|
2455
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
|
2456
|
+
#
|
|
2457
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
|
2458
|
+
# the `KeySpec` field in the response.
|
|
2459
|
+
#
|
|
2460
|
+
#
|
|
2461
|
+
#
|
|
2462
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2463
|
+
# @return [String]
|
|
2464
|
+
#
|
|
2465
|
+
# @!attribute [rw] mac_algorithm
|
|
2466
|
+
# The MAC algorithm used in the operation.
|
|
2467
|
+
#
|
|
2468
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
|
2469
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
|
2470
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
|
2471
|
+
# the `DescribeKey` response.
|
|
2472
|
+
# @return [String]
|
|
2473
|
+
#
|
|
2474
|
+
# @!attribute [rw] grant_tokens
|
|
2475
|
+
# A list of grant tokens.
|
|
2476
|
+
#
|
|
2477
|
+
# Use a grant token when your permission to call this operation comes
|
|
2478
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
2479
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
2480
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
2481
|
+
#
|
|
2482
|
+
#
|
|
2483
|
+
#
|
|
2484
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2485
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
2486
|
+
# @return [Array<String>]
|
|
2487
|
+
#
|
|
2488
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
2489
|
+
#
|
|
2490
|
+
class GenerateMacRequest < Struct.new(
|
|
2491
|
+
:message,
|
|
2492
|
+
:key_id,
|
|
2493
|
+
:mac_algorithm,
|
|
2494
|
+
:grant_tokens)
|
|
2495
|
+
SENSITIVE = [:message]
|
|
2496
|
+
include Aws::Structure
|
|
2497
|
+
end
|
|
2498
|
+
|
|
2499
|
+
# @!attribute [rw] mac
|
|
2500
|
+
# The hash-based message authentication code (HMAC) for the given
|
|
2501
|
+
# message, key, and MAC algorithm.
|
|
2502
|
+
# @return [String]
|
|
2503
|
+
#
|
|
2504
|
+
# @!attribute [rw] mac_algorithm
|
|
2505
|
+
# The MAC algorithm that was used to generate the HMAC.
|
|
2506
|
+
# @return [String]
|
|
2507
|
+
#
|
|
2508
|
+
# @!attribute [rw] key_id
|
|
2509
|
+
# The HMAC KMS key used in the operation.
|
|
2510
|
+
# @return [String]
|
|
2511
|
+
#
|
|
2512
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
|
2513
|
+
#
|
|
2514
|
+
class GenerateMacResponse < Struct.new(
|
|
2515
|
+
:mac,
|
|
2516
|
+
:mac_algorithm,
|
|
2517
|
+
:key_id)
|
|
2518
|
+
SENSITIVE = []
|
|
2519
|
+
include Aws::Structure
|
|
2520
|
+
end
|
|
2521
|
+
|
|
2366
2522
|
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2367
2523
|
# data as a hash:
|
|
2368
2524
|
#
|
|
@@ -2513,8 +2669,9 @@ module Aws::KMS
|
|
|
2513
2669
|
# }
|
|
2514
2670
|
#
|
|
2515
2671
|
# @!attribute [rw] key_id
|
|
2516
|
-
# The identifier of the symmetric KMS key into which you
|
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
|
2672
|
+
# The identifier of the symmetric encryption KMS key into which you
|
|
2673
|
+
# will import key material. The `Origin` of the KMS key must be
|
|
2674
|
+
# `EXTERNAL`.
|
|
2518
2675
|
#
|
|
2519
2676
|
# Specify the key ID or key ARN of the KMS key.
|
|
2520
2677
|
#
|
|
@@ -2729,10 +2886,11 @@ module Aws::KMS
|
|
|
2729
2886
|
#
|
|
2730
2887
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2731
2888
|
# that support an encryption context, that is, all cryptographic
|
|
2732
|
-
# operations with a [symmetric KMS key][3]. Grant constraints
|
|
2733
|
-
# applied to operations that do not support an encryption
|
|
2734
|
-
# as cryptographic operations with
|
|
2735
|
-
# operations, such as DescribeKey or
|
|
2889
|
+
# operations with a [symmetric encryption KMS key][3]. Grant constraints
|
|
2890
|
+
# are not applied to operations that do not support an encryption
|
|
2891
|
+
# context, such as cryptographic operations with HMAC KMS keys or
|
|
2892
|
+
# asymmetric KMS keys, and management operations, such as DescribeKey or
|
|
2893
|
+
# RetireGrant.
|
|
2736
2894
|
#
|
|
2737
2895
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2738
2896
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2880,10 +3038,13 @@ module Aws::KMS
|
|
|
2880
3038
|
# }
|
|
2881
3039
|
#
|
|
2882
3040
|
# @!attribute [rw] key_id
|
|
2883
|
-
# The identifier of the symmetric KMS key that receives the
|
|
2884
|
-
# key material.
|
|
2885
|
-
#
|
|
2886
|
-
#
|
|
3041
|
+
# The identifier of the symmetric encryption KMS key that receives the
|
|
3042
|
+
# imported key material. This must be the same KMS key specified in
|
|
3043
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
|
3044
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
|
|
3045
|
+
# perform this operation on an asymmetric KMS key, an HMAC KMS key, a
|
|
3046
|
+
# KMS key in a custom key store, or on a KMS key in a different Amazon
|
|
3047
|
+
# Web Services account
|
|
2887
3048
|
#
|
|
2888
3049
|
# Specify the key ID or key ARN of the KMS key.
|
|
2889
3050
|
#
|
|
@@ -3095,9 +3256,11 @@ module Aws::KMS
|
|
|
3095
3256
|
# key `(KeySpec`).
|
|
3096
3257
|
#
|
|
3097
3258
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
|
3100
|
-
#
|
|
3259
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3260
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3261
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3262
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
|
3263
|
+
# DescribeKey operation.
|
|
3101
3264
|
#
|
|
3102
3265
|
# To find the encryption or signing algorithms supported for a
|
|
3103
3266
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3141,6 +3304,22 @@ module Aws::KMS
|
|
|
3141
3304
|
include Aws::Structure
|
|
3142
3305
|
end
|
|
3143
3306
|
|
|
3307
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
|
3308
|
+
# verification fails when the HMAC computed by using the specified
|
|
3309
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
|
3310
|
+
# specified in the request.
|
|
3311
|
+
#
|
|
3312
|
+
# @!attribute [rw] message
|
|
3313
|
+
# @return [String]
|
|
3314
|
+
#
|
|
3315
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
|
3316
|
+
#
|
|
3317
|
+
class KMSInvalidMacException < Struct.new(
|
|
3318
|
+
:message)
|
|
3319
|
+
SENSITIVE = []
|
|
3320
|
+
include Aws::Structure
|
|
3321
|
+
end
|
|
3322
|
+
|
|
3144
3323
|
# The request was rejected because the signature verification failed.
|
|
3145
3324
|
# Signature verification fails when it cannot confirm that signature was
|
|
3146
3325
|
# produced by signing the specified message with the specified KMS key
|
|
@@ -3161,8 +3340,8 @@ module Aws::KMS
|
|
|
3161
3340
|
# is not valid for this request.
|
|
3162
3341
|
#
|
|
3163
3342
|
# For more information about how key state affects the use of a KMS key,
|
|
3164
|
-
# see [Key
|
|
3165
|
-
#
|
|
3343
|
+
# see [Key states of KMS keys][1] in the <i> <i>Key Management Service
|
|
3344
|
+
# Developer Guide</i> </i>.
|
|
3166
3345
|
#
|
|
3167
3346
|
#
|
|
3168
3347
|
#
|
|
@@ -3247,8 +3426,8 @@ module Aws::KMS
|
|
|
3247
3426
|
# The current status of the KMS key.
|
|
3248
3427
|
#
|
|
3249
3428
|
# For more information about how key state affects the use of a KMS
|
|
3250
|
-
# key, see [Key
|
|
3251
|
-
#
|
|
3429
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
3430
|
+
# Developer Guide*.
|
|
3252
3431
|
#
|
|
3253
3432
|
#
|
|
3254
3433
|
#
|
|
@@ -3355,9 +3534,8 @@ module Aws::KMS
|
|
|
3355
3534
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
3356
3535
|
# replica keys and `False` for regional KMS keys.
|
|
3357
3536
|
#
|
|
3358
|
-
# For more information about multi-Region keys, see [
|
|
3359
|
-
#
|
|
3360
|
-
# Guide*.
|
|
3537
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
|
3538
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
3361
3539
|
#
|
|
3362
3540
|
#
|
|
3363
3541
|
#
|
|
@@ -3402,6 +3580,14 @@ module Aws::KMS
|
|
|
3402
3580
|
# the deletion date appears in the `DeletionDate` field.
|
|
3403
3581
|
# @return [Integer]
|
|
3404
3582
|
#
|
|
3583
|
+
# @!attribute [rw] mac_algorithms
|
|
3584
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
|
3585
|
+
# key supports.
|
|
3586
|
+
#
|
|
3587
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
|
3588
|
+
# `GENERATE_VERIFY_MAC`.
|
|
3589
|
+
# @return [Array<String>]
|
|
3590
|
+
#
|
|
3405
3591
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3406
3592
|
#
|
|
3407
3593
|
class KeyMetadata < Struct.new(
|
|
@@ -3426,7 +3612,8 @@ module Aws::KMS
|
|
|
3426
3612
|
:signing_algorithms,
|
|
3427
3613
|
:multi_region,
|
|
3428
3614
|
:multi_region_configuration,
|
|
3429
|
-
:pending_deletion_window_in_days
|
|
3615
|
+
:pending_deletion_window_in_days,
|
|
3616
|
+
:mac_algorithms)
|
|
3430
3617
|
SENSITIVE = []
|
|
3431
3618
|
include Aws::Structure
|
|
3432
3619
|
end
|
|
@@ -3834,8 +4021,8 @@ module Aws::KMS
|
|
|
3834
4021
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
3835
4022
|
#
|
|
3836
4023
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
3837
|
-
# KMS key. For details, see [
|
|
3838
|
-
#
|
|
4024
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4025
|
+
# Service Developer Guide*.
|
|
3839
4026
|
#
|
|
3840
4027
|
# </note>
|
|
3841
4028
|
#
|
|
@@ -4054,15 +4241,25 @@ module Aws::KMS
|
|
|
4054
4241
|
# immediately visible][2] in the *Amazon Web Services Identity and
|
|
4055
4242
|
# Access Management User Guide*.
|
|
4056
4243
|
#
|
|
4057
|
-
#
|
|
4058
|
-
#
|
|
4059
|
-
#
|
|
4244
|
+
# A key policy document must conform to the following rules.
|
|
4245
|
+
#
|
|
4246
|
+
# * Up to 32 kilobytes (32768 bytes)
|
|
4247
|
+
#
|
|
4248
|
+
# * Must be UTF-8 encoded
|
|
4249
|
+
#
|
|
4250
|
+
# * The only Unicode characters that are permitted in a key policy
|
|
4251
|
+
# document are the horizontal tab (U+0009), linefeed (U+000A),
|
|
4252
|
+
# carriage return (U+000D), and characters in the range U+0020 to
|
|
4253
|
+
# U+00FF.
|
|
4254
|
+
#
|
|
4255
|
+
# * The `Sid` element in a key policy statement can include spaces.
|
|
4256
|
+
# (Spaces are prohibited in the `Sid` element of an IAM policy
|
|
4257
|
+
# document.)
|
|
4060
4258
|
#
|
|
4061
4259
|
#
|
|
4062
4260
|
#
|
|
4063
4261
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
4064
4262
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4065
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
|
|
4066
4263
|
# @return [String]
|
|
4067
4264
|
#
|
|
4068
4265
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4126,13 +4323,15 @@ module Aws::KMS
|
|
|
4126
4323
|
# ciphertext.
|
|
4127
4324
|
#
|
|
4128
4325
|
# An *encryption context* is a collection of non-secret key-value
|
|
4129
|
-
# pairs that
|
|
4326
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4130
4327
|
# encryption context to encrypt data, you must specify the same (an
|
|
4131
4328
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4132
|
-
# An encryption context is
|
|
4133
|
-
# KMS
|
|
4329
|
+
# An encryption context is supported only on operations with symmetric
|
|
4330
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4331
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4332
|
+
# recommended.
|
|
4134
4333
|
#
|
|
4135
|
-
# For more information, see [Encryption
|
|
4334
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4136
4335
|
# Management Service Developer Guide*.
|
|
4137
4336
|
#
|
|
4138
4337
|
#
|
|
@@ -4142,15 +4341,18 @@ module Aws::KMS
|
|
|
4142
4341
|
#
|
|
4143
4342
|
# @!attribute [rw] source_key_id
|
|
4144
4343
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
|
4145
|
-
# before it is re-encrypted.
|
|
4146
|
-
#
|
|
4344
|
+
# before it is re-encrypted.
|
|
4345
|
+
#
|
|
4346
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
4347
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
|
4348
|
+
# operation throws an `IncorrectKeyException`.
|
|
4147
4349
|
#
|
|
4148
4350
|
# This parameter is required only when the ciphertext was encrypted
|
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
|
4153
|
-
# intend.
|
|
4351
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
4352
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
4353
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
4354
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
4355
|
+
# you intend.
|
|
4154
4356
|
#
|
|
4155
4357
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4156
4358
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4174,9 +4376,9 @@ module Aws::KMS
|
|
|
4174
4376
|
#
|
|
4175
4377
|
# @!attribute [rw] destination_key_id
|
|
4176
4378
|
# A unique identifier for the KMS key that is used to reencrypt the
|
|
4177
|
-
# data. Specify a symmetric
|
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
|
4179
|
-
# key, use the DescribeKey operation.
|
|
4379
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
|
4380
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
|
4381
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
|
4180
4382
|
#
|
|
4181
4383
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4182
4384
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4203,17 +4405,19 @@ module Aws::KMS
|
|
|
4203
4405
|
# data.
|
|
4204
4406
|
#
|
|
4205
4407
|
# A destination encryption context is valid only when the destination
|
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
|
4408
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
4409
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
|
4208
4410
|
#
|
|
4209
4411
|
# An *encryption context* is a collection of non-secret key-value
|
|
4210
|
-
# pairs that
|
|
4412
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4211
4413
|
# encryption context to encrypt data, you must specify the same (an
|
|
4212
4414
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4213
|
-
# An encryption context is
|
|
4214
|
-
# KMS
|
|
4415
|
+
# An encryption context is supported only on operations with symmetric
|
|
4416
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4417
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4418
|
+
# recommended.
|
|
4215
4419
|
#
|
|
4216
|
-
# For more information, see [Encryption
|
|
4420
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4217
4421
|
# Management Service Developer Guide*.
|
|
4218
4422
|
#
|
|
4219
4423
|
#
|
|
@@ -4224,8 +4428,8 @@ module Aws::KMS
|
|
|
4224
4428
|
# @!attribute [rw] source_encryption_algorithm
|
|
4225
4429
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
|
4226
4430
|
# ciphertext before it is reencrypted. The default value,
|
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4228
|
-
# keys.
|
|
4431
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4432
|
+
# encryption KMS keys.
|
|
4229
4433
|
#
|
|
4230
4434
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
4231
4435
|
# If you specify a different algorithm, the decrypt attempt fails.
|
|
@@ -4238,7 +4442,7 @@ module Aws::KMS
|
|
|
4238
4442
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
|
4239
4443
|
# data after it has decrypted it. The default value,
|
|
4240
4444
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
4241
|
-
# symmetric KMS keys.
|
|
4445
|
+
# symmetric encryption KMS keys.
|
|
4242
4446
|
#
|
|
4243
4447
|
# This parameter is required only when the destination KMS key is an
|
|
4244
4448
|
# asymmetric KMS key.
|
|
@@ -4359,24 +4563,33 @@ module Aws::KMS
|
|
|
4359
4563
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
4360
4564
|
# Reference*.
|
|
4361
4565
|
#
|
|
4566
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
4567
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
4568
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
4569
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
|
4570
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
4571
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
4572
|
+
#
|
|
4573
|
+
# </note>
|
|
4574
|
+
#
|
|
4362
4575
|
# The replica must be in a different Amazon Web Services Region than
|
|
4363
4576
|
# its primary key and other replicas of that primary key, but in the
|
|
4364
4577
|
# same Amazon Web Services partition. KMS must be available in the
|
|
4365
4578
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
4366
|
-
# Web Services account must be enabled in the Region.
|
|
4367
|
-
#
|
|
4368
|
-
#
|
|
4369
|
-
#
|
|
4370
|
-
#
|
|
4371
|
-
#
|
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
|
4579
|
+
# Web Services account must be enabled in the Region. For information
|
|
4580
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
4581
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
|
4582
|
+
# information about enabling and disabling Regions, see [Enabling a
|
|
4583
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
|
4584
|
+
# General Reference*.
|
|
4373
4585
|
#
|
|
4374
4586
|
#
|
|
4375
4587
|
#
|
|
4376
4588
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
4589
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
4590
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
4591
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
4592
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
4380
4593
|
# @return [String]
|
|
4381
4594
|
#
|
|
4382
4595
|
# @!attribute [rw] policy
|
|
@@ -4408,7 +4621,20 @@ module Aws::KMS
|
|
|
4408
4621
|
# immediately visible][3] in the <i> <i>Identity and Access
|
|
4409
4622
|
# Management User Guide</i> </i>.
|
|
4410
4623
|
#
|
|
4411
|
-
#
|
|
4624
|
+
# A key policy document must conform to the following rules.
|
|
4625
|
+
#
|
|
4626
|
+
# * Up to 32 kilobytes (32768 bytes)
|
|
4627
|
+
#
|
|
4628
|
+
# * Must be UTF-8 encoded
|
|
4629
|
+
#
|
|
4630
|
+
# * The only Unicode characters that are permitted in a key policy
|
|
4631
|
+
# document are the horizontal tab (U+0009), linefeed (U+000A),
|
|
4632
|
+
# carriage return (U+000D), and characters in the range U+0020 to
|
|
4633
|
+
# U+00FF.
|
|
4634
|
+
#
|
|
4635
|
+
# * The `Sid` element in a key policy statement can include spaces.
|
|
4636
|
+
# (Spaces are prohibited in the `Sid` element of an IAM policy
|
|
4637
|
+
# document.)
|
|
4412
4638
|
#
|
|
4413
4639
|
#
|
|
4414
4640
|
#
|
|
@@ -4455,8 +4681,8 @@ module Aws::KMS
|
|
|
4455
4681
|
# the TagResource operation.
|
|
4456
4682
|
#
|
|
4457
4683
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4458
|
-
# KMS key. For details, see [
|
|
4459
|
-
#
|
|
4684
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4685
|
+
# Service Developer Guide*.
|
|
4460
4686
|
#
|
|
4461
4687
|
# </note>
|
|
4462
4688
|
#
|
|
@@ -4500,9 +4726,9 @@ module Aws::KMS
|
|
|
4500
4726
|
|
|
4501
4727
|
# @!attribute [rw] replica_key_metadata
|
|
4502
4728
|
# Displays details about the new replica key, including its Amazon
|
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
|
4505
|
-
# replica keys.
|
|
4729
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
|
4730
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
|
4731
|
+
# key and other replica keys.
|
|
4506
4732
|
#
|
|
4507
4733
|
#
|
|
4508
4734
|
#
|
|
@@ -4652,7 +4878,7 @@ module Aws::KMS
|
|
|
4652
4878
|
# The waiting period, specified in number of days. After the waiting
|
|
4653
4879
|
# period ends, KMS deletes the KMS key.
|
|
4654
4880
|
#
|
|
4655
|
-
# If the KMS key is a multi-Region primary key with
|
|
4881
|
+
# If the KMS key is a multi-Region primary key with replica keys, the
|
|
4656
4882
|
# waiting period begins when the last of its replica keys is deleted.
|
|
4657
4883
|
# Otherwise, the waiting period begins immediately.
|
|
4658
4884
|
#
|
|
@@ -4690,8 +4916,8 @@ module Aws::KMS
|
|
|
4690
4916
|
# The current status of the KMS key.
|
|
4691
4917
|
#
|
|
4692
4918
|
# For more information about how key state affects the use of a KMS
|
|
4693
|
-
# key, see [Key
|
|
4694
|
-
#
|
|
4919
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
4920
|
+
# Developer Guide*.
|
|
4695
4921
|
#
|
|
4696
4922
|
#
|
|
4697
4923
|
#
|
|
@@ -5194,6 +5420,100 @@ module Aws::KMS
|
|
|
5194
5420
|
include Aws::Structure
|
|
5195
5421
|
end
|
|
5196
5422
|
|
|
5423
|
+
# @note When making an API call, you may pass VerifyMacRequest
|
|
5424
|
+
# data as a hash:
|
|
5425
|
+
#
|
|
5426
|
+
# {
|
|
5427
|
+
# message: "data", # required
|
|
5428
|
+
# key_id: "KeyIdType", # required
|
|
5429
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5430
|
+
# mac: "data", # required
|
|
5431
|
+
# grant_tokens: ["GrantTokenType"],
|
|
5432
|
+
# }
|
|
5433
|
+
#
|
|
5434
|
+
# @!attribute [rw] message
|
|
5435
|
+
# The message that will be used in the verification. Enter the same
|
|
5436
|
+
# message that was used to generate the HMAC.
|
|
5437
|
+
#
|
|
5438
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
|
5439
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
|
5440
|
+
# message, you must verify the HMAC for the same hash digest.
|
|
5441
|
+
# @return [String]
|
|
5442
|
+
#
|
|
5443
|
+
# @!attribute [rw] key_id
|
|
5444
|
+
# The KMS key that will be used in the verification.
|
|
5445
|
+
#
|
|
5446
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
|
5447
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
|
5448
|
+
# @return [String]
|
|
5449
|
+
#
|
|
5450
|
+
# @!attribute [rw] mac_algorithm
|
|
5451
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
|
5452
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
|
5453
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
|
5454
|
+
# parameter.
|
|
5455
|
+
# @return [String]
|
|
5456
|
+
#
|
|
5457
|
+
# @!attribute [rw] mac
|
|
5458
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
|
5459
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
|
5460
|
+
# key, and MAC algorithm as the values specified in this request.
|
|
5461
|
+
# @return [String]
|
|
5462
|
+
#
|
|
5463
|
+
# @!attribute [rw] grant_tokens
|
|
5464
|
+
# A list of grant tokens.
|
|
5465
|
+
#
|
|
5466
|
+
# Use a grant token when your permission to call this operation comes
|
|
5467
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
5468
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
5469
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
5470
|
+
#
|
|
5471
|
+
#
|
|
5472
|
+
#
|
|
5473
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5474
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
5475
|
+
# @return [Array<String>]
|
|
5476
|
+
#
|
|
5477
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
5478
|
+
#
|
|
5479
|
+
class VerifyMacRequest < Struct.new(
|
|
5480
|
+
:message,
|
|
5481
|
+
:key_id,
|
|
5482
|
+
:mac_algorithm,
|
|
5483
|
+
:mac,
|
|
5484
|
+
:grant_tokens)
|
|
5485
|
+
SENSITIVE = [:message]
|
|
5486
|
+
include Aws::Structure
|
|
5487
|
+
end
|
|
5488
|
+
|
|
5489
|
+
# @!attribute [rw] key_id
|
|
5490
|
+
# The HMAC KMS key used in the verification.
|
|
5491
|
+
# @return [String]
|
|
5492
|
+
#
|
|
5493
|
+
# @!attribute [rw] mac_valid
|
|
5494
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
|
5495
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
|
5496
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
|
5497
|
+
#
|
|
5498
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
|
5499
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
|
5500
|
+
# one or more of the inputs changed since the HMAC was computed.
|
|
5501
|
+
# @return [Boolean]
|
|
5502
|
+
#
|
|
5503
|
+
# @!attribute [rw] mac_algorithm
|
|
5504
|
+
# The MAC algorithm used in the verification.
|
|
5505
|
+
# @return [String]
|
|
5506
|
+
#
|
|
5507
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
|
5508
|
+
#
|
|
5509
|
+
class VerifyMacResponse < Struct.new(
|
|
5510
|
+
:key_id,
|
|
5511
|
+
:mac_valid,
|
|
5512
|
+
:mac_algorithm)
|
|
5513
|
+
SENSITIVE = []
|
|
5514
|
+
include Aws::Structure
|
|
5515
|
+
end
|
|
5516
|
+
|
|
5197
5517
|
# @note When making an API call, you may pass VerifyRequest
|
|
5198
5518
|
# data as a hash:
|
|
5199
5519
|
#
|