aws-sdk-kms 1.55.0 → 1.56.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1028 -541
- data/lib/aws-sdk-kms/client_api.rb +67 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +468 -186
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -415,7 +415,7 @@ module Aws::KMS
|
|
|
415
415
|
# key_id: "KeyIdType", # required
|
|
416
416
|
# grantee_principal: "PrincipalIdType", # required
|
|
417
417
|
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
418
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
419
|
# constraints: {
|
|
420
420
|
# encryption_context_subset: {
|
|
421
421
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -491,12 +491,13 @@ module Aws::KMS
|
|
|
491
491
|
# @!attribute [rw] operations
|
|
492
492
|
# A list of operations that the grant permits.
|
|
493
493
|
#
|
|
494
|
-
#
|
|
495
|
-
#
|
|
496
|
-
#
|
|
497
|
-
#
|
|
498
|
-
#
|
|
499
|
-
#
|
|
494
|
+
# This list must include only operations that are permitted in a
|
|
495
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
|
496
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
|
497
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
|
498
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
|
499
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
|
500
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
|
500
501
|
#
|
|
501
502
|
#
|
|
502
503
|
#
|
|
@@ -509,27 +510,39 @@ module Aws::KMS
|
|
|
509
510
|
# KMS supports the `EncryptionContextEquals` and
|
|
510
511
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
|
511
512
|
# can include up to 8 encryption context pairs. The encryption context
|
|
512
|
-
# value in each constraint cannot exceed 384 characters.
|
|
513
|
+
# value in each constraint cannot exceed 384 characters. For
|
|
514
|
+
# information about grant constraints, see [Using grant
|
|
515
|
+
# constraints][1] in the *Key Management Service Developer Guide*. For
|
|
516
|
+
# more information about encryption context, see [Encryption
|
|
517
|
+
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
518
|
+
# </i>.
|
|
513
519
|
#
|
|
514
|
-
#
|
|
515
|
-
# the encryption context in the request matches
|
|
520
|
+
# The encryption context grant constraints allow the permissions in
|
|
521
|
+
# the grant only when the encryption context in the request matches
|
|
516
522
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
517
|
-
# the encryption context specified in this structure.
|
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
|
523
|
+
# the encryption context specified in this structure.
|
|
522
524
|
#
|
|
523
525
|
# The encryption context grant constraints are supported only on
|
|
524
|
-
# operations that include an
|
|
525
|
-
#
|
|
526
|
-
# with
|
|
527
|
-
#
|
|
526
|
+
# [grant operations][3] that include an `EncryptionContext` parameter,
|
|
527
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
|
528
|
+
# Grants with grant constraints can include the DescribeKey and
|
|
529
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
|
530
|
+
# operations. If a grant with a grant constraint includes the
|
|
531
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
|
532
|
+
# created with the `CreateGrant` permission have an equally strict or
|
|
533
|
+
# stricter encryption context constraint.
|
|
534
|
+
#
|
|
535
|
+
# You cannot use an encryption context grant constraint for
|
|
536
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
537
|
+
# These keys don't support an encryption context.
|
|
538
|
+
#
|
|
539
|
+
#
|
|
528
540
|
#
|
|
529
541
|
#
|
|
530
542
|
#
|
|
531
543
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
532
544
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
545
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
533
546
|
# @return [Types::GrantConstraints]
|
|
534
547
|
#
|
|
535
548
|
# @!attribute [rw] grant_tokens
|
|
@@ -613,9 +626,9 @@ module Aws::KMS
|
|
|
613
626
|
# {
|
|
614
627
|
# policy: "PolicyType",
|
|
615
628
|
# description: "DescriptionType",
|
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
629
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
631
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
619
632
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
620
633
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
621
634
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -683,14 +696,17 @@ module Aws::KMS
|
|
|
683
696
|
# @!attribute [rw] key_usage
|
|
684
697
|
# Determines the [cryptographic operations][1] for which you can use
|
|
685
698
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
686
|
-
# is
|
|
687
|
-
#
|
|
699
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
|
700
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
|
701
|
+
# after the KMS key is created.
|
|
688
702
|
#
|
|
689
703
|
# Select only one valid value.
|
|
690
704
|
#
|
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
|
705
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
|
692
706
|
# `ENCRYPT_DECRYPT`.
|
|
693
707
|
#
|
|
708
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
709
|
+
#
|
|
694
710
|
# * For asymmetric KMS keys with RSA key material, specify
|
|
695
711
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
696
712
|
#
|
|
@@ -715,33 +731,40 @@ module Aws::KMS
|
|
|
715
731
|
# Specifies the type of KMS key to create. The default value,
|
|
716
732
|
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
|
|
717
733
|
# for encryption and decryption. For help choosing a key spec for your
|
|
718
|
-
# KMS key, see [
|
|
719
|
-
#
|
|
734
|
+
# KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key
|
|
735
|
+
# Management Service Developer Guide</i> </i>.
|
|
720
736
|
#
|
|
721
737
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
|
723
|
-
#
|
|
724
|
-
#
|
|
725
|
-
#
|
|
726
|
-
#
|
|
727
|
-
#
|
|
728
|
-
#
|
|
729
|
-
#
|
|
730
|
-
# [Amazon Web Services services that are integrated with KMS][
|
|
731
|
-
# symmetric KMS keys to protect your data. These services
|
|
732
|
-
# support asymmetric KMS keys
|
|
733
|
-
# is symmetric or asymmetric, see [Identifying Symmetric and
|
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
|
735
|
-
# Guide*.
|
|
738
|
+
# key or an asymmetric key pair. It also determines the algorithms
|
|
739
|
+
# that the KMS key supports. You can't change the `KeySpec` after the
|
|
740
|
+
# KMS key is created. To further restrict the algorithms that can be
|
|
741
|
+
# used with the KMS key, use a condition key in its key policy or IAM
|
|
742
|
+
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
|
743
|
+
# [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
|
|
744
|
+
# <i>Key Management Service Developer Guide</i> </i>.
|
|
745
|
+
#
|
|
746
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
747
|
+
# symmetric encryption KMS keys to protect your data. These services
|
|
748
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
736
749
|
#
|
|
737
750
|
# KMS supports the following key specs for KMS keys:
|
|
738
751
|
#
|
|
739
|
-
# * Symmetric key (default)
|
|
752
|
+
# * Symmetric encryption key (default)
|
|
740
753
|
#
|
|
741
754
|
# * `SYMMETRIC_DEFAULT` (AES-256-GCM)
|
|
742
755
|
#
|
|
743
756
|
# ^
|
|
744
757
|
#
|
|
758
|
+
# * HMAC keys (symmetric)
|
|
759
|
+
#
|
|
760
|
+
# * `HMAC_224`
|
|
761
|
+
#
|
|
762
|
+
# * `HMAC_256`
|
|
763
|
+
#
|
|
764
|
+
# * `HMAC_384`
|
|
765
|
+
#
|
|
766
|
+
# * `HMAC_512`
|
|
767
|
+
#
|
|
745
768
|
# * Asymmetric RSA key pairs
|
|
746
769
|
#
|
|
747
770
|
# * `RSA_2048`
|
|
@@ -767,11 +790,11 @@ module Aws::KMS
|
|
|
767
790
|
#
|
|
768
791
|
#
|
|
769
792
|
#
|
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
|
793
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
771
794
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
|
773
|
-
# [4]:
|
|
774
|
-
# [5]:
|
|
795
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
|
796
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
|
797
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
775
798
|
# @return [String]
|
|
776
799
|
#
|
|
777
800
|
# @!attribute [rw] origin
|
|
@@ -783,13 +806,13 @@ module Aws::KMS
|
|
|
783
806
|
# material), set the value to `EXTERNAL`. For more information about
|
|
784
807
|
# importing key material into KMS, see [Importing Key Material][1] in
|
|
785
808
|
# the *Key Management Service Developer Guide*. This value is valid
|
|
786
|
-
# only for symmetric KMS keys.
|
|
809
|
+
# only for symmetric encryption KMS keys.
|
|
787
810
|
#
|
|
788
811
|
# To create a KMS key in an KMS [custom key store][2] and create its
|
|
789
812
|
# key material in the associated CloudHSM cluster, set this value to
|
|
790
813
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
791
814
|
# to identify the custom key store. This value is valid only for
|
|
792
|
-
# symmetric KMS keys.
|
|
815
|
+
# symmetric encryption KMS keys.
|
|
793
816
|
#
|
|
794
817
|
#
|
|
795
818
|
#
|
|
@@ -805,9 +828,9 @@ module Aws::KMS
|
|
|
805
828
|
# associated with the custom key store must have at least two active
|
|
806
829
|
# HSMs, each in a different Availability Zone in the Region.
|
|
807
830
|
#
|
|
808
|
-
# This parameter is valid only for symmetric KMS keys
|
|
809
|
-
#
|
|
810
|
-
#
|
|
831
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
832
|
+
# single Region. You cannot create any other type of KMS key in a
|
|
833
|
+
# custom key store.
|
|
811
834
|
#
|
|
812
835
|
# To find the ID of a custom key store, use the
|
|
813
836
|
# DescribeCustomKeyStores operation.
|
|
@@ -853,8 +876,8 @@ module Aws::KMS
|
|
|
853
876
|
# TagResource operation.
|
|
854
877
|
#
|
|
855
878
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
856
|
-
# KMS key. For details, see [
|
|
857
|
-
#
|
|
879
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
880
|
+
# Service Developer Guide*.
|
|
858
881
|
#
|
|
859
882
|
# </note>
|
|
860
883
|
#
|
|
@@ -895,7 +918,7 @@ module Aws::KMS
|
|
|
895
918
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
896
919
|
# a different Amazon Web Services Region without re-encrypting the
|
|
897
920
|
# data or making a cross-Region call. For more information about
|
|
898
|
-
# multi-Region keys, see [
|
|
921
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
|
899
922
|
# Management Service Developer Guide*.
|
|
900
923
|
#
|
|
901
924
|
# This value creates a *primary key*, not a replica. To create a
|
|
@@ -1170,17 +1193,20 @@ module Aws::KMS
|
|
|
1170
1193
|
# @!attribute [rw] encryption_context
|
|
1171
1194
|
# Specifies the encryption context to use when decrypting the data. An
|
|
1172
1195
|
# encryption context is valid only for [cryptographic operations][1]
|
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
|
1174
|
-
# algorithms that KMS uses do not
|
|
1196
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
|
1197
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
|
1198
|
+
# support an encryption context.
|
|
1175
1199
|
#
|
|
1176
1200
|
# An *encryption context* is a collection of non-secret key-value
|
|
1177
|
-
# pairs that
|
|
1201
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1178
1202
|
# encryption context to encrypt data, you must specify the same (an
|
|
1179
1203
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1180
|
-
# An encryption context is
|
|
1181
|
-
# KMS
|
|
1204
|
+
# An encryption context is supported only on operations with symmetric
|
|
1205
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1206
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1207
|
+
# recommended.
|
|
1182
1208
|
#
|
|
1183
|
-
# For more information, see [Encryption
|
|
1209
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1184
1210
|
# Management Service Developer Guide*.
|
|
1185
1211
|
#
|
|
1186
1212
|
#
|
|
@@ -1204,15 +1230,18 @@ module Aws::KMS
|
|
|
1204
1230
|
# @return [Array<String>]
|
|
1205
1231
|
#
|
|
1206
1232
|
# @!attribute [rw] key_id
|
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1208
|
-
#
|
|
1233
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1234
|
+
#
|
|
1235
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
1236
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
|
1237
|
+
# operation throws an `IncorrectKeyException`.
|
|
1209
1238
|
#
|
|
1210
1239
|
# This parameter is required only when the ciphertext was encrypted
|
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
|
1215
|
-
# intend.
|
|
1240
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
1241
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
1242
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
1243
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
1244
|
+
# you intend.
|
|
1216
1245
|
#
|
|
1217
1246
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1218
1247
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1243,7 +1272,7 @@ module Aws::KMS
|
|
|
1243
1272
|
# This parameter is required only when the ciphertext was encrypted
|
|
1244
1273
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
|
1245
1274
|
# represents the only supported algorithm that is valid for symmetric
|
|
1246
|
-
# KMS keys.
|
|
1275
|
+
# encryption KMS keys.
|
|
1247
1276
|
# @return [String]
|
|
1248
1277
|
#
|
|
1249
1278
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
@@ -1570,9 +1599,10 @@ module Aws::KMS
|
|
|
1570
1599
|
# }
|
|
1571
1600
|
#
|
|
1572
1601
|
# @!attribute [rw] key_id
|
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
|
1575
|
-
# [imported key material][
|
|
1602
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1603
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1604
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1605
|
+
# [custom key store][4].
|
|
1576
1606
|
#
|
|
1577
1607
|
# Specify the key ID or key ARN of the KMS key.
|
|
1578
1608
|
#
|
|
@@ -1589,8 +1619,9 @@ module Aws::KMS
|
|
|
1589
1619
|
#
|
|
1590
1620
|
#
|
|
1591
1621
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1622
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1623
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1624
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1594
1625
|
# @return [String]
|
|
1595
1626
|
#
|
|
1596
1627
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1678,11 +1709,11 @@ module Aws::KMS
|
|
|
1678
1709
|
# }
|
|
1679
1710
|
#
|
|
1680
1711
|
# @!attribute [rw] key_id
|
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
|
1682
|
-
# of [asymmetric KMS keys][1], KMS keys
|
|
1683
|
-
# material][
|
|
1684
|
-
# disable automatic rotation of a set of
|
|
1685
|
-
# keys][
|
|
1712
|
+
# Identifies a symmetric encryption KMS key. You cannot enable
|
|
1713
|
+
# automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
|
1714
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom
|
|
1715
|
+
# key store][4]. To enable or disable automatic rotation of a set of
|
|
1716
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
|
1686
1717
|
#
|
|
1687
1718
|
# Specify the key ID or key ARN of the KMS key.
|
|
1688
1719
|
#
|
|
@@ -1698,10 +1729,11 @@ module Aws::KMS
|
|
|
1698
1729
|
#
|
|
1699
1730
|
#
|
|
1700
1731
|
#
|
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1732
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1733
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1734
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1735
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1736
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
|
1705
1737
|
# @return [String]
|
|
1706
1738
|
#
|
|
1707
1739
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1726,7 +1758,9 @@ module Aws::KMS
|
|
|
1726
1758
|
# }
|
|
1727
1759
|
#
|
|
1728
1760
|
# @!attribute [rw] key_id
|
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
|
1761
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1762
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
1763
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
|
1730
1764
|
#
|
|
1731
1765
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1732
1766
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1755,18 +1789,20 @@ module Aws::KMS
|
|
|
1755
1789
|
# @!attribute [rw] encryption_context
|
|
1756
1790
|
# Specifies the encryption context that will be used to encrypt the
|
|
1757
1791
|
# data. An encryption context is valid only for [cryptographic
|
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
|
1759
|
-
# encryption algorithms that KMS uses
|
|
1760
|
-
# context.
|
|
1792
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
|
1793
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
|
1794
|
+
# do not support an encryption context.
|
|
1761
1795
|
#
|
|
1762
1796
|
# An *encryption context* is a collection of non-secret key-value
|
|
1763
|
-
# pairs that
|
|
1797
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1764
1798
|
# encryption context to encrypt data, you must specify the same (an
|
|
1765
1799
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1766
|
-
# An encryption context is
|
|
1767
|
-
# KMS
|
|
1800
|
+
# An encryption context is supported only on operations with symmetric
|
|
1801
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1802
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1803
|
+
# recommended.
|
|
1768
1804
|
#
|
|
1769
|
-
# For more information, see [Encryption
|
|
1805
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1770
1806
|
# Management Service Developer Guide*.
|
|
1771
1807
|
#
|
|
1772
1808
|
#
|
|
@@ -1795,9 +1831,9 @@ module Aws::KMS
|
|
|
1795
1831
|
# that you specify.
|
|
1796
1832
|
#
|
|
1797
1833
|
# This parameter is required only for asymmetric KMS keys. The default
|
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
|
1834
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1835
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1836
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
|
1801
1837
|
# @return [String]
|
|
1802
1838
|
#
|
|
1803
1839
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1874,13 +1910,15 @@ module Aws::KMS
|
|
|
1874
1910
|
# the private key in the data key pair.
|
|
1875
1911
|
#
|
|
1876
1912
|
# An *encryption context* is a collection of non-secret key-value
|
|
1877
|
-
# pairs that
|
|
1913
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1878
1914
|
# encryption context to encrypt data, you must specify the same (an
|
|
1879
1915
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1880
|
-
# An encryption context is
|
|
1881
|
-
# KMS
|
|
1916
|
+
# An encryption context is supported only on operations with symmetric
|
|
1917
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1918
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1919
|
+
# recommended.
|
|
1882
1920
|
#
|
|
1883
|
-
# For more information, see [Encryption
|
|
1921
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
1884
1922
|
# Management Service Developer Guide*.
|
|
1885
1923
|
#
|
|
1886
1924
|
#
|
|
@@ -1889,10 +1927,10 @@ module Aws::KMS
|
|
|
1889
1927
|
# @return [Hash<String,String>]
|
|
1890
1928
|
#
|
|
1891
1929
|
# @!attribute [rw] key_id
|
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
|
1894
|
-
# in a custom key store. To get the type and origin of
|
|
1895
|
-
# use the DescribeKey operation.
|
|
1930
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
1931
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
1932
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
1933
|
+
# your KMS key, use the DescribeKey operation.
|
|
1896
1934
|
#
|
|
1897
1935
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1898
1936
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1961,7 +1999,9 @@ module Aws::KMS
|
|
|
1961
1999
|
# @return [String]
|
|
1962
2000
|
#
|
|
1963
2001
|
# @!attribute [rw] public_key
|
|
1964
|
-
# The public key (in plaintext).
|
|
2002
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2003
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2004
|
+
# is not Base64-encoded.
|
|
1965
2005
|
# @return [String]
|
|
1966
2006
|
#
|
|
1967
2007
|
# @!attribute [rw] key_id
|
|
@@ -2006,13 +2046,15 @@ module Aws::KMS
|
|
|
2006
2046
|
# the private key in the data key pair.
|
|
2007
2047
|
#
|
|
2008
2048
|
# An *encryption context* is a collection of non-secret key-value
|
|
2009
|
-
# pairs that
|
|
2049
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2010
2050
|
# encryption context to encrypt data, you must specify the same (an
|
|
2011
2051
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2012
|
-
# An encryption context is
|
|
2013
|
-
# KMS
|
|
2052
|
+
# An encryption context is supported only on operations with symmetric
|
|
2053
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2054
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2055
|
+
# recommended.
|
|
2014
2056
|
#
|
|
2015
|
-
# For more information, see [Encryption
|
|
2057
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2016
2058
|
# Management Service Developer Guide*.
|
|
2017
2059
|
#
|
|
2018
2060
|
#
|
|
@@ -2021,10 +2063,10 @@ module Aws::KMS
|
|
|
2021
2063
|
# @return [Hash<String,String>]
|
|
2022
2064
|
#
|
|
2023
2065
|
# @!attribute [rw] key_id
|
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
|
2025
|
-
# pair. You
|
|
2026
|
-
#
|
|
2027
|
-
#
|
|
2066
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
2067
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
2068
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
2069
|
+
# your KMS key, use the DescribeKey operation.
|
|
2028
2070
|
#
|
|
2029
2071
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2030
2072
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2087,7 +2129,9 @@ module Aws::KMS
|
|
|
2087
2129
|
# @return [String]
|
|
2088
2130
|
#
|
|
2089
2131
|
# @!attribute [rw] public_key
|
|
2090
|
-
# The public key (in plaintext).
|
|
2132
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2133
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2134
|
+
# is not Base64-encoded.
|
|
2091
2135
|
# @return [String]
|
|
2092
2136
|
#
|
|
2093
2137
|
# @!attribute [rw] key_id
|
|
@@ -2128,7 +2172,10 @@ module Aws::KMS
|
|
|
2128
2172
|
# }
|
|
2129
2173
|
#
|
|
2130
2174
|
# @!attribute [rw] key_id
|
|
2131
|
-
#
|
|
2175
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2176
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2177
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2178
|
+
# the DescribeKey operation.
|
|
2132
2179
|
#
|
|
2133
2180
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2134
2181
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2155,13 +2202,15 @@ module Aws::KMS
|
|
|
2155
2202
|
# the data key.
|
|
2156
2203
|
#
|
|
2157
2204
|
# An *encryption context* is a collection of non-secret key-value
|
|
2158
|
-
# pairs that
|
|
2205
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2159
2206
|
# encryption context to encrypt data, you must specify the same (an
|
|
2160
2207
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2161
|
-
# An encryption context is
|
|
2162
|
-
# KMS
|
|
2208
|
+
# An encryption context is supported only on operations with symmetric
|
|
2209
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2210
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2211
|
+
# recommended.
|
|
2163
2212
|
#
|
|
2164
|
-
# For more information, see [Encryption
|
|
2213
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2165
2214
|
# Management Service Developer Guide*.
|
|
2166
2215
|
#
|
|
2167
2216
|
#
|
|
@@ -2260,7 +2309,10 @@ module Aws::KMS
|
|
|
2260
2309
|
# }
|
|
2261
2310
|
#
|
|
2262
2311
|
# @!attribute [rw] key_id
|
|
2263
|
-
#
|
|
2312
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2313
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2314
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2315
|
+
# the DescribeKey operation.
|
|
2264
2316
|
#
|
|
2265
2317
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2266
2318
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2287,13 +2339,15 @@ module Aws::KMS
|
|
|
2287
2339
|
# the data key.
|
|
2288
2340
|
#
|
|
2289
2341
|
# An *encryption context* is a collection of non-secret key-value
|
|
2290
|
-
# pairs that
|
|
2342
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2291
2343
|
# encryption context to encrypt data, you must specify the same (an
|
|
2292
2344
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2293
|
-
# An encryption context is
|
|
2294
|
-
# KMS
|
|
2345
|
+
# An encryption context is supported only on operations with symmetric
|
|
2346
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2347
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2348
|
+
# recommended.
|
|
2295
2349
|
#
|
|
2296
|
-
# For more information, see [Encryption
|
|
2350
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2297
2351
|
# Management Service Developer Guide*.
|
|
2298
2352
|
#
|
|
2299
2353
|
#
|
|
@@ -2363,6 +2417,93 @@ module Aws::KMS
|
|
|
2363
2417
|
include Aws::Structure
|
|
2364
2418
|
end
|
|
2365
2419
|
|
|
2420
|
+
# @note When making an API call, you may pass GenerateMacRequest
|
|
2421
|
+
# data as a hash:
|
|
2422
|
+
#
|
|
2423
|
+
# {
|
|
2424
|
+
# message: "data", # required
|
|
2425
|
+
# key_id: "KeyIdType", # required
|
|
2426
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2427
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2428
|
+
# }
|
|
2429
|
+
#
|
|
2430
|
+
# @!attribute [rw] message
|
|
2431
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2432
|
+
#
|
|
2433
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
|
2434
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
|
2435
|
+
# message, you must verify the HMAC of the same hash digest.
|
|
2436
|
+
# @return [String]
|
|
2437
|
+
#
|
|
2438
|
+
# @!attribute [rw] key_id
|
|
2439
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
|
2440
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
|
2441
|
+
#
|
|
2442
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
|
2443
|
+
# the `KeySpec` field in the response.
|
|
2444
|
+
#
|
|
2445
|
+
#
|
|
2446
|
+
#
|
|
2447
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2448
|
+
# @return [String]
|
|
2449
|
+
#
|
|
2450
|
+
# @!attribute [rw] mac_algorithm
|
|
2451
|
+
# The MAC algorithm used in the operation.
|
|
2452
|
+
#
|
|
2453
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
|
2454
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
|
2455
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
|
2456
|
+
# the `DescribeKey` response.
|
|
2457
|
+
# @return [String]
|
|
2458
|
+
#
|
|
2459
|
+
# @!attribute [rw] grant_tokens
|
|
2460
|
+
# A list of grant tokens.
|
|
2461
|
+
#
|
|
2462
|
+
# Use a grant token when your permission to call this operation comes
|
|
2463
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
2464
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
2465
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
2466
|
+
#
|
|
2467
|
+
#
|
|
2468
|
+
#
|
|
2469
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2470
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
2471
|
+
# @return [Array<String>]
|
|
2472
|
+
#
|
|
2473
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
2474
|
+
#
|
|
2475
|
+
class GenerateMacRequest < Struct.new(
|
|
2476
|
+
:message,
|
|
2477
|
+
:key_id,
|
|
2478
|
+
:mac_algorithm,
|
|
2479
|
+
:grant_tokens)
|
|
2480
|
+
SENSITIVE = [:message]
|
|
2481
|
+
include Aws::Structure
|
|
2482
|
+
end
|
|
2483
|
+
|
|
2484
|
+
# @!attribute [rw] mac
|
|
2485
|
+
# The hash-based message authentication code (HMAC) for the given
|
|
2486
|
+
# message, key, and MAC algorithm.
|
|
2487
|
+
# @return [String]
|
|
2488
|
+
#
|
|
2489
|
+
# @!attribute [rw] mac_algorithm
|
|
2490
|
+
# The MAC algorithm that was used to generate the HMAC.
|
|
2491
|
+
# @return [String]
|
|
2492
|
+
#
|
|
2493
|
+
# @!attribute [rw] key_id
|
|
2494
|
+
# The HMAC KMS key used in the operation.
|
|
2495
|
+
# @return [String]
|
|
2496
|
+
#
|
|
2497
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
|
2498
|
+
#
|
|
2499
|
+
class GenerateMacResponse < Struct.new(
|
|
2500
|
+
:mac,
|
|
2501
|
+
:mac_algorithm,
|
|
2502
|
+
:key_id)
|
|
2503
|
+
SENSITIVE = []
|
|
2504
|
+
include Aws::Structure
|
|
2505
|
+
end
|
|
2506
|
+
|
|
2366
2507
|
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2367
2508
|
# data as a hash:
|
|
2368
2509
|
#
|
|
@@ -2513,8 +2654,9 @@ module Aws::KMS
|
|
|
2513
2654
|
# }
|
|
2514
2655
|
#
|
|
2515
2656
|
# @!attribute [rw] key_id
|
|
2516
|
-
# The identifier of the symmetric KMS key into which you
|
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
|
2657
|
+
# The identifier of the symmetric encryption KMS key into which you
|
|
2658
|
+
# will import key material. The `Origin` of the KMS key must be
|
|
2659
|
+
# `EXTERNAL`.
|
|
2518
2660
|
#
|
|
2519
2661
|
# Specify the key ID or key ARN of the KMS key.
|
|
2520
2662
|
#
|
|
@@ -2729,10 +2871,11 @@ module Aws::KMS
|
|
|
2729
2871
|
#
|
|
2730
2872
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2731
2873
|
# that support an encryption context, that is, all cryptographic
|
|
2732
|
-
# operations with a [symmetric KMS key][3]. Grant constraints
|
|
2733
|
-
# applied to operations that do not support an encryption
|
|
2734
|
-
# as cryptographic operations with
|
|
2735
|
-
# operations, such as DescribeKey or
|
|
2874
|
+
# operations with a [symmetric encryption KMS key][3]. Grant constraints
|
|
2875
|
+
# are not applied to operations that do not support an encryption
|
|
2876
|
+
# context, such as cryptographic operations with HMAC KMS keys or
|
|
2877
|
+
# asymmetric KMS keys, and management operations, such as DescribeKey or
|
|
2878
|
+
# RetireGrant.
|
|
2736
2879
|
#
|
|
2737
2880
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2738
2881
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2880,10 +3023,13 @@ module Aws::KMS
|
|
|
2880
3023
|
# }
|
|
2881
3024
|
#
|
|
2882
3025
|
# @!attribute [rw] key_id
|
|
2883
|
-
# The identifier of the symmetric KMS key that receives the
|
|
2884
|
-
# key material.
|
|
2885
|
-
#
|
|
2886
|
-
#
|
|
3026
|
+
# The identifier of the symmetric encryption KMS key that receives the
|
|
3027
|
+
# imported key material. This must be the same KMS key specified in
|
|
3028
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
|
3029
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
|
|
3030
|
+
# perform this operation on an asymmetric KMS key, an HMAC KMS key, a
|
|
3031
|
+
# KMS key in a custom key store, or on a KMS key in a different Amazon
|
|
3032
|
+
# Web Services account
|
|
2887
3033
|
#
|
|
2888
3034
|
# Specify the key ID or key ARN of the KMS key.
|
|
2889
3035
|
#
|
|
@@ -2945,8 +3091,8 @@ module Aws::KMS
|
|
|
2945
3091
|
class ImportKeyMaterialResponse < Aws::EmptyStructure; end
|
|
2946
3092
|
|
|
2947
3093
|
# The request was rejected because the specified KMS key cannot decrypt
|
|
2948
|
-
# the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in
|
|
2949
|
-
# ReEncrypt request must identify the same KMS key that was used to
|
|
3094
|
+
# the data. The `KeyId` in a `Decrypt` request and the `SourceKeyId` in
|
|
3095
|
+
# a `ReEncrypt` request must identify the same KMS key that was used to
|
|
2950
3096
|
# encrypt the ciphertext.
|
|
2951
3097
|
#
|
|
2952
3098
|
# @!attribute [rw] message
|
|
@@ -3095,9 +3241,11 @@ module Aws::KMS
|
|
|
3095
3241
|
# key `(KeySpec`).
|
|
3096
3242
|
#
|
|
3097
3243
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
|
3100
|
-
#
|
|
3244
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3245
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3246
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3247
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
|
3248
|
+
# DescribeKey operation.
|
|
3101
3249
|
#
|
|
3102
3250
|
# To find the encryption or signing algorithms supported for a
|
|
3103
3251
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3141,6 +3289,22 @@ module Aws::KMS
|
|
|
3141
3289
|
include Aws::Structure
|
|
3142
3290
|
end
|
|
3143
3291
|
|
|
3292
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
|
3293
|
+
# verification fails when the HMAC computed by using the specified
|
|
3294
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
|
3295
|
+
# specified in the request.
|
|
3296
|
+
#
|
|
3297
|
+
# @!attribute [rw] message
|
|
3298
|
+
# @return [String]
|
|
3299
|
+
#
|
|
3300
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
|
3301
|
+
#
|
|
3302
|
+
class KMSInvalidMacException < Struct.new(
|
|
3303
|
+
:message)
|
|
3304
|
+
SENSITIVE = []
|
|
3305
|
+
include Aws::Structure
|
|
3306
|
+
end
|
|
3307
|
+
|
|
3144
3308
|
# The request was rejected because the signature verification failed.
|
|
3145
3309
|
# Signature verification fails when it cannot confirm that signature was
|
|
3146
3310
|
# produced by signing the specified message with the specified KMS key
|
|
@@ -3161,8 +3325,8 @@ module Aws::KMS
|
|
|
3161
3325
|
# is not valid for this request.
|
|
3162
3326
|
#
|
|
3163
3327
|
# For more information about how key state affects the use of a KMS key,
|
|
3164
|
-
# see [Key
|
|
3165
|
-
#
|
|
3328
|
+
# see [Key states of KMS keys][1] in the <i> <i>Key Management Service
|
|
3329
|
+
# Developer Guide</i> </i>.
|
|
3166
3330
|
#
|
|
3167
3331
|
#
|
|
3168
3332
|
#
|
|
@@ -3247,8 +3411,8 @@ module Aws::KMS
|
|
|
3247
3411
|
# The current status of the KMS key.
|
|
3248
3412
|
#
|
|
3249
3413
|
# For more information about how key state affects the use of a KMS
|
|
3250
|
-
# key, see [Key
|
|
3251
|
-
#
|
|
3414
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
3415
|
+
# Developer Guide*.
|
|
3252
3416
|
#
|
|
3253
3417
|
#
|
|
3254
3418
|
#
|
|
@@ -3355,9 +3519,8 @@ module Aws::KMS
|
|
|
3355
3519
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
3356
3520
|
# replica keys and `False` for regional KMS keys.
|
|
3357
3521
|
#
|
|
3358
|
-
# For more information about multi-Region keys, see [
|
|
3359
|
-
#
|
|
3360
|
-
# Guide*.
|
|
3522
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
|
3523
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
3361
3524
|
#
|
|
3362
3525
|
#
|
|
3363
3526
|
#
|
|
@@ -3402,6 +3565,14 @@ module Aws::KMS
|
|
|
3402
3565
|
# the deletion date appears in the `DeletionDate` field.
|
|
3403
3566
|
# @return [Integer]
|
|
3404
3567
|
#
|
|
3568
|
+
# @!attribute [rw] mac_algorithms
|
|
3569
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
|
3570
|
+
# key supports.
|
|
3571
|
+
#
|
|
3572
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
|
3573
|
+
# `GENERATE_VERIFY_MAC`.
|
|
3574
|
+
# @return [Array<String>]
|
|
3575
|
+
#
|
|
3405
3576
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3406
3577
|
#
|
|
3407
3578
|
class KeyMetadata < Struct.new(
|
|
@@ -3426,7 +3597,8 @@ module Aws::KMS
|
|
|
3426
3597
|
:signing_algorithms,
|
|
3427
3598
|
:multi_region,
|
|
3428
3599
|
:multi_region_configuration,
|
|
3429
|
-
:pending_deletion_window_in_days
|
|
3600
|
+
:pending_deletion_window_in_days,
|
|
3601
|
+
:mac_algorithms)
|
|
3430
3602
|
SENSITIVE = []
|
|
3431
3603
|
include Aws::Structure
|
|
3432
3604
|
end
|
|
@@ -3834,8 +4006,8 @@ module Aws::KMS
|
|
|
3834
4006
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
3835
4007
|
#
|
|
3836
4008
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
3837
|
-
# KMS key. For details, see [
|
|
3838
|
-
#
|
|
4009
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4010
|
+
# Service Developer Guide*.
|
|
3839
4011
|
#
|
|
3840
4012
|
# </note>
|
|
3841
4013
|
#
|
|
@@ -4126,13 +4298,15 @@ module Aws::KMS
|
|
|
4126
4298
|
# ciphertext.
|
|
4127
4299
|
#
|
|
4128
4300
|
# An *encryption context* is a collection of non-secret key-value
|
|
4129
|
-
# pairs that
|
|
4301
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4130
4302
|
# encryption context to encrypt data, you must specify the same (an
|
|
4131
4303
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4132
|
-
# An encryption context is
|
|
4133
|
-
# KMS
|
|
4304
|
+
# An encryption context is supported only on operations with symmetric
|
|
4305
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4306
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4307
|
+
# recommended.
|
|
4134
4308
|
#
|
|
4135
|
-
# For more information, see [Encryption
|
|
4309
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4136
4310
|
# Management Service Developer Guide*.
|
|
4137
4311
|
#
|
|
4138
4312
|
#
|
|
@@ -4142,15 +4316,18 @@ module Aws::KMS
|
|
|
4142
4316
|
#
|
|
4143
4317
|
# @!attribute [rw] source_key_id
|
|
4144
4318
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
|
4145
|
-
# before it is re-encrypted.
|
|
4146
|
-
#
|
|
4319
|
+
# before it is re-encrypted.
|
|
4320
|
+
#
|
|
4321
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
4322
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
|
4323
|
+
# operation throws an `IncorrectKeyException`.
|
|
4147
4324
|
#
|
|
4148
4325
|
# This parameter is required only when the ciphertext was encrypted
|
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
|
4153
|
-
# intend.
|
|
4326
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
4327
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
4328
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
4329
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
4330
|
+
# you intend.
|
|
4154
4331
|
#
|
|
4155
4332
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4156
4333
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4174,9 +4351,9 @@ module Aws::KMS
|
|
|
4174
4351
|
#
|
|
4175
4352
|
# @!attribute [rw] destination_key_id
|
|
4176
4353
|
# A unique identifier for the KMS key that is used to reencrypt the
|
|
4177
|
-
# data. Specify a symmetric
|
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
|
4179
|
-
# key, use the DescribeKey operation.
|
|
4354
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
|
4355
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
|
4356
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
|
4180
4357
|
#
|
|
4181
4358
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4182
4359
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4203,17 +4380,19 @@ module Aws::KMS
|
|
|
4203
4380
|
# data.
|
|
4204
4381
|
#
|
|
4205
4382
|
# A destination encryption context is valid only when the destination
|
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
|
4383
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
4384
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
|
4208
4385
|
#
|
|
4209
4386
|
# An *encryption context* is a collection of non-secret key-value
|
|
4210
|
-
# pairs that
|
|
4387
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4211
4388
|
# encryption context to encrypt data, you must specify the same (an
|
|
4212
4389
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4213
|
-
# An encryption context is
|
|
4214
|
-
# KMS
|
|
4390
|
+
# An encryption context is supported only on operations with symmetric
|
|
4391
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4392
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4393
|
+
# recommended.
|
|
4215
4394
|
#
|
|
4216
|
-
# For more information, see [Encryption
|
|
4395
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4217
4396
|
# Management Service Developer Guide*.
|
|
4218
4397
|
#
|
|
4219
4398
|
#
|
|
@@ -4224,8 +4403,8 @@ module Aws::KMS
|
|
|
4224
4403
|
# @!attribute [rw] source_encryption_algorithm
|
|
4225
4404
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
|
4226
4405
|
# ciphertext before it is reencrypted. The default value,
|
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4228
|
-
# keys.
|
|
4406
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4407
|
+
# encryption KMS keys.
|
|
4229
4408
|
#
|
|
4230
4409
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
4231
4410
|
# If you specify a different algorithm, the decrypt attempt fails.
|
|
@@ -4238,7 +4417,7 @@ module Aws::KMS
|
|
|
4238
4417
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
|
4239
4418
|
# data after it has decrypted it. The default value,
|
|
4240
4419
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
4241
|
-
# symmetric KMS keys.
|
|
4420
|
+
# symmetric encryption KMS keys.
|
|
4242
4421
|
#
|
|
4243
4422
|
# This parameter is required only when the destination KMS key is an
|
|
4244
4423
|
# asymmetric KMS key.
|
|
@@ -4359,24 +4538,33 @@ module Aws::KMS
|
|
|
4359
4538
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
4360
4539
|
# Reference*.
|
|
4361
4540
|
#
|
|
4541
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
4542
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
4543
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
4544
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
|
4545
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
4546
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
4547
|
+
#
|
|
4548
|
+
# </note>
|
|
4549
|
+
#
|
|
4362
4550
|
# The replica must be in a different Amazon Web Services Region than
|
|
4363
4551
|
# its primary key and other replicas of that primary key, but in the
|
|
4364
4552
|
# same Amazon Web Services partition. KMS must be available in the
|
|
4365
4553
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
4366
|
-
# Web Services account must be enabled in the Region.
|
|
4367
|
-
#
|
|
4368
|
-
#
|
|
4369
|
-
#
|
|
4370
|
-
#
|
|
4371
|
-
#
|
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
|
4554
|
+
# Web Services account must be enabled in the Region. For information
|
|
4555
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
4556
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
|
4557
|
+
# information about enabling and disabling Regions, see [Enabling a
|
|
4558
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
|
4559
|
+
# General Reference*.
|
|
4373
4560
|
#
|
|
4374
4561
|
#
|
|
4375
4562
|
#
|
|
4376
4563
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
4564
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
4565
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
4566
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
4567
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
4380
4568
|
# @return [String]
|
|
4381
4569
|
#
|
|
4382
4570
|
# @!attribute [rw] policy
|
|
@@ -4455,8 +4643,8 @@ module Aws::KMS
|
|
|
4455
4643
|
# the TagResource operation.
|
|
4456
4644
|
#
|
|
4457
4645
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4458
|
-
# KMS key. For details, see [
|
|
4459
|
-
#
|
|
4646
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4647
|
+
# Service Developer Guide*.
|
|
4460
4648
|
#
|
|
4461
4649
|
# </note>
|
|
4462
4650
|
#
|
|
@@ -4500,9 +4688,9 @@ module Aws::KMS
|
|
|
4500
4688
|
|
|
4501
4689
|
# @!attribute [rw] replica_key_metadata
|
|
4502
4690
|
# Displays details about the new replica key, including its Amazon
|
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
|
4505
|
-
# replica keys.
|
|
4691
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
|
4692
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
|
4693
|
+
# key and other replica keys.
|
|
4506
4694
|
#
|
|
4507
4695
|
#
|
|
4508
4696
|
#
|
|
@@ -4690,8 +4878,8 @@ module Aws::KMS
|
|
|
4690
4878
|
# The current status of the KMS key.
|
|
4691
4879
|
#
|
|
4692
4880
|
# For more information about how key state affects the use of a KMS
|
|
4693
|
-
# key, see [Key
|
|
4694
|
-
#
|
|
4881
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
4882
|
+
# Developer Guide*.
|
|
4695
4883
|
#
|
|
4696
4884
|
#
|
|
4697
4885
|
#
|
|
@@ -5194,6 +5382,100 @@ module Aws::KMS
|
|
|
5194
5382
|
include Aws::Structure
|
|
5195
5383
|
end
|
|
5196
5384
|
|
|
5385
|
+
# @note When making an API call, you may pass VerifyMacRequest
|
|
5386
|
+
# data as a hash:
|
|
5387
|
+
#
|
|
5388
|
+
# {
|
|
5389
|
+
# message: "data", # required
|
|
5390
|
+
# key_id: "KeyIdType", # required
|
|
5391
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5392
|
+
# mac: "data", # required
|
|
5393
|
+
# grant_tokens: ["GrantTokenType"],
|
|
5394
|
+
# }
|
|
5395
|
+
#
|
|
5396
|
+
# @!attribute [rw] message
|
|
5397
|
+
# The message that will be used in the verification. Enter the same
|
|
5398
|
+
# message that was used to generate the HMAC.
|
|
5399
|
+
#
|
|
5400
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
|
5401
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
|
5402
|
+
# message, you must verify the HMAC for the same hash digest.
|
|
5403
|
+
# @return [String]
|
|
5404
|
+
#
|
|
5405
|
+
# @!attribute [rw] key_id
|
|
5406
|
+
# The KMS key that will be used in the verification.
|
|
5407
|
+
#
|
|
5408
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
|
5409
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
|
5410
|
+
# @return [String]
|
|
5411
|
+
#
|
|
5412
|
+
# @!attribute [rw] mac_algorithm
|
|
5413
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
|
5414
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
|
5415
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
|
5416
|
+
# parameter.
|
|
5417
|
+
# @return [String]
|
|
5418
|
+
#
|
|
5419
|
+
# @!attribute [rw] mac
|
|
5420
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
|
5421
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
|
5422
|
+
# key, and MAC algorithm as the values specified in this request.
|
|
5423
|
+
# @return [String]
|
|
5424
|
+
#
|
|
5425
|
+
# @!attribute [rw] grant_tokens
|
|
5426
|
+
# A list of grant tokens.
|
|
5427
|
+
#
|
|
5428
|
+
# Use a grant token when your permission to call this operation comes
|
|
5429
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
5430
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
5431
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
5432
|
+
#
|
|
5433
|
+
#
|
|
5434
|
+
#
|
|
5435
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5436
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
5437
|
+
# @return [Array<String>]
|
|
5438
|
+
#
|
|
5439
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
5440
|
+
#
|
|
5441
|
+
class VerifyMacRequest < Struct.new(
|
|
5442
|
+
:message,
|
|
5443
|
+
:key_id,
|
|
5444
|
+
:mac_algorithm,
|
|
5445
|
+
:mac,
|
|
5446
|
+
:grant_tokens)
|
|
5447
|
+
SENSITIVE = [:message]
|
|
5448
|
+
include Aws::Structure
|
|
5449
|
+
end
|
|
5450
|
+
|
|
5451
|
+
# @!attribute [rw] key_id
|
|
5452
|
+
# The HMAC KMS key used in the verification.
|
|
5453
|
+
# @return [String]
|
|
5454
|
+
#
|
|
5455
|
+
# @!attribute [rw] mac_valid
|
|
5456
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
|
5457
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
|
5458
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
|
5459
|
+
#
|
|
5460
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
|
5461
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
|
5462
|
+
# one or more of the inputs changed since the HMAC was computed.
|
|
5463
|
+
# @return [Boolean]
|
|
5464
|
+
#
|
|
5465
|
+
# @!attribute [rw] mac_algorithm
|
|
5466
|
+
# The MAC algorithm used in the verification.
|
|
5467
|
+
# @return [String]
|
|
5468
|
+
#
|
|
5469
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
|
5470
|
+
#
|
|
5471
|
+
class VerifyMacResponse < Struct.new(
|
|
5472
|
+
:key_id,
|
|
5473
|
+
:mac_valid,
|
|
5474
|
+
:mac_algorithm)
|
|
5475
|
+
SENSITIVE = []
|
|
5476
|
+
include Aws::Structure
|
|
5477
|
+
end
|
|
5478
|
+
|
|
5197
5479
|
# @note When making an API call, you may pass VerifyRequest
|
|
5198
5480
|
# data as a hash:
|
|
5199
5481
|
#
|