aws-sdk-kms 1.55.0 → 1.56.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1028 -541
- data/lib/aws-sdk-kms/client_api.rb +67 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +468 -186
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -415,7 +415,7 @@ module Aws::KMS
|
|
|
415
415
|
# key_id: "KeyIdType", # required
|
|
416
416
|
# grantee_principal: "PrincipalIdType", # required
|
|
417
417
|
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
418
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
419
|
# constraints: {
|
|
420
420
|
# encryption_context_subset: {
|
|
421
421
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -491,12 +491,13 @@ module Aws::KMS
|
|
|
491
491
|
# @!attribute [rw] operations
|
|
492
492
|
# A list of operations that the grant permits.
|
|
493
493
|
#
|
|
494
|
-
#
|
|
495
|
-
#
|
|
496
|
-
#
|
|
497
|
-
#
|
|
498
|
-
#
|
|
499
|
-
#
|
|
494
|
+
# This list must include only operations that are permitted in a
|
|
495
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
|
496
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
|
497
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
|
498
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
|
499
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
|
500
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
|
500
501
|
#
|
|
501
502
|
#
|
|
502
503
|
#
|
|
@@ -509,27 +510,39 @@ module Aws::KMS
|
|
|
509
510
|
# KMS supports the `EncryptionContextEquals` and
|
|
510
511
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
|
511
512
|
# can include up to 8 encryption context pairs. The encryption context
|
|
512
|
-
# value in each constraint cannot exceed 384 characters.
|
|
513
|
+
# value in each constraint cannot exceed 384 characters. For
|
|
514
|
+
# information about grant constraints, see [Using grant
|
|
515
|
+
# constraints][1] in the *Key Management Service Developer Guide*. For
|
|
516
|
+
# more information about encryption context, see [Encryption
|
|
517
|
+
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
518
|
+
# </i>.
|
|
513
519
|
#
|
|
514
|
-
#
|
|
515
|
-
# the encryption context in the request matches
|
|
520
|
+
# The encryption context grant constraints allow the permissions in
|
|
521
|
+
# the grant only when the encryption context in the request matches
|
|
516
522
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
517
|
-
# the encryption context specified in this structure.
|
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
|
523
|
+
# the encryption context specified in this structure.
|
|
522
524
|
#
|
|
523
525
|
# The encryption context grant constraints are supported only on
|
|
524
|
-
# operations that include an
|
|
525
|
-
#
|
|
526
|
-
# with
|
|
527
|
-
#
|
|
526
|
+
# [grant operations][3] that include an `EncryptionContext` parameter,
|
|
527
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
|
528
|
+
# Grants with grant constraints can include the DescribeKey and
|
|
529
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
|
530
|
+
# operations. If a grant with a grant constraint includes the
|
|
531
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
|
532
|
+
# created with the `CreateGrant` permission have an equally strict or
|
|
533
|
+
# stricter encryption context constraint.
|
|
534
|
+
#
|
|
535
|
+
# You cannot use an encryption context grant constraint for
|
|
536
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
537
|
+
# These keys don't support an encryption context.
|
|
538
|
+
#
|
|
539
|
+
#
|
|
528
540
|
#
|
|
529
541
|
#
|
|
530
542
|
#
|
|
531
543
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
532
544
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
545
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
533
546
|
# @return [Types::GrantConstraints]
|
|
534
547
|
#
|
|
535
548
|
# @!attribute [rw] grant_tokens
|
|
@@ -613,9 +626,9 @@ module Aws::KMS
|
|
|
613
626
|
# {
|
|
614
627
|
# policy: "PolicyType",
|
|
615
628
|
# description: "DescriptionType",
|
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
629
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
631
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
619
632
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
620
633
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
621
634
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -683,14 +696,17 @@ module Aws::KMS
|
|
|
683
696
|
# @!attribute [rw] key_usage
|
|
684
697
|
# Determines the [cryptographic operations][1] for which you can use
|
|
685
698
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
686
|
-
# is
|
|
687
|
-
#
|
|
699
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
|
700
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
|
701
|
+
# after the KMS key is created.
|
|
688
702
|
#
|
|
689
703
|
# Select only one valid value.
|
|
690
704
|
#
|
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
|
705
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
|
692
706
|
# `ENCRYPT_DECRYPT`.
|
|
693
707
|
#
|
|
708
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
709
|
+
#
|
|
694
710
|
# * For asymmetric KMS keys with RSA key material, specify
|
|
695
711
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
696
712
|
#
|
|
@@ -715,33 +731,40 @@ module Aws::KMS
|
|
|
715
731
|
# Specifies the type of KMS key to create. The default value,
|
|
716
732
|
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit symmetric key
|
|
717
733
|
# for encryption and decryption. For help choosing a key spec for your
|
|
718
|
-
# KMS key, see [
|
|
719
|
-
#
|
|
734
|
+
# KMS key, see [Choosing a KMS key type][1] in the <i> <i>Key
|
|
735
|
+
# Management Service Developer Guide</i> </i>.
|
|
720
736
|
#
|
|
721
737
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
|
723
|
-
#
|
|
724
|
-
#
|
|
725
|
-
#
|
|
726
|
-
#
|
|
727
|
-
#
|
|
728
|
-
#
|
|
729
|
-
#
|
|
730
|
-
# [Amazon Web Services services that are integrated with KMS][
|
|
731
|
-
# symmetric KMS keys to protect your data. These services
|
|
732
|
-
# support asymmetric KMS keys
|
|
733
|
-
# is symmetric or asymmetric, see [Identifying Symmetric and
|
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
|
735
|
-
# Guide*.
|
|
738
|
+
# key or an asymmetric key pair. It also determines the algorithms
|
|
739
|
+
# that the KMS key supports. You can't change the `KeySpec` after the
|
|
740
|
+
# KMS key is created. To further restrict the algorithms that can be
|
|
741
|
+
# used with the KMS key, use a condition key in its key policy or IAM
|
|
742
|
+
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
|
743
|
+
# [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
|
|
744
|
+
# <i>Key Management Service Developer Guide</i> </i>.
|
|
745
|
+
#
|
|
746
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
747
|
+
# symmetric encryption KMS keys to protect your data. These services
|
|
748
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
736
749
|
#
|
|
737
750
|
# KMS supports the following key specs for KMS keys:
|
|
738
751
|
#
|
|
739
|
-
# * Symmetric key (default)
|
|
752
|
+
# * Symmetric encryption key (default)
|
|
740
753
|
#
|
|
741
754
|
# * `SYMMETRIC_DEFAULT` (AES-256-GCM)
|
|
742
755
|
#
|
|
743
756
|
# ^
|
|
744
757
|
#
|
|
758
|
+
# * HMAC keys (symmetric)
|
|
759
|
+
#
|
|
760
|
+
# * `HMAC_224`
|
|
761
|
+
#
|
|
762
|
+
# * `HMAC_256`
|
|
763
|
+
#
|
|
764
|
+
# * `HMAC_384`
|
|
765
|
+
#
|
|
766
|
+
# * `HMAC_512`
|
|
767
|
+
#
|
|
745
768
|
# * Asymmetric RSA key pairs
|
|
746
769
|
#
|
|
747
770
|
# * `RSA_2048`
|
|
@@ -767,11 +790,11 @@ module Aws::KMS
|
|
|
767
790
|
#
|
|
768
791
|
#
|
|
769
792
|
#
|
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
|
793
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
771
794
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
|
773
|
-
# [4]:
|
|
774
|
-
# [5]:
|
|
795
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
|
796
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
|
797
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
775
798
|
# @return [String]
|
|
776
799
|
#
|
|
777
800
|
# @!attribute [rw] origin
|
|
@@ -783,13 +806,13 @@ module Aws::KMS
|
|
|
783
806
|
# material), set the value to `EXTERNAL`. For more information about
|
|
784
807
|
# importing key material into KMS, see [Importing Key Material][1] in
|
|
785
808
|
# the *Key Management Service Developer Guide*. This value is valid
|
|
786
|
-
# only for symmetric KMS keys.
|
|
809
|
+
# only for symmetric encryption KMS keys.
|
|
787
810
|
#
|
|
788
811
|
# To create a KMS key in an KMS [custom key store][2] and create its
|
|
789
812
|
# key material in the associated CloudHSM cluster, set this value to
|
|
790
813
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
791
814
|
# to identify the custom key store. This value is valid only for
|
|
792
|
-
# symmetric KMS keys.
|
|
815
|
+
# symmetric encryption KMS keys.
|
|
793
816
|
#
|
|
794
817
|
#
|
|
795
818
|
#
|
|
@@ -805,9 +828,9 @@ module Aws::KMS
|
|
|
805
828
|
# associated with the custom key store must have at least two active
|
|
806
829
|
# HSMs, each in a different Availability Zone in the Region.
|
|
807
830
|
#
|
|
808
|
-
# This parameter is valid only for symmetric KMS keys
|
|
809
|
-
#
|
|
810
|
-
#
|
|
831
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
832
|
+
# single Region. You cannot create any other type of KMS key in a
|
|
833
|
+
# custom key store.
|
|
811
834
|
#
|
|
812
835
|
# To find the ID of a custom key store, use the
|
|
813
836
|
# DescribeCustomKeyStores operation.
|
|
@@ -853,8 +876,8 @@ module Aws::KMS
|
|
|
853
876
|
# TagResource operation.
|
|
854
877
|
#
|
|
855
878
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
856
|
-
# KMS key. For details, see [
|
|
857
|
-
#
|
|
879
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
880
|
+
# Service Developer Guide*.
|
|
858
881
|
#
|
|
859
882
|
# </note>
|
|
860
883
|
#
|
|
@@ -895,7 +918,7 @@ module Aws::KMS
|
|
|
895
918
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
896
919
|
# a different Amazon Web Services Region without re-encrypting the
|
|
897
920
|
# data or making a cross-Region call. For more information about
|
|
898
|
-
# multi-Region keys, see [
|
|
921
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
|
899
922
|
# Management Service Developer Guide*.
|
|
900
923
|
#
|
|
901
924
|
# This value creates a *primary key*, not a replica. To create a
|
|
@@ -1170,17 +1193,20 @@ module Aws::KMS
|
|
|
1170
1193
|
# @!attribute [rw] encryption_context
|
|
1171
1194
|
# Specifies the encryption context to use when decrypting the data. An
|
|
1172
1195
|
# encryption context is valid only for [cryptographic operations][1]
|
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
|
1174
|
-
# algorithms that KMS uses do not
|
|
1196
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
|
1197
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
|
1198
|
+
# support an encryption context.
|
|
1175
1199
|
#
|
|
1176
1200
|
# An *encryption context* is a collection of non-secret key-value
|
|
1177
|
-
# pairs that
|
|
1201
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1178
1202
|
# encryption context to encrypt data, you must specify the same (an
|
|
1179
1203
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1180
|
-
# An encryption context is
|
|
1181
|
-
# KMS
|
|
1204
|
+
# An encryption context is supported only on operations with symmetric
|
|
1205
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1206
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1207
|
+
# recommended.
|
|
1182
1208
|
#
|
|
1183
|
-
# For more information, see [Encryption
|
|
1209
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1184
1210
|
# Management Service Developer Guide*.
|
|
1185
1211
|
#
|
|
1186
1212
|
#
|
|
@@ -1204,15 +1230,18 @@ module Aws::KMS
|
|
|
1204
1230
|
# @return [Array<String>]
|
|
1205
1231
|
#
|
|
1206
1232
|
# @!attribute [rw] key_id
|
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1208
|
-
#
|
|
1233
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1234
|
+
#
|
|
1235
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
1236
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
|
1237
|
+
# operation throws an `IncorrectKeyException`.
|
|
1209
1238
|
#
|
|
1210
1239
|
# This parameter is required only when the ciphertext was encrypted
|
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
|
1215
|
-
# intend.
|
|
1240
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
1241
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
1242
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
1243
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
1244
|
+
# you intend.
|
|
1216
1245
|
#
|
|
1217
1246
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1218
1247
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1243,7 +1272,7 @@ module Aws::KMS
|
|
|
1243
1272
|
# This parameter is required only when the ciphertext was encrypted
|
|
1244
1273
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
|
1245
1274
|
# represents the only supported algorithm that is valid for symmetric
|
|
1246
|
-
# KMS keys.
|
|
1275
|
+
# encryption KMS keys.
|
|
1247
1276
|
# @return [String]
|
|
1248
1277
|
#
|
|
1249
1278
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
@@ -1570,9 +1599,10 @@ module Aws::KMS
|
|
|
1570
1599
|
# }
|
|
1571
1600
|
#
|
|
1572
1601
|
# @!attribute [rw] key_id
|
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
|
1575
|
-
# [imported key material][
|
|
1602
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1603
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1604
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1605
|
+
# [custom key store][4].
|
|
1576
1606
|
#
|
|
1577
1607
|
# Specify the key ID or key ARN of the KMS key.
|
|
1578
1608
|
#
|
|
@@ -1589,8 +1619,9 @@ module Aws::KMS
|
|
|
1589
1619
|
#
|
|
1590
1620
|
#
|
|
1591
1621
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1622
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1623
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1624
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1594
1625
|
# @return [String]
|
|
1595
1626
|
#
|
|
1596
1627
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1678,11 +1709,11 @@ module Aws::KMS
|
|
|
1678
1709
|
# }
|
|
1679
1710
|
#
|
|
1680
1711
|
# @!attribute [rw] key_id
|
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
|
1682
|
-
# of [asymmetric KMS keys][1], KMS keys
|
|
1683
|
-
# material][
|
|
1684
|
-
# disable automatic rotation of a set of
|
|
1685
|
-
# keys][
|
|
1712
|
+
# Identifies a symmetric encryption KMS key. You cannot enable
|
|
1713
|
+
# automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
|
1714
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom
|
|
1715
|
+
# key store][4]. To enable or disable automatic rotation of a set of
|
|
1716
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
|
1686
1717
|
#
|
|
1687
1718
|
# Specify the key ID or key ARN of the KMS key.
|
|
1688
1719
|
#
|
|
@@ -1698,10 +1729,11 @@ module Aws::KMS
|
|
|
1698
1729
|
#
|
|
1699
1730
|
#
|
|
1700
1731
|
#
|
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1732
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1733
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1734
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1735
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1736
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
|
1705
1737
|
# @return [String]
|
|
1706
1738
|
#
|
|
1707
1739
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1726,7 +1758,9 @@ module Aws::KMS
|
|
|
1726
1758
|
# }
|
|
1727
1759
|
#
|
|
1728
1760
|
# @!attribute [rw] key_id
|
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
|
1761
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1762
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
1763
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
|
1730
1764
|
#
|
|
1731
1765
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1732
1766
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1755,18 +1789,20 @@ module Aws::KMS
|
|
|
1755
1789
|
# @!attribute [rw] encryption_context
|
|
1756
1790
|
# Specifies the encryption context that will be used to encrypt the
|
|
1757
1791
|
# data. An encryption context is valid only for [cryptographic
|
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
|
1759
|
-
# encryption algorithms that KMS uses
|
|
1760
|
-
# context.
|
|
1792
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
|
1793
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
|
1794
|
+
# do not support an encryption context.
|
|
1761
1795
|
#
|
|
1762
1796
|
# An *encryption context* is a collection of non-secret key-value
|
|
1763
|
-
# pairs that
|
|
1797
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1764
1798
|
# encryption context to encrypt data, you must specify the same (an
|
|
1765
1799
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1766
|
-
# An encryption context is
|
|
1767
|
-
# KMS
|
|
1800
|
+
# An encryption context is supported only on operations with symmetric
|
|
1801
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1802
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1803
|
+
# recommended.
|
|
1768
1804
|
#
|
|
1769
|
-
# For more information, see [Encryption
|
|
1805
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1770
1806
|
# Management Service Developer Guide*.
|
|
1771
1807
|
#
|
|
1772
1808
|
#
|
|
@@ -1795,9 +1831,9 @@ module Aws::KMS
|
|
|
1795
1831
|
# that you specify.
|
|
1796
1832
|
#
|
|
1797
1833
|
# This parameter is required only for asymmetric KMS keys. The default
|
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
|
1834
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1835
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1836
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
|
1801
1837
|
# @return [String]
|
|
1802
1838
|
#
|
|
1803
1839
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1874,13 +1910,15 @@ module Aws::KMS
|
|
|
1874
1910
|
# the private key in the data key pair.
|
|
1875
1911
|
#
|
|
1876
1912
|
# An *encryption context* is a collection of non-secret key-value
|
|
1877
|
-
# pairs that
|
|
1913
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1878
1914
|
# encryption context to encrypt data, you must specify the same (an
|
|
1879
1915
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1880
|
-
# An encryption context is
|
|
1881
|
-
# KMS
|
|
1916
|
+
# An encryption context is supported only on operations with symmetric
|
|
1917
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1918
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1919
|
+
# recommended.
|
|
1882
1920
|
#
|
|
1883
|
-
# For more information, see [Encryption
|
|
1921
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
1884
1922
|
# Management Service Developer Guide*.
|
|
1885
1923
|
#
|
|
1886
1924
|
#
|
|
@@ -1889,10 +1927,10 @@ module Aws::KMS
|
|
|
1889
1927
|
# @return [Hash<String,String>]
|
|
1890
1928
|
#
|
|
1891
1929
|
# @!attribute [rw] key_id
|
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
|
1894
|
-
# in a custom key store. To get the type and origin of
|
|
1895
|
-
# use the DescribeKey operation.
|
|
1930
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
1931
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
1932
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
1933
|
+
# your KMS key, use the DescribeKey operation.
|
|
1896
1934
|
#
|
|
1897
1935
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1898
1936
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1961,7 +1999,9 @@ module Aws::KMS
|
|
|
1961
1999
|
# @return [String]
|
|
1962
2000
|
#
|
|
1963
2001
|
# @!attribute [rw] public_key
|
|
1964
|
-
# The public key (in plaintext).
|
|
2002
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2003
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2004
|
+
# is not Base64-encoded.
|
|
1965
2005
|
# @return [String]
|
|
1966
2006
|
#
|
|
1967
2007
|
# @!attribute [rw] key_id
|
|
@@ -2006,13 +2046,15 @@ module Aws::KMS
|
|
|
2006
2046
|
# the private key in the data key pair.
|
|
2007
2047
|
#
|
|
2008
2048
|
# An *encryption context* is a collection of non-secret key-value
|
|
2009
|
-
# pairs that
|
|
2049
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2010
2050
|
# encryption context to encrypt data, you must specify the same (an
|
|
2011
2051
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2012
|
-
# An encryption context is
|
|
2013
|
-
# KMS
|
|
2052
|
+
# An encryption context is supported only on operations with symmetric
|
|
2053
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2054
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2055
|
+
# recommended.
|
|
2014
2056
|
#
|
|
2015
|
-
# For more information, see [Encryption
|
|
2057
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2016
2058
|
# Management Service Developer Guide*.
|
|
2017
2059
|
#
|
|
2018
2060
|
#
|
|
@@ -2021,10 +2063,10 @@ module Aws::KMS
|
|
|
2021
2063
|
# @return [Hash<String,String>]
|
|
2022
2064
|
#
|
|
2023
2065
|
# @!attribute [rw] key_id
|
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
|
2025
|
-
# pair. You
|
|
2026
|
-
#
|
|
2027
|
-
#
|
|
2066
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
2067
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
2068
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
2069
|
+
# your KMS key, use the DescribeKey operation.
|
|
2028
2070
|
#
|
|
2029
2071
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2030
2072
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2087,7 +2129,9 @@ module Aws::KMS
|
|
|
2087
2129
|
# @return [String]
|
|
2088
2130
|
#
|
|
2089
2131
|
# @!attribute [rw] public_key
|
|
2090
|
-
# The public key (in plaintext).
|
|
2132
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2133
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2134
|
+
# is not Base64-encoded.
|
|
2091
2135
|
# @return [String]
|
|
2092
2136
|
#
|
|
2093
2137
|
# @!attribute [rw] key_id
|
|
@@ -2128,7 +2172,10 @@ module Aws::KMS
|
|
|
2128
2172
|
# }
|
|
2129
2173
|
#
|
|
2130
2174
|
# @!attribute [rw] key_id
|
|
2131
|
-
#
|
|
2175
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2176
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2177
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2178
|
+
# the DescribeKey operation.
|
|
2132
2179
|
#
|
|
2133
2180
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2134
2181
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2155,13 +2202,15 @@ module Aws::KMS
|
|
|
2155
2202
|
# the data key.
|
|
2156
2203
|
#
|
|
2157
2204
|
# An *encryption context* is a collection of non-secret key-value
|
|
2158
|
-
# pairs that
|
|
2205
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2159
2206
|
# encryption context to encrypt data, you must specify the same (an
|
|
2160
2207
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2161
|
-
# An encryption context is
|
|
2162
|
-
# KMS
|
|
2208
|
+
# An encryption context is supported only on operations with symmetric
|
|
2209
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2210
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2211
|
+
# recommended.
|
|
2163
2212
|
#
|
|
2164
|
-
# For more information, see [Encryption
|
|
2213
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2165
2214
|
# Management Service Developer Guide*.
|
|
2166
2215
|
#
|
|
2167
2216
|
#
|
|
@@ -2260,7 +2309,10 @@ module Aws::KMS
|
|
|
2260
2309
|
# }
|
|
2261
2310
|
#
|
|
2262
2311
|
# @!attribute [rw] key_id
|
|
2263
|
-
#
|
|
2312
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2313
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2314
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2315
|
+
# the DescribeKey operation.
|
|
2264
2316
|
#
|
|
2265
2317
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2266
2318
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2287,13 +2339,15 @@ module Aws::KMS
|
|
|
2287
2339
|
# the data key.
|
|
2288
2340
|
#
|
|
2289
2341
|
# An *encryption context* is a collection of non-secret key-value
|
|
2290
|
-
# pairs that
|
|
2342
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2291
2343
|
# encryption context to encrypt data, you must specify the same (an
|
|
2292
2344
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2293
|
-
# An encryption context is
|
|
2294
|
-
# KMS
|
|
2345
|
+
# An encryption context is supported only on operations with symmetric
|
|
2346
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2347
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2348
|
+
# recommended.
|
|
2295
2349
|
#
|
|
2296
|
-
# For more information, see [Encryption
|
|
2350
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2297
2351
|
# Management Service Developer Guide*.
|
|
2298
2352
|
#
|
|
2299
2353
|
#
|
|
@@ -2363,6 +2417,93 @@ module Aws::KMS
|
|
|
2363
2417
|
include Aws::Structure
|
|
2364
2418
|
end
|
|
2365
2419
|
|
|
2420
|
+
# @note When making an API call, you may pass GenerateMacRequest
|
|
2421
|
+
# data as a hash:
|
|
2422
|
+
#
|
|
2423
|
+
# {
|
|
2424
|
+
# message: "data", # required
|
|
2425
|
+
# key_id: "KeyIdType", # required
|
|
2426
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2427
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2428
|
+
# }
|
|
2429
|
+
#
|
|
2430
|
+
# @!attribute [rw] message
|
|
2431
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2432
|
+
#
|
|
2433
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
|
2434
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
|
2435
|
+
# message, you must verify the HMAC of the same hash digest.
|
|
2436
|
+
# @return [String]
|
|
2437
|
+
#
|
|
2438
|
+
# @!attribute [rw] key_id
|
|
2439
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
|
2440
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
|
2441
|
+
#
|
|
2442
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
|
2443
|
+
# the `KeySpec` field in the response.
|
|
2444
|
+
#
|
|
2445
|
+
#
|
|
2446
|
+
#
|
|
2447
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2448
|
+
# @return [String]
|
|
2449
|
+
#
|
|
2450
|
+
# @!attribute [rw] mac_algorithm
|
|
2451
|
+
# The MAC algorithm used in the operation.
|
|
2452
|
+
#
|
|
2453
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
|
2454
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
|
2455
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
|
2456
|
+
# the `DescribeKey` response.
|
|
2457
|
+
# @return [String]
|
|
2458
|
+
#
|
|
2459
|
+
# @!attribute [rw] grant_tokens
|
|
2460
|
+
# A list of grant tokens.
|
|
2461
|
+
#
|
|
2462
|
+
# Use a grant token when your permission to call this operation comes
|
|
2463
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
2464
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
2465
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
2466
|
+
#
|
|
2467
|
+
#
|
|
2468
|
+
#
|
|
2469
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2470
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
2471
|
+
# @return [Array<String>]
|
|
2472
|
+
#
|
|
2473
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
2474
|
+
#
|
|
2475
|
+
class GenerateMacRequest < Struct.new(
|
|
2476
|
+
:message,
|
|
2477
|
+
:key_id,
|
|
2478
|
+
:mac_algorithm,
|
|
2479
|
+
:grant_tokens)
|
|
2480
|
+
SENSITIVE = [:message]
|
|
2481
|
+
include Aws::Structure
|
|
2482
|
+
end
|
|
2483
|
+
|
|
2484
|
+
# @!attribute [rw] mac
|
|
2485
|
+
# The hash-based message authentication code (HMAC) for the given
|
|
2486
|
+
# message, key, and MAC algorithm.
|
|
2487
|
+
# @return [String]
|
|
2488
|
+
#
|
|
2489
|
+
# @!attribute [rw] mac_algorithm
|
|
2490
|
+
# The MAC algorithm that was used to generate the HMAC.
|
|
2491
|
+
# @return [String]
|
|
2492
|
+
#
|
|
2493
|
+
# @!attribute [rw] key_id
|
|
2494
|
+
# The HMAC KMS key used in the operation.
|
|
2495
|
+
# @return [String]
|
|
2496
|
+
#
|
|
2497
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
|
2498
|
+
#
|
|
2499
|
+
class GenerateMacResponse < Struct.new(
|
|
2500
|
+
:mac,
|
|
2501
|
+
:mac_algorithm,
|
|
2502
|
+
:key_id)
|
|
2503
|
+
SENSITIVE = []
|
|
2504
|
+
include Aws::Structure
|
|
2505
|
+
end
|
|
2506
|
+
|
|
2366
2507
|
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2367
2508
|
# data as a hash:
|
|
2368
2509
|
#
|
|
@@ -2513,8 +2654,9 @@ module Aws::KMS
|
|
|
2513
2654
|
# }
|
|
2514
2655
|
#
|
|
2515
2656
|
# @!attribute [rw] key_id
|
|
2516
|
-
# The identifier of the symmetric KMS key into which you
|
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
|
2657
|
+
# The identifier of the symmetric encryption KMS key into which you
|
|
2658
|
+
# will import key material. The `Origin` of the KMS key must be
|
|
2659
|
+
# `EXTERNAL`.
|
|
2518
2660
|
#
|
|
2519
2661
|
# Specify the key ID or key ARN of the KMS key.
|
|
2520
2662
|
#
|
|
@@ -2729,10 +2871,11 @@ module Aws::KMS
|
|
|
2729
2871
|
#
|
|
2730
2872
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2731
2873
|
# that support an encryption context, that is, all cryptographic
|
|
2732
|
-
# operations with a [symmetric KMS key][3]. Grant constraints
|
|
2733
|
-
# applied to operations that do not support an encryption
|
|
2734
|
-
# as cryptographic operations with
|
|
2735
|
-
# operations, such as DescribeKey or
|
|
2874
|
+
# operations with a [symmetric encryption KMS key][3]. Grant constraints
|
|
2875
|
+
# are not applied to operations that do not support an encryption
|
|
2876
|
+
# context, such as cryptographic operations with HMAC KMS keys or
|
|
2877
|
+
# asymmetric KMS keys, and management operations, such as DescribeKey or
|
|
2878
|
+
# RetireGrant.
|
|
2736
2879
|
#
|
|
2737
2880
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2738
2881
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2880,10 +3023,13 @@ module Aws::KMS
|
|
|
2880
3023
|
# }
|
|
2881
3024
|
#
|
|
2882
3025
|
# @!attribute [rw] key_id
|
|
2883
|
-
# The identifier of the symmetric KMS key that receives the
|
|
2884
|
-
# key material.
|
|
2885
|
-
#
|
|
2886
|
-
#
|
|
3026
|
+
# The identifier of the symmetric encryption KMS key that receives the
|
|
3027
|
+
# imported key material. This must be the same KMS key specified in
|
|
3028
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
|
3029
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
|
|
3030
|
+
# perform this operation on an asymmetric KMS key, an HMAC KMS key, a
|
|
3031
|
+
# KMS key in a custom key store, or on a KMS key in a different Amazon
|
|
3032
|
+
# Web Services account
|
|
2887
3033
|
#
|
|
2888
3034
|
# Specify the key ID or key ARN of the KMS key.
|
|
2889
3035
|
#
|
|
@@ -2945,8 +3091,8 @@ module Aws::KMS
|
|
|
2945
3091
|
class ImportKeyMaterialResponse < Aws::EmptyStructure; end
|
|
2946
3092
|
|
|
2947
3093
|
# The request was rejected because the specified KMS key cannot decrypt
|
|
2948
|
-
# the data. The `KeyId` in a Decrypt request and the `SourceKeyId` in
|
|
2949
|
-
# ReEncrypt request must identify the same KMS key that was used to
|
|
3094
|
+
# the data. The `KeyId` in a `Decrypt` request and the `SourceKeyId` in
|
|
3095
|
+
# a `ReEncrypt` request must identify the same KMS key that was used to
|
|
2950
3096
|
# encrypt the ciphertext.
|
|
2951
3097
|
#
|
|
2952
3098
|
# @!attribute [rw] message
|
|
@@ -3095,9 +3241,11 @@ module Aws::KMS
|
|
|
3095
3241
|
# key `(KeySpec`).
|
|
3096
3242
|
#
|
|
3097
3243
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
|
3100
|
-
#
|
|
3244
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3245
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3246
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3247
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
|
3248
|
+
# DescribeKey operation.
|
|
3101
3249
|
#
|
|
3102
3250
|
# To find the encryption or signing algorithms supported for a
|
|
3103
3251
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3141,6 +3289,22 @@ module Aws::KMS
|
|
|
3141
3289
|
include Aws::Structure
|
|
3142
3290
|
end
|
|
3143
3291
|
|
|
3292
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
|
3293
|
+
# verification fails when the HMAC computed by using the specified
|
|
3294
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
|
3295
|
+
# specified in the request.
|
|
3296
|
+
#
|
|
3297
|
+
# @!attribute [rw] message
|
|
3298
|
+
# @return [String]
|
|
3299
|
+
#
|
|
3300
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
|
3301
|
+
#
|
|
3302
|
+
class KMSInvalidMacException < Struct.new(
|
|
3303
|
+
:message)
|
|
3304
|
+
SENSITIVE = []
|
|
3305
|
+
include Aws::Structure
|
|
3306
|
+
end
|
|
3307
|
+
|
|
3144
3308
|
# The request was rejected because the signature verification failed.
|
|
3145
3309
|
# Signature verification fails when it cannot confirm that signature was
|
|
3146
3310
|
# produced by signing the specified message with the specified KMS key
|
|
@@ -3161,8 +3325,8 @@ module Aws::KMS
|
|
|
3161
3325
|
# is not valid for this request.
|
|
3162
3326
|
#
|
|
3163
3327
|
# For more information about how key state affects the use of a KMS key,
|
|
3164
|
-
# see [Key
|
|
3165
|
-
#
|
|
3328
|
+
# see [Key states of KMS keys][1] in the <i> <i>Key Management Service
|
|
3329
|
+
# Developer Guide</i> </i>.
|
|
3166
3330
|
#
|
|
3167
3331
|
#
|
|
3168
3332
|
#
|
|
@@ -3247,8 +3411,8 @@ module Aws::KMS
|
|
|
3247
3411
|
# The current status of the KMS key.
|
|
3248
3412
|
#
|
|
3249
3413
|
# For more information about how key state affects the use of a KMS
|
|
3250
|
-
# key, see [Key
|
|
3251
|
-
#
|
|
3414
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
3415
|
+
# Developer Guide*.
|
|
3252
3416
|
#
|
|
3253
3417
|
#
|
|
3254
3418
|
#
|
|
@@ -3355,9 +3519,8 @@ module Aws::KMS
|
|
|
3355
3519
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
3356
3520
|
# replica keys and `False` for regional KMS keys.
|
|
3357
3521
|
#
|
|
3358
|
-
# For more information about multi-Region keys, see [
|
|
3359
|
-
#
|
|
3360
|
-
# Guide*.
|
|
3522
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
|
3523
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
3361
3524
|
#
|
|
3362
3525
|
#
|
|
3363
3526
|
#
|
|
@@ -3402,6 +3565,14 @@ module Aws::KMS
|
|
|
3402
3565
|
# the deletion date appears in the `DeletionDate` field.
|
|
3403
3566
|
# @return [Integer]
|
|
3404
3567
|
#
|
|
3568
|
+
# @!attribute [rw] mac_algorithms
|
|
3569
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
|
3570
|
+
# key supports.
|
|
3571
|
+
#
|
|
3572
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
|
3573
|
+
# `GENERATE_VERIFY_MAC`.
|
|
3574
|
+
# @return [Array<String>]
|
|
3575
|
+
#
|
|
3405
3576
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3406
3577
|
#
|
|
3407
3578
|
class KeyMetadata < Struct.new(
|
|
@@ -3426,7 +3597,8 @@ module Aws::KMS
|
|
|
3426
3597
|
:signing_algorithms,
|
|
3427
3598
|
:multi_region,
|
|
3428
3599
|
:multi_region_configuration,
|
|
3429
|
-
:pending_deletion_window_in_days
|
|
3600
|
+
:pending_deletion_window_in_days,
|
|
3601
|
+
:mac_algorithms)
|
|
3430
3602
|
SENSITIVE = []
|
|
3431
3603
|
include Aws::Structure
|
|
3432
3604
|
end
|
|
@@ -3834,8 +4006,8 @@ module Aws::KMS
|
|
|
3834
4006
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
3835
4007
|
#
|
|
3836
4008
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
3837
|
-
# KMS key. For details, see [
|
|
3838
|
-
#
|
|
4009
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4010
|
+
# Service Developer Guide*.
|
|
3839
4011
|
#
|
|
3840
4012
|
# </note>
|
|
3841
4013
|
#
|
|
@@ -4126,13 +4298,15 @@ module Aws::KMS
|
|
|
4126
4298
|
# ciphertext.
|
|
4127
4299
|
#
|
|
4128
4300
|
# An *encryption context* is a collection of non-secret key-value
|
|
4129
|
-
# pairs that
|
|
4301
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4130
4302
|
# encryption context to encrypt data, you must specify the same (an
|
|
4131
4303
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4132
|
-
# An encryption context is
|
|
4133
|
-
# KMS
|
|
4304
|
+
# An encryption context is supported only on operations with symmetric
|
|
4305
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4306
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4307
|
+
# recommended.
|
|
4134
4308
|
#
|
|
4135
|
-
# For more information, see [Encryption
|
|
4309
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4136
4310
|
# Management Service Developer Guide*.
|
|
4137
4311
|
#
|
|
4138
4312
|
#
|
|
@@ -4142,15 +4316,18 @@ module Aws::KMS
|
|
|
4142
4316
|
#
|
|
4143
4317
|
# @!attribute [rw] source_key_id
|
|
4144
4318
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
|
4145
|
-
# before it is re-encrypted.
|
|
4146
|
-
#
|
|
4319
|
+
# before it is re-encrypted.
|
|
4320
|
+
#
|
|
4321
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
4322
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
|
4323
|
+
# operation throws an `IncorrectKeyException`.
|
|
4147
4324
|
#
|
|
4148
4325
|
# This parameter is required only when the ciphertext was encrypted
|
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
|
4153
|
-
# intend.
|
|
4326
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
4327
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
4328
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
4329
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
4330
|
+
# you intend.
|
|
4154
4331
|
#
|
|
4155
4332
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4156
4333
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4174,9 +4351,9 @@ module Aws::KMS
|
|
|
4174
4351
|
#
|
|
4175
4352
|
# @!attribute [rw] destination_key_id
|
|
4176
4353
|
# A unique identifier for the KMS key that is used to reencrypt the
|
|
4177
|
-
# data. Specify a symmetric
|
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
|
4179
|
-
# key, use the DescribeKey operation.
|
|
4354
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
|
4355
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
|
4356
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
|
4180
4357
|
#
|
|
4181
4358
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4182
4359
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4203,17 +4380,19 @@ module Aws::KMS
|
|
|
4203
4380
|
# data.
|
|
4204
4381
|
#
|
|
4205
4382
|
# A destination encryption context is valid only when the destination
|
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
|
4383
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
4384
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
|
4208
4385
|
#
|
|
4209
4386
|
# An *encryption context* is a collection of non-secret key-value
|
|
4210
|
-
# pairs that
|
|
4387
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4211
4388
|
# encryption context to encrypt data, you must specify the same (an
|
|
4212
4389
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4213
|
-
# An encryption context is
|
|
4214
|
-
# KMS
|
|
4390
|
+
# An encryption context is supported only on operations with symmetric
|
|
4391
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4392
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4393
|
+
# recommended.
|
|
4215
4394
|
#
|
|
4216
|
-
# For more information, see [Encryption
|
|
4395
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4217
4396
|
# Management Service Developer Guide*.
|
|
4218
4397
|
#
|
|
4219
4398
|
#
|
|
@@ -4224,8 +4403,8 @@ module Aws::KMS
|
|
|
4224
4403
|
# @!attribute [rw] source_encryption_algorithm
|
|
4225
4404
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
|
4226
4405
|
# ciphertext before it is reencrypted. The default value,
|
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4228
|
-
# keys.
|
|
4406
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4407
|
+
# encryption KMS keys.
|
|
4229
4408
|
#
|
|
4230
4409
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
4231
4410
|
# If you specify a different algorithm, the decrypt attempt fails.
|
|
@@ -4238,7 +4417,7 @@ module Aws::KMS
|
|
|
4238
4417
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
|
4239
4418
|
# data after it has decrypted it. The default value,
|
|
4240
4419
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
4241
|
-
# symmetric KMS keys.
|
|
4420
|
+
# symmetric encryption KMS keys.
|
|
4242
4421
|
#
|
|
4243
4422
|
# This parameter is required only when the destination KMS key is an
|
|
4244
4423
|
# asymmetric KMS key.
|
|
@@ -4359,24 +4538,33 @@ module Aws::KMS
|
|
|
4359
4538
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
4360
4539
|
# Reference*.
|
|
4361
4540
|
#
|
|
4541
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
4542
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
4543
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
4544
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
|
4545
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
4546
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
4547
|
+
#
|
|
4548
|
+
# </note>
|
|
4549
|
+
#
|
|
4362
4550
|
# The replica must be in a different Amazon Web Services Region than
|
|
4363
4551
|
# its primary key and other replicas of that primary key, but in the
|
|
4364
4552
|
# same Amazon Web Services partition. KMS must be available in the
|
|
4365
4553
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
4366
|
-
# Web Services account must be enabled in the Region.
|
|
4367
|
-
#
|
|
4368
|
-
#
|
|
4369
|
-
#
|
|
4370
|
-
#
|
|
4371
|
-
#
|
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
|
4554
|
+
# Web Services account must be enabled in the Region. For information
|
|
4555
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
4556
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
|
4557
|
+
# information about enabling and disabling Regions, see [Enabling a
|
|
4558
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
|
4559
|
+
# General Reference*.
|
|
4373
4560
|
#
|
|
4374
4561
|
#
|
|
4375
4562
|
#
|
|
4376
4563
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
4564
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
4565
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
4566
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
4567
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
4380
4568
|
# @return [String]
|
|
4381
4569
|
#
|
|
4382
4570
|
# @!attribute [rw] policy
|
|
@@ -4455,8 +4643,8 @@ module Aws::KMS
|
|
|
4455
4643
|
# the TagResource operation.
|
|
4456
4644
|
#
|
|
4457
4645
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4458
|
-
# KMS key. For details, see [
|
|
4459
|
-
#
|
|
4646
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4647
|
+
# Service Developer Guide*.
|
|
4460
4648
|
#
|
|
4461
4649
|
# </note>
|
|
4462
4650
|
#
|
|
@@ -4500,9 +4688,9 @@ module Aws::KMS
|
|
|
4500
4688
|
|
|
4501
4689
|
# @!attribute [rw] replica_key_metadata
|
|
4502
4690
|
# Displays details about the new replica key, including its Amazon
|
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
|
4505
|
-
# replica keys.
|
|
4691
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
|
4692
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
|
4693
|
+
# key and other replica keys.
|
|
4506
4694
|
#
|
|
4507
4695
|
#
|
|
4508
4696
|
#
|
|
@@ -4690,8 +4878,8 @@ module Aws::KMS
|
|
|
4690
4878
|
# The current status of the KMS key.
|
|
4691
4879
|
#
|
|
4692
4880
|
# For more information about how key state affects the use of a KMS
|
|
4693
|
-
# key, see [Key
|
|
4694
|
-
#
|
|
4881
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
4882
|
+
# Developer Guide*.
|
|
4695
4883
|
#
|
|
4696
4884
|
#
|
|
4697
4885
|
#
|
|
@@ -5194,6 +5382,100 @@ module Aws::KMS
|
|
|
5194
5382
|
include Aws::Structure
|
|
5195
5383
|
end
|
|
5196
5384
|
|
|
5385
|
+
# @note When making an API call, you may pass VerifyMacRequest
|
|
5386
|
+
# data as a hash:
|
|
5387
|
+
#
|
|
5388
|
+
# {
|
|
5389
|
+
# message: "data", # required
|
|
5390
|
+
# key_id: "KeyIdType", # required
|
|
5391
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5392
|
+
# mac: "data", # required
|
|
5393
|
+
# grant_tokens: ["GrantTokenType"],
|
|
5394
|
+
# }
|
|
5395
|
+
#
|
|
5396
|
+
# @!attribute [rw] message
|
|
5397
|
+
# The message that will be used in the verification. Enter the same
|
|
5398
|
+
# message that was used to generate the HMAC.
|
|
5399
|
+
#
|
|
5400
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
|
5401
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
|
5402
|
+
# message, you must verify the HMAC for the same hash digest.
|
|
5403
|
+
# @return [String]
|
|
5404
|
+
#
|
|
5405
|
+
# @!attribute [rw] key_id
|
|
5406
|
+
# The KMS key that will be used in the verification.
|
|
5407
|
+
#
|
|
5408
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
|
5409
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
|
5410
|
+
# @return [String]
|
|
5411
|
+
#
|
|
5412
|
+
# @!attribute [rw] mac_algorithm
|
|
5413
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
|
5414
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
|
5415
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
|
5416
|
+
# parameter.
|
|
5417
|
+
# @return [String]
|
|
5418
|
+
#
|
|
5419
|
+
# @!attribute [rw] mac
|
|
5420
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
|
5421
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
|
5422
|
+
# key, and MAC algorithm as the values specified in this request.
|
|
5423
|
+
# @return [String]
|
|
5424
|
+
#
|
|
5425
|
+
# @!attribute [rw] grant_tokens
|
|
5426
|
+
# A list of grant tokens.
|
|
5427
|
+
#
|
|
5428
|
+
# Use a grant token when your permission to call this operation comes
|
|
5429
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
5430
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
5431
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
5432
|
+
#
|
|
5433
|
+
#
|
|
5434
|
+
#
|
|
5435
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5436
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
5437
|
+
# @return [Array<String>]
|
|
5438
|
+
#
|
|
5439
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
5440
|
+
#
|
|
5441
|
+
class VerifyMacRequest < Struct.new(
|
|
5442
|
+
:message,
|
|
5443
|
+
:key_id,
|
|
5444
|
+
:mac_algorithm,
|
|
5445
|
+
:mac,
|
|
5446
|
+
:grant_tokens)
|
|
5447
|
+
SENSITIVE = [:message]
|
|
5448
|
+
include Aws::Structure
|
|
5449
|
+
end
|
|
5450
|
+
|
|
5451
|
+
# @!attribute [rw] key_id
|
|
5452
|
+
# The HMAC KMS key used in the verification.
|
|
5453
|
+
# @return [String]
|
|
5454
|
+
#
|
|
5455
|
+
# @!attribute [rw] mac_valid
|
|
5456
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
|
5457
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
|
5458
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
|
5459
|
+
#
|
|
5460
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
|
5461
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
|
5462
|
+
# one or more of the inputs changed since the HMAC was computed.
|
|
5463
|
+
# @return [Boolean]
|
|
5464
|
+
#
|
|
5465
|
+
# @!attribute [rw] mac_algorithm
|
|
5466
|
+
# The MAC algorithm used in the verification.
|
|
5467
|
+
# @return [String]
|
|
5468
|
+
#
|
|
5469
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
|
5470
|
+
#
|
|
5471
|
+
class VerifyMacResponse < Struct.new(
|
|
5472
|
+
:key_id,
|
|
5473
|
+
:mac_valid,
|
|
5474
|
+
:mac_algorithm)
|
|
5475
|
+
SENSITIVE = []
|
|
5476
|
+
include Aws::Structure
|
|
5477
|
+
end
|
|
5478
|
+
|
|
5197
5479
|
# @note When making an API call, you may pass VerifyRequest
|
|
5198
5480
|
# data as a hash:
|
|
5199
5481
|
#
|