aws-sdk-kms 1.55.0 → 1.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1296 -621
- data/lib/aws-sdk-kms/client_api.rb +91 -3
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +576 -234
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -338,9 +338,9 @@ module Aws::KMS
|
|
|
338
338
|
#
|
|
339
339
|
# {
|
|
340
340
|
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
|
341
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
342
|
-
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
343
|
-
# key_store_password: "KeyStorePasswordType",
|
|
341
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
342
|
+
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
343
|
+
# key_store_password: "KeyStorePasswordType",
|
|
344
344
|
# }
|
|
345
345
|
#
|
|
346
346
|
# @!attribute [rw] custom_key_store_name
|
|
@@ -415,7 +415,7 @@ module Aws::KMS
|
|
|
415
415
|
# key_id: "KeyIdType", # required
|
|
416
416
|
# grantee_principal: "PrincipalIdType", # required
|
|
417
417
|
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
418
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
419
|
# constraints: {
|
|
420
420
|
# encryption_context_subset: {
|
|
421
421
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -491,12 +491,13 @@ module Aws::KMS
|
|
|
491
491
|
# @!attribute [rw] operations
|
|
492
492
|
# A list of operations that the grant permits.
|
|
493
493
|
#
|
|
494
|
-
#
|
|
495
|
-
#
|
|
496
|
-
#
|
|
497
|
-
#
|
|
498
|
-
#
|
|
499
|
-
#
|
|
494
|
+
# This list must include only operations that are permitted in a
|
|
495
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
|
496
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
|
497
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
|
498
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
|
499
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
|
500
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
|
500
501
|
#
|
|
501
502
|
#
|
|
502
503
|
#
|
|
@@ -509,27 +510,39 @@ module Aws::KMS
|
|
|
509
510
|
# KMS supports the `EncryptionContextEquals` and
|
|
510
511
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
|
511
512
|
# can include up to 8 encryption context pairs. The encryption context
|
|
512
|
-
# value in each constraint cannot exceed 384 characters.
|
|
513
|
+
# value in each constraint cannot exceed 384 characters. For
|
|
514
|
+
# information about grant constraints, see [Using grant
|
|
515
|
+
# constraints][1] in the *Key Management Service Developer Guide*. For
|
|
516
|
+
# more information about encryption context, see [Encryption
|
|
517
|
+
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
518
|
+
# </i>.
|
|
513
519
|
#
|
|
514
|
-
#
|
|
515
|
-
# the encryption context in the request matches
|
|
520
|
+
# The encryption context grant constraints allow the permissions in
|
|
521
|
+
# the grant only when the encryption context in the request matches
|
|
516
522
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
517
|
-
# the encryption context specified in this structure.
|
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
|
523
|
+
# the encryption context specified in this structure.
|
|
522
524
|
#
|
|
523
525
|
# The encryption context grant constraints are supported only on
|
|
524
|
-
# operations that include an
|
|
525
|
-
#
|
|
526
|
-
# with
|
|
527
|
-
#
|
|
526
|
+
# [grant operations][3] that include an `EncryptionContext` parameter,
|
|
527
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
|
528
|
+
# Grants with grant constraints can include the DescribeKey and
|
|
529
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
|
530
|
+
# operations. If a grant with a grant constraint includes the
|
|
531
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
|
532
|
+
# created with the `CreateGrant` permission have an equally strict or
|
|
533
|
+
# stricter encryption context constraint.
|
|
534
|
+
#
|
|
535
|
+
# You cannot use an encryption context grant constraint for
|
|
536
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
537
|
+
# These keys don't support an encryption context.
|
|
538
|
+
#
|
|
539
|
+
#
|
|
528
540
|
#
|
|
529
541
|
#
|
|
530
542
|
#
|
|
531
543
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
532
544
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
545
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
533
546
|
# @return [Types::GrantConstraints]
|
|
534
547
|
#
|
|
535
548
|
# @!attribute [rw] grant_tokens
|
|
@@ -613,9 +626,9 @@ module Aws::KMS
|
|
|
613
626
|
# {
|
|
614
627
|
# policy: "PolicyType",
|
|
615
628
|
# description: "DescriptionType",
|
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
629
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
631
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
619
632
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
620
633
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
621
634
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -629,16 +642,19 @@ module Aws::KMS
|
|
|
629
642
|
# }
|
|
630
643
|
#
|
|
631
644
|
# @!attribute [rw] policy
|
|
632
|
-
# The key policy to attach to the KMS key.
|
|
645
|
+
# The key policy to attach to the KMS key. If you do not specify a key
|
|
646
|
+
# policy, KMS attaches a default key policy to the KMS key. For more
|
|
647
|
+
# information, see [Default key policy][1] in the *Key Management
|
|
648
|
+
# Service Developer Guide*.
|
|
633
649
|
#
|
|
634
650
|
# If you provide a key policy, it must meet the following criteria:
|
|
635
651
|
#
|
|
636
|
-
# * If you don't set `BypassPolicyLockoutSafetyCheck` to
|
|
652
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
|
|
637
653
|
# key policy must allow the principal that is making the `CreateKey`
|
|
638
654
|
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
|
639
655
|
# This reduces the risk that the KMS key becomes unmanageable. For
|
|
640
656
|
# more information, refer to the scenario in the [Default Key
|
|
641
|
-
# Policy][
|
|
657
|
+
# Policy][2] section of the <i> <i>Key Management Service Developer
|
|
642
658
|
# Guide</i> </i>.
|
|
643
659
|
#
|
|
644
660
|
# * Each statement in the key policy must contain one or more
|
|
@@ -648,25 +664,33 @@ module Aws::KMS
|
|
|
648
664
|
# enforce a delay before including the new principal in a key policy
|
|
649
665
|
# because the new principal might not be immediately visible to KMS.
|
|
650
666
|
# For more information, see [Changes that I make are not always
|
|
651
|
-
# immediately visible][
|
|
667
|
+
# immediately visible][3] in the *Amazon Web Services Identity and
|
|
652
668
|
# Access Management User Guide*.
|
|
653
669
|
#
|
|
654
|
-
#
|
|
655
|
-
# policy to the KMS key. For more information, see [Default Key
|
|
656
|
-
# Policy][3] in the *Key Management Service Developer Guide*.
|
|
670
|
+
# A key policy document can include only the following characters:
|
|
657
671
|
#
|
|
658
|
-
#
|
|
672
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
673
|
+
# through the end of the ASCII character range.
|
|
659
674
|
#
|
|
660
|
-
#
|
|
661
|
-
#
|
|
662
|
-
# Management User Guide</i> </i>.
|
|
675
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
676
|
+
# character set (through `\u00FF`).
|
|
663
677
|
#
|
|
678
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
679
|
+
# (`\u000D`) special characters
|
|
664
680
|
#
|
|
681
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
682
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
683
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
684
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
685
|
+
# Guide</i> </i>.
|
|
665
686
|
#
|
|
666
|
-
#
|
|
667
|
-
#
|
|
668
|
-
# [
|
|
669
|
-
# [
|
|
687
|
+
#
|
|
688
|
+
#
|
|
689
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
690
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
691
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
692
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
693
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
670
694
|
# @return [String]
|
|
671
695
|
#
|
|
672
696
|
# @!attribute [rw] description
|
|
@@ -683,20 +707,26 @@ module Aws::KMS
|
|
|
683
707
|
# @!attribute [rw] key_usage
|
|
684
708
|
# Determines the [cryptographic operations][1] for which you can use
|
|
685
709
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
686
|
-
# is
|
|
687
|
-
#
|
|
710
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
|
711
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
|
712
|
+
# after the KMS key is created.
|
|
688
713
|
#
|
|
689
714
|
# Select only one valid value.
|
|
690
715
|
#
|
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
|
716
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
|
692
717
|
# `ENCRYPT_DECRYPT`.
|
|
693
718
|
#
|
|
719
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
720
|
+
#
|
|
694
721
|
# * For asymmetric KMS keys with RSA key material, specify
|
|
695
722
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
696
723
|
#
|
|
697
724
|
# * For asymmetric KMS keys with ECC key material, specify
|
|
698
725
|
# `SIGN_VERIFY`.
|
|
699
726
|
#
|
|
727
|
+
# * For asymmetric KMS keys with SM2 key material (China Regions
|
|
728
|
+
# only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
729
|
+
#
|
|
700
730
|
#
|
|
701
731
|
#
|
|
702
732
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
|
@@ -713,35 +743,45 @@ module Aws::KMS
|
|
|
713
743
|
#
|
|
714
744
|
# @!attribute [rw] key_spec
|
|
715
745
|
# Specifies the type of KMS key to create. The default value,
|
|
716
|
-
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit
|
|
717
|
-
# for encryption and decryption
|
|
718
|
-
#
|
|
719
|
-
#
|
|
746
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
|
|
747
|
+
# that is used for encryption and decryption, except in China Regions,
|
|
748
|
+
# where it creates a 128-bit symmetric key that uses SM4 encryption.
|
|
749
|
+
# For help choosing a key spec for your KMS key, see [Choosing a KMS
|
|
750
|
+
# key type][1] in the <i> <i>Key Management Service Developer
|
|
751
|
+
# Guide</i> </i>.
|
|
720
752
|
#
|
|
721
753
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
|
723
|
-
# algorithms
|
|
724
|
-
#
|
|
725
|
-
#
|
|
726
|
-
#
|
|
727
|
-
#
|
|
728
|
-
# the <i> <i>Key Management Service Developer
|
|
729
|
-
#
|
|
730
|
-
#
|
|
731
|
-
#
|
|
732
|
-
#
|
|
733
|
-
#
|
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
|
735
|
-
# Guide*.
|
|
754
|
+
# key or an asymmetric key pair. It also determines the cryptographic
|
|
755
|
+
# algorithms that the KMS key supports. You can't change the
|
|
756
|
+
# `KeySpec` after the KMS key is created. To further restrict the
|
|
757
|
+
# algorithms that can be used with the KMS key, use a condition key in
|
|
758
|
+
# its key policy or IAM policy. For more information, see
|
|
759
|
+
# [kms:EncryptionAlgorithm][2], [kms:MacAlgorithm][3] or [kms:Signing
|
|
760
|
+
# Algorithm][4] in the <i> <i>Key Management Service Developer
|
|
761
|
+
# Guide</i> </i>.
|
|
762
|
+
#
|
|
763
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
764
|
+
# symmetric encryption KMS keys to protect your data. These services
|
|
765
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
736
766
|
#
|
|
737
767
|
# KMS supports the following key specs for KMS keys:
|
|
738
768
|
#
|
|
739
|
-
# * Symmetric key (default)
|
|
769
|
+
# * Symmetric encryption key (default)
|
|
740
770
|
#
|
|
741
|
-
# * `SYMMETRIC_DEFAULT`
|
|
771
|
+
# * `SYMMETRIC_DEFAULT`
|
|
742
772
|
#
|
|
743
773
|
# ^
|
|
744
774
|
#
|
|
775
|
+
# * HMAC keys (symmetric)
|
|
776
|
+
#
|
|
777
|
+
# * `HMAC_224`
|
|
778
|
+
#
|
|
779
|
+
# * `HMAC_256`
|
|
780
|
+
#
|
|
781
|
+
# * `HMAC_384`
|
|
782
|
+
#
|
|
783
|
+
# * `HMAC_512`
|
|
784
|
+
#
|
|
745
785
|
# * Asymmetric RSA key pairs
|
|
746
786
|
#
|
|
747
787
|
# * `RSA_2048`
|
|
@@ -765,13 +805,19 @@ module Aws::KMS
|
|
|
765
805
|
#
|
|
766
806
|
# ^
|
|
767
807
|
#
|
|
808
|
+
# * SM2 key pairs (China Regions only)
|
|
809
|
+
#
|
|
810
|
+
# * `SM2`
|
|
811
|
+
#
|
|
812
|
+
# ^
|
|
813
|
+
#
|
|
768
814
|
#
|
|
769
815
|
#
|
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
|
816
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
771
817
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
|
773
|
-
# [4]:
|
|
774
|
-
# [5]:
|
|
818
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
|
819
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
|
820
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
775
821
|
# @return [String]
|
|
776
822
|
#
|
|
777
823
|
# @!attribute [rw] origin
|
|
@@ -783,13 +829,13 @@ module Aws::KMS
|
|
|
783
829
|
# material), set the value to `EXTERNAL`. For more information about
|
|
784
830
|
# importing key material into KMS, see [Importing Key Material][1] in
|
|
785
831
|
# the *Key Management Service Developer Guide*. This value is valid
|
|
786
|
-
# only for symmetric KMS keys.
|
|
832
|
+
# only for symmetric encryption KMS keys.
|
|
787
833
|
#
|
|
788
834
|
# To create a KMS key in an KMS [custom key store][2] and create its
|
|
789
835
|
# key material in the associated CloudHSM cluster, set this value to
|
|
790
836
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
791
837
|
# to identify the custom key store. This value is valid only for
|
|
792
|
-
# symmetric KMS keys.
|
|
838
|
+
# symmetric encryption KMS keys.
|
|
793
839
|
#
|
|
794
840
|
#
|
|
795
841
|
#
|
|
@@ -805,9 +851,9 @@ module Aws::KMS
|
|
|
805
851
|
# associated with the custom key store must have at least two active
|
|
806
852
|
# HSMs, each in a different Availability Zone in the Region.
|
|
807
853
|
#
|
|
808
|
-
# This parameter is valid only for symmetric KMS keys
|
|
809
|
-
#
|
|
810
|
-
#
|
|
854
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
855
|
+
# single Region. You cannot create any other type of KMS key in a
|
|
856
|
+
# custom key store.
|
|
811
857
|
#
|
|
812
858
|
# To find the ID of a custom key store, use the
|
|
813
859
|
# DescribeCustomKeyStores operation.
|
|
@@ -815,7 +861,7 @@ module Aws::KMS
|
|
|
815
861
|
# The response includes the custom key store ID and the ID of the
|
|
816
862
|
# CloudHSM cluster.
|
|
817
863
|
#
|
|
818
|
-
# This operation is part of the [
|
|
864
|
+
# This operation is part of the [custom key store feature][1] feature
|
|
819
865
|
# in KMS, which combines the convenience and extensive integration of
|
|
820
866
|
# KMS with the isolation and control of a single-tenant key store.
|
|
821
867
|
#
|
|
@@ -853,8 +899,8 @@ module Aws::KMS
|
|
|
853
899
|
# TagResource operation.
|
|
854
900
|
#
|
|
855
901
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
856
|
-
# KMS key. For details, see [
|
|
857
|
-
#
|
|
902
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
903
|
+
# Service Developer Guide*.
|
|
858
904
|
#
|
|
859
905
|
# </note>
|
|
860
906
|
#
|
|
@@ -895,15 +941,16 @@ module Aws::KMS
|
|
|
895
941
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
896
942
|
# a different Amazon Web Services Region without re-encrypting the
|
|
897
943
|
# data or making a cross-Region call. For more information about
|
|
898
|
-
# multi-Region keys, see [
|
|
944
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
|
899
945
|
# Management Service Developer Guide*.
|
|
900
946
|
#
|
|
901
947
|
# This value creates a *primary key*, not a replica. To create a
|
|
902
948
|
# *replica key*, use the ReplicateKey operation.
|
|
903
949
|
#
|
|
904
|
-
# You can create a
|
|
905
|
-
#
|
|
906
|
-
# you cannot create a multi-Region key
|
|
950
|
+
# You can create a multi-Region version of a symmetric encryption KMS
|
|
951
|
+
# key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
|
|
952
|
+
# imported key material. However, you cannot create a multi-Region key
|
|
953
|
+
# in a custom key store.
|
|
907
954
|
#
|
|
908
955
|
#
|
|
909
956
|
#
|
|
@@ -1160,7 +1207,7 @@ module Aws::KMS
|
|
|
1160
1207
|
# },
|
|
1161
1208
|
# grant_tokens: ["GrantTokenType"],
|
|
1162
1209
|
# key_id: "KeyIdType",
|
|
1163
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
1210
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1164
1211
|
# }
|
|
1165
1212
|
#
|
|
1166
1213
|
# @!attribute [rw] ciphertext_blob
|
|
@@ -1170,17 +1217,20 @@ module Aws::KMS
|
|
|
1170
1217
|
# @!attribute [rw] encryption_context
|
|
1171
1218
|
# Specifies the encryption context to use when decrypting the data. An
|
|
1172
1219
|
# encryption context is valid only for [cryptographic operations][1]
|
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
|
1174
|
-
# algorithms that KMS uses do not
|
|
1220
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
|
1221
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
|
1222
|
+
# support an encryption context.
|
|
1175
1223
|
#
|
|
1176
1224
|
# An *encryption context* is a collection of non-secret key-value
|
|
1177
|
-
# pairs that
|
|
1225
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1178
1226
|
# encryption context to encrypt data, you must specify the same (an
|
|
1179
1227
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1180
|
-
# An encryption context is
|
|
1181
|
-
# KMS
|
|
1228
|
+
# An encryption context is supported only on operations with symmetric
|
|
1229
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1230
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1231
|
+
# recommended.
|
|
1182
1232
|
#
|
|
1183
|
-
# For more information, see [Encryption
|
|
1233
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1184
1234
|
# Management Service Developer Guide*.
|
|
1185
1235
|
#
|
|
1186
1236
|
#
|
|
@@ -1204,15 +1254,18 @@ module Aws::KMS
|
|
|
1204
1254
|
# @return [Array<String>]
|
|
1205
1255
|
#
|
|
1206
1256
|
# @!attribute [rw] key_id
|
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1208
|
-
#
|
|
1257
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1258
|
+
#
|
|
1259
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
1260
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
|
1261
|
+
# operation throws an `IncorrectKeyException`.
|
|
1209
1262
|
#
|
|
1210
1263
|
# This parameter is required only when the ciphertext was encrypted
|
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
|
1215
|
-
# intend.
|
|
1264
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
1265
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
1266
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
1267
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
1268
|
+
# you intend.
|
|
1216
1269
|
#
|
|
1217
1270
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1218
1271
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1243,7 +1296,7 @@ module Aws::KMS
|
|
|
1243
1296
|
# This parameter is required only when the ciphertext was encrypted
|
|
1244
1297
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
|
1245
1298
|
# represents the only supported algorithm that is valid for symmetric
|
|
1246
|
-
# KMS keys.
|
|
1299
|
+
# encryption KMS keys.
|
|
1247
1300
|
# @return [String]
|
|
1248
1301
|
#
|
|
1249
1302
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
@@ -1570,9 +1623,10 @@ module Aws::KMS
|
|
|
1570
1623
|
# }
|
|
1571
1624
|
#
|
|
1572
1625
|
# @!attribute [rw] key_id
|
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
|
1575
|
-
# [imported key material][
|
|
1626
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1627
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1628
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1629
|
+
# [custom key store][4].
|
|
1576
1630
|
#
|
|
1577
1631
|
# Specify the key ID or key ARN of the KMS key.
|
|
1578
1632
|
#
|
|
@@ -1589,8 +1643,9 @@ module Aws::KMS
|
|
|
1589
1643
|
#
|
|
1590
1644
|
#
|
|
1591
1645
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1646
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1647
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1648
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1594
1649
|
# @return [String]
|
|
1595
1650
|
#
|
|
1596
1651
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1678,11 +1733,12 @@ module Aws::KMS
|
|
|
1678
1733
|
# }
|
|
1679
1734
|
#
|
|
1680
1735
|
# @!attribute [rw] key_id
|
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
|
1682
|
-
# of [asymmetric KMS keys][1],
|
|
1683
|
-
#
|
|
1684
|
-
#
|
|
1685
|
-
#
|
|
1736
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1737
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1738
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1739
|
+
# [custom key store][4]. The key rotation status of these KMS keys is
|
|
1740
|
+
# always `false`. To enable or disable automatic rotation of a set of
|
|
1741
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
|
1686
1742
|
#
|
|
1687
1743
|
# Specify the key ID or key ARN of the KMS key.
|
|
1688
1744
|
#
|
|
@@ -1698,10 +1754,11 @@ module Aws::KMS
|
|
|
1698
1754
|
#
|
|
1699
1755
|
#
|
|
1700
1756
|
#
|
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1757
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1758
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1759
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1760
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1761
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
|
1705
1762
|
# @return [String]
|
|
1706
1763
|
#
|
|
1707
1764
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1722,11 +1779,13 @@ module Aws::KMS
|
|
|
1722
1779
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1723
1780
|
# },
|
|
1724
1781
|
# grant_tokens: ["GrantTokenType"],
|
|
1725
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
1782
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1726
1783
|
# }
|
|
1727
1784
|
#
|
|
1728
1785
|
# @!attribute [rw] key_id
|
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
|
1786
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1787
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
1788
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
|
1730
1789
|
#
|
|
1731
1790
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1732
1791
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1755,18 +1814,20 @@ module Aws::KMS
|
|
|
1755
1814
|
# @!attribute [rw] encryption_context
|
|
1756
1815
|
# Specifies the encryption context that will be used to encrypt the
|
|
1757
1816
|
# data. An encryption context is valid only for [cryptographic
|
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
|
1759
|
-
# encryption algorithms that KMS uses
|
|
1760
|
-
# context.
|
|
1817
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
|
1818
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
|
1819
|
+
# do not support an encryption context.
|
|
1761
1820
|
#
|
|
1762
1821
|
# An *encryption context* is a collection of non-secret key-value
|
|
1763
|
-
# pairs that
|
|
1822
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1764
1823
|
# encryption context to encrypt data, you must specify the same (an
|
|
1765
1824
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1766
|
-
# An encryption context is
|
|
1767
|
-
# KMS
|
|
1825
|
+
# An encryption context is supported only on operations with symmetric
|
|
1826
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1827
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1828
|
+
# recommended.
|
|
1768
1829
|
#
|
|
1769
|
-
# For more information, see [Encryption
|
|
1830
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1770
1831
|
# Management Service Developer Guide*.
|
|
1771
1832
|
#
|
|
1772
1833
|
#
|
|
@@ -1795,9 +1856,9 @@ module Aws::KMS
|
|
|
1795
1856
|
# that you specify.
|
|
1796
1857
|
#
|
|
1797
1858
|
# This parameter is required only for asymmetric KMS keys. The default
|
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
|
1859
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1860
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1861
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
|
1801
1862
|
# @return [String]
|
|
1802
1863
|
#
|
|
1803
1864
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1865,7 +1926,7 @@ module Aws::KMS
|
|
|
1865
1926
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1866
1927
|
# },
|
|
1867
1928
|
# key_id: "KeyIdType", # required
|
|
1868
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
1929
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
1869
1930
|
# grant_tokens: ["GrantTokenType"],
|
|
1870
1931
|
# }
|
|
1871
1932
|
#
|
|
@@ -1874,13 +1935,15 @@ module Aws::KMS
|
|
|
1874
1935
|
# the private key in the data key pair.
|
|
1875
1936
|
#
|
|
1876
1937
|
# An *encryption context* is a collection of non-secret key-value
|
|
1877
|
-
# pairs that
|
|
1938
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1878
1939
|
# encryption context to encrypt data, you must specify the same (an
|
|
1879
1940
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1880
|
-
# An encryption context is
|
|
1881
|
-
# KMS
|
|
1941
|
+
# An encryption context is supported only on operations with symmetric
|
|
1942
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1943
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1944
|
+
# recommended.
|
|
1882
1945
|
#
|
|
1883
|
-
# For more information, see [Encryption
|
|
1946
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
1884
1947
|
# Management Service Developer Guide*.
|
|
1885
1948
|
#
|
|
1886
1949
|
#
|
|
@@ -1889,10 +1952,10 @@ module Aws::KMS
|
|
|
1889
1952
|
# @return [Hash<String,String>]
|
|
1890
1953
|
#
|
|
1891
1954
|
# @!attribute [rw] key_id
|
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
|
1894
|
-
# in a custom key store. To get the type and origin of
|
|
1895
|
-
# use the DescribeKey operation.
|
|
1955
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
1956
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
1957
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
1958
|
+
# your KMS key, use the DescribeKey operation.
|
|
1896
1959
|
#
|
|
1897
1960
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1898
1961
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1917,10 +1980,12 @@ module Aws::KMS
|
|
|
1917
1980
|
# @!attribute [rw] key_pair_spec
|
|
1918
1981
|
# Determines the type of data key pair that is generated.
|
|
1919
1982
|
#
|
|
1920
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
|
1921
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
|
1922
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
|
1923
|
-
# are not effective on data key pairs, which are used outside
|
|
1983
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
1984
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
1985
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
1986
|
+
# verify, are not effective on data key pairs, which are used outside
|
|
1987
|
+
# of KMS. The SM2 key spec is only available in China Regions. RSA and
|
|
1988
|
+
# ECC asymmetric key pairs are also available in China Regions.
|
|
1924
1989
|
# @return [String]
|
|
1925
1990
|
#
|
|
1926
1991
|
# @!attribute [rw] grant_tokens
|
|
@@ -1961,7 +2026,9 @@ module Aws::KMS
|
|
|
1961
2026
|
# @return [String]
|
|
1962
2027
|
#
|
|
1963
2028
|
# @!attribute [rw] public_key
|
|
1964
|
-
# The public key (in plaintext).
|
|
2029
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2030
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2031
|
+
# is not Base64-encoded.
|
|
1965
2032
|
# @return [String]
|
|
1966
2033
|
#
|
|
1967
2034
|
# @!attribute [rw] key_id
|
|
@@ -1997,7 +2064,7 @@ module Aws::KMS
|
|
|
1997
2064
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1998
2065
|
# },
|
|
1999
2066
|
# key_id: "KeyIdType", # required
|
|
2000
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
2067
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
2001
2068
|
# grant_tokens: ["GrantTokenType"],
|
|
2002
2069
|
# }
|
|
2003
2070
|
#
|
|
@@ -2006,13 +2073,15 @@ module Aws::KMS
|
|
|
2006
2073
|
# the private key in the data key pair.
|
|
2007
2074
|
#
|
|
2008
2075
|
# An *encryption context* is a collection of non-secret key-value
|
|
2009
|
-
# pairs that
|
|
2076
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2010
2077
|
# encryption context to encrypt data, you must specify the same (an
|
|
2011
2078
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2012
|
-
# An encryption context is
|
|
2013
|
-
# KMS
|
|
2079
|
+
# An encryption context is supported only on operations with symmetric
|
|
2080
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2081
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2082
|
+
# recommended.
|
|
2014
2083
|
#
|
|
2015
|
-
# For more information, see [Encryption
|
|
2084
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2016
2085
|
# Management Service Developer Guide*.
|
|
2017
2086
|
#
|
|
2018
2087
|
#
|
|
@@ -2021,10 +2090,10 @@ module Aws::KMS
|
|
|
2021
2090
|
# @return [Hash<String,String>]
|
|
2022
2091
|
#
|
|
2023
2092
|
# @!attribute [rw] key_id
|
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
|
2025
|
-
# pair. You
|
|
2026
|
-
#
|
|
2027
|
-
#
|
|
2093
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
2094
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
2095
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
2096
|
+
# your KMS key, use the DescribeKey operation.
|
|
2028
2097
|
#
|
|
2029
2098
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2030
2099
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2049,10 +2118,12 @@ module Aws::KMS
|
|
|
2049
2118
|
# @!attribute [rw] key_pair_spec
|
|
2050
2119
|
# Determines the type of data key pair that is generated.
|
|
2051
2120
|
#
|
|
2052
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
|
2053
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
|
2054
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
|
2055
|
-
# are not effective on data key pairs, which are used outside
|
|
2121
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
2122
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
2123
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
2124
|
+
# verify, are not effective on data key pairs, which are used outside
|
|
2125
|
+
# of KMS. The SM2 key spec is only available in China Regions. RSA and
|
|
2126
|
+
# ECC asymmetric key pairs are also available in China Regions.
|
|
2056
2127
|
# @return [String]
|
|
2057
2128
|
#
|
|
2058
2129
|
# @!attribute [rw] grant_tokens
|
|
@@ -2087,7 +2158,9 @@ module Aws::KMS
|
|
|
2087
2158
|
# @return [String]
|
|
2088
2159
|
#
|
|
2089
2160
|
# @!attribute [rw] public_key
|
|
2090
|
-
# The public key (in plaintext).
|
|
2161
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2162
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2163
|
+
# is not Base64-encoded.
|
|
2091
2164
|
# @return [String]
|
|
2092
2165
|
#
|
|
2093
2166
|
# @!attribute [rw] key_id
|
|
@@ -2128,7 +2201,10 @@ module Aws::KMS
|
|
|
2128
2201
|
# }
|
|
2129
2202
|
#
|
|
2130
2203
|
# @!attribute [rw] key_id
|
|
2131
|
-
#
|
|
2204
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2205
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2206
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2207
|
+
# the DescribeKey operation.
|
|
2132
2208
|
#
|
|
2133
2209
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2134
2210
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2155,13 +2231,15 @@ module Aws::KMS
|
|
|
2155
2231
|
# the data key.
|
|
2156
2232
|
#
|
|
2157
2233
|
# An *encryption context* is a collection of non-secret key-value
|
|
2158
|
-
# pairs that
|
|
2234
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2159
2235
|
# encryption context to encrypt data, you must specify the same (an
|
|
2160
2236
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2161
|
-
# An encryption context is
|
|
2162
|
-
# KMS
|
|
2237
|
+
# An encryption context is supported only on operations with symmetric
|
|
2238
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2239
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2240
|
+
# recommended.
|
|
2163
2241
|
#
|
|
2164
|
-
# For more information, see [Encryption
|
|
2242
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2165
2243
|
# Management Service Developer Guide*.
|
|
2166
2244
|
#
|
|
2167
2245
|
#
|
|
@@ -2260,7 +2338,10 @@ module Aws::KMS
|
|
|
2260
2338
|
# }
|
|
2261
2339
|
#
|
|
2262
2340
|
# @!attribute [rw] key_id
|
|
2263
|
-
#
|
|
2341
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2342
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2343
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2344
|
+
# the DescribeKey operation.
|
|
2264
2345
|
#
|
|
2265
2346
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2266
2347
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2287,13 +2368,15 @@ module Aws::KMS
|
|
|
2287
2368
|
# the data key.
|
|
2288
2369
|
#
|
|
2289
2370
|
# An *encryption context* is a collection of non-secret key-value
|
|
2290
|
-
# pairs that
|
|
2371
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2291
2372
|
# encryption context to encrypt data, you must specify the same (an
|
|
2292
2373
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2293
|
-
# An encryption context is
|
|
2294
|
-
# KMS
|
|
2374
|
+
# An encryption context is supported only on operations with symmetric
|
|
2375
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2376
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2377
|
+
# recommended.
|
|
2295
2378
|
#
|
|
2296
|
-
# For more information, see [Encryption
|
|
2379
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2297
2380
|
# Management Service Developer Guide*.
|
|
2298
2381
|
#
|
|
2299
2382
|
#
|
|
@@ -2363,6 +2446,93 @@ module Aws::KMS
|
|
|
2363
2446
|
include Aws::Structure
|
|
2364
2447
|
end
|
|
2365
2448
|
|
|
2449
|
+
# @note When making an API call, you may pass GenerateMacRequest
|
|
2450
|
+
# data as a hash:
|
|
2451
|
+
#
|
|
2452
|
+
# {
|
|
2453
|
+
# message: "data", # required
|
|
2454
|
+
# key_id: "KeyIdType", # required
|
|
2455
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2456
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2457
|
+
# }
|
|
2458
|
+
#
|
|
2459
|
+
# @!attribute [rw] message
|
|
2460
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2461
|
+
#
|
|
2462
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
|
2463
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
|
2464
|
+
# message, you must verify the HMAC of the same hash digest.
|
|
2465
|
+
# @return [String]
|
|
2466
|
+
#
|
|
2467
|
+
# @!attribute [rw] key_id
|
|
2468
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
|
2469
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
|
2470
|
+
#
|
|
2471
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
|
2472
|
+
# the `KeySpec` field in the response.
|
|
2473
|
+
#
|
|
2474
|
+
#
|
|
2475
|
+
#
|
|
2476
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2477
|
+
# @return [String]
|
|
2478
|
+
#
|
|
2479
|
+
# @!attribute [rw] mac_algorithm
|
|
2480
|
+
# The MAC algorithm used in the operation.
|
|
2481
|
+
#
|
|
2482
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
|
2483
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
|
2484
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
|
2485
|
+
# the `DescribeKey` response.
|
|
2486
|
+
# @return [String]
|
|
2487
|
+
#
|
|
2488
|
+
# @!attribute [rw] grant_tokens
|
|
2489
|
+
# A list of grant tokens.
|
|
2490
|
+
#
|
|
2491
|
+
# Use a grant token when your permission to call this operation comes
|
|
2492
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
2493
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
2494
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
2495
|
+
#
|
|
2496
|
+
#
|
|
2497
|
+
#
|
|
2498
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2499
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
2500
|
+
# @return [Array<String>]
|
|
2501
|
+
#
|
|
2502
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
2503
|
+
#
|
|
2504
|
+
class GenerateMacRequest < Struct.new(
|
|
2505
|
+
:message,
|
|
2506
|
+
:key_id,
|
|
2507
|
+
:mac_algorithm,
|
|
2508
|
+
:grant_tokens)
|
|
2509
|
+
SENSITIVE = [:message]
|
|
2510
|
+
include Aws::Structure
|
|
2511
|
+
end
|
|
2512
|
+
|
|
2513
|
+
# @!attribute [rw] mac
|
|
2514
|
+
# The hash-based message authentication code (HMAC) for the given
|
|
2515
|
+
# message, key, and MAC algorithm.
|
|
2516
|
+
# @return [String]
|
|
2517
|
+
#
|
|
2518
|
+
# @!attribute [rw] mac_algorithm
|
|
2519
|
+
# The MAC algorithm that was used to generate the HMAC.
|
|
2520
|
+
# @return [String]
|
|
2521
|
+
#
|
|
2522
|
+
# @!attribute [rw] key_id
|
|
2523
|
+
# The HMAC KMS key used in the operation.
|
|
2524
|
+
# @return [String]
|
|
2525
|
+
#
|
|
2526
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
|
2527
|
+
#
|
|
2528
|
+
class GenerateMacResponse < Struct.new(
|
|
2529
|
+
:mac,
|
|
2530
|
+
:mac_algorithm,
|
|
2531
|
+
:key_id)
|
|
2532
|
+
SENSITIVE = []
|
|
2533
|
+
include Aws::Structure
|
|
2534
|
+
end
|
|
2535
|
+
|
|
2366
2536
|
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2367
2537
|
# data as a hash:
|
|
2368
2538
|
#
|
|
@@ -2372,7 +2542,7 @@ module Aws::KMS
|
|
|
2372
2542
|
# }
|
|
2373
2543
|
#
|
|
2374
2544
|
# @!attribute [rw] number_of_bytes
|
|
2375
|
-
# The length of the byte string.
|
|
2545
|
+
# The length of the random byte string. This parameter is required.
|
|
2376
2546
|
# @return [Integer]
|
|
2377
2547
|
#
|
|
2378
2548
|
# @!attribute [rw] custom_key_store_id
|
|
@@ -2513,8 +2683,9 @@ module Aws::KMS
|
|
|
2513
2683
|
# }
|
|
2514
2684
|
#
|
|
2515
2685
|
# @!attribute [rw] key_id
|
|
2516
|
-
# The identifier of the symmetric KMS key into which you
|
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
|
2686
|
+
# The identifier of the symmetric encryption KMS key into which you
|
|
2687
|
+
# will import key material. The `Origin` of the KMS key must be
|
|
2688
|
+
# `EXTERNAL`.
|
|
2518
2689
|
#
|
|
2519
2690
|
# Specify the key ID or key ARN of the KMS key.
|
|
2520
2691
|
#
|
|
@@ -2729,10 +2900,11 @@ module Aws::KMS
|
|
|
2729
2900
|
#
|
|
2730
2901
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2731
2902
|
# that support an encryption context, that is, all cryptographic
|
|
2732
|
-
# operations with a [symmetric KMS key][3]. Grant constraints
|
|
2733
|
-
# applied to operations that do not support an encryption
|
|
2734
|
-
# as cryptographic operations with
|
|
2735
|
-
# operations, such as DescribeKey or
|
|
2903
|
+
# operations with a [symmetric encryption KMS key][3]. Grant constraints
|
|
2904
|
+
# are not applied to operations that do not support an encryption
|
|
2905
|
+
# context, such as cryptographic operations with HMAC KMS keys or
|
|
2906
|
+
# asymmetric KMS keys, and management operations, such as DescribeKey or
|
|
2907
|
+
# RetireGrant.
|
|
2736
2908
|
#
|
|
2737
2909
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2738
2910
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2880,10 +3052,13 @@ module Aws::KMS
|
|
|
2880
3052
|
# }
|
|
2881
3053
|
#
|
|
2882
3054
|
# @!attribute [rw] key_id
|
|
2883
|
-
# The identifier of the symmetric KMS key that receives the
|
|
2884
|
-
# key material.
|
|
2885
|
-
#
|
|
2886
|
-
#
|
|
3055
|
+
# The identifier of the symmetric encryption KMS key that receives the
|
|
3056
|
+
# imported key material. This must be the same KMS key specified in
|
|
3057
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
|
3058
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
|
|
3059
|
+
# perform this operation on an asymmetric KMS key, an HMAC KMS key, a
|
|
3060
|
+
# KMS key in a custom key store, or on a KMS key in a different Amazon
|
|
3061
|
+
# Web Services account
|
|
2887
3062
|
#
|
|
2888
3063
|
# Specify the key ID or key ARN of the KMS key.
|
|
2889
3064
|
#
|
|
@@ -3095,9 +3270,11 @@ module Aws::KMS
|
|
|
3095
3270
|
# key `(KeySpec`).
|
|
3096
3271
|
#
|
|
3097
3272
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
|
3100
|
-
#
|
|
3273
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3274
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3275
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3276
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
|
3277
|
+
# DescribeKey operation.
|
|
3101
3278
|
#
|
|
3102
3279
|
# To find the encryption or signing algorithms supported for a
|
|
3103
3280
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3141,6 +3318,22 @@ module Aws::KMS
|
|
|
3141
3318
|
include Aws::Structure
|
|
3142
3319
|
end
|
|
3143
3320
|
|
|
3321
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
|
3322
|
+
# verification fails when the HMAC computed by using the specified
|
|
3323
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
|
3324
|
+
# specified in the request.
|
|
3325
|
+
#
|
|
3326
|
+
# @!attribute [rw] message
|
|
3327
|
+
# @return [String]
|
|
3328
|
+
#
|
|
3329
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
|
3330
|
+
#
|
|
3331
|
+
class KMSInvalidMacException < Struct.new(
|
|
3332
|
+
:message)
|
|
3333
|
+
SENSITIVE = []
|
|
3334
|
+
include Aws::Structure
|
|
3335
|
+
end
|
|
3336
|
+
|
|
3144
3337
|
# The request was rejected because the signature verification failed.
|
|
3145
3338
|
# Signature verification fails when it cannot confirm that signature was
|
|
3146
3339
|
# produced by signing the specified message with the specified KMS key
|
|
@@ -3161,8 +3354,8 @@ module Aws::KMS
|
|
|
3161
3354
|
# is not valid for this request.
|
|
3162
3355
|
#
|
|
3163
3356
|
# For more information about how key state affects the use of a KMS key,
|
|
3164
|
-
# see [Key
|
|
3165
|
-
#
|
|
3357
|
+
# see [Key states of KMS keys][1] in the <i> <i>Key Management Service
|
|
3358
|
+
# Developer Guide</i> </i>.
|
|
3166
3359
|
#
|
|
3167
3360
|
#
|
|
3168
3361
|
#
|
|
@@ -3247,8 +3440,8 @@ module Aws::KMS
|
|
|
3247
3440
|
# The current status of the KMS key.
|
|
3248
3441
|
#
|
|
3249
3442
|
# For more information about how key state affects the use of a KMS
|
|
3250
|
-
# key, see [Key
|
|
3251
|
-
#
|
|
3443
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
3444
|
+
# Developer Guide*.
|
|
3252
3445
|
#
|
|
3253
3446
|
#
|
|
3254
3447
|
#
|
|
@@ -3355,9 +3548,8 @@ module Aws::KMS
|
|
|
3355
3548
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
3356
3549
|
# replica keys and `False` for regional KMS keys.
|
|
3357
3550
|
#
|
|
3358
|
-
# For more information about multi-Region keys, see [
|
|
3359
|
-
#
|
|
3360
|
-
# Guide*.
|
|
3551
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
|
3552
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
3361
3553
|
#
|
|
3362
3554
|
#
|
|
3363
3555
|
#
|
|
@@ -3402,6 +3594,14 @@ module Aws::KMS
|
|
|
3402
3594
|
# the deletion date appears in the `DeletionDate` field.
|
|
3403
3595
|
# @return [Integer]
|
|
3404
3596
|
#
|
|
3597
|
+
# @!attribute [rw] mac_algorithms
|
|
3598
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
|
3599
|
+
# key supports.
|
|
3600
|
+
#
|
|
3601
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
|
3602
|
+
# `GENERATE_VERIFY_MAC`.
|
|
3603
|
+
# @return [Array<String>]
|
|
3604
|
+
#
|
|
3405
3605
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3406
3606
|
#
|
|
3407
3607
|
class KeyMetadata < Struct.new(
|
|
@@ -3426,7 +3626,8 @@ module Aws::KMS
|
|
|
3426
3626
|
:signing_algorithms,
|
|
3427
3627
|
:multi_region,
|
|
3428
3628
|
:multi_region_configuration,
|
|
3429
|
-
:pending_deletion_window_in_days
|
|
3629
|
+
:pending_deletion_window_in_days,
|
|
3630
|
+
:mac_algorithms)
|
|
3430
3631
|
SENSITIVE = []
|
|
3431
3632
|
include Aws::Structure
|
|
3432
3633
|
end
|
|
@@ -3834,8 +4035,8 @@ module Aws::KMS
|
|
|
3834
4035
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
3835
4036
|
#
|
|
3836
4037
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
3837
|
-
# KMS key. For details, see [
|
|
3838
|
-
#
|
|
4038
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4039
|
+
# Service Developer Guide*.
|
|
3839
4040
|
#
|
|
3840
4041
|
# </note>
|
|
3841
4042
|
#
|
|
@@ -4054,15 +4255,29 @@ module Aws::KMS
|
|
|
4054
4255
|
# immediately visible][2] in the *Amazon Web Services Identity and
|
|
4055
4256
|
# Access Management User Guide*.
|
|
4056
4257
|
#
|
|
4057
|
-
#
|
|
4058
|
-
#
|
|
4059
|
-
#
|
|
4258
|
+
# A key policy document can include only the following characters:
|
|
4259
|
+
#
|
|
4260
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
4261
|
+
# through the end of the ASCII character range.
|
|
4262
|
+
#
|
|
4263
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
4264
|
+
# character set (through `\u00FF`).
|
|
4265
|
+
#
|
|
4266
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
4267
|
+
# (`\u000D`) special characters
|
|
4268
|
+
#
|
|
4269
|
+
# For information about key policies, see [Key policies in KMS][3] in
|
|
4270
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
4271
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4272
|
+
# Reference][4] in the <i> <i>Identity and Access Management User
|
|
4273
|
+
# Guide</i> </i>.
|
|
4060
4274
|
#
|
|
4061
4275
|
#
|
|
4062
4276
|
#
|
|
4063
4277
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
4064
4278
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4065
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4279
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
4280
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
4066
4281
|
# @return [String]
|
|
4067
4282
|
#
|
|
4068
4283
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4111,8 +4326,8 @@ module Aws::KMS
|
|
|
4111
4326
|
# destination_encryption_context: {
|
|
4112
4327
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
4113
4328
|
# },
|
|
4114
|
-
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
4115
|
-
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
4329
|
+
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4330
|
+
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4116
4331
|
# grant_tokens: ["GrantTokenType"],
|
|
4117
4332
|
# }
|
|
4118
4333
|
#
|
|
@@ -4126,13 +4341,15 @@ module Aws::KMS
|
|
|
4126
4341
|
# ciphertext.
|
|
4127
4342
|
#
|
|
4128
4343
|
# An *encryption context* is a collection of non-secret key-value
|
|
4129
|
-
# pairs that
|
|
4344
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4130
4345
|
# encryption context to encrypt data, you must specify the same (an
|
|
4131
4346
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4132
|
-
# An encryption context is
|
|
4133
|
-
# KMS
|
|
4347
|
+
# An encryption context is supported only on operations with symmetric
|
|
4348
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4349
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4350
|
+
# recommended.
|
|
4134
4351
|
#
|
|
4135
|
-
# For more information, see [Encryption
|
|
4352
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4136
4353
|
# Management Service Developer Guide*.
|
|
4137
4354
|
#
|
|
4138
4355
|
#
|
|
@@ -4142,15 +4359,18 @@ module Aws::KMS
|
|
|
4142
4359
|
#
|
|
4143
4360
|
# @!attribute [rw] source_key_id
|
|
4144
4361
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
|
4145
|
-
# before it is re-encrypted.
|
|
4146
|
-
#
|
|
4362
|
+
# before it is re-encrypted.
|
|
4363
|
+
#
|
|
4364
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
4365
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
|
4366
|
+
# operation throws an `IncorrectKeyException`.
|
|
4147
4367
|
#
|
|
4148
4368
|
# This parameter is required only when the ciphertext was encrypted
|
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
|
4153
|
-
# intend.
|
|
4369
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
4370
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
4371
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
4372
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
4373
|
+
# you intend.
|
|
4154
4374
|
#
|
|
4155
4375
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4156
4376
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4174,9 +4394,9 @@ module Aws::KMS
|
|
|
4174
4394
|
#
|
|
4175
4395
|
# @!attribute [rw] destination_key_id
|
|
4176
4396
|
# A unique identifier for the KMS key that is used to reencrypt the
|
|
4177
|
-
# data. Specify a symmetric
|
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
|
4179
|
-
# key, use the DescribeKey operation.
|
|
4397
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
|
4398
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
|
4399
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
|
4180
4400
|
#
|
|
4181
4401
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4182
4402
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4203,17 +4423,19 @@ module Aws::KMS
|
|
|
4203
4423
|
# data.
|
|
4204
4424
|
#
|
|
4205
4425
|
# A destination encryption context is valid only when the destination
|
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
|
4426
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
4427
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
|
4208
4428
|
#
|
|
4209
4429
|
# An *encryption context* is a collection of non-secret key-value
|
|
4210
|
-
# pairs that
|
|
4430
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4211
4431
|
# encryption context to encrypt data, you must specify the same (an
|
|
4212
4432
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4213
|
-
# An encryption context is
|
|
4214
|
-
# KMS
|
|
4433
|
+
# An encryption context is supported only on operations with symmetric
|
|
4434
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4435
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4436
|
+
# recommended.
|
|
4215
4437
|
#
|
|
4216
|
-
# For more information, see [Encryption
|
|
4438
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4217
4439
|
# Management Service Developer Guide*.
|
|
4218
4440
|
#
|
|
4219
4441
|
#
|
|
@@ -4224,8 +4446,8 @@ module Aws::KMS
|
|
|
4224
4446
|
# @!attribute [rw] source_encryption_algorithm
|
|
4225
4447
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
|
4226
4448
|
# ciphertext before it is reencrypted. The default value,
|
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4228
|
-
# keys.
|
|
4449
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4450
|
+
# encryption KMS keys.
|
|
4229
4451
|
#
|
|
4230
4452
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
4231
4453
|
# If you specify a different algorithm, the decrypt attempt fails.
|
|
@@ -4238,7 +4460,7 @@ module Aws::KMS
|
|
|
4238
4460
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
|
4239
4461
|
# data after it has decrypted it. The default value,
|
|
4240
4462
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
4241
|
-
# symmetric KMS keys.
|
|
4463
|
+
# symmetric encryption KMS keys.
|
|
4242
4464
|
#
|
|
4243
4465
|
# This parameter is required only when the destination KMS key is an
|
|
4244
4466
|
# asymmetric KMS key.
|
|
@@ -4359,24 +4581,33 @@ module Aws::KMS
|
|
|
4359
4581
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
4360
4582
|
# Reference*.
|
|
4361
4583
|
#
|
|
4584
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
4585
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
4586
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
4587
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
|
4588
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
4589
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
4590
|
+
#
|
|
4591
|
+
# </note>
|
|
4592
|
+
#
|
|
4362
4593
|
# The replica must be in a different Amazon Web Services Region than
|
|
4363
4594
|
# its primary key and other replicas of that primary key, but in the
|
|
4364
4595
|
# same Amazon Web Services partition. KMS must be available in the
|
|
4365
4596
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
4366
|
-
# Web Services account must be enabled in the Region.
|
|
4367
|
-
#
|
|
4368
|
-
#
|
|
4369
|
-
#
|
|
4370
|
-
#
|
|
4371
|
-
#
|
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
|
4597
|
+
# Web Services account must be enabled in the Region. For information
|
|
4598
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
4599
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
|
4600
|
+
# information about enabling and disabling Regions, see [Enabling a
|
|
4601
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
|
4602
|
+
# General Reference*.
|
|
4373
4603
|
#
|
|
4374
4604
|
#
|
|
4375
4605
|
#
|
|
4376
4606
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
4607
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
4608
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
4609
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
4610
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
4380
4611
|
# @return [String]
|
|
4381
4612
|
#
|
|
4382
4613
|
# @!attribute [rw] policy
|
|
@@ -4408,13 +4639,30 @@ module Aws::KMS
|
|
|
4408
4639
|
# immediately visible][3] in the <i> <i>Identity and Access
|
|
4409
4640
|
# Management User Guide</i> </i>.
|
|
4410
4641
|
#
|
|
4411
|
-
#
|
|
4642
|
+
# A key policy document can include only the following characters:
|
|
4643
|
+
#
|
|
4644
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
4645
|
+
# through the end of the ASCII character range.
|
|
4646
|
+
#
|
|
4647
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
4648
|
+
# character set (through `\u00FF`).
|
|
4649
|
+
#
|
|
4650
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
4651
|
+
# (`\u000D`) special characters
|
|
4652
|
+
#
|
|
4653
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
4654
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
4655
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4656
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
4657
|
+
# Guide</i> </i>.
|
|
4412
4658
|
#
|
|
4413
4659
|
#
|
|
4414
4660
|
#
|
|
4415
4661
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
4416
4662
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
4417
4663
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4664
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
4665
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
4418
4666
|
# @return [String]
|
|
4419
4667
|
#
|
|
4420
4668
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4455,8 +4703,8 @@ module Aws::KMS
|
|
|
4455
4703
|
# the TagResource operation.
|
|
4456
4704
|
#
|
|
4457
4705
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4458
|
-
# KMS key. For details, see [
|
|
4459
|
-
#
|
|
4706
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4707
|
+
# Service Developer Guide*.
|
|
4460
4708
|
#
|
|
4461
4709
|
# </note>
|
|
4462
4710
|
#
|
|
@@ -4500,9 +4748,9 @@ module Aws::KMS
|
|
|
4500
4748
|
|
|
4501
4749
|
# @!attribute [rw] replica_key_metadata
|
|
4502
4750
|
# Displays details about the new replica key, including its Amazon
|
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
|
4505
|
-
# replica keys.
|
|
4751
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
|
4752
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
|
4753
|
+
# key and other replica keys.
|
|
4506
4754
|
#
|
|
4507
4755
|
#
|
|
4508
4756
|
#
|
|
@@ -4652,7 +4900,7 @@ module Aws::KMS
|
|
|
4652
4900
|
# The waiting period, specified in number of days. After the waiting
|
|
4653
4901
|
# period ends, KMS deletes the KMS key.
|
|
4654
4902
|
#
|
|
4655
|
-
# If the KMS key is a multi-Region primary key with
|
|
4903
|
+
# If the KMS key is a multi-Region primary key with replica keys, the
|
|
4656
4904
|
# waiting period begins when the last of its replica keys is deleted.
|
|
4657
4905
|
# Otherwise, the waiting period begins immediately.
|
|
4658
4906
|
#
|
|
@@ -4690,8 +4938,8 @@ module Aws::KMS
|
|
|
4690
4938
|
# The current status of the KMS key.
|
|
4691
4939
|
#
|
|
4692
4940
|
# For more information about how key state affects the use of a KMS
|
|
4693
|
-
# key, see [Key
|
|
4694
|
-
#
|
|
4941
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
4942
|
+
# Developer Guide*.
|
|
4695
4943
|
#
|
|
4696
4944
|
#
|
|
4697
4945
|
#
|
|
@@ -4725,7 +4973,7 @@ module Aws::KMS
|
|
|
4725
4973
|
# message: "data", # required
|
|
4726
4974
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
4727
4975
|
# grant_tokens: ["GrantTokenType"],
|
|
4728
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
4976
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
4729
4977
|
# }
|
|
4730
4978
|
#
|
|
4731
4979
|
# @!attribute [rw] key_id
|
|
@@ -5006,8 +5254,8 @@ module Aws::KMS
|
|
|
5006
5254
|
# @!attribute [rw] alias_name
|
|
5007
5255
|
# Identifies the alias that is changing its KMS key. This value must
|
|
5008
5256
|
# begin with `alias/` followed by the alias name, such as
|
|
5009
|
-
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the
|
|
5010
|
-
# name.
|
|
5257
|
+
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
|
|
5258
|
+
# alias name.
|
|
5011
5259
|
# @return [String]
|
|
5012
5260
|
#
|
|
5013
5261
|
# @!attribute [rw] target_key_id
|
|
@@ -5194,6 +5442,100 @@ module Aws::KMS
|
|
|
5194
5442
|
include Aws::Structure
|
|
5195
5443
|
end
|
|
5196
5444
|
|
|
5445
|
+
# @note When making an API call, you may pass VerifyMacRequest
|
|
5446
|
+
# data as a hash:
|
|
5447
|
+
#
|
|
5448
|
+
# {
|
|
5449
|
+
# message: "data", # required
|
|
5450
|
+
# key_id: "KeyIdType", # required
|
|
5451
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5452
|
+
# mac: "data", # required
|
|
5453
|
+
# grant_tokens: ["GrantTokenType"],
|
|
5454
|
+
# }
|
|
5455
|
+
#
|
|
5456
|
+
# @!attribute [rw] message
|
|
5457
|
+
# The message that will be used in the verification. Enter the same
|
|
5458
|
+
# message that was used to generate the HMAC.
|
|
5459
|
+
#
|
|
5460
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
|
5461
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
|
5462
|
+
# message, you must verify the HMAC for the same hash digest.
|
|
5463
|
+
# @return [String]
|
|
5464
|
+
#
|
|
5465
|
+
# @!attribute [rw] key_id
|
|
5466
|
+
# The KMS key that will be used in the verification.
|
|
5467
|
+
#
|
|
5468
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
|
5469
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
|
5470
|
+
# @return [String]
|
|
5471
|
+
#
|
|
5472
|
+
# @!attribute [rw] mac_algorithm
|
|
5473
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
|
5474
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
|
5475
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
|
5476
|
+
# parameter.
|
|
5477
|
+
# @return [String]
|
|
5478
|
+
#
|
|
5479
|
+
# @!attribute [rw] mac
|
|
5480
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
|
5481
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
|
5482
|
+
# key, and MAC algorithm as the values specified in this request.
|
|
5483
|
+
# @return [String]
|
|
5484
|
+
#
|
|
5485
|
+
# @!attribute [rw] grant_tokens
|
|
5486
|
+
# A list of grant tokens.
|
|
5487
|
+
#
|
|
5488
|
+
# Use a grant token when your permission to call this operation comes
|
|
5489
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
5490
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
5491
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
5492
|
+
#
|
|
5493
|
+
#
|
|
5494
|
+
#
|
|
5495
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5496
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
5497
|
+
# @return [Array<String>]
|
|
5498
|
+
#
|
|
5499
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
5500
|
+
#
|
|
5501
|
+
class VerifyMacRequest < Struct.new(
|
|
5502
|
+
:message,
|
|
5503
|
+
:key_id,
|
|
5504
|
+
:mac_algorithm,
|
|
5505
|
+
:mac,
|
|
5506
|
+
:grant_tokens)
|
|
5507
|
+
SENSITIVE = [:message]
|
|
5508
|
+
include Aws::Structure
|
|
5509
|
+
end
|
|
5510
|
+
|
|
5511
|
+
# @!attribute [rw] key_id
|
|
5512
|
+
# The HMAC KMS key used in the verification.
|
|
5513
|
+
# @return [String]
|
|
5514
|
+
#
|
|
5515
|
+
# @!attribute [rw] mac_valid
|
|
5516
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
|
5517
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
|
5518
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
|
5519
|
+
#
|
|
5520
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
|
5521
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
|
5522
|
+
# one or more of the inputs changed since the HMAC was computed.
|
|
5523
|
+
# @return [Boolean]
|
|
5524
|
+
#
|
|
5525
|
+
# @!attribute [rw] mac_algorithm
|
|
5526
|
+
# The MAC algorithm used in the verification.
|
|
5527
|
+
# @return [String]
|
|
5528
|
+
#
|
|
5529
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
|
5530
|
+
#
|
|
5531
|
+
class VerifyMacResponse < Struct.new(
|
|
5532
|
+
:key_id,
|
|
5533
|
+
:mac_valid,
|
|
5534
|
+
:mac_algorithm)
|
|
5535
|
+
SENSITIVE = []
|
|
5536
|
+
include Aws::Structure
|
|
5537
|
+
end
|
|
5538
|
+
|
|
5197
5539
|
# @note When making an API call, you may pass VerifyRequest
|
|
5198
5540
|
# data as a hash:
|
|
5199
5541
|
#
|
|
@@ -5202,7 +5544,7 @@ module Aws::KMS
|
|
|
5202
5544
|
# message: "data", # required
|
|
5203
5545
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
5204
5546
|
# signature: "data", # required
|
|
5205
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
5547
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
5206
5548
|
# grant_tokens: ["GrantTokenType"],
|
|
5207
5549
|
# }
|
|
5208
5550
|
#
|