aws-sdk-kms 1.55.0 → 1.58.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1296 -621
- data/lib/aws-sdk-kms/client_api.rb +91 -3
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +576 -234
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -338,9 +338,9 @@ module Aws::KMS
|
|
|
338
338
|
#
|
|
339
339
|
# {
|
|
340
340
|
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
|
341
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
342
|
-
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
343
|
-
# key_store_password: "KeyStorePasswordType",
|
|
341
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
342
|
+
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
343
|
+
# key_store_password: "KeyStorePasswordType",
|
|
344
344
|
# }
|
|
345
345
|
#
|
|
346
346
|
# @!attribute [rw] custom_key_store_name
|
|
@@ -415,7 +415,7 @@ module Aws::KMS
|
|
|
415
415
|
# key_id: "KeyIdType", # required
|
|
416
416
|
# grantee_principal: "PrincipalIdType", # required
|
|
417
417
|
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
|
418
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
419
|
# constraints: {
|
|
420
420
|
# encryption_context_subset: {
|
|
421
421
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -491,12 +491,13 @@ module Aws::KMS
|
|
|
491
491
|
# @!attribute [rw] operations
|
|
492
492
|
# A list of operations that the grant permits.
|
|
493
493
|
#
|
|
494
|
-
#
|
|
495
|
-
#
|
|
496
|
-
#
|
|
497
|
-
#
|
|
498
|
-
#
|
|
499
|
-
#
|
|
494
|
+
# This list must include only operations that are permitted in a
|
|
495
|
+
# grant. Also, the operation must be supported on the KMS key. For
|
|
496
|
+
# example, you cannot create a grant for a symmetric encryption KMS
|
|
497
|
+
# key that allows the Sign operation, or a grant for an asymmetric KMS
|
|
498
|
+
# key that allows the GenerateDataKey operation. If you try, KMS
|
|
499
|
+
# returns a `ValidationError` exception. For details, see [Grant
|
|
500
|
+
# operations][1] in the *Key Management Service Developer Guide*.
|
|
500
501
|
#
|
|
501
502
|
#
|
|
502
503
|
#
|
|
@@ -509,27 +510,39 @@ module Aws::KMS
|
|
|
509
510
|
# KMS supports the `EncryptionContextEquals` and
|
|
510
511
|
# `EncryptionContextSubset` grant constraints. Each constraint value
|
|
511
512
|
# can include up to 8 encryption context pairs. The encryption context
|
|
512
|
-
# value in each constraint cannot exceed 384 characters.
|
|
513
|
+
# value in each constraint cannot exceed 384 characters. For
|
|
514
|
+
# information about grant constraints, see [Using grant
|
|
515
|
+
# constraints][1] in the *Key Management Service Developer Guide*. For
|
|
516
|
+
# more information about encryption context, see [Encryption
|
|
517
|
+
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
|
518
|
+
# </i>.
|
|
513
519
|
#
|
|
514
|
-
#
|
|
515
|
-
# the encryption context in the request matches
|
|
520
|
+
# The encryption context grant constraints allow the permissions in
|
|
521
|
+
# the grant only when the encryption context in the request matches
|
|
516
522
|
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
517
|
-
# the encryption context specified in this structure.
|
|
518
|
-
# about grant constraints, see [Using grant constraints][1] in the
|
|
519
|
-
# *Key Management Service Developer Guide*. For more information about
|
|
520
|
-
# encryption context, see [Encryption Context][2] in the <i> <i>Key
|
|
521
|
-
# Management Service Developer Guide</i> </i>.
|
|
523
|
+
# the encryption context specified in this structure.
|
|
522
524
|
#
|
|
523
525
|
# The encryption context grant constraints are supported only on
|
|
524
|
-
# operations that include an
|
|
525
|
-
#
|
|
526
|
-
# with
|
|
527
|
-
#
|
|
526
|
+
# [grant operations][3] that include an `EncryptionContext` parameter,
|
|
527
|
+
# such as cryptographic operations on symmetric encryption KMS keys.
|
|
528
|
+
# Grants with grant constraints can include the DescribeKey and
|
|
529
|
+
# RetireGrant operations, but the constraint doesn't apply to these
|
|
530
|
+
# operations. If a grant with a grant constraint includes the
|
|
531
|
+
# `CreateGrant` operation, the constraint requires that any grants
|
|
532
|
+
# created with the `CreateGrant` permission have an equally strict or
|
|
533
|
+
# stricter encryption context constraint.
|
|
534
|
+
#
|
|
535
|
+
# You cannot use an encryption context grant constraint for
|
|
536
|
+
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
537
|
+
# These keys don't support an encryption context.
|
|
538
|
+
#
|
|
539
|
+
#
|
|
528
540
|
#
|
|
529
541
|
#
|
|
530
542
|
#
|
|
531
543
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
532
544
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
545
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
533
546
|
# @return [Types::GrantConstraints]
|
|
534
547
|
#
|
|
535
548
|
# @!attribute [rw] grant_tokens
|
|
@@ -613,9 +626,9 @@ module Aws::KMS
|
|
|
613
626
|
# {
|
|
614
627
|
# policy: "PolicyType",
|
|
615
628
|
# description: "DescriptionType",
|
|
616
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
|
617
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
618
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
|
629
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
631
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
619
632
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
620
633
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
621
634
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -629,16 +642,19 @@ module Aws::KMS
|
|
|
629
642
|
# }
|
|
630
643
|
#
|
|
631
644
|
# @!attribute [rw] policy
|
|
632
|
-
# The key policy to attach to the KMS key.
|
|
645
|
+
# The key policy to attach to the KMS key. If you do not specify a key
|
|
646
|
+
# policy, KMS attaches a default key policy to the KMS key. For more
|
|
647
|
+
# information, see [Default key policy][1] in the *Key Management
|
|
648
|
+
# Service Developer Guide*.
|
|
633
649
|
#
|
|
634
650
|
# If you provide a key policy, it must meet the following criteria:
|
|
635
651
|
#
|
|
636
|
-
# * If you don't set `BypassPolicyLockoutSafetyCheck` to
|
|
652
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to `True`, the
|
|
637
653
|
# key policy must allow the principal that is making the `CreateKey`
|
|
638
654
|
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
|
639
655
|
# This reduces the risk that the KMS key becomes unmanageable. For
|
|
640
656
|
# more information, refer to the scenario in the [Default Key
|
|
641
|
-
# Policy][
|
|
657
|
+
# Policy][2] section of the <i> <i>Key Management Service Developer
|
|
642
658
|
# Guide</i> </i>.
|
|
643
659
|
#
|
|
644
660
|
# * Each statement in the key policy must contain one or more
|
|
@@ -648,25 +664,33 @@ module Aws::KMS
|
|
|
648
664
|
# enforce a delay before including the new principal in a key policy
|
|
649
665
|
# because the new principal might not be immediately visible to KMS.
|
|
650
666
|
# For more information, see [Changes that I make are not always
|
|
651
|
-
# immediately visible][
|
|
667
|
+
# immediately visible][3] in the *Amazon Web Services Identity and
|
|
652
668
|
# Access Management User Guide*.
|
|
653
669
|
#
|
|
654
|
-
#
|
|
655
|
-
# policy to the KMS key. For more information, see [Default Key
|
|
656
|
-
# Policy][3] in the *Key Management Service Developer Guide*.
|
|
670
|
+
# A key policy document can include only the following characters:
|
|
657
671
|
#
|
|
658
|
-
#
|
|
672
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
673
|
+
# through the end of the ASCII character range.
|
|
659
674
|
#
|
|
660
|
-
#
|
|
661
|
-
#
|
|
662
|
-
# Management User Guide</i> </i>.
|
|
675
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
676
|
+
# character set (through `\u00FF`).
|
|
663
677
|
#
|
|
678
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
679
|
+
# (`\u000D`) special characters
|
|
664
680
|
#
|
|
681
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
682
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
683
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
684
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
685
|
+
# Guide</i> </i>.
|
|
665
686
|
#
|
|
666
|
-
#
|
|
667
|
-
#
|
|
668
|
-
# [
|
|
669
|
-
# [
|
|
687
|
+
#
|
|
688
|
+
#
|
|
689
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
690
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
691
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
692
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
693
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
670
694
|
# @return [String]
|
|
671
695
|
#
|
|
672
696
|
# @!attribute [rw] description
|
|
@@ -683,20 +707,26 @@ module Aws::KMS
|
|
|
683
707
|
# @!attribute [rw] key_usage
|
|
684
708
|
# Determines the [cryptographic operations][1] for which you can use
|
|
685
709
|
# the KMS key. The default value is `ENCRYPT_DECRYPT`. This parameter
|
|
686
|
-
# is
|
|
687
|
-
#
|
|
710
|
+
# is optional when you are creating a symmetric encryption KMS key;
|
|
711
|
+
# otherwise, it is required. You can't change the `KeyUsage` value
|
|
712
|
+
# after the KMS key is created.
|
|
688
713
|
#
|
|
689
714
|
# Select only one valid value.
|
|
690
715
|
#
|
|
691
|
-
# * For symmetric KMS keys, omit the parameter or specify
|
|
716
|
+
# * For symmetric encryption KMS keys, omit the parameter or specify
|
|
692
717
|
# `ENCRYPT_DECRYPT`.
|
|
693
718
|
#
|
|
719
|
+
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
720
|
+
#
|
|
694
721
|
# * For asymmetric KMS keys with RSA key material, specify
|
|
695
722
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
696
723
|
#
|
|
697
724
|
# * For asymmetric KMS keys with ECC key material, specify
|
|
698
725
|
# `SIGN_VERIFY`.
|
|
699
726
|
#
|
|
727
|
+
# * For asymmetric KMS keys with SM2 key material (China Regions
|
|
728
|
+
# only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
729
|
+
#
|
|
700
730
|
#
|
|
701
731
|
#
|
|
702
732
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
|
@@ -713,35 +743,45 @@ module Aws::KMS
|
|
|
713
743
|
#
|
|
714
744
|
# @!attribute [rw] key_spec
|
|
715
745
|
# Specifies the type of KMS key to create. The default value,
|
|
716
|
-
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit
|
|
717
|
-
# for encryption and decryption
|
|
718
|
-
#
|
|
719
|
-
#
|
|
746
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key
|
|
747
|
+
# that is used for encryption and decryption, except in China Regions,
|
|
748
|
+
# where it creates a 128-bit symmetric key that uses SM4 encryption.
|
|
749
|
+
# For help choosing a key spec for your KMS key, see [Choosing a KMS
|
|
750
|
+
# key type][1] in the <i> <i>Key Management Service Developer
|
|
751
|
+
# Guide</i> </i>.
|
|
720
752
|
#
|
|
721
753
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
722
|
-
# key or an asymmetric key pair. It also determines the
|
|
723
|
-
# algorithms
|
|
724
|
-
#
|
|
725
|
-
#
|
|
726
|
-
#
|
|
727
|
-
#
|
|
728
|
-
# the <i> <i>Key Management Service Developer
|
|
729
|
-
#
|
|
730
|
-
#
|
|
731
|
-
#
|
|
732
|
-
#
|
|
733
|
-
#
|
|
734
|
-
# Asymmetric KMS keys][5] in the *Key Management Service Developer
|
|
735
|
-
# Guide*.
|
|
754
|
+
# key or an asymmetric key pair. It also determines the cryptographic
|
|
755
|
+
# algorithms that the KMS key supports. You can't change the
|
|
756
|
+
# `KeySpec` after the KMS key is created. To further restrict the
|
|
757
|
+
# algorithms that can be used with the KMS key, use a condition key in
|
|
758
|
+
# its key policy or IAM policy. For more information, see
|
|
759
|
+
# [kms:EncryptionAlgorithm][2], [kms:MacAlgorithm][3] or [kms:Signing
|
|
760
|
+
# Algorithm][4] in the <i> <i>Key Management Service Developer
|
|
761
|
+
# Guide</i> </i>.
|
|
762
|
+
#
|
|
763
|
+
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
764
|
+
# symmetric encryption KMS keys to protect your data. These services
|
|
765
|
+
# do not support asymmetric KMS keys or HMAC KMS keys.
|
|
736
766
|
#
|
|
737
767
|
# KMS supports the following key specs for KMS keys:
|
|
738
768
|
#
|
|
739
|
-
# * Symmetric key (default)
|
|
769
|
+
# * Symmetric encryption key (default)
|
|
740
770
|
#
|
|
741
|
-
# * `SYMMETRIC_DEFAULT`
|
|
771
|
+
# * `SYMMETRIC_DEFAULT`
|
|
742
772
|
#
|
|
743
773
|
# ^
|
|
744
774
|
#
|
|
775
|
+
# * HMAC keys (symmetric)
|
|
776
|
+
#
|
|
777
|
+
# * `HMAC_224`
|
|
778
|
+
#
|
|
779
|
+
# * `HMAC_256`
|
|
780
|
+
#
|
|
781
|
+
# * `HMAC_384`
|
|
782
|
+
#
|
|
783
|
+
# * `HMAC_512`
|
|
784
|
+
#
|
|
745
785
|
# * Asymmetric RSA key pairs
|
|
746
786
|
#
|
|
747
787
|
# * `RSA_2048`
|
|
@@ -765,13 +805,19 @@ module Aws::KMS
|
|
|
765
805
|
#
|
|
766
806
|
# ^
|
|
767
807
|
#
|
|
808
|
+
# * SM2 key pairs (China Regions only)
|
|
809
|
+
#
|
|
810
|
+
# * `SM2`
|
|
811
|
+
#
|
|
812
|
+
# ^
|
|
813
|
+
#
|
|
768
814
|
#
|
|
769
815
|
#
|
|
770
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose
|
|
816
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
771
817
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm
|
|
772
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-
|
|
773
|
-
# [4]:
|
|
774
|
-
# [5]:
|
|
818
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithm
|
|
819
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm
|
|
820
|
+
# [5]: http://aws.amazon.com/kms/features/#AWS_Service_Integration
|
|
775
821
|
# @return [String]
|
|
776
822
|
#
|
|
777
823
|
# @!attribute [rw] origin
|
|
@@ -783,13 +829,13 @@ module Aws::KMS
|
|
|
783
829
|
# material), set the value to `EXTERNAL`. For more information about
|
|
784
830
|
# importing key material into KMS, see [Importing Key Material][1] in
|
|
785
831
|
# the *Key Management Service Developer Guide*. This value is valid
|
|
786
|
-
# only for symmetric KMS keys.
|
|
832
|
+
# only for symmetric encryption KMS keys.
|
|
787
833
|
#
|
|
788
834
|
# To create a KMS key in an KMS [custom key store][2] and create its
|
|
789
835
|
# key material in the associated CloudHSM cluster, set this value to
|
|
790
836
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
791
837
|
# to identify the custom key store. This value is valid only for
|
|
792
|
-
# symmetric KMS keys.
|
|
838
|
+
# symmetric encryption KMS keys.
|
|
793
839
|
#
|
|
794
840
|
#
|
|
795
841
|
#
|
|
@@ -805,9 +851,9 @@ module Aws::KMS
|
|
|
805
851
|
# associated with the custom key store must have at least two active
|
|
806
852
|
# HSMs, each in a different Availability Zone in the Region.
|
|
807
853
|
#
|
|
808
|
-
# This parameter is valid only for symmetric KMS keys
|
|
809
|
-
#
|
|
810
|
-
#
|
|
854
|
+
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
855
|
+
# single Region. You cannot create any other type of KMS key in a
|
|
856
|
+
# custom key store.
|
|
811
857
|
#
|
|
812
858
|
# To find the ID of a custom key store, use the
|
|
813
859
|
# DescribeCustomKeyStores operation.
|
|
@@ -815,7 +861,7 @@ module Aws::KMS
|
|
|
815
861
|
# The response includes the custom key store ID and the ID of the
|
|
816
862
|
# CloudHSM cluster.
|
|
817
863
|
#
|
|
818
|
-
# This operation is part of the [
|
|
864
|
+
# This operation is part of the [custom key store feature][1] feature
|
|
819
865
|
# in KMS, which combines the convenience and extensive integration of
|
|
820
866
|
# KMS with the isolation and control of a single-tenant key store.
|
|
821
867
|
#
|
|
@@ -853,8 +899,8 @@ module Aws::KMS
|
|
|
853
899
|
# TagResource operation.
|
|
854
900
|
#
|
|
855
901
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
856
|
-
# KMS key. For details, see [
|
|
857
|
-
#
|
|
902
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
903
|
+
# Service Developer Guide*.
|
|
858
904
|
#
|
|
859
905
|
# </note>
|
|
860
906
|
#
|
|
@@ -895,15 +941,16 @@ module Aws::KMS
|
|
|
895
941
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
896
942
|
# a different Amazon Web Services Region without re-encrypting the
|
|
897
943
|
# data or making a cross-Region call. For more information about
|
|
898
|
-
# multi-Region keys, see [
|
|
944
|
+
# multi-Region keys, see [Multi-Region keys in KMS][1] in the *Key
|
|
899
945
|
# Management Service Developer Guide*.
|
|
900
946
|
#
|
|
901
947
|
# This value creates a *primary key*, not a replica. To create a
|
|
902
948
|
# *replica key*, use the ReplicateKey operation.
|
|
903
949
|
#
|
|
904
|
-
# You can create a
|
|
905
|
-
#
|
|
906
|
-
# you cannot create a multi-Region key
|
|
950
|
+
# You can create a multi-Region version of a symmetric encryption KMS
|
|
951
|
+
# key, an HMAC KMS key, an asymmetric KMS key, or a KMS key with
|
|
952
|
+
# imported key material. However, you cannot create a multi-Region key
|
|
953
|
+
# in a custom key store.
|
|
907
954
|
#
|
|
908
955
|
#
|
|
909
956
|
#
|
|
@@ -1160,7 +1207,7 @@ module Aws::KMS
|
|
|
1160
1207
|
# },
|
|
1161
1208
|
# grant_tokens: ["GrantTokenType"],
|
|
1162
1209
|
# key_id: "KeyIdType",
|
|
1163
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
1210
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1164
1211
|
# }
|
|
1165
1212
|
#
|
|
1166
1213
|
# @!attribute [rw] ciphertext_blob
|
|
@@ -1170,17 +1217,20 @@ module Aws::KMS
|
|
|
1170
1217
|
# @!attribute [rw] encryption_context
|
|
1171
1218
|
# Specifies the encryption context to use when decrypting the data. An
|
|
1172
1219
|
# encryption context is valid only for [cryptographic operations][1]
|
|
1173
|
-
# with a symmetric KMS key. The standard asymmetric
|
|
1174
|
-
# algorithms that KMS uses do not
|
|
1220
|
+
# with a symmetric encryption KMS key. The standard asymmetric
|
|
1221
|
+
# encryption algorithms and HMAC algorithms that KMS uses do not
|
|
1222
|
+
# support an encryption context.
|
|
1175
1223
|
#
|
|
1176
1224
|
# An *encryption context* is a collection of non-secret key-value
|
|
1177
|
-
# pairs that
|
|
1225
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1178
1226
|
# encryption context to encrypt data, you must specify the same (an
|
|
1179
1227
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1180
|
-
# An encryption context is
|
|
1181
|
-
# KMS
|
|
1228
|
+
# An encryption context is supported only on operations with symmetric
|
|
1229
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1230
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1231
|
+
# recommended.
|
|
1182
1232
|
#
|
|
1183
|
-
# For more information, see [Encryption
|
|
1233
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1184
1234
|
# Management Service Developer Guide*.
|
|
1185
1235
|
#
|
|
1186
1236
|
#
|
|
@@ -1204,15 +1254,18 @@ module Aws::KMS
|
|
|
1204
1254
|
# @return [Array<String>]
|
|
1205
1255
|
#
|
|
1206
1256
|
# @!attribute [rw] key_id
|
|
1207
|
-
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1208
|
-
#
|
|
1257
|
+
# Specifies the KMS key that KMS uses to decrypt the ciphertext.
|
|
1258
|
+
#
|
|
1259
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
1260
|
+
# ciphertext. If you identify a different KMS key, the `Decrypt`
|
|
1261
|
+
# operation throws an `IncorrectKeyException`.
|
|
1209
1262
|
#
|
|
1210
1263
|
# This parameter is required only when the ciphertext was encrypted
|
|
1211
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
1212
|
-
# can get the KMS key from metadata that it adds to the
|
|
1213
|
-
# ciphertext blob. However, it is always recommended as a
|
|
1214
|
-
# practice. This practice ensures that you use the KMS key that
|
|
1215
|
-
# intend.
|
|
1264
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
1265
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
1266
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
1267
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
1268
|
+
# you intend.
|
|
1216
1269
|
#
|
|
1217
1270
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1218
1271
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1243,7 +1296,7 @@ module Aws::KMS
|
|
|
1243
1296
|
# This parameter is required only when the ciphertext was encrypted
|
|
1244
1297
|
# under an asymmetric KMS key. The default value, `SYMMETRIC_DEFAULT`,
|
|
1245
1298
|
# represents the only supported algorithm that is valid for symmetric
|
|
1246
|
-
# KMS keys.
|
|
1299
|
+
# encryption KMS keys.
|
|
1247
1300
|
# @return [String]
|
|
1248
1301
|
#
|
|
1249
1302
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
|
@@ -1570,9 +1623,10 @@ module Aws::KMS
|
|
|
1570
1623
|
# }
|
|
1571
1624
|
#
|
|
1572
1625
|
# @!attribute [rw] key_id
|
|
1573
|
-
# Identifies a symmetric KMS key. You cannot enable or
|
|
1574
|
-
# automatic rotation of [asymmetric KMS keys][1], KMS
|
|
1575
|
-
# [imported key material][
|
|
1626
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1627
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1628
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1629
|
+
# [custom key store][4].
|
|
1576
1630
|
#
|
|
1577
1631
|
# Specify the key ID or key ARN of the KMS key.
|
|
1578
1632
|
#
|
|
@@ -1589,8 +1643,9 @@ module Aws::KMS
|
|
|
1589
1643
|
#
|
|
1590
1644
|
#
|
|
1591
1645
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
|
1592
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1593
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1646
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1647
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1648
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1594
1649
|
# @return [String]
|
|
1595
1650
|
#
|
|
1596
1651
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotationRequest AWS API Documentation
|
|
@@ -1678,11 +1733,12 @@ module Aws::KMS
|
|
|
1678
1733
|
# }
|
|
1679
1734
|
#
|
|
1680
1735
|
# @!attribute [rw] key_id
|
|
1681
|
-
# Identifies a symmetric KMS key. You cannot enable
|
|
1682
|
-
# of [asymmetric KMS keys][1],
|
|
1683
|
-
#
|
|
1684
|
-
#
|
|
1685
|
-
#
|
|
1736
|
+
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1737
|
+
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
1738
|
+
# keys][2], KMS keys with [imported key material][3], or KMS keys in a
|
|
1739
|
+
# [custom key store][4]. The key rotation status of these KMS keys is
|
|
1740
|
+
# always `false`. To enable or disable automatic rotation of a set of
|
|
1741
|
+
# related [multi-Region keys][5], set the property on the primary key.
|
|
1686
1742
|
#
|
|
1687
1743
|
# Specify the key ID or key ARN of the KMS key.
|
|
1688
1744
|
#
|
|
@@ -1698,10 +1754,11 @@ module Aws::KMS
|
|
|
1698
1754
|
#
|
|
1699
1755
|
#
|
|
1700
1756
|
#
|
|
1701
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1702
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1703
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1704
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1757
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1758
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1759
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1760
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1761
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
|
1705
1762
|
# @return [String]
|
|
1706
1763
|
#
|
|
1707
1764
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotationRequest AWS API Documentation
|
|
@@ -1722,11 +1779,13 @@ module Aws::KMS
|
|
|
1722
1779
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1723
1780
|
# },
|
|
1724
1781
|
# grant_tokens: ["GrantTokenType"],
|
|
1725
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
1782
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1726
1783
|
# }
|
|
1727
1784
|
#
|
|
1728
1785
|
# @!attribute [rw] key_id
|
|
1729
|
-
# Identifies the KMS key to use in the encryption operation.
|
|
1786
|
+
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1787
|
+
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
1788
|
+
# `KeyUsage` of a KMS key, use the DescribeKey operation.
|
|
1730
1789
|
#
|
|
1731
1790
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1732
1791
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1755,18 +1814,20 @@ module Aws::KMS
|
|
|
1755
1814
|
# @!attribute [rw] encryption_context
|
|
1756
1815
|
# Specifies the encryption context that will be used to encrypt the
|
|
1757
1816
|
# data. An encryption context is valid only for [cryptographic
|
|
1758
|
-
# operations][1] with a symmetric KMS key. The standard
|
|
1759
|
-
# encryption algorithms that KMS uses
|
|
1760
|
-
# context.
|
|
1817
|
+
# operations][1] with a symmetric encryption KMS key. The standard
|
|
1818
|
+
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
|
1819
|
+
# do not support an encryption context.
|
|
1761
1820
|
#
|
|
1762
1821
|
# An *encryption context* is a collection of non-secret key-value
|
|
1763
|
-
# pairs that
|
|
1822
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1764
1823
|
# encryption context to encrypt data, you must specify the same (an
|
|
1765
1824
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1766
|
-
# An encryption context is
|
|
1767
|
-
# KMS
|
|
1825
|
+
# An encryption context is supported only on operations with symmetric
|
|
1826
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1827
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1828
|
+
# recommended.
|
|
1768
1829
|
#
|
|
1769
|
-
# For more information, see [Encryption
|
|
1830
|
+
# For more information, see [Encryption context][2] in the *Key
|
|
1770
1831
|
# Management Service Developer Guide*.
|
|
1771
1832
|
#
|
|
1772
1833
|
#
|
|
@@ -1795,9 +1856,9 @@ module Aws::KMS
|
|
|
1795
1856
|
# that you specify.
|
|
1796
1857
|
#
|
|
1797
1858
|
# This parameter is required only for asymmetric KMS keys. The default
|
|
1798
|
-
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1799
|
-
# keys. If you are using an asymmetric KMS key, we
|
|
1800
|
-
# RSAES\_OAEP\_SHA\_256.
|
|
1859
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1860
|
+
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1861
|
+
# recommend RSAES\_OAEP\_SHA\_256.
|
|
1801
1862
|
# @return [String]
|
|
1802
1863
|
#
|
|
1803
1864
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1865,7 +1926,7 @@ module Aws::KMS
|
|
|
1865
1926
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1866
1927
|
# },
|
|
1867
1928
|
# key_id: "KeyIdType", # required
|
|
1868
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
1929
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
1869
1930
|
# grant_tokens: ["GrantTokenType"],
|
|
1870
1931
|
# }
|
|
1871
1932
|
#
|
|
@@ -1874,13 +1935,15 @@ module Aws::KMS
|
|
|
1874
1935
|
# the private key in the data key pair.
|
|
1875
1936
|
#
|
|
1876
1937
|
# An *encryption context* is a collection of non-secret key-value
|
|
1877
|
-
# pairs that
|
|
1938
|
+
# pairs that represent additional authenticated data. When you use an
|
|
1878
1939
|
# encryption context to encrypt data, you must specify the same (an
|
|
1879
1940
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
1880
|
-
# An encryption context is
|
|
1881
|
-
# KMS
|
|
1941
|
+
# An encryption context is supported only on operations with symmetric
|
|
1942
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
1943
|
+
# keys, an encryption context is optional, but it is strongly
|
|
1944
|
+
# recommended.
|
|
1882
1945
|
#
|
|
1883
|
-
# For more information, see [Encryption
|
|
1946
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
1884
1947
|
# Management Service Developer Guide*.
|
|
1885
1948
|
#
|
|
1886
1949
|
#
|
|
@@ -1889,10 +1952,10 @@ module Aws::KMS
|
|
|
1889
1952
|
# @return [Hash<String,String>]
|
|
1890
1953
|
#
|
|
1891
1954
|
# @!attribute [rw] key_id
|
|
1892
|
-
# Specifies the symmetric KMS key that encrypts the private
|
|
1893
|
-
# data key pair. You cannot specify an asymmetric KMS key
|
|
1894
|
-
# in a custom key store. To get the type and origin of
|
|
1895
|
-
# use the DescribeKey operation.
|
|
1955
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
1956
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
1957
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
1958
|
+
# your KMS key, use the DescribeKey operation.
|
|
1896
1959
|
#
|
|
1897
1960
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
1898
1961
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -1917,10 +1980,12 @@ module Aws::KMS
|
|
|
1917
1980
|
# @!attribute [rw] key_pair_spec
|
|
1918
1981
|
# Determines the type of data key pair that is generated.
|
|
1919
1982
|
#
|
|
1920
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
|
1921
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
|
1922
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
|
1923
|
-
# are not effective on data key pairs, which are used outside
|
|
1983
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
1984
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
1985
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
1986
|
+
# verify, are not effective on data key pairs, which are used outside
|
|
1987
|
+
# of KMS. The SM2 key spec is only available in China Regions. RSA and
|
|
1988
|
+
# ECC asymmetric key pairs are also available in China Regions.
|
|
1924
1989
|
# @return [String]
|
|
1925
1990
|
#
|
|
1926
1991
|
# @!attribute [rw] grant_tokens
|
|
@@ -1961,7 +2026,9 @@ module Aws::KMS
|
|
|
1961
2026
|
# @return [String]
|
|
1962
2027
|
#
|
|
1963
2028
|
# @!attribute [rw] public_key
|
|
1964
|
-
# The public key (in plaintext).
|
|
2029
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2030
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2031
|
+
# is not Base64-encoded.
|
|
1965
2032
|
# @return [String]
|
|
1966
2033
|
#
|
|
1967
2034
|
# @!attribute [rw] key_id
|
|
@@ -1997,7 +2064,7 @@ module Aws::KMS
|
|
|
1997
2064
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1998
2065
|
# },
|
|
1999
2066
|
# key_id: "KeyIdType", # required
|
|
2000
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
2067
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
2001
2068
|
# grant_tokens: ["GrantTokenType"],
|
|
2002
2069
|
# }
|
|
2003
2070
|
#
|
|
@@ -2006,13 +2073,15 @@ module Aws::KMS
|
|
|
2006
2073
|
# the private key in the data key pair.
|
|
2007
2074
|
#
|
|
2008
2075
|
# An *encryption context* is a collection of non-secret key-value
|
|
2009
|
-
# pairs that
|
|
2076
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2010
2077
|
# encryption context to encrypt data, you must specify the same (an
|
|
2011
2078
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2012
|
-
# An encryption context is
|
|
2013
|
-
# KMS
|
|
2079
|
+
# An encryption context is supported only on operations with symmetric
|
|
2080
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2081
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2082
|
+
# recommended.
|
|
2014
2083
|
#
|
|
2015
|
-
# For more information, see [Encryption
|
|
2084
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2016
2085
|
# Management Service Developer Guide*.
|
|
2017
2086
|
#
|
|
2018
2087
|
#
|
|
@@ -2021,10 +2090,10 @@ module Aws::KMS
|
|
|
2021
2090
|
# @return [Hash<String,String>]
|
|
2022
2091
|
#
|
|
2023
2092
|
# @!attribute [rw] key_id
|
|
2024
|
-
# Specifies the KMS key that encrypts the private
|
|
2025
|
-
# pair. You
|
|
2026
|
-
#
|
|
2027
|
-
#
|
|
2093
|
+
# Specifies the symmetric encryption KMS key that encrypts the private
|
|
2094
|
+
# key in the data key pair. You cannot specify an asymmetric KMS key
|
|
2095
|
+
# or a KMS key in a custom key store. To get the type and origin of
|
|
2096
|
+
# your KMS key, use the DescribeKey operation.
|
|
2028
2097
|
#
|
|
2029
2098
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2030
2099
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2049,10 +2118,12 @@ module Aws::KMS
|
|
|
2049
2118
|
# @!attribute [rw] key_pair_spec
|
|
2050
2119
|
# Determines the type of data key pair that is generated.
|
|
2051
2120
|
#
|
|
2052
|
-
# The KMS rule that restricts the use of asymmetric RSA
|
|
2053
|
-
# encrypt and decrypt or to sign and verify (but not both),
|
|
2054
|
-
# rule that permits you to use ECC KMS keys only to sign and
|
|
2055
|
-
# are not effective on data key pairs, which are used outside
|
|
2121
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS
|
|
2122
|
+
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
2123
|
+
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
2124
|
+
# verify, are not effective on data key pairs, which are used outside
|
|
2125
|
+
# of KMS. The SM2 key spec is only available in China Regions. RSA and
|
|
2126
|
+
# ECC asymmetric key pairs are also available in China Regions.
|
|
2056
2127
|
# @return [String]
|
|
2057
2128
|
#
|
|
2058
2129
|
# @!attribute [rw] grant_tokens
|
|
@@ -2087,7 +2158,9 @@ module Aws::KMS
|
|
|
2087
2158
|
# @return [String]
|
|
2088
2159
|
#
|
|
2089
2160
|
# @!attribute [rw] public_key
|
|
2090
|
-
# The public key (in plaintext).
|
|
2161
|
+
# The public key (in plaintext). When you use the HTTP API or the
|
|
2162
|
+
# Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
|
|
2163
|
+
# is not Base64-encoded.
|
|
2091
2164
|
# @return [String]
|
|
2092
2165
|
#
|
|
2093
2166
|
# @!attribute [rw] key_id
|
|
@@ -2128,7 +2201,10 @@ module Aws::KMS
|
|
|
2128
2201
|
# }
|
|
2129
2202
|
#
|
|
2130
2203
|
# @!attribute [rw] key_id
|
|
2131
|
-
#
|
|
2204
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2205
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2206
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2207
|
+
# the DescribeKey operation.
|
|
2132
2208
|
#
|
|
2133
2209
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2134
2210
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2155,13 +2231,15 @@ module Aws::KMS
|
|
|
2155
2231
|
# the data key.
|
|
2156
2232
|
#
|
|
2157
2233
|
# An *encryption context* is a collection of non-secret key-value
|
|
2158
|
-
# pairs that
|
|
2234
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2159
2235
|
# encryption context to encrypt data, you must specify the same (an
|
|
2160
2236
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2161
|
-
# An encryption context is
|
|
2162
|
-
# KMS
|
|
2237
|
+
# An encryption context is supported only on operations with symmetric
|
|
2238
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2239
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2240
|
+
# recommended.
|
|
2163
2241
|
#
|
|
2164
|
-
# For more information, see [Encryption
|
|
2242
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2165
2243
|
# Management Service Developer Guide*.
|
|
2166
2244
|
#
|
|
2167
2245
|
#
|
|
@@ -2260,7 +2338,10 @@ module Aws::KMS
|
|
|
2260
2338
|
# }
|
|
2261
2339
|
#
|
|
2262
2340
|
# @!attribute [rw] key_id
|
|
2263
|
-
#
|
|
2341
|
+
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2342
|
+
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
2343
|
+
# custom key store. To get the type and origin of your KMS key, use
|
|
2344
|
+
# the DescribeKey operation.
|
|
2264
2345
|
#
|
|
2265
2346
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
2266
2347
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -2287,13 +2368,15 @@ module Aws::KMS
|
|
|
2287
2368
|
# the data key.
|
|
2288
2369
|
#
|
|
2289
2370
|
# An *encryption context* is a collection of non-secret key-value
|
|
2290
|
-
# pairs that
|
|
2371
|
+
# pairs that represent additional authenticated data. When you use an
|
|
2291
2372
|
# encryption context to encrypt data, you must specify the same (an
|
|
2292
2373
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
2293
|
-
# An encryption context is
|
|
2294
|
-
# KMS
|
|
2374
|
+
# An encryption context is supported only on operations with symmetric
|
|
2375
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
2376
|
+
# keys, an encryption context is optional, but it is strongly
|
|
2377
|
+
# recommended.
|
|
2295
2378
|
#
|
|
2296
|
-
# For more information, see [Encryption
|
|
2379
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
2297
2380
|
# Management Service Developer Guide*.
|
|
2298
2381
|
#
|
|
2299
2382
|
#
|
|
@@ -2363,6 +2446,93 @@ module Aws::KMS
|
|
|
2363
2446
|
include Aws::Structure
|
|
2364
2447
|
end
|
|
2365
2448
|
|
|
2449
|
+
# @note When making an API call, you may pass GenerateMacRequest
|
|
2450
|
+
# data as a hash:
|
|
2451
|
+
#
|
|
2452
|
+
# {
|
|
2453
|
+
# message: "data", # required
|
|
2454
|
+
# key_id: "KeyIdType", # required
|
|
2455
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2456
|
+
# grant_tokens: ["GrantTokenType"],
|
|
2457
|
+
# }
|
|
2458
|
+
#
|
|
2459
|
+
# @!attribute [rw] message
|
|
2460
|
+
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2461
|
+
#
|
|
2462
|
+
# `GenerateMac` and VerifyMac do not provide special handling for
|
|
2463
|
+
# message digests. If you generate an HMAC for a hash digest of a
|
|
2464
|
+
# message, you must verify the HMAC of the same hash digest.
|
|
2465
|
+
# @return [String]
|
|
2466
|
+
#
|
|
2467
|
+
# @!attribute [rw] key_id
|
|
2468
|
+
# The HMAC KMS key to use in the operation. The MAC algorithm computes
|
|
2469
|
+
# the HMAC for the message and the key as described in [RFC 2104][1].
|
|
2470
|
+
#
|
|
2471
|
+
# To identify an HMAC KMS key, use the DescribeKey operation and see
|
|
2472
|
+
# the `KeySpec` field in the response.
|
|
2473
|
+
#
|
|
2474
|
+
#
|
|
2475
|
+
#
|
|
2476
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2477
|
+
# @return [String]
|
|
2478
|
+
#
|
|
2479
|
+
# @!attribute [rw] mac_algorithm
|
|
2480
|
+
# The MAC algorithm used in the operation.
|
|
2481
|
+
#
|
|
2482
|
+
# The algorithm must be compatible with the HMAC KMS key that you
|
|
2483
|
+
# specify. To find the MAC algorithms that your HMAC KMS key supports,
|
|
2484
|
+
# use the DescribeKey operation and see the `MacAlgorithms` field in
|
|
2485
|
+
# the `DescribeKey` response.
|
|
2486
|
+
# @return [String]
|
|
2487
|
+
#
|
|
2488
|
+
# @!attribute [rw] grant_tokens
|
|
2489
|
+
# A list of grant tokens.
|
|
2490
|
+
#
|
|
2491
|
+
# Use a grant token when your permission to call this operation comes
|
|
2492
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
2493
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
2494
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
2495
|
+
#
|
|
2496
|
+
#
|
|
2497
|
+
#
|
|
2498
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
2499
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
2500
|
+
# @return [Array<String>]
|
|
2501
|
+
#
|
|
2502
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
|
2503
|
+
#
|
|
2504
|
+
class GenerateMacRequest < Struct.new(
|
|
2505
|
+
:message,
|
|
2506
|
+
:key_id,
|
|
2507
|
+
:mac_algorithm,
|
|
2508
|
+
:grant_tokens)
|
|
2509
|
+
SENSITIVE = [:message]
|
|
2510
|
+
include Aws::Structure
|
|
2511
|
+
end
|
|
2512
|
+
|
|
2513
|
+
# @!attribute [rw] mac
|
|
2514
|
+
# The hash-based message authentication code (HMAC) for the given
|
|
2515
|
+
# message, key, and MAC algorithm.
|
|
2516
|
+
# @return [String]
|
|
2517
|
+
#
|
|
2518
|
+
# @!attribute [rw] mac_algorithm
|
|
2519
|
+
# The MAC algorithm that was used to generate the HMAC.
|
|
2520
|
+
# @return [String]
|
|
2521
|
+
#
|
|
2522
|
+
# @!attribute [rw] key_id
|
|
2523
|
+
# The HMAC KMS key used in the operation.
|
|
2524
|
+
# @return [String]
|
|
2525
|
+
#
|
|
2526
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacResponse AWS API Documentation
|
|
2527
|
+
#
|
|
2528
|
+
class GenerateMacResponse < Struct.new(
|
|
2529
|
+
:mac,
|
|
2530
|
+
:mac_algorithm,
|
|
2531
|
+
:key_id)
|
|
2532
|
+
SENSITIVE = []
|
|
2533
|
+
include Aws::Structure
|
|
2534
|
+
end
|
|
2535
|
+
|
|
2366
2536
|
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2367
2537
|
# data as a hash:
|
|
2368
2538
|
#
|
|
@@ -2372,7 +2542,7 @@ module Aws::KMS
|
|
|
2372
2542
|
# }
|
|
2373
2543
|
#
|
|
2374
2544
|
# @!attribute [rw] number_of_bytes
|
|
2375
|
-
# The length of the byte string.
|
|
2545
|
+
# The length of the random byte string. This parameter is required.
|
|
2376
2546
|
# @return [Integer]
|
|
2377
2547
|
#
|
|
2378
2548
|
# @!attribute [rw] custom_key_store_id
|
|
@@ -2513,8 +2683,9 @@ module Aws::KMS
|
|
|
2513
2683
|
# }
|
|
2514
2684
|
#
|
|
2515
2685
|
# @!attribute [rw] key_id
|
|
2516
|
-
# The identifier of the symmetric KMS key into which you
|
|
2517
|
-
# key material. The `Origin` of the KMS key must be
|
|
2686
|
+
# The identifier of the symmetric encryption KMS key into which you
|
|
2687
|
+
# will import key material. The `Origin` of the KMS key must be
|
|
2688
|
+
# `EXTERNAL`.
|
|
2518
2689
|
#
|
|
2519
2690
|
# Specify the key ID or key ARN of the KMS key.
|
|
2520
2691
|
#
|
|
@@ -2729,10 +2900,11 @@ module Aws::KMS
|
|
|
2729
2900
|
#
|
|
2730
2901
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2731
2902
|
# that support an encryption context, that is, all cryptographic
|
|
2732
|
-
# operations with a [symmetric KMS key][3]. Grant constraints
|
|
2733
|
-
# applied to operations that do not support an encryption
|
|
2734
|
-
# as cryptographic operations with
|
|
2735
|
-
# operations, such as DescribeKey or
|
|
2903
|
+
# operations with a [symmetric encryption KMS key][3]. Grant constraints
|
|
2904
|
+
# are not applied to operations that do not support an encryption
|
|
2905
|
+
# context, such as cryptographic operations with HMAC KMS keys or
|
|
2906
|
+
# asymmetric KMS keys, and management operations, such as DescribeKey or
|
|
2907
|
+
# RetireGrant.
|
|
2736
2908
|
#
|
|
2737
2909
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2738
2910
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2880,10 +3052,13 @@ module Aws::KMS
|
|
|
2880
3052
|
# }
|
|
2881
3053
|
#
|
|
2882
3054
|
# @!attribute [rw] key_id
|
|
2883
|
-
# The identifier of the symmetric KMS key that receives the
|
|
2884
|
-
# key material.
|
|
2885
|
-
#
|
|
2886
|
-
#
|
|
3055
|
+
# The identifier of the symmetric encryption KMS key that receives the
|
|
3056
|
+
# imported key material. This must be the same KMS key specified in
|
|
3057
|
+
# the `KeyID` parameter of the corresponding GetParametersForImport
|
|
3058
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL`. You cannot
|
|
3059
|
+
# perform this operation on an asymmetric KMS key, an HMAC KMS key, a
|
|
3060
|
+
# KMS key in a custom key store, or on a KMS key in a different Amazon
|
|
3061
|
+
# Web Services account
|
|
2887
3062
|
#
|
|
2888
3063
|
# Specify the key ID or key ARN of the KMS key.
|
|
2889
3064
|
#
|
|
@@ -3095,9 +3270,11 @@ module Aws::KMS
|
|
|
3095
3270
|
# key `(KeySpec`).
|
|
3096
3271
|
#
|
|
3097
3272
|
# For encrypting, decrypting, re-encrypting, and generating data keys,
|
|
3098
|
-
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3099
|
-
# the `KeyUsage` must be `SIGN_VERIFY`.
|
|
3100
|
-
#
|
|
3273
|
+
# the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
|
|
3274
|
+
# messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
|
|
3275
|
+
# verifying message authentication codes (MACs), the `KeyUsage` must be
|
|
3276
|
+
# `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
|
|
3277
|
+
# DescribeKey operation.
|
|
3101
3278
|
#
|
|
3102
3279
|
# To find the encryption or signing algorithms supported for a
|
|
3103
3280
|
# particular KMS key, use the DescribeKey operation.
|
|
@@ -3141,6 +3318,22 @@ module Aws::KMS
|
|
|
3141
3318
|
include Aws::Structure
|
|
3142
3319
|
end
|
|
3143
3320
|
|
|
3321
|
+
# The request was rejected because the HMAC verification failed. HMAC
|
|
3322
|
+
# verification fails when the HMAC computed by using the specified
|
|
3323
|
+
# message, HMAC KMS key, and MAC algorithm does not match the HMAC
|
|
3324
|
+
# specified in the request.
|
|
3325
|
+
#
|
|
3326
|
+
# @!attribute [rw] message
|
|
3327
|
+
# @return [String]
|
|
3328
|
+
#
|
|
3329
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KMSInvalidMacException AWS API Documentation
|
|
3330
|
+
#
|
|
3331
|
+
class KMSInvalidMacException < Struct.new(
|
|
3332
|
+
:message)
|
|
3333
|
+
SENSITIVE = []
|
|
3334
|
+
include Aws::Structure
|
|
3335
|
+
end
|
|
3336
|
+
|
|
3144
3337
|
# The request was rejected because the signature verification failed.
|
|
3145
3338
|
# Signature verification fails when it cannot confirm that signature was
|
|
3146
3339
|
# produced by signing the specified message with the specified KMS key
|
|
@@ -3161,8 +3354,8 @@ module Aws::KMS
|
|
|
3161
3354
|
# is not valid for this request.
|
|
3162
3355
|
#
|
|
3163
3356
|
# For more information about how key state affects the use of a KMS key,
|
|
3164
|
-
# see [Key
|
|
3165
|
-
#
|
|
3357
|
+
# see [Key states of KMS keys][1] in the <i> <i>Key Management Service
|
|
3358
|
+
# Developer Guide</i> </i>.
|
|
3166
3359
|
#
|
|
3167
3360
|
#
|
|
3168
3361
|
#
|
|
@@ -3247,8 +3440,8 @@ module Aws::KMS
|
|
|
3247
3440
|
# The current status of the KMS key.
|
|
3248
3441
|
#
|
|
3249
3442
|
# For more information about how key state affects the use of a KMS
|
|
3250
|
-
# key, see [Key
|
|
3251
|
-
#
|
|
3443
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
3444
|
+
# Developer Guide*.
|
|
3252
3445
|
#
|
|
3253
3446
|
#
|
|
3254
3447
|
#
|
|
@@ -3355,9 +3548,8 @@ module Aws::KMS
|
|
|
3355
3548
|
# (`False`) key. This value is `True` for multi-Region primary and
|
|
3356
3549
|
# replica keys and `False` for regional KMS keys.
|
|
3357
3550
|
#
|
|
3358
|
-
# For more information about multi-Region keys, see [
|
|
3359
|
-
#
|
|
3360
|
-
# Guide*.
|
|
3551
|
+
# For more information about multi-Region keys, see [Multi-Region keys
|
|
3552
|
+
# in KMS][1] in the *Key Management Service Developer Guide*.
|
|
3361
3553
|
#
|
|
3362
3554
|
#
|
|
3363
3555
|
#
|
|
@@ -3402,6 +3594,14 @@ module Aws::KMS
|
|
|
3402
3594
|
# the deletion date appears in the `DeletionDate` field.
|
|
3403
3595
|
# @return [Integer]
|
|
3404
3596
|
#
|
|
3597
|
+
# @!attribute [rw] mac_algorithms
|
|
3598
|
+
# The message authentication code (MAC) algorithm that the HMAC KMS
|
|
3599
|
+
# key supports.
|
|
3600
|
+
#
|
|
3601
|
+
# This value is present only when the `KeyUsage` of the KMS key is
|
|
3602
|
+
# `GENERATE_VERIFY_MAC`.
|
|
3603
|
+
# @return [Array<String>]
|
|
3604
|
+
#
|
|
3405
3605
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3406
3606
|
#
|
|
3407
3607
|
class KeyMetadata < Struct.new(
|
|
@@ -3426,7 +3626,8 @@ module Aws::KMS
|
|
|
3426
3626
|
:signing_algorithms,
|
|
3427
3627
|
:multi_region,
|
|
3428
3628
|
:multi_region_configuration,
|
|
3429
|
-
:pending_deletion_window_in_days
|
|
3629
|
+
:pending_deletion_window_in_days,
|
|
3630
|
+
:mac_algorithms)
|
|
3430
3631
|
SENSITIVE = []
|
|
3431
3632
|
include Aws::Structure
|
|
3432
3633
|
end
|
|
@@ -3834,8 +4035,8 @@ module Aws::KMS
|
|
|
3834
4035
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
3835
4036
|
#
|
|
3836
4037
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
3837
|
-
# KMS key. For details, see [
|
|
3838
|
-
#
|
|
4038
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4039
|
+
# Service Developer Guide*.
|
|
3839
4040
|
#
|
|
3840
4041
|
# </note>
|
|
3841
4042
|
#
|
|
@@ -4054,15 +4255,29 @@ module Aws::KMS
|
|
|
4054
4255
|
# immediately visible][2] in the *Amazon Web Services Identity and
|
|
4055
4256
|
# Access Management User Guide*.
|
|
4056
4257
|
#
|
|
4057
|
-
#
|
|
4058
|
-
#
|
|
4059
|
-
#
|
|
4258
|
+
# A key policy document can include only the following characters:
|
|
4259
|
+
#
|
|
4260
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
4261
|
+
# through the end of the ASCII character range.
|
|
4262
|
+
#
|
|
4263
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
4264
|
+
# character set (through `\u00FF`).
|
|
4265
|
+
#
|
|
4266
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
4267
|
+
# (`\u000D`) special characters
|
|
4268
|
+
#
|
|
4269
|
+
# For information about key policies, see [Key policies in KMS][3] in
|
|
4270
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
4271
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4272
|
+
# Reference][4] in the <i> <i>Identity and Access Management User
|
|
4273
|
+
# Guide</i> </i>.
|
|
4060
4274
|
#
|
|
4061
4275
|
#
|
|
4062
4276
|
#
|
|
4063
4277
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
4064
4278
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4065
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4279
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
4280
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
4066
4281
|
# @return [String]
|
|
4067
4282
|
#
|
|
4068
4283
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4111,8 +4326,8 @@ module Aws::KMS
|
|
|
4111
4326
|
# destination_encryption_context: {
|
|
4112
4327
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
4113
4328
|
# },
|
|
4114
|
-
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
4115
|
-
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
4329
|
+
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4330
|
+
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4116
4331
|
# grant_tokens: ["GrantTokenType"],
|
|
4117
4332
|
# }
|
|
4118
4333
|
#
|
|
@@ -4126,13 +4341,15 @@ module Aws::KMS
|
|
|
4126
4341
|
# ciphertext.
|
|
4127
4342
|
#
|
|
4128
4343
|
# An *encryption context* is a collection of non-secret key-value
|
|
4129
|
-
# pairs that
|
|
4344
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4130
4345
|
# encryption context to encrypt data, you must specify the same (an
|
|
4131
4346
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4132
|
-
# An encryption context is
|
|
4133
|
-
# KMS
|
|
4347
|
+
# An encryption context is supported only on operations with symmetric
|
|
4348
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4349
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4350
|
+
# recommended.
|
|
4134
4351
|
#
|
|
4135
|
-
# For more information, see [Encryption
|
|
4352
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4136
4353
|
# Management Service Developer Guide*.
|
|
4137
4354
|
#
|
|
4138
4355
|
#
|
|
@@ -4142,15 +4359,18 @@ module Aws::KMS
|
|
|
4142
4359
|
#
|
|
4143
4360
|
# @!attribute [rw] source_key_id
|
|
4144
4361
|
# Specifies the KMS key that KMS will use to decrypt the ciphertext
|
|
4145
|
-
# before it is re-encrypted.
|
|
4146
|
-
#
|
|
4362
|
+
# before it is re-encrypted.
|
|
4363
|
+
#
|
|
4364
|
+
# Enter a key ID of the KMS key that was used to encrypt the
|
|
4365
|
+
# ciphertext. If you identify a different KMS key, the `ReEncrypt`
|
|
4366
|
+
# operation throws an `IncorrectKeyException`.
|
|
4147
4367
|
#
|
|
4148
4368
|
# This parameter is required only when the ciphertext was encrypted
|
|
4149
|
-
# under an asymmetric KMS key. If you used a symmetric
|
|
4150
|
-
# can get the KMS key from metadata that it adds to the
|
|
4151
|
-
# ciphertext blob. However, it is always recommended as a
|
|
4152
|
-
# practice. This practice ensures that you use the KMS key that
|
|
4153
|
-
# intend.
|
|
4369
|
+
# under an asymmetric KMS key. If you used a symmetric encryption KMS
|
|
4370
|
+
# key, KMS can get the KMS key from metadata that it adds to the
|
|
4371
|
+
# symmetric ciphertext blob. However, it is always recommended as a
|
|
4372
|
+
# best practice. This practice ensures that you use the KMS key that
|
|
4373
|
+
# you intend.
|
|
4154
4374
|
#
|
|
4155
4375
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4156
4376
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4174,9 +4394,9 @@ module Aws::KMS
|
|
|
4174
4394
|
#
|
|
4175
4395
|
# @!attribute [rw] destination_key_id
|
|
4176
4396
|
# A unique identifier for the KMS key that is used to reencrypt the
|
|
4177
|
-
# data. Specify a symmetric
|
|
4178
|
-
# value of `ENCRYPT_DECRYPT`. To find the
|
|
4179
|
-
# key, use the DescribeKey operation.
|
|
4397
|
+
# data. Specify a symmetric encryption KMS key or an asymmetric KMS
|
|
4398
|
+
# key with a `KeyUsage` value of `ENCRYPT_DECRYPT`. To find the
|
|
4399
|
+
# `KeyUsage` value of a KMS key, use the DescribeKey operation.
|
|
4180
4400
|
#
|
|
4181
4401
|
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
4182
4402
|
# ARN. When using an alias name, prefix it with `"alias/"`. To specify
|
|
@@ -4203,17 +4423,19 @@ module Aws::KMS
|
|
|
4203
4423
|
# data.
|
|
4204
4424
|
#
|
|
4205
4425
|
# A destination encryption context is valid only when the destination
|
|
4206
|
-
# KMS key is a symmetric KMS key. The standard ciphertext
|
|
4207
|
-
# asymmetric KMS keys does not include fields for metadata.
|
|
4426
|
+
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
4427
|
+
# format for asymmetric KMS keys does not include fields for metadata.
|
|
4208
4428
|
#
|
|
4209
4429
|
# An *encryption context* is a collection of non-secret key-value
|
|
4210
|
-
# pairs that
|
|
4430
|
+
# pairs that represent additional authenticated data. When you use an
|
|
4211
4431
|
# encryption context to encrypt data, you must specify the same (an
|
|
4212
4432
|
# exact case-sensitive match) encryption context to decrypt the data.
|
|
4213
|
-
# An encryption context is
|
|
4214
|
-
# KMS
|
|
4433
|
+
# An encryption context is supported only on operations with symmetric
|
|
4434
|
+
# encryption KMS keys. On operations with symmetric encryption KMS
|
|
4435
|
+
# keys, an encryption context is optional, but it is strongly
|
|
4436
|
+
# recommended.
|
|
4215
4437
|
#
|
|
4216
|
-
# For more information, see [Encryption
|
|
4438
|
+
# For more information, see [Encryption context][1] in the *Key
|
|
4217
4439
|
# Management Service Developer Guide*.
|
|
4218
4440
|
#
|
|
4219
4441
|
#
|
|
@@ -4224,8 +4446,8 @@ module Aws::KMS
|
|
|
4224
4446
|
# @!attribute [rw] source_encryption_algorithm
|
|
4225
4447
|
# Specifies the encryption algorithm that KMS will use to decrypt the
|
|
4226
4448
|
# ciphertext before it is reencrypted. The default value,
|
|
4227
|
-
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4228
|
-
# keys.
|
|
4449
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric
|
|
4450
|
+
# encryption KMS keys.
|
|
4229
4451
|
#
|
|
4230
4452
|
# Specify the same algorithm that was used to encrypt the ciphertext.
|
|
4231
4453
|
# If you specify a different algorithm, the decrypt attempt fails.
|
|
@@ -4238,7 +4460,7 @@ module Aws::KMS
|
|
|
4238
4460
|
# Specifies the encryption algorithm that KMS will use to reecrypt the
|
|
4239
4461
|
# data after it has decrypted it. The default value,
|
|
4240
4462
|
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
|
4241
|
-
# symmetric KMS keys.
|
|
4463
|
+
# symmetric encryption KMS keys.
|
|
4242
4464
|
#
|
|
4243
4465
|
# This parameter is required only when the destination KMS key is an
|
|
4244
4466
|
# asymmetric KMS key.
|
|
@@ -4359,24 +4581,33 @@ module Aws::KMS
|
|
|
4359
4581
|
# [KMS service endpoints][1] in the *Amazon Web Services General
|
|
4360
4582
|
# Reference*.
|
|
4361
4583
|
#
|
|
4584
|
+
# <note markdown="1"> HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
4585
|
+
# If you try to replicate an HMAC KMS key in an Amazon Web Services
|
|
4586
|
+
# Region in which HMAC keys are not supported, the `ReplicateKey`
|
|
4587
|
+
# operation returns an `UnsupportedOperationException`. For a list of
|
|
4588
|
+
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
4589
|
+
# KMS][2] in the *Key Management Service Developer Guide*.
|
|
4590
|
+
#
|
|
4591
|
+
# </note>
|
|
4592
|
+
#
|
|
4362
4593
|
# The replica must be in a different Amazon Web Services Region than
|
|
4363
4594
|
# its primary key and other replicas of that primary key, but in the
|
|
4364
4595
|
# same Amazon Web Services partition. KMS must be available in the
|
|
4365
4596
|
# replica Region. If the Region is not enabled by default, the Amazon
|
|
4366
|
-
# Web Services account must be enabled in the Region.
|
|
4367
|
-
#
|
|
4368
|
-
#
|
|
4369
|
-
#
|
|
4370
|
-
#
|
|
4371
|
-
#
|
|
4372
|
-
# the *Amazon Web Services General Reference*.
|
|
4597
|
+
# Web Services account must be enabled in the Region. For information
|
|
4598
|
+
# about Amazon Web Services partitions, see [Amazon Resource Names
|
|
4599
|
+
# (ARNs)][3] in the *Amazon Web Services General Reference*. For
|
|
4600
|
+
# information about enabling and disabling Regions, see [Enabling a
|
|
4601
|
+
# Region][4] and [Disabling a Region][5] in the *Amazon Web Services
|
|
4602
|
+
# General Reference*.
|
|
4373
4603
|
#
|
|
4374
4604
|
#
|
|
4375
4605
|
#
|
|
4376
4606
|
# [1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
|
|
4377
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4378
|
-
# [3]: https://docs.aws.amazon.com/general/latest/gr/
|
|
4379
|
-
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-
|
|
4607
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
4608
|
+
# [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
4609
|
+
# [4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
|
|
4610
|
+
# [5]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
|
|
4380
4611
|
# @return [String]
|
|
4381
4612
|
#
|
|
4382
4613
|
# @!attribute [rw] policy
|
|
@@ -4408,13 +4639,30 @@ module Aws::KMS
|
|
|
4408
4639
|
# immediately visible][3] in the <i> <i>Identity and Access
|
|
4409
4640
|
# Management User Guide</i> </i>.
|
|
4410
4641
|
#
|
|
4411
|
-
#
|
|
4642
|
+
# A key policy document can include only the following characters:
|
|
4643
|
+
#
|
|
4644
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
4645
|
+
# through the end of the ASCII character range.
|
|
4646
|
+
#
|
|
4647
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
4648
|
+
# character set (through `\u00FF`).
|
|
4649
|
+
#
|
|
4650
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
4651
|
+
# (`\u000D`) special characters
|
|
4652
|
+
#
|
|
4653
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
4654
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
4655
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4656
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
4657
|
+
# Guide</i> </i>.
|
|
4412
4658
|
#
|
|
4413
4659
|
#
|
|
4414
4660
|
#
|
|
4415
4661
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
4416
4662
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
4417
4663
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
4664
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
4665
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
4418
4666
|
# @return [String]
|
|
4419
4667
|
#
|
|
4420
4668
|
# @!attribute [rw] bypass_policy_lockout_safety_check
|
|
@@ -4455,8 +4703,8 @@ module Aws::KMS
|
|
|
4455
4703
|
# the TagResource operation.
|
|
4456
4704
|
#
|
|
4457
4705
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4458
|
-
# KMS key. For details, see [
|
|
4459
|
-
#
|
|
4706
|
+
# KMS key. For details, see [ABAC in KMS][1] in the *Key Management
|
|
4707
|
+
# Service Developer Guide*.
|
|
4460
4708
|
#
|
|
4461
4709
|
# </note>
|
|
4462
4710
|
#
|
|
@@ -4500,9 +4748,9 @@ module Aws::KMS
|
|
|
4500
4748
|
|
|
4501
4749
|
# @!attribute [rw] replica_key_metadata
|
|
4502
4750
|
# Displays details about the new replica key, including its Amazon
|
|
4503
|
-
# Resource Name ([key ARN][1]) and [
|
|
4504
|
-
# the ARN and Amazon Web Services Region of its primary
|
|
4505
|
-
# replica keys.
|
|
4751
|
+
# Resource Name ([key ARN][1]) and [Key states of KMS keys][2]. It
|
|
4752
|
+
# also includes the ARN and Amazon Web Services Region of its primary
|
|
4753
|
+
# key and other replica keys.
|
|
4506
4754
|
#
|
|
4507
4755
|
#
|
|
4508
4756
|
#
|
|
@@ -4652,7 +4900,7 @@ module Aws::KMS
|
|
|
4652
4900
|
# The waiting period, specified in number of days. After the waiting
|
|
4653
4901
|
# period ends, KMS deletes the KMS key.
|
|
4654
4902
|
#
|
|
4655
|
-
# If the KMS key is a multi-Region primary key with
|
|
4903
|
+
# If the KMS key is a multi-Region primary key with replica keys, the
|
|
4656
4904
|
# waiting period begins when the last of its replica keys is deleted.
|
|
4657
4905
|
# Otherwise, the waiting period begins immediately.
|
|
4658
4906
|
#
|
|
@@ -4690,8 +4938,8 @@ module Aws::KMS
|
|
|
4690
4938
|
# The current status of the KMS key.
|
|
4691
4939
|
#
|
|
4692
4940
|
# For more information about how key state affects the use of a KMS
|
|
4693
|
-
# key, see [Key
|
|
4694
|
-
#
|
|
4941
|
+
# key, see [Key states of KMS keys][1] in the *Key Management Service
|
|
4942
|
+
# Developer Guide*.
|
|
4695
4943
|
#
|
|
4696
4944
|
#
|
|
4697
4945
|
#
|
|
@@ -4725,7 +4973,7 @@ module Aws::KMS
|
|
|
4725
4973
|
# message: "data", # required
|
|
4726
4974
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
4727
4975
|
# grant_tokens: ["GrantTokenType"],
|
|
4728
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
4976
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
4729
4977
|
# }
|
|
4730
4978
|
#
|
|
4731
4979
|
# @!attribute [rw] key_id
|
|
@@ -5006,8 +5254,8 @@ module Aws::KMS
|
|
|
5006
5254
|
# @!attribute [rw] alias_name
|
|
5007
5255
|
# Identifies the alias that is changing its KMS key. This value must
|
|
5008
5256
|
# begin with `alias/` followed by the alias name, such as
|
|
5009
|
-
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the
|
|
5010
|
-
# name.
|
|
5257
|
+
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
|
|
5258
|
+
# alias name.
|
|
5011
5259
|
# @return [String]
|
|
5012
5260
|
#
|
|
5013
5261
|
# @!attribute [rw] target_key_id
|
|
@@ -5194,6 +5442,100 @@ module Aws::KMS
|
|
|
5194
5442
|
include Aws::Structure
|
|
5195
5443
|
end
|
|
5196
5444
|
|
|
5445
|
+
# @note When making an API call, you may pass VerifyMacRequest
|
|
5446
|
+
# data as a hash:
|
|
5447
|
+
#
|
|
5448
|
+
# {
|
|
5449
|
+
# message: "data", # required
|
|
5450
|
+
# key_id: "KeyIdType", # required
|
|
5451
|
+
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5452
|
+
# mac: "data", # required
|
|
5453
|
+
# grant_tokens: ["GrantTokenType"],
|
|
5454
|
+
# }
|
|
5455
|
+
#
|
|
5456
|
+
# @!attribute [rw] message
|
|
5457
|
+
# The message that will be used in the verification. Enter the same
|
|
5458
|
+
# message that was used to generate the HMAC.
|
|
5459
|
+
#
|
|
5460
|
+
# GenerateMac and `VerifyMac` do not provide special handling for
|
|
5461
|
+
# message digests. If you generated an HMAC for a hash digest of a
|
|
5462
|
+
# message, you must verify the HMAC for the same hash digest.
|
|
5463
|
+
# @return [String]
|
|
5464
|
+
#
|
|
5465
|
+
# @!attribute [rw] key_id
|
|
5466
|
+
# The KMS key that will be used in the verification.
|
|
5467
|
+
#
|
|
5468
|
+
# Enter a key ID of the KMS key that was used to generate the HMAC. If
|
|
5469
|
+
# you identify a different KMS key, the `VerifyMac` operation fails.
|
|
5470
|
+
# @return [String]
|
|
5471
|
+
#
|
|
5472
|
+
# @!attribute [rw] mac_algorithm
|
|
5473
|
+
# The MAC algorithm that will be used in the verification. Enter the
|
|
5474
|
+
# same MAC algorithm that was used to compute the HMAC. This algorithm
|
|
5475
|
+
# must be supported by the HMAC KMS key identified by the `KeyId`
|
|
5476
|
+
# parameter.
|
|
5477
|
+
# @return [String]
|
|
5478
|
+
#
|
|
5479
|
+
# @!attribute [rw] mac
|
|
5480
|
+
# The HMAC to verify. Enter the HMAC that was generated by the
|
|
5481
|
+
# GenerateMac operation when you specified the same message, HMAC KMS
|
|
5482
|
+
# key, and MAC algorithm as the values specified in this request.
|
|
5483
|
+
# @return [String]
|
|
5484
|
+
#
|
|
5485
|
+
# @!attribute [rw] grant_tokens
|
|
5486
|
+
# A list of grant tokens.
|
|
5487
|
+
#
|
|
5488
|
+
# Use a grant token when your permission to call this operation comes
|
|
5489
|
+
# from a new grant that has not yet achieved *eventual consistency*.
|
|
5490
|
+
# For more information, see [Grant token][1] and [Using a grant
|
|
5491
|
+
# token][2] in the *Key Management Service Developer Guide*.
|
|
5492
|
+
#
|
|
5493
|
+
#
|
|
5494
|
+
#
|
|
5495
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
5496
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
5497
|
+
# @return [Array<String>]
|
|
5498
|
+
#
|
|
5499
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
|
5500
|
+
#
|
|
5501
|
+
class VerifyMacRequest < Struct.new(
|
|
5502
|
+
:message,
|
|
5503
|
+
:key_id,
|
|
5504
|
+
:mac_algorithm,
|
|
5505
|
+
:mac,
|
|
5506
|
+
:grant_tokens)
|
|
5507
|
+
SENSITIVE = [:message]
|
|
5508
|
+
include Aws::Structure
|
|
5509
|
+
end
|
|
5510
|
+
|
|
5511
|
+
# @!attribute [rw] key_id
|
|
5512
|
+
# The HMAC KMS key used in the verification.
|
|
5513
|
+
# @return [String]
|
|
5514
|
+
#
|
|
5515
|
+
# @!attribute [rw] mac_valid
|
|
5516
|
+
# A Boolean value that indicates whether the HMAC was verified. A
|
|
5517
|
+
# value of `True` indicates that the HMAC (`Mac`) was generated with
|
|
5518
|
+
# the specified `Message`, HMAC KMS key (`KeyID`) and `MacAlgorithm.`.
|
|
5519
|
+
#
|
|
5520
|
+
# If the HMAC is not verified, the `VerifyMac` operation fails with a
|
|
5521
|
+
# `KMSInvalidMacException` exception. This exception indicates that
|
|
5522
|
+
# one or more of the inputs changed since the HMAC was computed.
|
|
5523
|
+
# @return [Boolean]
|
|
5524
|
+
#
|
|
5525
|
+
# @!attribute [rw] mac_algorithm
|
|
5526
|
+
# The MAC algorithm used in the verification.
|
|
5527
|
+
# @return [String]
|
|
5528
|
+
#
|
|
5529
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacResponse AWS API Documentation
|
|
5530
|
+
#
|
|
5531
|
+
class VerifyMacResponse < Struct.new(
|
|
5532
|
+
:key_id,
|
|
5533
|
+
:mac_valid,
|
|
5534
|
+
:mac_algorithm)
|
|
5535
|
+
SENSITIVE = []
|
|
5536
|
+
include Aws::Structure
|
|
5537
|
+
end
|
|
5538
|
+
|
|
5197
5539
|
# @note When making an API call, you may pass VerifyRequest
|
|
5198
5540
|
# data as a hash:
|
|
5199
5541
|
#
|
|
@@ -5202,7 +5544,7 @@ module Aws::KMS
|
|
|
5202
5544
|
# message: "data", # required
|
|
5203
5545
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
5204
5546
|
# signature: "data", # required
|
|
5205
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
5547
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
5206
5548
|
# grant_tokens: ["GrantTokenType"],
|
|
5207
5549
|
# }
|
|
5208
5550
|
#
|