aws-sdk-kms 1.57.0 → 1.58.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +211 -154
- data/lib/aws-sdk-kms/client_api.rb +24 -3
- data/lib/aws-sdk-kms/types.rb +87 -65
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/client.rb
CHANGED
|
@@ -674,7 +674,7 @@ module Aws::KMS
|
|
|
674
674
|
# Creates a [custom key store][1] that is associated with an [CloudHSM
|
|
675
675
|
# cluster][2] that you own and manage.
|
|
676
676
|
#
|
|
677
|
-
# This operation is part of the [
|
|
677
|
+
# This operation is part of the [custom key store feature][1] feature in
|
|
678
678
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
679
679
|
# with the isolation and control of a single-tenant key store.
|
|
680
680
|
#
|
|
@@ -724,7 +724,7 @@ module Aws::KMS
|
|
|
724
724
|
# Specifies a friendly name for the custom key store. The name must be
|
|
725
725
|
# unique in your Amazon Web Services account.
|
|
726
726
|
#
|
|
727
|
-
# @option params [
|
|
727
|
+
# @option params [String] :cloud_hsm_cluster_id
|
|
728
728
|
# Identifies the CloudHSM cluster for the custom key store. Enter the
|
|
729
729
|
# cluster ID of any active CloudHSM cluster that is not already
|
|
730
730
|
# associated with a custom key store. To find the cluster ID, use the
|
|
@@ -734,7 +734,7 @@ module Aws::KMS
|
|
|
734
734
|
#
|
|
735
735
|
# [1]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
|
736
736
|
#
|
|
737
|
-
# @option params [
|
|
737
|
+
# @option params [String] :trust_anchor_certificate
|
|
738
738
|
# Enter the content of the trust anchor certificate for the cluster.
|
|
739
739
|
# This is the content of the `customerCA.crt` file that you created when
|
|
740
740
|
# you [initialized the cluster][1].
|
|
@@ -743,7 +743,7 @@ module Aws::KMS
|
|
|
743
743
|
#
|
|
744
744
|
# [1]: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html
|
|
745
745
|
#
|
|
746
|
-
# @option params [
|
|
746
|
+
# @option params [String] :key_store_password
|
|
747
747
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1] in
|
|
748
748
|
# the specified CloudHSM cluster. KMS logs into the cluster as this user
|
|
749
749
|
# to manage key material on your behalf.
|
|
@@ -783,9 +783,9 @@ module Aws::KMS
|
|
|
783
783
|
#
|
|
784
784
|
# resp = client.create_custom_key_store({
|
|
785
785
|
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
|
786
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
787
|
-
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
788
|
-
# key_store_password: "KeyStorePasswordType",
|
|
786
|
+
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
787
|
+
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
788
|
+
# key_store_password: "KeyStorePasswordType",
|
|
789
789
|
# })
|
|
790
790
|
#
|
|
791
791
|
# @example Response structure
|
|
@@ -1079,7 +1079,9 @@ module Aws::KMS
|
|
|
1079
1079
|
# : To create a symmetric encryption KMS key, you aren't required to
|
|
1080
1080
|
# specify any parameters. The default value for `KeySpec`,
|
|
1081
1081
|
# `SYMMETRIC_DEFAULT`, and the default value for `KeyUsage`,
|
|
1082
|
-
# `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key.
|
|
1082
|
+
# `ENCRYPT_DECRYPT`, create a symmetric encryption KMS key. For
|
|
1083
|
+
# technical details, see [ SYMMETRIC\_DEFAULT key spec][2] in the *Key
|
|
1084
|
+
# Management Service Developer Guide*.
|
|
1083
1085
|
#
|
|
1084
1086
|
# If you need a key for basic encryption and decryption or you are
|
|
1085
1087
|
# creating a KMS key to protect your resources in an Amazon Web
|
|
@@ -1100,15 +1102,16 @@ module Aws::KMS
|
|
|
1100
1102
|
# to encrypt and decrypt or sign and verify. You can't change these
|
|
1101
1103
|
# properties after the KMS key is created.
|
|
1102
1104
|
#
|
|
1103
|
-
# Asymmetric KMS keys contain an RSA key pair
|
|
1104
|
-
#
|
|
1105
|
-
# leaves KMS unencrypted. However, you
|
|
1106
|
-
# operation to download the public key so it
|
|
1107
|
-
# KMS. KMS keys with RSA key pairs can
|
|
1108
|
-
# data or sign and verify messages (but
|
|
1109
|
-
# key pairs can be used only to sign and
|
|
1110
|
-
# information about asymmetric KMS keys, see
|
|
1111
|
-
# in the *Key Management Service Developer
|
|
1105
|
+
# Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC)
|
|
1106
|
+
# key pair, or an SM2 key pair (China Regions only). The private key
|
|
1107
|
+
# in an asymmetric KMS key never leaves KMS unencrypted. However, you
|
|
1108
|
+
# can use the GetPublicKey operation to download the public key so it
|
|
1109
|
+
# can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
|
|
1110
|
+
# be used to encrypt or decrypt data or sign and verify messages (but
|
|
1111
|
+
# not both). KMS keys with ECC key pairs can be used only to sign and
|
|
1112
|
+
# verify messages. For information about asymmetric KMS keys, see
|
|
1113
|
+
# [Asymmetric KMS keys][3] in the *Key Management Service Developer
|
|
1114
|
+
# Guide*.
|
|
1112
1115
|
#
|
|
1113
1116
|
#
|
|
1114
1117
|
#
|
|
@@ -1130,7 +1133,7 @@ module Aws::KMS
|
|
|
1130
1133
|
# Region in which HMAC keys are not supported, the `CreateKey`
|
|
1131
1134
|
# operation returns an `UnsupportedOperationException`. For a list of
|
|
1132
1135
|
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
1133
|
-
# KMS][
|
|
1136
|
+
# KMS][4] in the *Key Management Service Developer Guide*.
|
|
1134
1137
|
#
|
|
1135
1138
|
#
|
|
1136
1139
|
#
|
|
@@ -1158,7 +1161,7 @@ module Aws::KMS
|
|
|
1158
1161
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
1159
1162
|
# a different Amazon Web Services Region without re-encrypting the
|
|
1160
1163
|
# data or making a cross-Region call. For more information about
|
|
1161
|
-
# multi-Region keys, see [Multi-Region keys in KMS][
|
|
1164
|
+
# multi-Region keys, see [Multi-Region keys in KMS][5] in the *Key
|
|
1162
1165
|
# Management Service Developer Guide*.
|
|
1163
1166
|
#
|
|
1164
1167
|
#
|
|
@@ -1170,7 +1173,7 @@ module Aws::KMS
|
|
|
1170
1173
|
# token, and use the public key to encrypt your key material. Then,
|
|
1171
1174
|
# use ImportKeyMaterial with your import token to import the key
|
|
1172
1175
|
# material. For step-by-step instructions, see [Importing Key
|
|
1173
|
-
# Material][
|
|
1176
|
+
# Material][6] in the <i> <i>Key Management Service Developer
|
|
1174
1177
|
# Guide</i> </i>.
|
|
1175
1178
|
#
|
|
1176
1179
|
# This feature supports only symmetric encryption KMS keys, including
|
|
@@ -1182,14 +1185,14 @@ module Aws::KMS
|
|
|
1182
1185
|
# the `MultiRegion` parameter with a value of `True`. To create
|
|
1183
1186
|
# replicas of the multi-Region primary key, use the ReplicateKey
|
|
1184
1187
|
# operation. For more information about multi-Region keys, see
|
|
1185
|
-
# [Multi-Region keys in KMS][
|
|
1188
|
+
# [Multi-Region keys in KMS][5] in the *Key Management Service
|
|
1186
1189
|
# Developer Guide*.
|
|
1187
1190
|
#
|
|
1188
1191
|
#
|
|
1189
1192
|
#
|
|
1190
1193
|
# Custom key store
|
|
1191
1194
|
#
|
|
1192
|
-
# : To create a symmetric encryption KMS key in a [custom key store][
|
|
1195
|
+
# : To create a symmetric encryption KMS key in a [custom key store][7],
|
|
1193
1196
|
# use the `CustomKeyStoreId` parameter to specify the custom key
|
|
1194
1197
|
# store. You must also use the `Origin` parameter with a value of
|
|
1195
1198
|
# `AWS_CLOUDHSM`. The CloudHSM cluster that is associated with the
|
|
@@ -1199,16 +1202,16 @@ module Aws::KMS
|
|
|
1199
1202
|
# Custom key stores support only symmetric encryption KMS keys. You
|
|
1200
1203
|
# cannot create an HMAC KMS key or an asymmetric KMS key in a custom
|
|
1201
1204
|
# key store. For information about custom key stores in KMS see
|
|
1202
|
-
# [Custom key stores in KMS][
|
|
1205
|
+
# [Custom key stores in KMS][7] in the <i> <i>Key Management Service
|
|
1203
1206
|
# Developer Guide</i> </i>.
|
|
1204
1207
|
#
|
|
1205
1208
|
# **Cross-account use**\: No. You cannot use this operation to create a
|
|
1206
1209
|
# KMS key in a different Amazon Web Services account.
|
|
1207
1210
|
#
|
|
1208
|
-
# **Required permissions**\: [kms:CreateKey][
|
|
1209
|
-
# `Tags` parameter, [kms:TagResource][
|
|
1211
|
+
# **Required permissions**\: [kms:CreateKey][8] (IAM policy). To use the
|
|
1212
|
+
# `Tags` parameter, [kms:TagResource][8] (IAM policy). For examples and
|
|
1210
1213
|
# information about related permissions, see [Allow a user to create KMS
|
|
1211
|
-
# keys][
|
|
1214
|
+
# keys][9] in the *Key Management Service Developer Guide*.
|
|
1212
1215
|
#
|
|
1213
1216
|
# **Related operations:**
|
|
1214
1217
|
#
|
|
@@ -1221,13 +1224,14 @@ module Aws::KMS
|
|
|
1221
1224
|
#
|
|
1222
1225
|
#
|
|
1223
1226
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
|
|
1224
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1225
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1226
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1227
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1228
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1229
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1230
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1227
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-symmetric-default
|
|
1228
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1229
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
|
1230
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
|
1231
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1232
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1233
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
1234
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
|
1231
1235
|
#
|
|
1232
1236
|
# @option params [String] :policy
|
|
1233
1237
|
# The key policy to attach to the KMS key. If you do not specify a key
|
|
@@ -1255,31 +1259,30 @@ module Aws::KMS
|
|
|
1255
1259
|
# visible][3] in the *Amazon Web Services Identity and Access
|
|
1256
1260
|
# Management User Guide*.
|
|
1257
1261
|
#
|
|
1258
|
-
# A key policy document
|
|
1259
|
-
#
|
|
1260
|
-
# * Up to 32 kilobytes (32768 bytes)
|
|
1262
|
+
# A key policy document can include only the following characters:
|
|
1261
1263
|
#
|
|
1262
|
-
# *
|
|
1264
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
1265
|
+
# through the end of the ASCII character range.
|
|
1263
1266
|
#
|
|
1264
|
-
# *
|
|
1265
|
-
#
|
|
1266
|
-
# carriage return (U+000D), and characters in the range U+0020 to
|
|
1267
|
-
# U+00FF.
|
|
1267
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
1268
|
+
# character set (through `\u00FF`).
|
|
1268
1269
|
#
|
|
1269
|
-
# * The `
|
|
1270
|
-
# (
|
|
1271
|
-
# document.)
|
|
1270
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
1271
|
+
# (`\u000D`) special characters
|
|
1272
1272
|
#
|
|
1273
|
-
# For
|
|
1274
|
-
#
|
|
1275
|
-
#
|
|
1273
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
1274
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
1275
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
1276
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
1277
|
+
# Guide</i> </i>.
|
|
1276
1278
|
#
|
|
1277
1279
|
#
|
|
1278
1280
|
#
|
|
1279
1281
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
1280
1282
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
1281
1283
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
1282
|
-
# [4]: https://docs.aws.amazon.com/
|
|
1284
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
1285
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
1283
1286
|
#
|
|
1284
1287
|
# @option params [String] :description
|
|
1285
1288
|
# A description of the KMS key.
|
|
@@ -1311,6 +1314,9 @@ module Aws::KMS
|
|
|
1311
1314
|
# * For asymmetric KMS keys with ECC key material, specify
|
|
1312
1315
|
# `SIGN_VERIFY`.
|
|
1313
1316
|
#
|
|
1317
|
+
# * For asymmetric KMS keys with SM2 key material (China Regions only),
|
|
1318
|
+
# specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
1319
|
+
#
|
|
1314
1320
|
#
|
|
1315
1321
|
#
|
|
1316
1322
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
|
@@ -1325,10 +1331,11 @@ module Aws::KMS
|
|
|
1325
1331
|
#
|
|
1326
1332
|
# @option params [String] :key_spec
|
|
1327
1333
|
# Specifies the type of KMS key to create. The default value,
|
|
1328
|
-
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit
|
|
1329
|
-
# for encryption and decryption
|
|
1330
|
-
#
|
|
1331
|
-
#
|
|
1334
|
+
# `SYMMETRIC_DEFAULT`, creates a KMS key with a 256-bit AES-GCM key that
|
|
1335
|
+
# is used for encryption and decryption, except in China Regions, where
|
|
1336
|
+
# it creates a 128-bit symmetric key that uses SM4 encryption. For help
|
|
1337
|
+
# choosing a key spec for your KMS key, see [Choosing a KMS key type][1]
|
|
1338
|
+
# in the <i> <i>Key Management Service Developer Guide</i> </i>.
|
|
1332
1339
|
#
|
|
1333
1340
|
# The `KeySpec` determines whether the KMS key contains a symmetric key
|
|
1334
1341
|
# or an asymmetric key pair. It also determines the cryptographic
|
|
@@ -1347,7 +1354,7 @@ module Aws::KMS
|
|
|
1347
1354
|
#
|
|
1348
1355
|
# * Symmetric encryption key (default)
|
|
1349
1356
|
#
|
|
1350
|
-
# * `SYMMETRIC_DEFAULT`
|
|
1357
|
+
# * `SYMMETRIC_DEFAULT`
|
|
1351
1358
|
#
|
|
1352
1359
|
# ^
|
|
1353
1360
|
#
|
|
@@ -1383,6 +1390,12 @@ module Aws::KMS
|
|
|
1383
1390
|
#
|
|
1384
1391
|
# ^
|
|
1385
1392
|
#
|
|
1393
|
+
# * SM2 key pairs (China Regions only)
|
|
1394
|
+
#
|
|
1395
|
+
# * `SM2`
|
|
1396
|
+
#
|
|
1397
|
+
# ^
|
|
1398
|
+
#
|
|
1386
1399
|
#
|
|
1387
1400
|
#
|
|
1388
1401
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-choose
|
|
@@ -1431,7 +1444,7 @@ module Aws::KMS
|
|
|
1431
1444
|
# The response includes the custom key store ID and the ID of the
|
|
1432
1445
|
# CloudHSM cluster.
|
|
1433
1446
|
#
|
|
1434
|
-
# This operation is part of the [
|
|
1447
|
+
# This operation is part of the [custom key store feature][1] feature in
|
|
1435
1448
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
1436
1449
|
# with the isolation and control of a single-tenant key store.
|
|
1437
1450
|
#
|
|
@@ -1767,8 +1780,8 @@ module Aws::KMS
|
|
|
1767
1780
|
# policy: "PolicyType",
|
|
1768
1781
|
# description: "DescriptionType",
|
|
1769
1782
|
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
1770
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
1771
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512
|
|
1783
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
1784
|
+
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
1772
1785
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
1773
1786
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
1774
1787
|
# bypass_policy_lockout_safety_check: false,
|
|
@@ -1798,12 +1811,12 @@ module Aws::KMS
|
|
|
1798
1811
|
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
|
1799
1812
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
|
1800
1813
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
|
1801
|
-
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
1802
|
-
# resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
1814
|
+
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
1815
|
+
# resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
1803
1816
|
# resp.key_metadata.encryption_algorithms #=> Array
|
|
1804
|
-
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
1817
|
+
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
1805
1818
|
# resp.key_metadata.signing_algorithms #=> Array
|
|
1806
|
-
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
1819
|
+
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
1807
1820
|
# resp.key_metadata.multi_region #=> Boolean
|
|
1808
1821
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
1809
1822
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -2024,14 +2037,14 @@ module Aws::KMS
|
|
|
2024
2037
|
# },
|
|
2025
2038
|
# grant_tokens: ["GrantTokenType"],
|
|
2026
2039
|
# key_id: "KeyIdType",
|
|
2027
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
2040
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
2028
2041
|
# })
|
|
2029
2042
|
#
|
|
2030
2043
|
# @example Response structure
|
|
2031
2044
|
#
|
|
2032
2045
|
# resp.key_id #=> String
|
|
2033
2046
|
# resp.plaintext #=> String
|
|
2034
|
-
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
2047
|
+
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
2035
2048
|
#
|
|
2036
2049
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
|
|
2037
2050
|
#
|
|
@@ -2120,15 +2133,15 @@ module Aws::KMS
|
|
|
2120
2133
|
# CloudHSM cluster that is associated with the custom key store, or
|
|
2121
2134
|
# affect any users or keys in the cluster.
|
|
2122
2135
|
#
|
|
2123
|
-
# The custom key store that you delete cannot contain any KMS [
|
|
2124
|
-
#
|
|
2125
|
-
#
|
|
2126
|
-
#
|
|
2127
|
-
#
|
|
2128
|
-
#
|
|
2129
|
-
#
|
|
2130
|
-
#
|
|
2131
|
-
#
|
|
2136
|
+
# The custom key store that you delete cannot contain any [KMS keys][2].
|
|
2137
|
+
# Before deleting the key store, verify that you will never need to use
|
|
2138
|
+
# any of the KMS keys in the key store for any [cryptographic
|
|
2139
|
+
# operations][3]. Then, use ScheduleKeyDeletion to delete the KMS keys
|
|
2140
|
+
# from the key store. When the scheduled waiting period expires, the
|
|
2141
|
+
# `ScheduleKeyDeletion` operation deletes the KMS keys. Then it makes a
|
|
2142
|
+
# best effort to delete the key material from the associated cluster.
|
|
2143
|
+
# However, you might need to manually [delete the orphaned key
|
|
2144
|
+
# material][4] from the cluster and its backups.
|
|
2132
2145
|
#
|
|
2133
2146
|
# After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore
|
|
2134
2147
|
# to disconnect the key store from KMS. Then, you can delete the custom
|
|
@@ -2143,7 +2156,7 @@ module Aws::KMS
|
|
|
2143
2156
|
# If the operation succeeds, it returns a JSON object with no
|
|
2144
2157
|
# properties.
|
|
2145
2158
|
#
|
|
2146
|
-
# This operation is part of the [
|
|
2159
|
+
# This operation is part of the [custom key store feature][1] feature in
|
|
2147
2160
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
2148
2161
|
# with the isolation and control of a single-tenant key store.
|
|
2149
2162
|
#
|
|
@@ -2287,7 +2300,7 @@ module Aws::KMS
|
|
|
2287
2300
|
# Gets information about [custom key stores][1] in the account and
|
|
2288
2301
|
# Region.
|
|
2289
2302
|
#
|
|
2290
|
-
# This operation is part of the [
|
|
2303
|
+
# This operation is part of the [custom key store feature][1] feature in
|
|
2291
2304
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
2292
2305
|
# with the isolation and control of a single-tenant key store.
|
|
2293
2306
|
#
|
|
@@ -2372,6 +2385,8 @@ module Aws::KMS
|
|
|
2372
2385
|
# * {Types::DescribeCustomKeyStoresResponse#next_marker #next_marker} => String
|
|
2373
2386
|
# * {Types::DescribeCustomKeyStoresResponse#truncated #truncated} => Boolean
|
|
2374
2387
|
#
|
|
2388
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
|
2389
|
+
#
|
|
2375
2390
|
#
|
|
2376
2391
|
# @example Example: To get detailed information about custom key stores in the account and Region
|
|
2377
2392
|
#
|
|
@@ -2427,7 +2442,7 @@ module Aws::KMS
|
|
|
2427
2442
|
# resp.custom_key_stores[0].cloud_hsm_cluster_id #=> String
|
|
2428
2443
|
# resp.custom_key_stores[0].trust_anchor_certificate #=> String
|
|
2429
2444
|
# resp.custom_key_stores[0].connection_state #=> String, one of "CONNECTED", "CONNECTING", "FAILED", "DISCONNECTED", "DISCONNECTING"
|
|
2430
|
-
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND"
|
|
2445
|
+
# resp.custom_key_stores[0].connection_error_code #=> String, one of "INVALID_CREDENTIALS", "CLUSTER_NOT_FOUND", "NETWORK_ERRORS", "INTERNAL_ERROR", "INSUFFICIENT_CLOUDHSM_HSMS", "USER_LOCKED_OUT", "USER_NOT_FOUND", "USER_LOGGED_IN", "SUBNET_NOT_FOUND", "INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET"
|
|
2431
2446
|
# resp.custom_key_stores[0].creation_date #=> Time
|
|
2432
2447
|
# resp.next_marker #=> String
|
|
2433
2448
|
# resp.truncated #=> Boolean
|
|
@@ -2464,7 +2479,7 @@ module Aws::KMS
|
|
|
2464
2479
|
# * Whether automatic key rotation is enabled on the KMS key. To get
|
|
2465
2480
|
# this information, use GetKeyRotationStatus. Also, some key states
|
|
2466
2481
|
# prevent a KMS key from being automatically rotated. For details, see
|
|
2467
|
-
# [How Automatic Key Rotation Works][3] in *Key Management Service
|
|
2482
|
+
# [How Automatic Key Rotation Works][3] in the *Key Management Service
|
|
2468
2483
|
# Developer Guide*.
|
|
2469
2484
|
#
|
|
2470
2485
|
# * Tags on the KMS key. To get this information, use ListResourceTags.
|
|
@@ -2724,12 +2739,12 @@ module Aws::KMS
|
|
|
2724
2739
|
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
|
2725
2740
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
|
2726
2741
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
|
2727
|
-
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
2728
|
-
# resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
2742
|
+
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
2743
|
+
# resp.key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
2729
2744
|
# resp.key_metadata.encryption_algorithms #=> Array
|
|
2730
|
-
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
2745
|
+
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
2731
2746
|
# resp.key_metadata.signing_algorithms #=> Array
|
|
2732
|
-
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
2747
|
+
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
2733
2748
|
# resp.key_metadata.multi_region #=> Boolean
|
|
2734
2749
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
2735
2750
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -2940,7 +2955,7 @@ module Aws::KMS
|
|
|
2940
2955
|
# If the operation succeeds, it returns a JSON object with no
|
|
2941
2956
|
# properties.
|
|
2942
2957
|
#
|
|
2943
|
-
# This operation is part of the [
|
|
2958
|
+
# This operation is part of the [custom key store feature][1] feature in
|
|
2944
2959
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
2945
2960
|
# with the isolation and control of a single-tenant key store.
|
|
2946
2961
|
#
|
|
@@ -3204,7 +3219,7 @@ module Aws::KMS
|
|
|
3204
3219
|
#
|
|
3205
3220
|
# If you specify an asymmetric KMS key, you must also specify the
|
|
3206
3221
|
# encryption algorithm. The algorithm must be compatible with the KMS
|
|
3207
|
-
# key
|
|
3222
|
+
# key spec.
|
|
3208
3223
|
#
|
|
3209
3224
|
# When you use an asymmetric KMS key to encrypt or reencrypt data, be
|
|
3210
3225
|
# sure to record the KMS key and encryption algorithm that you choose.
|
|
@@ -3246,6 +3261,8 @@ module Aws::KMS
|
|
|
3246
3261
|
#
|
|
3247
3262
|
# * `RSAES_OAEP_SHA_256`\: 446 bytes
|
|
3248
3263
|
#
|
|
3264
|
+
# * `SM2PKE`\: 1024 bytes (China Regions only)
|
|
3265
|
+
#
|
|
3249
3266
|
# The KMS key that you use for this operation must be in a compatible
|
|
3250
3267
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
3251
3268
|
# Management Service Developer Guide*.
|
|
@@ -3374,14 +3391,14 @@ module Aws::KMS
|
|
|
3374
3391
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
3375
3392
|
# },
|
|
3376
3393
|
# grant_tokens: ["GrantTokenType"],
|
|
3377
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
3394
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
3378
3395
|
# })
|
|
3379
3396
|
#
|
|
3380
3397
|
# @example Response structure
|
|
3381
3398
|
#
|
|
3382
3399
|
# resp.ciphertext_blob #=> String
|
|
3383
3400
|
# resp.key_id #=> String
|
|
3384
|
-
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
3401
|
+
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
3385
3402
|
#
|
|
3386
3403
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt AWS API Documentation
|
|
3387
3404
|
#
|
|
@@ -3403,9 +3420,16 @@ module Aws::KMS
|
|
|
3403
3420
|
# To generate a data key, specify the symmetric encryption KMS key that
|
|
3404
3421
|
# will be used to encrypt the data key. You cannot use an asymmetric KMS
|
|
3405
3422
|
# key to encrypt data keys. To get the type of your KMS key, use the
|
|
3406
|
-
# DescribeKey operation.
|
|
3407
|
-
#
|
|
3408
|
-
#
|
|
3423
|
+
# DescribeKey operation.
|
|
3424
|
+
#
|
|
3425
|
+
# You must also specify the length of the data key. Use either the
|
|
3426
|
+
# `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
|
|
3427
|
+
# and 256-bit data keys, use the `KeySpec` parameter.
|
|
3428
|
+
#
|
|
3429
|
+
# To generate an SM4 data key (China Regions only), specify a `KeySpec`
|
|
3430
|
+
# value of `AES_128` or `NumberOfBytes` value of `128`. The symmetric
|
|
3431
|
+
# encryption key used in China Regions to encrypt your data key is an
|
|
3432
|
+
# SM4 encryption key.
|
|
3409
3433
|
#
|
|
3410
3434
|
# To get only an encrypted copy of the data key, use
|
|
3411
3435
|
# GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
|
|
@@ -3632,10 +3656,11 @@ module Aws::KMS
|
|
|
3632
3656
|
# type and origin of your KMS key, use the DescribeKey operation.
|
|
3633
3657
|
#
|
|
3634
3658
|
# Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
|
|
3635
|
-
# (ECC) data key pair.
|
|
3636
|
-
#
|
|
3637
|
-
#
|
|
3638
|
-
#
|
|
3659
|
+
# (ECC) data key pair. In China Regions, you can also choose an SM2 data
|
|
3660
|
+
# key pair. KMS recommends that you use ECC key pairs for signing, and
|
|
3661
|
+
# use RSA and SM2 key pairs for either encryption or signing, but not
|
|
3662
|
+
# both. However, KMS cannot enforce any restrictions on the use of data
|
|
3663
|
+
# key pairs outside of KMS.
|
|
3639
3664
|
#
|
|
3640
3665
|
# If you are using the data key pair to encrypt data, or for any
|
|
3641
3666
|
# operation where you don't immediately need a private key, consider
|
|
@@ -3738,10 +3763,12 @@ module Aws::KMS
|
|
|
3738
3763
|
# @option params [required, String] :key_pair_spec
|
|
3739
3764
|
# Determines the type of data key pair that is generated.
|
|
3740
3765
|
#
|
|
3741
|
-
# The KMS rule that restricts the use of asymmetric RSA KMS keys
|
|
3742
|
-
# encrypt and decrypt or to sign and verify (but not both), and the
|
|
3743
|
-
# that permits you to use ECC KMS keys only to sign and verify, are
|
|
3744
|
-
# effective on data key pairs, which are used outside of KMS.
|
|
3766
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
|
|
3767
|
+
# to encrypt and decrypt or to sign and verify (but not both), and the
|
|
3768
|
+
# rule that permits you to use ECC KMS keys only to sign and verify, are
|
|
3769
|
+
# not effective on data key pairs, which are used outside of KMS. The
|
|
3770
|
+
# SM2 key spec is only available in China Regions. RSA and ECC
|
|
3771
|
+
# asymmetric key pairs are also available in China Regions.
|
|
3745
3772
|
#
|
|
3746
3773
|
# @option params [Array<String>] :grant_tokens
|
|
3747
3774
|
# A list of grant tokens.
|
|
@@ -3791,7 +3818,7 @@ module Aws::KMS
|
|
|
3791
3818
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
3792
3819
|
# },
|
|
3793
3820
|
# key_id: "KeyIdType", # required
|
|
3794
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
3821
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
3795
3822
|
# grant_tokens: ["GrantTokenType"],
|
|
3796
3823
|
# })
|
|
3797
3824
|
#
|
|
@@ -3801,7 +3828,7 @@ module Aws::KMS
|
|
|
3801
3828
|
# resp.private_key_plaintext #=> String
|
|
3802
3829
|
# resp.public_key #=> String
|
|
3803
3830
|
# resp.key_id #=> String
|
|
3804
|
-
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
|
|
3831
|
+
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
|
|
3805
3832
|
#
|
|
3806
3833
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
|
|
3807
3834
|
#
|
|
@@ -3831,10 +3858,11 @@ module Aws::KMS
|
|
|
3831
3858
|
# type and origin of your KMS key, use the DescribeKey operation.
|
|
3832
3859
|
#
|
|
3833
3860
|
# Use the `KeyPairSpec` parameter to choose an RSA or Elliptic Curve
|
|
3834
|
-
# (ECC) data key pair.
|
|
3835
|
-
#
|
|
3836
|
-
#
|
|
3837
|
-
#
|
|
3861
|
+
# (ECC) data key pair. In China Regions, you can also choose an SM2 data
|
|
3862
|
+
# key pair. KMS recommends that you use ECC key pairs for signing, and
|
|
3863
|
+
# use RSA and SM2 key pairs for either encryption or signing, but not
|
|
3864
|
+
# both. However, KMS cannot enforce any restrictions on the use of data
|
|
3865
|
+
# key pairs outside of KMS.
|
|
3838
3866
|
#
|
|
3839
3867
|
# `GenerateDataKeyPairWithoutPlaintext` returns a unique data key pair
|
|
3840
3868
|
# for each request. The bytes in the key are not related to the caller
|
|
@@ -3927,10 +3955,12 @@ module Aws::KMS
|
|
|
3927
3955
|
# @option params [required, String] :key_pair_spec
|
|
3928
3956
|
# Determines the type of data key pair that is generated.
|
|
3929
3957
|
#
|
|
3930
|
-
# The KMS rule that restricts the use of asymmetric RSA KMS keys
|
|
3931
|
-
# encrypt and decrypt or to sign and verify (but not both), and the
|
|
3932
|
-
# that permits you to use ECC KMS keys only to sign and verify, are
|
|
3933
|
-
# effective on data key pairs, which are used outside of KMS.
|
|
3958
|
+
# The KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
|
|
3959
|
+
# to encrypt and decrypt or to sign and verify (but not both), and the
|
|
3960
|
+
# rule that permits you to use ECC KMS keys only to sign and verify, are
|
|
3961
|
+
# not effective on data key pairs, which are used outside of KMS. The
|
|
3962
|
+
# SM2 key spec is only available in China Regions. RSA and ECC
|
|
3963
|
+
# asymmetric key pairs are also available in China Regions.
|
|
3934
3964
|
#
|
|
3935
3965
|
# @option params [Array<String>] :grant_tokens
|
|
3936
3966
|
# A list of grant tokens.
|
|
@@ -3978,7 +4008,7 @@ module Aws::KMS
|
|
|
3978
4008
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
3979
4009
|
# },
|
|
3980
4010
|
# key_id: "KeyIdType", # required
|
|
3981
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
|
4011
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
3982
4012
|
# grant_tokens: ["GrantTokenType"],
|
|
3983
4013
|
# })
|
|
3984
4014
|
#
|
|
@@ -3987,7 +4017,7 @@ module Aws::KMS
|
|
|
3987
4017
|
# resp.private_key_ciphertext_blob #=> String
|
|
3988
4018
|
# resp.public_key #=> String
|
|
3989
4019
|
# resp.key_id #=> String
|
|
3990
|
-
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
|
|
4020
|
+
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
|
|
3991
4021
|
#
|
|
3992
4022
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
|
|
3993
4023
|
#
|
|
@@ -4315,6 +4345,9 @@ module Aws::KMS
|
|
|
4315
4345
|
|
|
4316
4346
|
# Returns a random byte string that is cryptographically secure.
|
|
4317
4347
|
#
|
|
4348
|
+
# You must use the `NumberOfBytes` parameter to specify the length of
|
|
4349
|
+
# the random byte string. There is no default value for string length.
|
|
4350
|
+
#
|
|
4318
4351
|
# By default, the random byte string is generated in KMS. To generate
|
|
4319
4352
|
# the byte string in the CloudHSM cluster that is associated with a
|
|
4320
4353
|
# [custom key store][1], specify the custom key store ID.
|
|
@@ -4328,6 +4361,9 @@ module Aws::KMS
|
|
|
4328
4361
|
# For more information about entropy and random number generation, see
|
|
4329
4362
|
# [Key Management Service Cryptographic Details][4].
|
|
4330
4363
|
#
|
|
4364
|
+
# **Cross-account use**\: Not applicable. `GenerateRandom` does not use
|
|
4365
|
+
# any account-specific resources, such as KMS keys.
|
|
4366
|
+
#
|
|
4331
4367
|
# **Required permissions**\: [kms:GenerateRandom][5] (IAM policy)
|
|
4332
4368
|
#
|
|
4333
4369
|
#
|
|
@@ -4339,7 +4375,7 @@ module Aws::KMS
|
|
|
4339
4375
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
4340
4376
|
#
|
|
4341
4377
|
# @option params [Integer] :number_of_bytes
|
|
4342
|
-
# The length of the byte string.
|
|
4378
|
+
# The length of the random byte string. This parameter is required.
|
|
4343
4379
|
#
|
|
4344
4380
|
# @option params [String] :custom_key_store_id
|
|
4345
4381
|
# Generates the random byte string in the CloudHSM cluster that is
|
|
@@ -4726,8 +4762,12 @@ module Aws::KMS
|
|
|
4726
4762
|
# the public key within KMS, you benefit from the authentication,
|
|
4727
4763
|
# authorization, and logging that are part of every KMS operation. You
|
|
4728
4764
|
# also reduce of risk of encrypting data that cannot be decrypted. These
|
|
4729
|
-
# features are not effective outside of KMS.
|
|
4730
|
-
#
|
|
4765
|
+
# features are not effective outside of KMS.
|
|
4766
|
+
#
|
|
4767
|
+
# To verify a signature outside of KMS with an SM2 public key (China
|
|
4768
|
+
# Regions only), you must specify the distinguishing ID. By default, KMS
|
|
4769
|
+
# uses `1234567812345678` as the distinguishing ID. For more
|
|
4770
|
+
# information, see [Offline verification with SM2 key pairs][2].
|
|
4731
4771
|
#
|
|
4732
4772
|
# To help you use the public key safely outside of KMS, `GetPublicKey`
|
|
4733
4773
|
# returns important information about the public key in the response,
|
|
@@ -4764,7 +4804,7 @@ module Aws::KMS
|
|
|
4764
4804
|
#
|
|
4765
4805
|
#
|
|
4766
4806
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
4767
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4807
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
|
|
4768
4808
|
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec
|
|
4769
4809
|
# [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
|
|
4770
4810
|
# [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
|
|
@@ -4851,13 +4891,13 @@ module Aws::KMS
|
|
|
4851
4891
|
#
|
|
4852
4892
|
# resp.key_id #=> String
|
|
4853
4893
|
# resp.public_key #=> String
|
|
4854
|
-
# resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
4855
|
-
# resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
4894
|
+
# resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
4895
|
+
# resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
4856
4896
|
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
|
4857
4897
|
# resp.encryption_algorithms #=> Array
|
|
4858
|
-
# resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
4898
|
+
# resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
4859
4899
|
# resp.signing_algorithms #=> Array
|
|
4860
|
-
# resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
4900
|
+
# resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
4861
4901
|
#
|
|
4862
4902
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
|
|
4863
4903
|
#
|
|
@@ -5654,6 +5694,8 @@ module Aws::KMS
|
|
|
5654
5694
|
# * {Types::ListResourceTagsResponse#next_marker #next_marker} => String
|
|
5655
5695
|
# * {Types::ListResourceTagsResponse#truncated #truncated} => Boolean
|
|
5656
5696
|
#
|
|
5697
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
|
5698
|
+
#
|
|
5657
5699
|
#
|
|
5658
5700
|
# @example Example: To list tags for a KMS key
|
|
5659
5701
|
#
|
|
@@ -5782,6 +5824,8 @@ module Aws::KMS
|
|
|
5782
5824
|
# * {Types::ListGrantsResponse#next_marker #next_marker} => String
|
|
5783
5825
|
# * {Types::ListGrantsResponse#truncated #truncated} => Boolean
|
|
5784
5826
|
#
|
|
5827
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
|
5828
|
+
#
|
|
5785
5829
|
#
|
|
5786
5830
|
# @example Example: To list grants that the specified principal can retire
|
|
5787
5831
|
#
|
|
@@ -5910,25 +5954,29 @@ module Aws::KMS
|
|
|
5910
5954
|
# visible][2] in the *Amazon Web Services Identity and Access
|
|
5911
5955
|
# Management User Guide*.
|
|
5912
5956
|
#
|
|
5913
|
-
# A key policy document
|
|
5957
|
+
# A key policy document can include only the following characters:
|
|
5914
5958
|
#
|
|
5915
|
-
# *
|
|
5959
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
5960
|
+
# through the end of the ASCII character range.
|
|
5916
5961
|
#
|
|
5917
|
-
# *
|
|
5962
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
5963
|
+
# character set (through `\u00FF`).
|
|
5918
5964
|
#
|
|
5919
|
-
# * The
|
|
5920
|
-
#
|
|
5921
|
-
# carriage return (U+000D), and characters in the range U+0020 to
|
|
5922
|
-
# U+00FF.
|
|
5965
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
5966
|
+
# (`\u000D`) special characters
|
|
5923
5967
|
#
|
|
5924
|
-
#
|
|
5925
|
-
#
|
|
5926
|
-
#
|
|
5968
|
+
# For information about key policies, see [Key policies in KMS][3] in
|
|
5969
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
5970
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
5971
|
+
# Reference][4] in the <i> <i>Identity and Access Management User
|
|
5972
|
+
# Guide</i> </i>.
|
|
5927
5973
|
#
|
|
5928
5974
|
#
|
|
5929
5975
|
#
|
|
5930
5976
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
5931
5977
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
5978
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
5979
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
5932
5980
|
#
|
|
5933
5981
|
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
|
5934
5982
|
# A flag to indicate whether to bypass the key policy lockout safety
|
|
@@ -6260,8 +6308,8 @@ module Aws::KMS
|
|
|
6260
6308
|
# destination_encryption_context: {
|
|
6261
6309
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
6262
6310
|
# },
|
|
6263
|
-
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
6264
|
-
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
6311
|
+
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
6312
|
+
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
6265
6313
|
# grant_tokens: ["GrantTokenType"],
|
|
6266
6314
|
# })
|
|
6267
6315
|
#
|
|
@@ -6270,8 +6318,8 @@ module Aws::KMS
|
|
|
6270
6318
|
# resp.ciphertext_blob #=> String
|
|
6271
6319
|
# resp.source_key_id #=> String
|
|
6272
6320
|
# resp.key_id #=> String
|
|
6273
|
-
# resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
6274
|
-
# resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
6321
|
+
# resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
6322
|
+
# resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
6275
6323
|
#
|
|
6276
6324
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt AWS API Documentation
|
|
6277
6325
|
#
|
|
@@ -6466,26 +6514,30 @@ module Aws::KMS
|
|
|
6466
6514
|
# visible][3] in the <i> <i>Identity and Access Management User
|
|
6467
6515
|
# Guide</i> </i>.
|
|
6468
6516
|
#
|
|
6469
|
-
# A key policy document
|
|
6517
|
+
# A key policy document can include only the following characters:
|
|
6470
6518
|
#
|
|
6471
|
-
# *
|
|
6519
|
+
# * Printable ASCII characters from the space character (`\u0020`)
|
|
6520
|
+
# through the end of the ASCII character range.
|
|
6472
6521
|
#
|
|
6473
|
-
# *
|
|
6522
|
+
# * Printable characters in the Basic Latin and Latin-1 Supplement
|
|
6523
|
+
# character set (through `\u00FF`).
|
|
6474
6524
|
#
|
|
6475
|
-
# * The
|
|
6476
|
-
#
|
|
6477
|
-
# carriage return (U+000D), and characters in the range U+0020 to
|
|
6478
|
-
# U+00FF.
|
|
6525
|
+
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
6526
|
+
# (`\u000D`) special characters
|
|
6479
6527
|
#
|
|
6480
|
-
#
|
|
6481
|
-
#
|
|
6482
|
-
#
|
|
6528
|
+
# For information about key policies, see [Key policies in KMS][4] in
|
|
6529
|
+
# the *Key Management Service Developer Guide*. For help writing and
|
|
6530
|
+
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
6531
|
+
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
6532
|
+
# Guide</i> </i>.
|
|
6483
6533
|
#
|
|
6484
6534
|
#
|
|
6485
6535
|
#
|
|
6486
6536
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
6487
6537
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
6488
6538
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
6539
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
6540
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
6489
6541
|
#
|
|
6490
6542
|
# @option params [Boolean] :bypass_policy_lockout_safety_check
|
|
6491
6543
|
# A flag to indicate whether to bypass the key policy lockout safety
|
|
@@ -6637,12 +6689,12 @@ module Aws::KMS
|
|
|
6637
6689
|
# resp.replica_key_metadata.cloud_hsm_cluster_id #=> String
|
|
6638
6690
|
# resp.replica_key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
|
6639
6691
|
# resp.replica_key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
|
6640
|
-
# resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
6641
|
-
# resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"
|
|
6692
|
+
# resp.replica_key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
6693
|
+
# resp.replica_key_metadata.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
6642
6694
|
# resp.replica_key_metadata.encryption_algorithms #=> Array
|
|
6643
|
-
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
|
6695
|
+
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
6644
6696
|
# resp.replica_key_metadata.signing_algorithms #=> Array
|
|
6645
|
-
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
6697
|
+
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
6646
6698
|
# resp.replica_key_metadata.multi_region #=> Boolean
|
|
6647
6699
|
# resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
6648
6700
|
# resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -7144,14 +7196,14 @@ module Aws::KMS
|
|
|
7144
7196
|
# message: "data", # required
|
|
7145
7197
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
7146
7198
|
# grant_tokens: ["GrantTokenType"],
|
|
7147
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
7199
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
7148
7200
|
# })
|
|
7149
7201
|
#
|
|
7150
7202
|
# @example Response structure
|
|
7151
7203
|
#
|
|
7152
7204
|
# resp.key_id #=> String
|
|
7153
7205
|
# resp.signature #=> String
|
|
7154
|
-
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
7206
|
+
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
7155
7207
|
#
|
|
7156
7208
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
|
|
7157
7209
|
#
|
|
@@ -7442,7 +7494,7 @@ module Aws::KMS
|
|
|
7442
7494
|
# @option params [required, String] :alias_name
|
|
7443
7495
|
# Identifies the alias that is changing its KMS key. This value must
|
|
7444
7496
|
# begin with `alias/` followed by the alias name, such as
|
|
7445
|
-
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
|
|
7497
|
+
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the alias
|
|
7446
7498
|
# name.
|
|
7447
7499
|
#
|
|
7448
7500
|
# @option params [required, String] :target_key_id
|
|
@@ -7541,7 +7593,7 @@ module Aws::KMS
|
|
|
7541
7593
|
# If the operation succeeds, it returns a JSON object with no
|
|
7542
7594
|
# properties.
|
|
7543
7595
|
#
|
|
7544
|
-
# This operation is part of the [
|
|
7596
|
+
# This operation is part of the [custom key store feature][3] feature in
|
|
7545
7597
|
# KMS, which combines the convenience and extensive integration of KMS
|
|
7546
7598
|
# with the isolation and control of a single-tenant key store.
|
|
7547
7599
|
#
|
|
@@ -7888,7 +7940,11 @@ module Aws::KMS
|
|
|
7888
7940
|
# You can also verify the digital signature by using the public key of
|
|
7889
7941
|
# the KMS key outside of KMS. Use the GetPublicKey operation to download
|
|
7890
7942
|
# the public key in the asymmetric KMS key and then use the public key
|
|
7891
|
-
# to verify the signature outside of KMS.
|
|
7943
|
+
# to verify the signature outside of KMS. To verify a signature outside
|
|
7944
|
+
# of KMS with an SM2 public key, you must specify the distinguishing ID.
|
|
7945
|
+
# By default, KMS uses `1234567812345678` as the distinguishing ID. For
|
|
7946
|
+
# more information, see [Offline verification with SM2 key pairs][2] in
|
|
7947
|
+
# *Key Management Service Developer Guide*. The advantage of using the
|
|
7892
7948
|
# `Verify` operation is that it is performed within KMS. As a result,
|
|
7893
7949
|
# it's easy to call, the operation is performed within the FIPS
|
|
7894
7950
|
# boundary, it is logged in CloudTrail, and you can use key policy and
|
|
@@ -7896,22 +7952,23 @@ module Aws::KMS
|
|
|
7896
7952
|
# signatures.
|
|
7897
7953
|
#
|
|
7898
7954
|
# The KMS key that you use for this operation must be in a compatible
|
|
7899
|
-
# key state. For details, see [Key states of KMS keys][
|
|
7955
|
+
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
7900
7956
|
# Management Service Developer Guide*.
|
|
7901
7957
|
#
|
|
7902
7958
|
# **Cross-account use**\: Yes. To perform this operation with a KMS key
|
|
7903
7959
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
7904
7960
|
# alias ARN in the value of the `KeyId` parameter.
|
|
7905
7961
|
#
|
|
7906
|
-
# **Required permissions**\: [kms:Verify][
|
|
7962
|
+
# **Required permissions**\: [kms:Verify][4] (key policy)
|
|
7907
7963
|
#
|
|
7908
7964
|
# **Related operations**\: Sign
|
|
7909
7965
|
#
|
|
7910
7966
|
#
|
|
7911
7967
|
#
|
|
7912
7968
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
7913
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
|
7914
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
7969
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification
|
|
7970
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
7971
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
7915
7972
|
#
|
|
7916
7973
|
# @option params [required, String] :key_id
|
|
7917
7974
|
# Identifies the asymmetric KMS key that will be used to verify the
|
|
@@ -8010,7 +8067,7 @@ module Aws::KMS
|
|
|
8010
8067
|
# message: "data", # required
|
|
8011
8068
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
8012
8069
|
# signature: "data", # required
|
|
8013
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
|
8070
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
8014
8071
|
# grant_tokens: ["GrantTokenType"],
|
|
8015
8072
|
# })
|
|
8016
8073
|
#
|
|
@@ -8018,7 +8075,7 @@ module Aws::KMS
|
|
|
8018
8075
|
#
|
|
8019
8076
|
# resp.key_id #=> String
|
|
8020
8077
|
# resp.signature_valid #=> Boolean
|
|
8021
|
-
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
|
8078
|
+
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
8022
8079
|
#
|
|
8023
8080
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
|
|
8024
8081
|
#
|
|
@@ -8164,7 +8221,7 @@ module Aws::KMS
|
|
|
8164
8221
|
params: params,
|
|
8165
8222
|
config: config)
|
|
8166
8223
|
context[:gem_name] = 'aws-sdk-kms'
|
|
8167
|
-
context[:gem_version] = '1.
|
|
8224
|
+
context[:gem_version] = '1.58.0'
|
|
8168
8225
|
Seahorse::Client::Request.new(handlers, context)
|
|
8169
8226
|
end
|
|
8170
8227
|
|