aws-sdk-kms 1.59.0 → 1.60.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1158 -447
- data/lib/aws-sdk-kms/client_api.rb +111 -7
- data/lib/aws-sdk-kms/endpoint_parameters.rb +3 -0
- data/lib/aws-sdk-kms/endpoint_provider.rb +76 -76
- data/lib/aws-sdk-kms/errors.rb +192 -0
- data/lib/aws-sdk-kms/types.rb +1034 -206
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -110,14 +110,14 @@ module Aws::KMS
|
|
110
110
|
end
|
111
111
|
|
112
112
|
# The request was rejected because the specified CloudHSM cluster is
|
113
|
-
# already associated with
|
114
|
-
#
|
115
|
-
# Each
|
116
|
-
# cluster.
|
113
|
+
# already associated with an CloudHSM key store in the account, or it
|
114
|
+
# shares a backup history with an CloudHSM key store in the account.
|
115
|
+
# Each CloudHSM key store in the account must be associated with a
|
116
|
+
# different CloudHSM cluster.
|
117
117
|
#
|
118
|
-
#
|
119
|
-
# certificate. To view the cluster certificate of
|
120
|
-
# [DescribeClusters][1] operation.
|
118
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
119
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
120
|
+
# use the [DescribeClusters][1] operation.
|
121
121
|
#
|
122
122
|
#
|
123
123
|
#
|
@@ -135,22 +135,23 @@ module Aws::KMS
|
|
135
135
|
end
|
136
136
|
|
137
137
|
# The request was rejected because the associated CloudHSM cluster did
|
138
|
-
# not meet the configuration requirements for
|
138
|
+
# not meet the configuration requirements for an CloudHSM key store.
|
139
139
|
#
|
140
|
-
# * The cluster must be configured with private subnets in at
|
141
|
-
# different Availability Zones in the Region.
|
140
|
+
# * The CloudHSM cluster must be configured with private subnets in at
|
141
|
+
# least two different Availability Zones in the Region.
|
142
142
|
#
|
143
143
|
# * The [security group for the cluster][1]
|
144
144
|
# (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
|
145
145
|
# rules and outbound rules that allow TCP traffic on ports 2223-2225.
|
146
146
|
# The **Source** in the inbound rules and the **Destination** in the
|
147
147
|
# outbound rules must match the security group ID. These rules are set
|
148
|
-
# by default when you create the cluster. Do not delete or
|
149
|
-
# them. To get information about a particular security group,
|
150
|
-
# [DescribeSecurityGroups][2] operation.
|
148
|
+
# by default when you create the CloudHSM cluster. Do not delete or
|
149
|
+
# change them. To get information about a particular security group,
|
150
|
+
# use the [DescribeSecurityGroups][2] operation.
|
151
151
|
#
|
152
|
-
# * The cluster must contain at least as many HSMs as the
|
153
|
-
# requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
152
|
+
# * The CloudHSM cluster must contain at least as many HSMs as the
|
153
|
+
# operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
154
|
+
# operation.
|
154
155
|
#
|
155
156
|
# For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
|
156
157
|
# operations, the CloudHSM cluster must have at least two active HSMs,
|
@@ -158,7 +159,7 @@ module Aws::KMS
|
|
158
159
|
# operation, the CloudHSM must contain at least one active HSM.
|
159
160
|
#
|
160
161
|
# For information about the requirements for an CloudHSM cluster that is
|
161
|
-
# associated with
|
162
|
+
# associated with an CloudHSM key store, see [Assemble the
|
162
163
|
# Prerequisites][4] in the *Key Management Service Developer Guide*. For
|
163
164
|
# information about creating a private subnet for an CloudHSM cluster,
|
164
165
|
# see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
|
@@ -184,10 +185,10 @@ module Aws::KMS
|
|
184
185
|
include Aws::Structure
|
185
186
|
end
|
186
187
|
|
187
|
-
# The request was rejected because the CloudHSM cluster
|
188
|
-
#
|
189
|
-
#
|
190
|
-
#
|
188
|
+
# The request was rejected because the CloudHSM cluster associated with
|
189
|
+
# the CloudHSM key store is not active. Initialize and activate the
|
190
|
+
# cluster and try the command again. For detailed instructions, see
|
191
|
+
# [Getting Started][1] in the *CloudHSM User Guide*.
|
191
192
|
#
|
192
193
|
#
|
193
194
|
#
|
@@ -221,16 +222,17 @@ module Aws::KMS
|
|
221
222
|
|
222
223
|
# The request was rejected because the specified CloudHSM cluster has a
|
223
224
|
# different cluster certificate than the original cluster. You cannot
|
224
|
-
# use the operation to specify an unrelated cluster
|
225
|
+
# use the operation to specify an unrelated cluster for an CloudHSM key
|
226
|
+
# store.
|
225
227
|
#
|
226
|
-
# Specify
|
227
|
-
# cluster. This includes clusters that were created from a
|
228
|
-
# current cluster, and clusters that were created from the
|
229
|
-
# that produced the current cluster.
|
228
|
+
# Specify an CloudHSM cluster that shares a backup history with the
|
229
|
+
# original cluster. This includes clusters that were created from a
|
230
|
+
# backup of the current cluster, and clusters that were created from the
|
231
|
+
# same backup that produced the current cluster.
|
230
232
|
#
|
231
|
-
#
|
232
|
-
# certificate. To view the cluster certificate of
|
233
|
-
# [DescribeClusters][1] operation.
|
233
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
234
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
235
|
+
# use the [DescribeClusters][1] operation.
|
234
236
|
#
|
235
237
|
#
|
236
238
|
#
|
@@ -341,18 +343,31 @@ module Aws::KMS
|
|
341
343
|
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
342
344
|
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
343
345
|
# key_store_password: "KeyStorePasswordType",
|
346
|
+
# custom_key_store_type: "AWS_CLOUDHSM", # accepts AWS_CLOUDHSM, EXTERNAL_KEY_STORE
|
347
|
+
# xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
|
348
|
+
# xks_proxy_uri_path: "XksProxyUriPathType",
|
349
|
+
# xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
|
350
|
+
# xks_proxy_authentication_credential: {
|
351
|
+
# access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
|
352
|
+
# raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
|
353
|
+
# },
|
354
|
+
# xks_proxy_connectivity: "PUBLIC_ENDPOINT", # accepts PUBLIC_ENDPOINT, VPC_ENDPOINT_SERVICE
|
344
355
|
# }
|
345
356
|
#
|
346
357
|
# @!attribute [rw] custom_key_store_name
|
347
358
|
# Specifies a friendly name for the custom key store. The name must be
|
348
|
-
# unique in your Amazon Web Services account.
|
359
|
+
# unique in your Amazon Web Services account and Region. This
|
360
|
+
# parameter is required for all custom key stores.
|
349
361
|
# @return [String]
|
350
362
|
#
|
351
363
|
# @!attribute [rw] cloud_hsm_cluster_id
|
352
|
-
# Identifies the CloudHSM cluster for
|
353
|
-
#
|
354
|
-
#
|
355
|
-
#
|
364
|
+
# Identifies the CloudHSM cluster for an CloudHSM key store. This
|
365
|
+
# parameter is required for custom key stores with
|
366
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
367
|
+
#
|
368
|
+
# Enter the cluster ID of any active CloudHSM cluster that is not
|
369
|
+
# already associated with a custom key store. To find the cluster ID,
|
370
|
+
# use the [DescribeClusters][1] operation.
|
356
371
|
#
|
357
372
|
#
|
358
373
|
#
|
@@ -360,9 +375,15 @@ module Aws::KMS
|
|
360
375
|
# @return [String]
|
361
376
|
#
|
362
377
|
# @!attribute [rw] trust_anchor_certificate
|
363
|
-
#
|
364
|
-
#
|
365
|
-
#
|
378
|
+
# * CreateCustom
|
379
|
+
#
|
380
|
+
# Specifies the certificate for an CloudHSM key store. This parameter
|
381
|
+
# is required for custom key stores with a `CustomKeyStoreType` of
|
382
|
+
# `AWS_CLOUDHSM`.
|
383
|
+
#
|
384
|
+
# Enter the content of the trust anchor certificate for the CloudHSM
|
385
|
+
# cluster. This is the content of the `customerCA.crt` file that you
|
386
|
+
# created when you [initialized the cluster][1].
|
366
387
|
#
|
367
388
|
#
|
368
389
|
#
|
@@ -370,6 +391,10 @@ module Aws::KMS
|
|
370
391
|
# @return [String]
|
371
392
|
#
|
372
393
|
# @!attribute [rw] key_store_password
|
394
|
+
# Specifies the `kmsuser` password for an CloudHSM key store. This
|
395
|
+
# parameter is required for custom key stores with a
|
396
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
397
|
+
#
|
373
398
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1]
|
374
399
|
# in the specified CloudHSM cluster. KMS logs into the cluster as this
|
375
400
|
# user to manage key material on your behalf.
|
@@ -385,13 +410,167 @@ module Aws::KMS
|
|
385
410
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
386
411
|
# @return [String]
|
387
412
|
#
|
413
|
+
# @!attribute [rw] custom_key_store_type
|
414
|
+
# Specifies the type of custom key store. The default value is
|
415
|
+
# `AWS_CLOUDHSM`.
|
416
|
+
#
|
417
|
+
# For a custom key store backed by an CloudHSM cluster, omit the
|
418
|
+
# parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
|
419
|
+
# an external key manager outside of Amazon Web Services, enter
|
420
|
+
# `EXTERNAL_KEY_STORE`. You cannot change this property after the key
|
421
|
+
# store is created.
|
422
|
+
# @return [String]
|
423
|
+
#
|
424
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
425
|
+
# Specifies the endpoint that KMS uses to send requests to the
|
426
|
+
# external key store proxy (XKS proxy). This parameter is required for
|
427
|
+
# custom key stores with a `CustomKeyStoreType` of
|
428
|
+
# `EXTERNAL_KEY_STORE`.
|
429
|
+
#
|
430
|
+
# The protocol must be HTTPS. KMS communicates on port 443. Do not
|
431
|
+
# specify the port in the `XksProxyUriEndpoint` value.
|
432
|
+
#
|
433
|
+
# For external key stores with `XksProxyConnectivity` value of
|
434
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
435
|
+
# DNS name of the VPC endpoint service.
|
436
|
+
#
|
437
|
+
# For external key stores with `PUBLIC_ENDPOINT` connectivity, this
|
438
|
+
# endpoint must be reachable before you create the custom key store.
|
439
|
+
# KMS connects to the external key store proxy while creating the
|
440
|
+
# custom key store. For external key stores with
|
441
|
+
# `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
|
442
|
+
# ConnectCustomKeyStore operation.
|
443
|
+
#
|
444
|
+
# The value of this parameter must begin with `https://`. The
|
445
|
+
# remainder can contain upper and lower case letters (A-Z and a-z),
|
446
|
+
# numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
|
447
|
+
# (`/` and ``) are not permitted.
|
448
|
+
#
|
449
|
+
# <b>Uniqueness requirements: </b>
|
450
|
+
#
|
451
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
452
|
+
# must be unique in the Amazon Web Services account and Region.
|
453
|
+
#
|
454
|
+
# * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
|
455
|
+
# use the same `XksProxyUriEndpoint` value as an external key store
|
456
|
+
# with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
|
457
|
+
# Services Region.
|
458
|
+
#
|
459
|
+
# * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
|
460
|
+
# must have its own private DNS name. The `XksProxyUriEndpoint`
|
461
|
+
# value for external key stores with `VPC_ENDPOINT_SERVICE`
|
462
|
+
# connectivity (private DNS name) must be unique in the Amazon Web
|
463
|
+
# Services account and Region.
|
464
|
+
# @return [String]
|
465
|
+
#
|
466
|
+
# @!attribute [rw] xks_proxy_uri_path
|
467
|
+
# Specifies the base path to the proxy APIs for this external key
|
468
|
+
# store. To find this value, see the documentation for your external
|
469
|
+
# key store proxy. This parameter is required for all custom key
|
470
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
471
|
+
#
|
472
|
+
# The value must start with `/` and must end with `/kms/xks/v1` where
|
473
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
474
|
+
# This path can include an optional prefix between the required
|
475
|
+
# elements such as `/prefix/kms/xks/v1`.
|
476
|
+
#
|
477
|
+
# <b>Uniqueness requirements: </b>
|
478
|
+
#
|
479
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
480
|
+
# must be unique in the Amazon Web Services account and Region.
|
481
|
+
#
|
482
|
+
# ^
|
483
|
+
# @return [String]
|
484
|
+
#
|
485
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
486
|
+
# Specifies the name of the Amazon VPC endpoint service for interface
|
487
|
+
# endpoints that is used to communicate with your external key store
|
488
|
+
# proxy (XKS proxy). This parameter is required when the value of
|
489
|
+
# `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
|
490
|
+
# `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
|
491
|
+
#
|
492
|
+
# The Amazon VPC endpoint service must [fulfill all requirements][1]
|
493
|
+
# for use with an external key store.
|
494
|
+
#
|
495
|
+
# **Uniqueness requirements:**
|
496
|
+
#
|
497
|
+
# * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
|
498
|
+
# share an Amazon VPC, but each external key store must have its own
|
499
|
+
# VPC endpoint service and private DNS name.
|
500
|
+
#
|
501
|
+
# ^
|
502
|
+
#
|
503
|
+
#
|
504
|
+
#
|
505
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
|
506
|
+
# @return [String]
|
507
|
+
#
|
508
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
509
|
+
# Specifies an authentication credential for the external key store
|
510
|
+
# proxy (XKS proxy). This parameter is required for all custom key
|
511
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
512
|
+
#
|
513
|
+
# The `XksProxyAuthenticationCredential` has two required elements:
|
514
|
+
# `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
|
515
|
+
# identifier for the `RawSecretAccessKey`. For character requirements,
|
516
|
+
# see
|
517
|
+
# [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
|
518
|
+
#
|
519
|
+
# KMS uses this authentication credential to sign requests to the
|
520
|
+
# external key store proxy on your behalf. This credential is
|
521
|
+
# unrelated to Identity and Access Management (IAM) and Amazon Web
|
522
|
+
# Services credentials.
|
523
|
+
#
|
524
|
+
# This parameter doesn't set or change the authentication credentials
|
525
|
+
# on the XKS proxy. It just tells KMS the credential that you
|
526
|
+
# established on your external key store proxy. If you rotate your
|
527
|
+
# proxy authentication credential, use the UpdateCustomKeyStore
|
528
|
+
# operation to provide the new credential to KMS.
|
529
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
530
|
+
#
|
531
|
+
# @!attribute [rw] xks_proxy_connectivity
|
532
|
+
# Indicates how KMS communicates with the external key store proxy.
|
533
|
+
# This parameter is required for custom key stores with a
|
534
|
+
# `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
535
|
+
#
|
536
|
+
# If the external key store proxy uses a public endpoint, specify
|
537
|
+
# `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
|
538
|
+
# endpoint service for communication with KMS, specify
|
539
|
+
# `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
|
540
|
+
# connectivity option][1] in the *Key Management Service Developer
|
541
|
+
# Guide*.
|
542
|
+
#
|
543
|
+
# An Amazon VPC endpoint service keeps your communication with KMS in
|
544
|
+
# a private address space entirely within Amazon Web Services, but it
|
545
|
+
# requires more configuration, including establishing a Amazon VPC
|
546
|
+
# with multiple subnets, a VPC endpoint service, a network load
|
547
|
+
# balancer, and a verified private DNS name. A public endpoint is
|
548
|
+
# simpler to set up, but it might be slower and might not fulfill your
|
549
|
+
# security requirements. You might consider testing with a public
|
550
|
+
# endpoint, and then establishing a VPC endpoint service for
|
551
|
+
# production tasks. Note that this choice does not determine the
|
552
|
+
# location of the external key store proxy. Even if you choose a VPC
|
553
|
+
# endpoint service, the proxy can be hosted within the VPC or outside
|
554
|
+
# of Amazon Web Services such as in your corporate data center.
|
555
|
+
#
|
556
|
+
#
|
557
|
+
#
|
558
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
|
559
|
+
# @return [String]
|
560
|
+
#
|
388
561
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
|
389
562
|
#
|
390
563
|
class CreateCustomKeyStoreRequest < Struct.new(
|
391
564
|
:custom_key_store_name,
|
392
565
|
:cloud_hsm_cluster_id,
|
393
566
|
:trust_anchor_certificate,
|
394
|
-
:key_store_password
|
567
|
+
:key_store_password,
|
568
|
+
:custom_key_store_type,
|
569
|
+
:xks_proxy_uri_endpoint,
|
570
|
+
:xks_proxy_uri_path,
|
571
|
+
:xks_proxy_vpc_endpoint_service_name,
|
572
|
+
:xks_proxy_authentication_credential,
|
573
|
+
:xks_proxy_connectivity)
|
395
574
|
SENSITIVE = [:key_store_password]
|
396
575
|
include Aws::Structure
|
397
576
|
end
|
@@ -629,7 +808,7 @@ module Aws::KMS
|
|
629
808
|
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
630
809
|
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
631
810
|
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
632
|
-
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
811
|
+
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
|
633
812
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
634
813
|
# bypass_policy_lockout_safety_check: false,
|
635
814
|
# tags: [
|
@@ -639,22 +818,20 @@ module Aws::KMS
|
|
639
818
|
# },
|
640
819
|
# ],
|
641
820
|
# multi_region: false,
|
821
|
+
# xks_key_id: "XksKeyIdType",
|
642
822
|
# }
|
643
823
|
#
|
644
824
|
# @!attribute [rw] policy
|
645
|
-
# The key policy to attach to the KMS key.
|
646
|
-
# policy, KMS attaches a default key policy to the KMS key. For more
|
647
|
-
# information, see [Default key policy][1] in the *Key Management
|
648
|
-
# Service Developer Guide*.
|
825
|
+
# The key policy to attach to the KMS key.
|
649
826
|
#
|
650
827
|
# If you provide a key policy, it must meet the following criteria:
|
651
828
|
#
|
652
|
-
# * If you don't set `BypassPolicyLockoutSafetyCheck` to
|
829
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
653
830
|
# key policy must allow the principal that is making the `CreateKey`
|
654
831
|
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
655
832
|
# This reduces the risk that the KMS key becomes unmanageable. For
|
656
833
|
# more information, refer to the scenario in the [Default Key
|
657
|
-
# Policy][
|
834
|
+
# Policy][1] section of the <i> <i>Key Management Service Developer
|
658
835
|
# Guide</i> </i>.
|
659
836
|
#
|
660
837
|
# * Each statement in the key policy must contain one or more
|
@@ -664,33 +841,25 @@ module Aws::KMS
|
|
664
841
|
# enforce a delay before including the new principal in a key policy
|
665
842
|
# because the new principal might not be immediately visible to KMS.
|
666
843
|
# For more information, see [Changes that I make are not always
|
667
|
-
# immediately visible][
|
844
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
668
845
|
# Access Management User Guide*.
|
669
846
|
#
|
670
|
-
#
|
847
|
+
# If you do not provide a key policy, KMS attaches a default key
|
848
|
+
# policy to the KMS key. For more information, see [Default Key
|
849
|
+
# Policy][3] in the *Key Management Service Developer Guide*.
|
671
850
|
#
|
672
|
-
#
|
673
|
-
# through the end of the ASCII character range.
|
851
|
+
# The key policy size quota is 32 kilobytes (32768 bytes).
|
674
852
|
#
|
675
|
-
#
|
676
|
-
#
|
853
|
+
# For help writing and formatting a JSON policy document, see the [IAM
|
854
|
+
# JSON Policy Reference][4] in the <i> <i>Identity and Access
|
855
|
+
# Management User Guide</i> </i>.
|
677
856
|
#
|
678
|
-
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
679
|
-
# (`\u000D`) special characters
|
680
857
|
#
|
681
|
-
# For information about key policies, see [Key policies in KMS][4] in
|
682
|
-
# the *Key Management Service Developer Guide*. For help writing and
|
683
|
-
# formatting a JSON policy document, see the [IAM JSON Policy
|
684
|
-
# Reference][5] in the <i> <i>Identity and Access Management User
|
685
|
-
# Guide</i> </i>.
|
686
858
|
#
|
687
|
-
#
|
688
|
-
#
|
689
|
-
# [
|
690
|
-
# [
|
691
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
692
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
693
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
859
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
860
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
861
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
862
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
694
863
|
# @return [String]
|
695
864
|
#
|
696
865
|
# @!attribute [rw] description
|
@@ -737,8 +906,8 @@ module Aws::KMS
|
|
737
906
|
#
|
738
907
|
# The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
|
739
908
|
# way. Only the names differ. We recommend that you use `KeySpec`
|
740
|
-
# parameter in your code. However, to avoid breaking changes, KMS
|
741
|
-
#
|
909
|
+
# parameter in your code. However, to avoid breaking changes, KMS
|
910
|
+
# supports both parameters.
|
742
911
|
# @return [String]
|
743
912
|
#
|
744
913
|
# @!attribute [rw] key_spec
|
@@ -751,14 +920,13 @@ module Aws::KMS
|
|
751
920
|
# Guide</i> </i>.
|
752
921
|
#
|
753
922
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
754
|
-
# key or an asymmetric key pair. It also determines the
|
755
|
-
#
|
756
|
-
#
|
757
|
-
#
|
758
|
-
#
|
759
|
-
# [kms:
|
760
|
-
#
|
761
|
-
# Guide</i> </i>.
|
923
|
+
# key or an asymmetric key pair. It also determines the algorithms
|
924
|
+
# that the KMS key supports. You can't change the `KeySpec` after the
|
925
|
+
# KMS key is created. To further restrict the algorithms that can be
|
926
|
+
# used with the KMS key, use a condition key in its key policy or IAM
|
927
|
+
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
928
|
+
# [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
|
929
|
+
# <i>Key Management Service Developer Guide</i> </i>.
|
762
930
|
#
|
763
931
|
# [Amazon Web Services services that are integrated with KMS][5] use
|
764
932
|
# symmetric encryption KMS keys to protect your data. These services
|
@@ -825,45 +993,48 @@ module Aws::KMS
|
|
825
993
|
# the origin after you create the KMS key. The default is `AWS_KMS`,
|
826
994
|
# which means that KMS creates the key material.
|
827
995
|
#
|
828
|
-
# To create a KMS key with no key material (for imported key
|
829
|
-
# material), set
|
830
|
-
# importing key material into KMS, see [Importing Key Material][
|
831
|
-
# the *Key Management Service Developer Guide*.
|
832
|
-
# only for symmetric
|
996
|
+
# To [create a KMS key with no key material][1] (for imported key
|
997
|
+
# material), set this value to `EXTERNAL`. For more information about
|
998
|
+
# importing key material into KMS, see [Importing Key Material][2] in
|
999
|
+
# the *Key Management Service Developer Guide*. The `EXTERNAL` origin
|
1000
|
+
# value is valid only for symmetric KMS keys.
|
833
1001
|
#
|
834
|
-
# To create a KMS key in an
|
835
|
-
#
|
1002
|
+
# To [create a KMS key in an CloudHSM key store][3] and create its key
|
1003
|
+
# material in the associated CloudHSM cluster, set this value to
|
836
1004
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
837
|
-
# to identify the
|
838
|
-
#
|
1005
|
+
# to identify the CloudHSM key store. The `KeySpec` value must be
|
1006
|
+
# `SYMMETRIC_DEFAULT`.
|
1007
|
+
#
|
1008
|
+
# To [create a KMS key in an external key store][4], set this value to
|
1009
|
+
# `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
|
1010
|
+
# parameter to identify the external key store and the `XksKeyId`
|
1011
|
+
# parameter to identify the associated external key. The `KeySpec`
|
1012
|
+
# value must be `SYMMETRIC_DEFAULT`.
|
839
1013
|
#
|
840
1014
|
#
|
841
1015
|
#
|
842
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
843
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1016
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
|
1017
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1018
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
|
1019
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
|
844
1020
|
# @return [String]
|
845
1021
|
#
|
846
1022
|
# @!attribute [rw] custom_key_store_id
|
847
|
-
# Creates the KMS key in the specified [custom key store][1]
|
848
|
-
#
|
849
|
-
#
|
850
|
-
#
|
851
|
-
# associated with the custom key store must have at least two active
|
852
|
-
# HSMs, each in a different Availability Zone in the Region.
|
1023
|
+
# Creates the KMS key in the specified [custom key store][1]. The
|
1024
|
+
# `ConnectionState` of the custom key store must be `CONNECTED`. To
|
1025
|
+
# find the CustomKeyStoreID and ConnectionState use the
|
1026
|
+
# DescribeCustomKeyStores operation.
|
853
1027
|
#
|
854
1028
|
# This parameter is valid only for symmetric encryption KMS keys in a
|
855
1029
|
# single Region. You cannot create any other type of KMS key in a
|
856
1030
|
# custom key store.
|
857
1031
|
#
|
858
|
-
#
|
859
|
-
#
|
860
|
-
#
|
861
|
-
#
|
862
|
-
#
|
863
|
-
#
|
864
|
-
# This operation is part of the [custom key store feature][1] feature
|
865
|
-
# in KMS, which combines the convenience and extensive integration of
|
866
|
-
# KMS with the isolation and control of a single-tenant key store.
|
1032
|
+
# When you create a KMS key in an CloudHSM key store, KMS generates a
|
1033
|
+
# non-exportable 256-bit symmetric key in its associated CloudHSM
|
1034
|
+
# cluster and associates it with the KMS key. When you create a KMS
|
1035
|
+
# key in an external key store, you must use the `XksKeyId` parameter
|
1036
|
+
# to specify an external key that serves as key material for the KMS
|
1037
|
+
# key.
|
867
1038
|
#
|
868
1039
|
#
|
869
1040
|
#
|
@@ -899,7 +1070,7 @@ module Aws::KMS
|
|
899
1070
|
# TagResource operation.
|
900
1071
|
#
|
901
1072
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
902
|
-
# KMS key. For details, see [ABAC
|
1073
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
903
1074
|
# Service Developer Guide*.
|
904
1075
|
#
|
905
1076
|
# </note>
|
@@ -947,16 +1118,52 @@ module Aws::KMS
|
|
947
1118
|
# This value creates a *primary key*, not a replica. To create a
|
948
1119
|
# *replica key*, use the ReplicateKey operation.
|
949
1120
|
#
|
950
|
-
# You can create a multi-Region
|
951
|
-
#
|
952
|
-
#
|
953
|
-
# in a custom key store.
|
1121
|
+
# You can create a symmetric or asymmetric multi-Region key, and you
|
1122
|
+
# can create a multi-Region key with imported key material. However,
|
1123
|
+
# you cannot create a multi-Region key in a custom key store.
|
954
1124
|
#
|
955
1125
|
#
|
956
1126
|
#
|
957
1127
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
958
1128
|
# @return [Boolean]
|
959
1129
|
#
|
1130
|
+
# @!attribute [rw] xks_key_id
|
1131
|
+
# Identifies the [external key][1] that serves as key material for the
|
1132
|
+
# KMS key in an [external key store][2]. Specify the ID that the
|
1133
|
+
# [external key store proxy][3] uses to refer to the external key. For
|
1134
|
+
# help, see the documentation for your external key store proxy.
|
1135
|
+
#
|
1136
|
+
# This parameter is required for a KMS key with an `Origin` value of
|
1137
|
+
# `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
|
1138
|
+
# `Origin` value.
|
1139
|
+
#
|
1140
|
+
# The external key must be an existing 256-bit AES symmetric
|
1141
|
+
# encryption key hosted outside of Amazon Web Services in an external
|
1142
|
+
# key manager associated with the external key store specified by the
|
1143
|
+
# `CustomKeyStoreId` parameter. This key must be enabled and
|
1144
|
+
# configured to perform encryption and decryption. Each KMS key in an
|
1145
|
+
# external key store must use a different external key. For details,
|
1146
|
+
# see [Requirements for a KMS key in an external key store][4] in the
|
1147
|
+
# *Key Management Service Developer Guide*.
|
1148
|
+
#
|
1149
|
+
# Each KMS key in an external key store is associated two backing
|
1150
|
+
# keys. One is key material that KMS generates. The other is the
|
1151
|
+
# external key specified by this parameter. When you use the KMS key
|
1152
|
+
# in an external key store to encrypt data, the encryption operation
|
1153
|
+
# is performed first by KMS using the KMS key material, and then by
|
1154
|
+
# the external key manager using the specified external key, a process
|
1155
|
+
# known as *double encryption*. For details, see [Double
|
1156
|
+
# encryption][5] in the *Key Management Service Developer Guide*.
|
1157
|
+
#
|
1158
|
+
#
|
1159
|
+
#
|
1160
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
1161
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
1162
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
|
1163
|
+
# [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
|
1164
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
|
1165
|
+
# @return [String]
|
1166
|
+
#
|
960
1167
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
961
1168
|
#
|
962
1169
|
class CreateKeyRequest < Struct.new(
|
@@ -969,7 +1176,8 @@ module Aws::KMS
|
|
969
1176
|
:custom_key_store_id,
|
970
1177
|
:bypass_policy_lockout_safety_check,
|
971
1178
|
:tags,
|
972
|
-
:multi_region
|
1179
|
+
:multi_region,
|
1180
|
+
:xks_key_id)
|
973
1181
|
SENSITIVE = []
|
974
1182
|
include Aws::Structure
|
975
1183
|
end
|
@@ -1008,18 +1216,29 @@ module Aws::KMS
|
|
1008
1216
|
#
|
1009
1217
|
# This exception is thrown under the following conditions:
|
1010
1218
|
#
|
1011
|
-
# * You requested the
|
1012
|
-
#
|
1013
|
-
#
|
1219
|
+
# * You requested the ConnectCustomKeyStore operation on a custom key
|
1220
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
|
1221
|
+
# operation is valid for all other `ConnectionState` values. To
|
1222
|
+
# reconnect a custom key store in a `FAILED` state, disconnect it
|
1223
|
+
# (DisconnectCustomKeyStore), then connect it
|
1224
|
+
# (`ConnectCustomKeyStore`).
|
1225
|
+
#
|
1226
|
+
# * You requested the CreateKey operation in a custom key store that is
|
1227
|
+
# not connected. This operations is valid only when the custom key
|
1228
|
+
# store `ConnectionState` is `CONNECTED`.
|
1229
|
+
#
|
1230
|
+
# * You requested the DisconnectCustomKeyStore operation on a custom key
|
1231
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
|
1232
|
+
# This operation is valid for all other `ConnectionState` values.
|
1014
1233
|
#
|
1015
1234
|
# * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
|
1016
1235
|
# operation on a custom key store that is not disconnected. This
|
1017
1236
|
# operation is valid only when the custom key store `ConnectionState`
|
1018
1237
|
# is `DISCONNECTED`.
|
1019
1238
|
#
|
1020
|
-
# * You requested the
|
1021
|
-
#
|
1022
|
-
#
|
1239
|
+
# * You requested the GenerateRandom operation in an CloudHSM key store
|
1240
|
+
# that is not connected. This operation is valid only when the
|
1241
|
+
# CloudHSM key store `ConnectionState` is `CONNECTED`.
|
1023
1242
|
#
|
1024
1243
|
# @!attribute [rw] message
|
1025
1244
|
# @return [String]
|
@@ -1074,13 +1293,17 @@ module Aws::KMS
|
|
1074
1293
|
#
|
1075
1294
|
# @!attribute [rw] cloud_hsm_cluster_id
|
1076
1295
|
# A unique identifier for the CloudHSM cluster that is associated with
|
1077
|
-
#
|
1296
|
+
# an CloudHSM key store. This field appears only when the
|
1297
|
+
# `CustomKeyStoreType` is `AWS_CLOUDHSM`.
|
1078
1298
|
# @return [String]
|
1079
1299
|
#
|
1080
1300
|
# @!attribute [rw] trust_anchor_certificate
|
1081
|
-
# The trust anchor certificate of the
|
1082
|
-
# When you [initialize the cluster][1], you
|
1083
|
-
# and save it in the `customerCA.crt` file.
|
1301
|
+
# The trust anchor certificate of the CloudHSM cluster associated with
|
1302
|
+
# an CloudHSM key store. When you [initialize the cluster][1], you
|
1303
|
+
# create this certificate and save it in the `customerCA.crt` file.
|
1304
|
+
#
|
1305
|
+
# This field appears only when the `CustomKeyStoreType` is
|
1306
|
+
# `AWS_CLOUDHSM`.
|
1084
1307
|
#
|
1085
1308
|
#
|
1086
1309
|
#
|
@@ -1088,22 +1311,30 @@ module Aws::KMS
|
|
1088
1311
|
# @return [String]
|
1089
1312
|
#
|
1090
1313
|
# @!attribute [rw] connection_state
|
1091
|
-
# Indicates whether the custom key store is connected to its
|
1092
|
-
#
|
1314
|
+
# Indicates whether the custom key store is connected to its backing
|
1315
|
+
# key store. For an CloudHSM key store, the `ConnectionState`
|
1316
|
+
# indicates whether it is connected to its CloudHSM cluster. For an
|
1317
|
+
# external key store, the `ConnectionState` indicates whether it is
|
1318
|
+
# connected to the external key store proxy that communicates with
|
1319
|
+
# your external key manager.
|
1093
1320
|
#
|
1094
1321
|
# You can create and use KMS keys in your custom key stores only when
|
1095
|
-
# its
|
1096
|
-
#
|
1097
|
-
# The value is `DISCONNECTED` if the key store
|
1098
|
-
# connected or you use the DisconnectCustomKeyStore
|
1099
|
-
# disconnect it. If the value is `CONNECTED` but you are
|
1100
|
-
# trouble using the custom key store, make sure that
|
1101
|
-
#
|
1322
|
+
# its `ConnectionState` is `CONNECTED`.
|
1323
|
+
#
|
1324
|
+
# The `ConnectionState` value is `DISCONNECTED` only if the key store
|
1325
|
+
# has never been connected or you use the DisconnectCustomKeyStore
|
1326
|
+
# operation to disconnect it. If the value is `CONNECTED` but you are
|
1327
|
+
# having trouble using the custom key store, make sure that the
|
1328
|
+
# backing key store is reachable and active. For an CloudHSM key
|
1329
|
+
# store, verify that its associated CloudHSM cluster is active and
|
1330
|
+
# contains at least one active HSM. For an external key store, verify
|
1331
|
+
# that the external key store proxy and external key manager are
|
1332
|
+
# connected and enabled.
|
1102
1333
|
#
|
1103
1334
|
# A value of `FAILED` indicates that an attempt to connect was
|
1104
1335
|
# unsuccessful. The `ConnectionErrorCode` field in the response
|
1105
1336
|
# indicates the cause of the failure. For help resolving a connection
|
1106
|
-
# failure, see [Troubleshooting a
|
1337
|
+
# failure, see [Troubleshooting a custom key store][1] in the *Key
|
1107
1338
|
# Management Service Developer Guide*.
|
1108
1339
|
#
|
1109
1340
|
#
|
@@ -1113,35 +1344,52 @@ module Aws::KMS
|
|
1113
1344
|
#
|
1114
1345
|
# @!attribute [rw] connection_error_code
|
1115
1346
|
# Describes the connection error. This field appears in the response
|
1116
|
-
# only when the `ConnectionState` is `FAILED`.
|
1117
|
-
#
|
1118
|
-
#
|
1347
|
+
# only when the `ConnectionState` is `FAILED`.
|
1348
|
+
#
|
1349
|
+
# Many failures can be resolved by updating the properties of the
|
1350
|
+
# custom key store. To update a custom key store, disconnect it
|
1351
|
+
# (DisconnectCustomKeyStore), correct the errors
|
1352
|
+
# (UpdateCustomKeyStore), and try to connect again
|
1353
|
+
# (ConnectCustomKeyStore). For additional help resolving these errors,
|
1354
|
+
# see [How to Fix a Connection Failure][1] in *Key Management Service
|
1355
|
+
# Developer Guide*.
|
1356
|
+
#
|
1357
|
+
# **All custom key stores:**
|
1119
1358
|
#
|
1120
|
-
#
|
1359
|
+
# * `INTERNAL_ERROR` — KMS could not complete the request due to an
|
1360
|
+
# internal error. Retry the request. For `ConnectCustomKeyStore`
|
1361
|
+
# requests, disconnect the custom key store before trying to connect
|
1362
|
+
# again.
|
1121
1363
|
#
|
1122
|
-
# * `
|
1364
|
+
# * `NETWORK_ERRORS` — Network errors are preventing KMS from
|
1365
|
+
# connecting the custom key store to its backing key store.
|
1366
|
+
#
|
1367
|
+
# **CloudHSM key stores:**
|
1368
|
+
#
|
1369
|
+
# * `CLUSTER_NOT_FOUND` — KMS cannot find the CloudHSM cluster with
|
1123
1370
|
# the specified cluster ID.
|
1124
1371
|
#
|
1125
|
-
# * `INSUFFICIENT_CLOUDHSM_HSMS`
|
1372
|
+
# * `INSUFFICIENT_CLOUDHSM_HSMS` — The associated CloudHSM cluster
|
1126
1373
|
# does not contain any active HSMs. To connect a custom key store to
|
1127
1374
|
# its CloudHSM cluster, the cluster must contain at least one active
|
1128
1375
|
# HSM.
|
1129
1376
|
#
|
1130
|
-
# * `
|
1131
|
-
#
|
1132
|
-
#
|
1133
|
-
#
|
1134
|
-
#
|
1135
|
-
#
|
1136
|
-
#
|
1137
|
-
# connect your custom key store to its CloudHSM cluster, you must
|
1138
|
-
# change the `kmsuser` account password and update the key store
|
1139
|
-
# password value for the custom key store.
|
1377
|
+
# * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` — At least one private
|
1378
|
+
# subnet associated with the CloudHSM cluster doesn't have any
|
1379
|
+
# available IP addresses. A CloudHSM key store connection requires
|
1380
|
+
# one free IP address in each of the associated private subnets,
|
1381
|
+
# although two are preferable. For details, see [How to Fix a
|
1382
|
+
# Connection Failure][1] in the *Key Management Service Developer
|
1383
|
+
# Guide*.
|
1140
1384
|
#
|
1141
|
-
# * `
|
1142
|
-
#
|
1385
|
+
# * `INVALID_CREDENTIALS` — The `KeyStorePassword` for the custom key
|
1386
|
+
# store doesn't match the current password of the `kmsuser` crypto
|
1387
|
+
# user in the CloudHSM cluster. Before you can connect your custom
|
1388
|
+
# key store to its CloudHSM cluster, you must change the `kmsuser`
|
1389
|
+
# account password and update the `KeyStorePassword` value for the
|
1390
|
+
# custom key store.
|
1143
1391
|
#
|
1144
|
-
# * `SUBNET_NOT_FOUND`
|
1392
|
+
# * `SUBNET_NOT_FOUND` — A subnet in the CloudHSM cluster
|
1145
1393
|
# configuration was deleted. If KMS cannot find all of the subnets
|
1146
1394
|
# in the cluster configuration, attempts to connect the custom key
|
1147
1395
|
# store to the CloudHSM cluster fail. To fix this error, create a
|
@@ -1151,13 +1399,13 @@ module Aws::KMS
|
|
1151
1399
|
# Connection Failure][1] in the *Key Management Service Developer
|
1152
1400
|
# Guide*.
|
1153
1401
|
#
|
1154
|
-
# * `USER_LOCKED_OUT`
|
1402
|
+
# * `USER_LOCKED_OUT` — The `kmsuser` CU account is locked out of the
|
1155
1403
|
# associated CloudHSM cluster due to too many failed password
|
1156
1404
|
# attempts. Before you can connect your custom key store to its
|
1157
1405
|
# CloudHSM cluster, you must change the `kmsuser` account password
|
1158
1406
|
# and update the key store password value for the custom key store.
|
1159
1407
|
#
|
1160
|
-
# * `USER_LOGGED_IN`
|
1408
|
+
# * `USER_LOGGED_IN` — The `kmsuser` CU account is logged into the
|
1161
1409
|
# associated CloudHSM cluster. This prevents KMS from rotating the
|
1162
1410
|
# `kmsuser` account password and logging into the cluster. Before
|
1163
1411
|
# you can connect your custom key store to its CloudHSM cluster, you
|
@@ -1167,22 +1415,119 @@ module Aws::KMS
|
|
1167
1415
|
# help, see [How to Log Out and Reconnect][2] in the *Key Management
|
1168
1416
|
# Service Developer Guide*.
|
1169
1417
|
#
|
1170
|
-
# * `USER_NOT_FOUND`
|
1418
|
+
# * `USER_NOT_FOUND` — KMS cannot find a `kmsuser` CU account in the
|
1171
1419
|
# associated CloudHSM cluster. Before you can connect your custom
|
1172
1420
|
# key store to its CloudHSM cluster, you must create a `kmsuser` CU
|
1173
1421
|
# account in the cluster, and then update the key store password
|
1174
1422
|
# value for the custom key store.
|
1175
1423
|
#
|
1424
|
+
# **External key stores:**
|
1425
|
+
#
|
1426
|
+
# * `INVALID_CREDENTIALS` — One or both of the
|
1427
|
+
# `XksProxyAuthenticationCredential` values is not valid on the
|
1428
|
+
# specified external key store proxy.
|
1429
|
+
#
|
1430
|
+
# * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
|
1431
|
+
# external key store proxy. If the external key store proxy has
|
1432
|
+
# authorization rules, verify that they permit KMS to communicate
|
1433
|
+
# with the proxy on your behalf.
|
1434
|
+
#
|
1435
|
+
# * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
|
1436
|
+
# preventing the external key store from connecting to its proxy.
|
1437
|
+
# Verify the value of the `XksProxyUriPath`.
|
1438
|
+
#
|
1439
|
+
# * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
|
1440
|
+
# from the external key store proxy. If you see this connection
|
1441
|
+
# error code repeatedly, notify your external key store proxy
|
1442
|
+
# vendor.
|
1443
|
+
#
|
1444
|
+
# * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
|
1445
|
+
# external key store proxy because the TLS configuration is invalid.
|
1446
|
+
# Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
|
1447
|
+
# that the TLS certificate is not expired, and that it matches the
|
1448
|
+
# hostname in the `XksProxyUriEndpoint` value, and that it is signed
|
1449
|
+
# by a certificate authority included in the [Trusted Certificate
|
1450
|
+
# Authorities][3] list.
|
1451
|
+
#
|
1452
|
+
# * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
|
1453
|
+
# external key store proxy. Verify that the `XksProxyUriEndpoint`
|
1454
|
+
# and `XksProxyUriPath` are correct. Use the tools for your external
|
1455
|
+
# key store proxy to verify that the proxy is active and available
|
1456
|
+
# on its network. Also, verify that your external key manager
|
1457
|
+
# instances are operating properly. Connection attempts fail with
|
1458
|
+
# this connection error code if the proxy reports that all external
|
1459
|
+
# key manager instances are unavailable.
|
1460
|
+
#
|
1461
|
+
# * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
|
1462
|
+
# proxy, but the proxy does not respond to KMS in the time allotted.
|
1463
|
+
# If you see this connection error code repeatedly, notify your
|
1464
|
+
# external key store proxy vendor.
|
1465
|
+
#
|
1466
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
|
1467
|
+
# endpoint service configuration doesn't conform to the
|
1468
|
+
# requirements for an KMS external key store.
|
1469
|
+
#
|
1470
|
+
# * The VPC endpoint service must be an endpoint service for
|
1471
|
+
# interface endpoints in the caller's Amazon Web Services
|
1472
|
+
# account.
|
1473
|
+
#
|
1474
|
+
# * It must have a network load balancer (NLB) connected to at least
|
1475
|
+
# two subnets, each in a different Availability Zone.
|
1476
|
+
#
|
1477
|
+
# * The `Allow principals` list must include the KMS service
|
1478
|
+
# principal for the Region, `cks.kms.<region>.amazonaws.com`, such
|
1479
|
+
# as `cks.kms.us-east-1.amazonaws.com`.
|
1480
|
+
#
|
1481
|
+
# * It must *not* require [acceptance][4] of connection requests.
|
1482
|
+
#
|
1483
|
+
# * It must have a private DNS name. The private DNS name for an
|
1484
|
+
# external key store with `VPC_ENDPOINT_SERVICE` connectivity must
|
1485
|
+
# be unique in its Amazon Web Services Region.
|
1486
|
+
#
|
1487
|
+
# * The domain of the private DNS name must have a [verification
|
1488
|
+
# status][5] of `verified`.
|
1489
|
+
#
|
1490
|
+
# * The [TLS certificate][6] specifies the private DNS hostname at
|
1491
|
+
# which the endpoint is reachable.
|
1492
|
+
#
|
1493
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
|
1494
|
+
# endpoint service that it uses to communicate with the external key
|
1495
|
+
# store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
|
1496
|
+
# correct and the KMS service principal has service consumer
|
1497
|
+
# permissions on the Amazon VPC endpoint service.
|
1498
|
+
#
|
1176
1499
|
#
|
1177
1500
|
#
|
1178
1501
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
|
1179
1502
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
|
1503
|
+
# [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
|
1504
|
+
# [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
|
1505
|
+
# [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
|
1506
|
+
# [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
|
1180
1507
|
# @return [String]
|
1181
1508
|
#
|
1182
1509
|
# @!attribute [rw] creation_date
|
1183
1510
|
# The date and time when the custom key store was created.
|
1184
1511
|
# @return [Time]
|
1185
1512
|
#
|
1513
|
+
# @!attribute [rw] custom_key_store_type
|
1514
|
+
# Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
|
1515
|
+
# a custom key store backed by an CloudHSM cluster.
|
1516
|
+
# `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
|
1517
|
+
# external key store proxy and external key manager outside of Amazon
|
1518
|
+
# Web Services.
|
1519
|
+
# @return [String]
|
1520
|
+
#
|
1521
|
+
# @!attribute [rw] xks_proxy_configuration
|
1522
|
+
# Configuration settings for the external key store proxy (XKS proxy).
|
1523
|
+
# The external key store proxy translates KMS requests into a format
|
1524
|
+
# that your external key manager can understand. The proxy
|
1525
|
+
# configuration includes connection information that KMS requires.
|
1526
|
+
#
|
1527
|
+
# This field appears only when the `CustomKeyStoreType` is
|
1528
|
+
# `EXTERNAL_KEY_STORE`.
|
1529
|
+
# @return [Types::XksProxyConfigurationType]
|
1530
|
+
#
|
1186
1531
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
|
1187
1532
|
#
|
1188
1533
|
class CustomKeyStoresListEntry < Struct.new(
|
@@ -1192,7 +1537,9 @@ module Aws::KMS
|
|
1192
1537
|
:trust_anchor_certificate,
|
1193
1538
|
:connection_state,
|
1194
1539
|
:connection_error_code,
|
1195
|
-
:creation_date
|
1540
|
+
:creation_date,
|
1541
|
+
:custom_key_store_type,
|
1542
|
+
:xks_proxy_configuration)
|
1196
1543
|
SENSITIVE = []
|
1197
1544
|
include Aws::Structure
|
1198
1545
|
end
|
@@ -1416,8 +1763,8 @@ module Aws::KMS
|
|
1416
1763
|
include Aws::Structure
|
1417
1764
|
end
|
1418
1765
|
|
1419
|
-
# The system timed out while trying to fulfill the request.
|
1420
|
-
#
|
1766
|
+
# The system timed out while trying to fulfill the request. You can
|
1767
|
+
# retry the request.
|
1421
1768
|
#
|
1422
1769
|
# @!attribute [rw] message
|
1423
1770
|
# @return [String]
|
@@ -1446,8 +1793,8 @@ module Aws::KMS
|
|
1446
1793
|
#
|
1447
1794
|
# By default, this operation gets information about all custom key
|
1448
1795
|
# stores in the account and Region. To limit the output to a
|
1449
|
-
# particular custom key store,
|
1450
|
-
#
|
1796
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
1797
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
1451
1798
|
# @return [String]
|
1452
1799
|
#
|
1453
1800
|
# @!attribute [rw] custom_key_store_name
|
@@ -1456,8 +1803,8 @@ module Aws::KMS
|
|
1456
1803
|
#
|
1457
1804
|
# By default, this operation gets information about all custom key
|
1458
1805
|
# stores in the account and Region. To limit the output to a
|
1459
|
-
# particular custom key store,
|
1460
|
-
#
|
1806
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
1807
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
1461
1808
|
# @return [String]
|
1462
1809
|
#
|
1463
1810
|
# @!attribute [rw] limit
|
@@ -1733,11 +2080,10 @@ module Aws::KMS
|
|
1733
2080
|
# }
|
1734
2081
|
#
|
1735
2082
|
# @!attribute [rw] key_id
|
1736
|
-
# Identifies a symmetric encryption KMS key. You cannot enable
|
1737
|
-
#
|
1738
|
-
#
|
1739
|
-
#
|
1740
|
-
# always `false`. To enable or disable automatic rotation of a set of
|
2083
|
+
# Identifies a symmetric encryption KMS key. You cannot enable
|
2084
|
+
# automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
2085
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom
|
2086
|
+
# key store][4]. To enable or disable automatic rotation of a set of
|
1741
2087
|
# related [multi-Region keys][5], set the property on the primary key.
|
1742
2088
|
#
|
1743
2089
|
# Specify the key ID or key ARN of the KMS key.
|
@@ -1859,6 +2205,8 @@ module Aws::KMS
|
|
1859
2205
|
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
1860
2206
|
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
1861
2207
|
# recommend RSAES\_OAEP\_SHA\_256.
|
2208
|
+
#
|
2209
|
+
# The SM2PKE algorithm is only available in China Regions.
|
1862
2210
|
# @return [String]
|
1863
2211
|
#
|
1864
2212
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
@@ -1984,8 +2332,7 @@ module Aws::KMS
|
|
1984
2332
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
1985
2333
|
# and the rule that permits you to use ECC KMS keys only to sign and
|
1986
2334
|
# verify, are not effective on data key pairs, which are used outside
|
1987
|
-
# of KMS. The SM2 key spec is only available in China Regions.
|
1988
|
-
# ECC asymmetric key pairs are also available in China Regions.
|
2335
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
1989
2336
|
# @return [String]
|
1990
2337
|
#
|
1991
2338
|
# @!attribute [rw] grant_tokens
|
@@ -2122,8 +2469,7 @@ module Aws::KMS
|
|
2122
2469
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
2123
2470
|
# and the rule that permits you to use ECC KMS keys only to sign and
|
2124
2471
|
# verify, are not effective on data key pairs, which are used outside
|
2125
|
-
# of KMS. The SM2 key spec is only available in China Regions.
|
2126
|
-
# ECC asymmetric key pairs are also available in China Regions.
|
2472
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
2127
2473
|
# @return [String]
|
2128
2474
|
#
|
2129
2475
|
# @!attribute [rw] grant_tokens
|
@@ -2511,8 +2857,14 @@ module Aws::KMS
|
|
2511
2857
|
end
|
2512
2858
|
|
2513
2859
|
# @!attribute [rw] mac
|
2514
|
-
# The hash-based message authentication code (HMAC)
|
2515
|
-
# message, key, and MAC algorithm.
|
2860
|
+
# The hash-based message authentication code (HMAC) that was generated
|
2861
|
+
# for the specified message, HMAC KMS key, and MAC algorithm.
|
2862
|
+
#
|
2863
|
+
# This is the standard, raw HMAC defined in [RFC 2104][1].
|
2864
|
+
#
|
2865
|
+
#
|
2866
|
+
#
|
2867
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
2516
2868
|
# @return [String]
|
2517
2869
|
#
|
2518
2870
|
# @!attribute [rw] mac_algorithm
|
@@ -2547,12 +2899,12 @@ module Aws::KMS
|
|
2547
2899
|
#
|
2548
2900
|
# @!attribute [rw] custom_key_store_id
|
2549
2901
|
# Generates the random byte string in the CloudHSM cluster that is
|
2550
|
-
# associated with the specified
|
2551
|
-
#
|
2552
|
-
#
|
2902
|
+
# associated with the specified CloudHSM key store. To find the ID of
|
2903
|
+
# a custom key store, use the DescribeCustomKeyStores operation.
|
2553
2904
|
#
|
2554
|
-
#
|
2555
|
-
#
|
2905
|
+
# External key store IDs are not valid for this parameter. If you
|
2906
|
+
# specify the ID of an external key store, `GenerateRandom` throws an
|
2907
|
+
# `UnsupportedOperationException`.
|
2556
2908
|
# @return [String]
|
2557
2909
|
#
|
2558
2910
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
|
@@ -2846,7 +3198,7 @@ module Aws::KMS
|
|
2846
3198
|
#
|
2847
3199
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
2848
3200
|
# value. We recommend that you use the `KeySpec` field in your code.
|
2849
|
-
# However, to avoid breaking changes, KMS
|
3201
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
2850
3202
|
# @return [String]
|
2851
3203
|
#
|
2852
3204
|
# @!attribute [rw] key_spec
|
@@ -2900,11 +3252,10 @@ module Aws::KMS
|
|
2900
3252
|
#
|
2901
3253
|
# KMS applies the grant constraints only to cryptographic operations
|
2902
3254
|
# that support an encryption context, that is, all cryptographic
|
2903
|
-
# operations with a [symmetric
|
2904
|
-
#
|
2905
|
-
#
|
2906
|
-
#
|
2907
|
-
# RetireGrant.
|
3255
|
+
# operations with a [symmetric KMS key][3]. Grant constraints are not
|
3256
|
+
# applied to operations that do not support an encryption context, such
|
3257
|
+
# as cryptographic operations with asymmetric KMS keys and management
|
3258
|
+
# operations, such as DescribeKey or RetireGrant.
|
2908
3259
|
#
|
2909
3260
|
# In a cryptographic operation, the encryption context in the decryption
|
2910
3261
|
# operation must be an exact, case-sensitive match for the keys and
|
@@ -3088,19 +3439,37 @@ module Aws::KMS
|
|
3088
3439
|
# @return [String]
|
3089
3440
|
#
|
3090
3441
|
# @!attribute [rw] valid_to
|
3091
|
-
# The time
|
3092
|
-
#
|
3093
|
-
#
|
3094
|
-
#
|
3095
|
-
#
|
3442
|
+
# The date and time when the imported key material expires. This
|
3443
|
+
# parameter is required when the value of the `ExpirationModel`
|
3444
|
+
# parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
|
3445
|
+
#
|
3446
|
+
# The value of this parameter must be a future date and time. The
|
3447
|
+
# maximum value is 365 days from the request date.
|
3448
|
+
#
|
3449
|
+
# When the key material expires, KMS deletes the key material from the
|
3450
|
+
# KMS key. Without its key material, the KMS key is unusable. To use
|
3451
|
+
# the KMS key in cryptographic operations, you must reimport the same
|
3452
|
+
# key material.
|
3453
|
+
#
|
3454
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3455
|
+
# current import after the request completes. To change either value,
|
3456
|
+
# you must delete (DeleteImportedKeyMaterial) and reimport the key
|
3457
|
+
# material.
|
3096
3458
|
# @return [Time]
|
3097
3459
|
#
|
3098
3460
|
# @!attribute [rw] expiration_model
|
3099
3461
|
# Specifies whether the key material expires. The default is
|
3100
|
-
# `KEY_MATERIAL_EXPIRES
|
3101
|
-
#
|
3462
|
+
# `KEY_MATERIAL_EXPIRES`.
|
3463
|
+
#
|
3464
|
+
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
3465
|
+
# must specify a value for the `ValidTo` parameter. When value is
|
3102
3466
|
# `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
|
3103
3467
|
# parameter.
|
3468
|
+
#
|
3469
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3470
|
+
# current import after the request completes. To change either value,
|
3471
|
+
# you must delete (DeleteImportedKeyMaterial) and reimport the key
|
3472
|
+
# material.
|
3104
3473
|
# @return [String]
|
3105
3474
|
#
|
3106
3475
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
@@ -3151,11 +3520,11 @@ module Aws::KMS
|
|
3151
3520
|
end
|
3152
3521
|
|
3153
3522
|
# The request was rejected because the trust anchor certificate in the
|
3154
|
-
# request
|
3155
|
-
# cluster.
|
3523
|
+
# request to create an CloudHSM key store is not the trust anchor
|
3524
|
+
# certificate for the specified CloudHSM cluster.
|
3156
3525
|
#
|
3157
|
-
# When you [initialize the cluster][1], you create the trust
|
3158
|
-
# certificate and save it in the `customerCA.crt` file.
|
3526
|
+
# When you [initialize the CloudHSM cluster][1], you create the trust
|
3527
|
+
# anchor certificate and save it in the `customerCA.crt` file.
|
3159
3528
|
#
|
3160
3529
|
#
|
3161
3530
|
#
|
@@ -3353,9 +3722,19 @@ module Aws::KMS
|
|
3353
3722
|
# The request was rejected because the state of the specified resource
|
3354
3723
|
# is not valid for this request.
|
3355
3724
|
#
|
3356
|
-
#
|
3357
|
-
#
|
3358
|
-
#
|
3725
|
+
# This exceptions means one of the following:
|
3726
|
+
#
|
3727
|
+
# * The key state of the KMS key is not compatible with the operation.
|
3728
|
+
#
|
3729
|
+
# To find the key state, use the DescribeKey operation. For more
|
3730
|
+
# information about which key states are compatible with each KMS
|
3731
|
+
# operation, see [Key states of KMS keys][1] in the <i> <i>Key
|
3732
|
+
# Management Service Developer Guide</i> </i>.
|
3733
|
+
#
|
3734
|
+
# * For cryptographic operations on KMS keys in custom key stores, this
|
3735
|
+
# exception represents a general failure with many possible causes. To
|
3736
|
+
# identify the cause, see the error message that accompanies the
|
3737
|
+
# exception.
|
3359
3738
|
#
|
3360
3739
|
#
|
3361
3740
|
#
|
@@ -3393,8 +3772,8 @@ module Aws::KMS
|
|
3393
3772
|
|
3394
3773
|
# Contains metadata about a KMS key.
|
3395
3774
|
#
|
3396
|
-
# This data type is used as a response element for the CreateKey
|
3397
|
-
# DescribeKey operations.
|
3775
|
+
# This data type is used as a response element for the CreateKey,
|
3776
|
+
# DescribeKey, and ReplicateKey operations.
|
3398
3777
|
#
|
3399
3778
|
# @!attribute [rw] aws_account_id
|
3400
3779
|
# The twelve-digit account ID of the Amazon Web Services account that
|
@@ -3478,7 +3857,7 @@ module Aws::KMS
|
|
3478
3857
|
#
|
3479
3858
|
# @!attribute [rw] custom_key_store_id
|
3480
3859
|
# A unique identifier for the [custom key store][1] that contains the
|
3481
|
-
# KMS key. This
|
3860
|
+
# KMS key. This field is present only when the KMS key is created in a
|
3482
3861
|
# custom key store.
|
3483
3862
|
#
|
3484
3863
|
#
|
@@ -3488,10 +3867,10 @@ module Aws::KMS
|
|
3488
3867
|
#
|
3489
3868
|
# @!attribute [rw] cloud_hsm_cluster_id
|
3490
3869
|
# The cluster ID of the CloudHSM cluster that contains the key
|
3491
|
-
# material for the KMS key. When you create a KMS key in
|
3492
|
-
# store][1], KMS creates the key material for the KMS key
|
3493
|
-
# associated CloudHSM cluster. This
|
3494
|
-
# key is created in
|
3870
|
+
# material for the KMS key. When you create a KMS key in an CloudHSM
|
3871
|
+
# [custom key store][1], KMS creates the key material for the KMS key
|
3872
|
+
# in the associated CloudHSM cluster. This field is present only when
|
3873
|
+
# the KMS key is created in an CloudHSM key store.
|
3495
3874
|
#
|
3496
3875
|
#
|
3497
3876
|
#
|
@@ -3520,7 +3899,7 @@ module Aws::KMS
|
|
3520
3899
|
#
|
3521
3900
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
3522
3901
|
# value. We recommend that you use the `KeySpec` field in your code.
|
3523
|
-
# However, to avoid breaking changes, KMS
|
3902
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
3524
3903
|
# @return [String]
|
3525
3904
|
#
|
3526
3905
|
# @!attribute [rw] key_spec
|
@@ -3602,6 +3981,18 @@ module Aws::KMS
|
|
3602
3981
|
# `GENERATE_VERIFY_MAC`.
|
3603
3982
|
# @return [Array<String>]
|
3604
3983
|
#
|
3984
|
+
# @!attribute [rw] xks_key_configuration
|
3985
|
+
# Information about the external key that is associated with a KMS key
|
3986
|
+
# in an external key store.
|
3987
|
+
#
|
3988
|
+
# For more information, see [External key][1] in the *Key Management
|
3989
|
+
# Service Developer Guide*.
|
3990
|
+
#
|
3991
|
+
#
|
3992
|
+
#
|
3993
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
3994
|
+
# @return [Types::XksKeyConfigurationType]
|
3995
|
+
#
|
3605
3996
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
3606
3997
|
#
|
3607
3998
|
class KeyMetadata < Struct.new(
|
@@ -3627,7 +4018,8 @@ module Aws::KMS
|
|
3627
4018
|
:multi_region,
|
3628
4019
|
:multi_region_configuration,
|
3629
4020
|
:pending_deletion_window_in_days,
|
3630
|
-
:mac_algorithms
|
4021
|
+
:mac_algorithms,
|
4022
|
+
:xks_key_configuration)
|
3631
4023
|
SENSITIVE = []
|
3632
4024
|
include Aws::Structure
|
3633
4025
|
end
|
@@ -4035,7 +4427,7 @@ module Aws::KMS
|
|
4035
4427
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
4036
4428
|
#
|
4037
4429
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4038
|
-
# KMS key. For details, see [ABAC
|
4430
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
4039
4431
|
# Service Developer Guide*.
|
4040
4432
|
#
|
4041
4433
|
# </note>
|
@@ -4267,7 +4659,7 @@ module Aws::KMS
|
|
4267
4659
|
# (`\u000D`) special characters
|
4268
4660
|
#
|
4269
4661
|
# For information about key policies, see [Key policies in KMS][3] in
|
4270
|
-
# the *Key Management Service Developer Guide*.
|
4662
|
+
# the *Key Management Service Developer Guide*.For help writing and
|
4271
4663
|
# formatting a JSON policy document, see the [IAM JSON Policy
|
4272
4664
|
# Reference][4] in the <i> <i>Identity and Access Management User
|
4273
4665
|
# Guide</i> </i>.
|
@@ -4703,7 +5095,7 @@ module Aws::KMS
|
|
4703
5095
|
# the TagResource operation.
|
4704
5096
|
#
|
4705
5097
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4706
|
-
# KMS key. For details, see [ABAC
|
5098
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
4707
5099
|
# Service Developer Guide*.
|
4708
5100
|
#
|
4709
5101
|
# </note>
|
@@ -5266,7 +5658,7 @@ module Aws::KMS
|
|
5266
5658
|
# The KMS key must be in the same Amazon Web Services account and
|
5267
5659
|
# Region as the alias. Also, the new target KMS key must be the same
|
5268
5660
|
# type as the current target KMS key (both symmetric or both
|
5269
|
-
# asymmetric) and they must have the same key usage.
|
5661
|
+
# asymmetric or both HMAC) and they must have the same key usage.
|
5270
5662
|
#
|
5271
5663
|
# Specify the key ID or key ARN of the KMS key.
|
5272
5664
|
#
|
@@ -5306,6 +5698,14 @@ module Aws::KMS
|
|
5306
5698
|
# new_custom_key_store_name: "CustomKeyStoreNameType",
|
5307
5699
|
# key_store_password: "KeyStorePasswordType",
|
5308
5700
|
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
5701
|
+
# xks_proxy_uri_endpoint: "XksProxyUriEndpointType",
|
5702
|
+
# xks_proxy_uri_path: "XksProxyUriPathType",
|
5703
|
+
# xks_proxy_vpc_endpoint_service_name: "XksProxyVpcEndpointServiceNameType",
|
5704
|
+
# xks_proxy_authentication_credential: {
|
5705
|
+
# access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
|
5706
|
+
# raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
|
5707
|
+
# },
|
5708
|
+
# xks_proxy_connectivity: "PUBLIC_ENDPOINT", # accepts PUBLIC_ENDPOINT, VPC_ENDPOINT_SERVICE
|
5309
5709
|
# }
|
5310
5710
|
#
|
5311
5711
|
# @!attribute [rw] custom_key_store_id
|
@@ -5318,19 +5718,28 @@ module Aws::KMS
|
|
5318
5718
|
# Changes the friendly name of the custom key store to the value that
|
5319
5719
|
# you specify. The custom key store name must be unique in the Amazon
|
5320
5720
|
# Web Services account.
|
5721
|
+
#
|
5722
|
+
# To change this value, an CloudHSM key store must be disconnected. An
|
5723
|
+
# external key store can be connected or disconnected.
|
5321
5724
|
# @return [String]
|
5322
5725
|
#
|
5323
5726
|
# @!attribute [rw] key_store_password
|
5324
5727
|
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
5325
|
-
# CloudHSM cluster that is associated with the custom key store.
|
5728
|
+
# CloudHSM cluster that is associated with the custom key store. This
|
5729
|
+
# parameter is valid only for custom key stores with a
|
5730
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
5326
5731
|
#
|
5327
5732
|
# This parameter tells KMS the current password of the `kmsuser`
|
5328
5733
|
# crypto user (CU). It does not set or change the password of any
|
5329
5734
|
# users in the CloudHSM cluster.
|
5735
|
+
#
|
5736
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
5330
5737
|
# @return [String]
|
5331
5738
|
#
|
5332
5739
|
# @!attribute [rw] cloud_hsm_cluster_id
|
5333
5740
|
# Associates the custom key store with a related CloudHSM cluster.
|
5741
|
+
# This parameter is valid only for custom key stores with a
|
5742
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
5334
5743
|
#
|
5335
5744
|
# Enter the cluster ID of the cluster that you used to create the
|
5336
5745
|
# custom key store or a cluster that shares a backup history and has
|
@@ -5341,19 +5750,111 @@ module Aws::KMS
|
|
5341
5750
|
# To view the cluster certificate of a cluster, use the
|
5342
5751
|
# [DescribeClusters][2] operation.
|
5343
5752
|
#
|
5753
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
5754
|
+
#
|
5344
5755
|
#
|
5345
5756
|
#
|
5346
5757
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
5347
5758
|
# [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
5348
5759
|
# @return [String]
|
5349
5760
|
#
|
5761
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
5762
|
+
# Changes the URI endpoint that KMS uses to connect to your external
|
5763
|
+
# key store proxy (XKS proxy). This parameter is valid only for custom
|
5764
|
+
# key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
5765
|
+
#
|
5766
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
5767
|
+
# `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
|
5768
|
+
#
|
5769
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
5770
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
5771
|
+
# DNS name associated with the VPC endpoint service. Each external key
|
5772
|
+
# store must use a different private DNS name.
|
5773
|
+
#
|
5774
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
5775
|
+
# be unique in the Amazon Web Services account and Region.
|
5776
|
+
#
|
5777
|
+
# To change this value, the external key store must be disconnected.
|
5778
|
+
# @return [String]
|
5779
|
+
#
|
5780
|
+
# @!attribute [rw] xks_proxy_uri_path
|
5781
|
+
# Changes the base path to the proxy APIs for this external key store.
|
5782
|
+
# To find this value, see the documentation for your external key
|
5783
|
+
# manager and external key store proxy (XKS proxy). This parameter is
|
5784
|
+
# valid only for custom key stores with a `CustomKeyStoreType` of
|
5785
|
+
# `EXTERNAL_KEY_STORE`.
|
5786
|
+
#
|
5787
|
+
# The value must start with `/` and must end with `/kms/xks/v1`, where
|
5788
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
5789
|
+
# You can include an optional prefix between the required elements
|
5790
|
+
# such as `/example/kms/xks/v1`.
|
5791
|
+
#
|
5792
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
5793
|
+
# be unique in the Amazon Web Services account and Region.
|
5794
|
+
#
|
5795
|
+
# You can change this value when the external key store is connected
|
5796
|
+
# or disconnected.
|
5797
|
+
# @return [String]
|
5798
|
+
#
|
5799
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
5800
|
+
# Changes the name that KMS uses to identify the Amazon VPC endpoint
|
5801
|
+
# service for your external key store proxy (XKS proxy). This
|
5802
|
+
# parameter is valid when the `CustomKeyStoreType` is
|
5803
|
+
# `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
|
5804
|
+
# `VPC_ENDPOINT_SERVICE`.
|
5805
|
+
#
|
5806
|
+
# To change this value, the external key store must be disconnected.
|
5807
|
+
# @return [String]
|
5808
|
+
#
|
5809
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
5810
|
+
# Changes the credentials that KMS uses to sign requests to the
|
5811
|
+
# external key store proxy (XKS proxy). This parameter is valid only
|
5812
|
+
# for custom key stores with a `CustomKeyStoreType` of
|
5813
|
+
# `EXTERNAL_KEY_STORE`.
|
5814
|
+
#
|
5815
|
+
# You must specify both the `AccessKeyId` and `SecretAccessKey` value
|
5816
|
+
# in the authentication credential, even if you are only updating one
|
5817
|
+
# value.
|
5818
|
+
#
|
5819
|
+
# This parameter doesn't establish or change your authentication
|
5820
|
+
# credentials on the proxy. It just tells KMS the credential that you
|
5821
|
+
# established with your external key store proxy. For example, if you
|
5822
|
+
# rotate the credential on your external key store proxy, you can use
|
5823
|
+
# this parameter to update the credential in KMS.
|
5824
|
+
#
|
5825
|
+
# You can change this value when the external key store is connected
|
5826
|
+
# or disconnected.
|
5827
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
5828
|
+
#
|
5829
|
+
# @!attribute [rw] xks_proxy_connectivity
|
5830
|
+
# Changes the connectivity setting for the external key store. To
|
5831
|
+
# indicate that the external key store proxy uses a Amazon VPC
|
5832
|
+
# endpoint service to communicate with KMS, specify
|
5833
|
+
# `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
|
5834
|
+
#
|
5835
|
+
# If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
|
5836
|
+
# you must also change the `XksProxyUriEndpoint` and add an
|
5837
|
+
# `XksProxyVpcEndpointServiceName` value.
|
5838
|
+
#
|
5839
|
+
# If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
|
5840
|
+
# must also change the `XksProxyUriEndpoint` and specify a null or
|
5841
|
+
# empty string for the `XksProxyVpcEndpointServiceName` value.
|
5842
|
+
#
|
5843
|
+
# To change this value, the external key store must be disconnected.
|
5844
|
+
# @return [String]
|
5845
|
+
#
|
5350
5846
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
|
5351
5847
|
#
|
5352
5848
|
class UpdateCustomKeyStoreRequest < Struct.new(
|
5353
5849
|
:custom_key_store_id,
|
5354
5850
|
:new_custom_key_store_name,
|
5355
5851
|
:key_store_password,
|
5356
|
-
:cloud_hsm_cluster_id
|
5852
|
+
:cloud_hsm_cluster_id,
|
5853
|
+
:xks_proxy_uri_endpoint,
|
5854
|
+
:xks_proxy_uri_path,
|
5855
|
+
:xks_proxy_vpc_endpoint_service_name,
|
5856
|
+
:xks_proxy_authentication_credential,
|
5857
|
+
:xks_proxy_connectivity)
|
5357
5858
|
SENSITIVE = [:key_store_password]
|
5358
5859
|
include Aws::Structure
|
5359
5860
|
end
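Review bot: `SENSITIVE` on `UpdateCustomKeyStoreRequest` still lists only `:key_store_password`, although the struct now also carries `:xks_proxy_authentication_credential`. Redaction of the proxy secret when this request is inspected or logged therefore depends entirely on the nested type's own list, `SENSITIVE = [:access_key_id, :raw_secret_access_key]` on `XksProxyAuthenticationCredentialType` later in this file. Whether the filtering code descends into nested members using the nested type's list is not visible here, so it is worth confirming with a test that inspects a populated request and checks the secret is not printed. If it does not descend, `SENSITIVE = [:key_store_password, :xks_proxy_authentication_credential]` would close the gap. Separately, the attribute text in this hunk names the second credential field `SecretAccessKey` while the member is `raw_secret_access_key`; the comment should use the member's actual name.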
|
@@ -5662,5 +6163,332 @@ module Aws::KMS
|
|
5662
6163
|
include Aws::Structure
|
5663
6164
|
end
|
5664
6165
|
|
6166
|
+
# The request was rejected because the (`XksKeyId`) is already
|
6167
|
+
# associated with a KMS key in this external key store. Each KMS key in
|
6168
|
+
# an external key store must be associated with a different external
|
6169
|
+
# key.
|
6170
|
+
#
|
6171
|
+
# @!attribute [rw] message
|
6172
|
+
# @return [String]
|
6173
|
+
#
|
6174
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
|
6175
|
+
#
|
6176
|
+
class XksKeyAlreadyInUseException < Struct.new(
|
6177
|
+
:message)
|
6178
|
+
SENSITIVE = []
|
6179
|
+
include Aws::Structure
|
6180
|
+
end
|
6181
|
+
|
6182
|
+
# Information about the [external key ][1]that is associated with a KMS
|
6183
|
+
# key in an external key store.
|
6184
|
+
#
|
6185
|
+
# These fields appear in a CreateKey or DescribeKey response only for a
|
6186
|
+
# KMS key in an external key store.
|
6187
|
+
#
|
6188
|
+
# The *external key* is a symmetric encryption key that is hosted by an
|
6189
|
+
# external key manager outside of Amazon Web Services. When you use the
|
6190
|
+
# KMS key in an external key store in a cryptographic operation, the
|
6191
|
+
# cryptographic operation is performed in the external key manager using
|
6192
|
+
# the specified external key. For more information, see [External
|
6193
|
+
# key][1] in the *Key Management Service Developer Guide*.
|
6194
|
+
#
|
6195
|
+
#
|
6196
|
+
#
|
6197
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
6198
|
+
#
|
6199
|
+
# @!attribute [rw] id
|
6200
|
+
# The ID of the external key in its external key manager. This is the
|
6201
|
+
# ID that the external key store proxy uses to identify the external
|
6202
|
+
# key.
|
6203
|
+
# @return [String]
|
6204
|
+
#
|
6205
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
|
6206
|
+
#
|
6207
|
+
class XksKeyConfigurationType < Struct.new(
|
6208
|
+
:id)
|
6209
|
+
SENSITIVE = []
|
6210
|
+
include Aws::Structure
|
6211
|
+
end
|
6212
|
+
|
6213
|
+
# The request was rejected because the external key specified by the
|
6214
|
+
# `XksKeyId` parameter did not meet the configuration requirements for
|
6215
|
+
# an external key store.
|
6216
|
+
#
|
6217
|
+
# The external key must be an AES-256 symmetric key that is enabled and
|
6218
|
+
# performs encryption and decryption.
|
6219
|
+
#
|
6220
|
+
# @!attribute [rw] message
|
6221
|
+
# @return [String]
|
6222
|
+
#
|
6223
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
|
6224
|
+
#
|
6225
|
+
class XksKeyInvalidConfigurationException < Struct.new(
|
6226
|
+
:message)
|
6227
|
+
SENSITIVE = []
|
6228
|
+
include Aws::Structure
|
6229
|
+
end
|
6230
|
+
|
6231
|
+
# The request was rejected because the external key store proxy could
|
6232
|
+
# not find the external key. This exception is thrown when the value of
|
6233
|
+
# the `XksKeyId` parameter doesn't identify a key in the external key
|
6234
|
+
# manager associated with the external key proxy.
|
6235
|
+
#
|
6236
|
+
# Verify that the `XksKeyId` represents an existing key in the external
|
6237
|
+
# key manager. Use the key identifier that the external key store proxy
|
6238
|
+
# uses to identify the key. For details, see the documentation provided
|
6239
|
+
# with your external key store proxy or key manager.
|
6240
|
+
#
|
6241
|
+
# @!attribute [rw] message
|
6242
|
+
# @return [String]
|
6243
|
+
#
|
6244
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
|
6245
|
+
#
|
6246
|
+
class XksKeyNotFoundException < Struct.new(
|
6247
|
+
:message)
|
6248
|
+
SENSITIVE = []
|
6249
|
+
include Aws::Structure
|
6250
|
+
end
|
6251
|
+
|
6252
|
+
# KMS uses the authentication credential to sign requests that it sends
|
6253
|
+
# to the external key store proxy (XKS proxy) on your behalf. You
|
6254
|
+
# establish these credentials on your external key store proxy and
|
6255
|
+
# report them to KMS.
|
6256
|
+
#
|
6257
|
+
# The `XksProxyAuthenticationCredential` includes two required elements.
|
6258
|
+
#
|
6259
|
+
# @note When making an API call, you may pass XksProxyAuthenticationCredentialType
|
6260
|
+
# data as a hash:
|
6261
|
+
#
|
6262
|
+
# {
|
6263
|
+
# access_key_id: "XksProxyAuthenticationAccessKeyIdType", # required
|
6264
|
+
# raw_secret_access_key: "XksProxyAuthenticationRawSecretAccessKeyType", # required
|
6265
|
+
# }
|
6266
|
+
#
|
6267
|
+
# @!attribute [rw] access_key_id
|
6268
|
+
# A unique identifier for the raw secret access key.
|
6269
|
+
# @return [String]
|
6270
|
+
#
|
6271
|
+
# @!attribute [rw] raw_secret_access_key
|
6272
|
+
# A secret string of 43-64 characters. Valid characters are a-z, A-Z,
|
6273
|
+
# 0-9, /, +, and =.
|
6274
|
+
# @return [String]
|
6275
|
+
#
|
6276
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
|
6277
|
+
#
|
6278
|
+
class XksProxyAuthenticationCredentialType < Struct.new(
|
6279
|
+
:access_key_id,
|
6280
|
+
:raw_secret_access_key)
|
6281
|
+
SENSITIVE = [:access_key_id, :raw_secret_access_key]
|
6282
|
+
include Aws::Structure
|
6283
|
+
end
|
6284
|
+
|
6285
|
+
# Detailed information about the external key store proxy (XKS proxy).
|
6286
|
+
# Your external key store proxy translates KMS requests into a format
|
6287
|
+
# that your external key manager can understand. These fields appear in
|
6288
|
+
# a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
|
6289
|
+
# is `EXTERNAL_KEY_STORE`.
|
6290
|
+
#
|
6291
|
+
# @!attribute [rw] connectivity
|
6292
|
+
# Indicates whether the external key store proxy uses a public
|
6293
|
+
# endpoint or an Amazon VPC endpoint service to communicate with KMS.
|
6294
|
+
# @return [String]
|
6295
|
+
#
|
6296
|
+
# @!attribute [rw] access_key_id
|
6297
|
+
# The part of the external key store [proxy authentication
|
6298
|
+
# credential][1] that uniquely identifies the secret access key.
|
6299
|
+
#
|
6300
|
+
#
|
6301
|
+
#
|
6302
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
|
6303
|
+
# @return [String]
|
6304
|
+
#
|
6305
|
+
# @!attribute [rw] uri_endpoint
|
6306
|
+
# The URI endpoint for the external key store proxy.
|
6307
|
+
#
|
6308
|
+
# If the external key store proxy has a public endpoint, it is
|
6309
|
+
# displayed here.
|
6310
|
+
#
|
6311
|
+
# If the external key store proxy uses an Amazon VPC endpoint service
|
6312
|
+
# name, this field displays the private DNS name associated with the
|
6313
|
+
# VPC endpoint service.
|
6314
|
+
# @return [String]
|
6315
|
+
#
|
6316
|
+
# @!attribute [rw] uri_path
|
6317
|
+
# The path to the external key store proxy APIs.
|
6318
|
+
# @return [String]
|
6319
|
+
#
|
6320
|
+
# @!attribute [rw] vpc_endpoint_service_name
|
6321
|
+
# The Amazon VPC endpoint service used to communicate with the
|
6322
|
+
# external key store proxy. This field appears only when the external
|
6323
|
+
# key store proxy uses an Amazon VPC endpoint service to communicate
|
6324
|
+
# with KMS.
|
6325
|
+
# @return [String]
|
6326
|
+
#
|
6327
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
|
6328
|
+
#
|
6329
|
+
class XksProxyConfigurationType < Struct.new(
|
6330
|
+
:connectivity,
|
6331
|
+
:access_key_id,
|
6332
|
+
:uri_endpoint,
|
6333
|
+
:uri_path,
|
6334
|
+
:vpc_endpoint_service_name)
|
6335
|
+
SENSITIVE = [:access_key_id]
|
6336
|
+
include Aws::Structure
|
6337
|
+
end
|
6338
|
+
|
6339
|
+
# The request was rejected because the proxy credentials failed to
|
6340
|
+
# authenticate to the specified external key store proxy. The specified
|
6341
|
+
# external key store proxy rejected a status request from KMS due to
|
6342
|
+
# invalid credentials. This can indicate an error in the credentials or
|
6343
|
+
# in the identification of the external key store proxy.
|
6344
|
+
#
|
6345
|
+
# @!attribute [rw] message
|
6346
|
+
# @return [String]
|
6347
|
+
#
|
6348
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
|
6349
|
+
#
|
6350
|
+
class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
|
6351
|
+
:message)
|
6352
|
+
SENSITIVE = []
|
6353
|
+
include Aws::Structure
|
6354
|
+
end
|
6355
|
+
|
6356
|
+
# The request was rejected because the Amazon VPC endpoint service
|
6357
|
+
# configuration does not fulfill the requirements for an external key
|
6358
|
+
# store proxy. For details, see the exception message.
|
6359
|
+
#
|
6360
|
+
# @!attribute [rw] message
|
6361
|
+
# @return [String]
|
6362
|
+
#
|
6363
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
|
6364
|
+
#
|
6365
|
+
class XksProxyInvalidConfigurationException < Struct.new(
|
6366
|
+
:message)
|
6367
|
+
SENSITIVE = []
|
6368
|
+
include Aws::Structure
|
6369
|
+
end
|
6370
|
+
|
6371
|
+
# KMS cannot interpret the response it received from the external key
|
6372
|
+
# store proxy. The problem might be a poorly constructed response, but
|
6373
|
+
# it could also be a transient network issue. If you see this error
|
6374
|
+
# repeatedly, report it to the proxy vendor.
|
6375
|
+
#
|
6376
|
+
# @!attribute [rw] message
|
6377
|
+
# @return [String]
|
6378
|
+
#
|
6379
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
|
6380
|
+
#
|
6381
|
+
class XksProxyInvalidResponseException < Struct.new(
|
6382
|
+
:message)
|
6383
|
+
SENSITIVE = []
|
6384
|
+
include Aws::Structure
|
6385
|
+
end
|
6386
|
+
|
6387
|
+
# The request was rejected because the concatenation of the
|
6388
|
+
# `XksProxyUriEndpoint` is already associated with an external key store
|
6389
|
+
# in the Amazon Web Services account and Region. Each external key store
|
6390
|
+
# in an account and Region must use a unique external key store proxy
|
6391
|
+
# address.
|
6392
|
+
#
|
6393
|
+
# @!attribute [rw] message
|
6394
|
+
# @return [String]
|
6395
|
+
#
|
6396
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
|
6397
|
+
#
|
6398
|
+
class XksProxyUriEndpointInUseException < Struct.new(
|
6399
|
+
:message)
|
6400
|
+
SENSITIVE = []
|
6401
|
+
include Aws::Structure
|
6402
|
+
end
|
6403
|
+
|
6404
|
+
# The request was rejected because the concatenation of the
|
6405
|
+
# `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
|
6406
|
+
# an external key store in the Amazon Web Services account and Region.
|
6407
|
+
# Each external key store in an account and Region must use a unique
|
6408
|
+
# external key store proxy API address.
|
6409
|
+
#
|
6410
|
+
# @!attribute [rw] message
|
6411
|
+
# @return [String]
|
6412
|
+
#
|
6413
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
|
6414
|
+
#
|
6415
|
+
class XksProxyUriInUseException < Struct.new(
|
6416
|
+
:message)
|
6417
|
+
SENSITIVE = []
|
6418
|
+
include Aws::Structure
|
6419
|
+
end
|
6420
|
+
|
6421
|
+
# KMS was unable to reach the specified `XksProxyUriPath`. The path must
|
6422
|
+
# be reachable before you create the external key store or update its
|
6423
|
+
# settings.
|
6424
|
+
#
|
6425
|
+
# This exception is also thrown when the external key store proxy
|
6426
|
+
# response to a `GetHealthStatus` request indicates that all external
|
6427
|
+
# key manager instances are unavailable.
|
6428
|
+
#
|
6429
|
+
# @!attribute [rw] message
|
6430
|
+
# @return [String]
|
6431
|
+
#
|
6432
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
|
6433
|
+
#
|
6434
|
+
class XksProxyUriUnreachableException < Struct.new(
|
6435
|
+
:message)
|
6436
|
+
SENSITIVE = []
|
6437
|
+
include Aws::Structure
|
6438
|
+
end
|
6439
|
+
|
6440
|
+
# The request was rejected because the specified Amazon VPC endpoint
|
6441
|
+
# service is already associated with an external key store in the Amazon
|
6442
|
+
# Web Services account and Region. Each external key store in an Amazon
|
6443
|
+
# Web Services account and Region must use a different Amazon VPC
|
6444
|
+
# endpoint service.
|
6445
|
+
#
|
6446
|
+
# @!attribute [rw] message
|
6447
|
+
# @return [String]
|
6448
|
+
#
|
6449
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
|
6450
|
+
#
|
6451
|
+
class XksProxyVpcEndpointServiceInUseException < Struct.new(
|
6452
|
+
:message)
|
6453
|
+
SENSITIVE = []
|
6454
|
+
include Aws::Structure
|
6455
|
+
end
|
6456
|
+
|
6457
|
+
# The request was rejected because the Amazon VPC endpoint service
|
6458
|
+
# configuration does not fulfill the requirements for an external key
|
6459
|
+
# store proxy. For details, see the exception message and [review the
|
6460
|
+
# requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
|
6461
|
+
# for Amazon VPC endpoint service connectivity for an external key
|
6462
|
+
# store.
|
6463
|
+
#
|
6464
|
+
# @!attribute [rw] message
|
6465
|
+
# @return [String]
|
6466
|
+
#
|
6467
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
|
6468
|
+
#
|
6469
|
+
class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
|
6470
|
+
:message)
|
6471
|
+
SENSITIVE = []
|
6472
|
+
include Aws::Structure
|
6473
|
+
end
|
6474
|
+
|
6475
|
+
# The request was rejected because KMS could not find the specified VPC
|
6476
|
+
# endpoint service. Use DescribeCustomKeyStores to verify the VPC
|
6477
|
+
# endpoint service name for the external key store. Also, confirm that
|
6478
|
+
# the `Allow principals` list for the VPC endpoint service includes the
|
6479
|
+
# KMS service principal for the Region, such as
|
6480
|
+
# `cks.kms.us-east-1.amazonaws.com`.
|
6481
|
+
#
|
6482
|
+
# @!attribute [rw] message
|
6483
|
+
# @return [String]
|
6484
|
+
#
|
6485
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
|
6486
|
+
#
|
6487
|
+
class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
|
6488
|
+
:message)
|
6489
|
+
SENSITIVE = []
|
6490
|
+
include Aws::Structure
|
6491
|
+
end
|
6492
|
+
|
5665
6493
|
end
|
5666
6494
|
end
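Review bot: The comment on `XksProxyVpcEndpointServiceInvalidConfigurationException` uses an inline relative link, `(kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)`, which is unlikely to resolve in rendered docs. The other links in this hunk are reference-style with absolute URLs. Following that pattern, the text would read `[review the requirements][1]` with a trailing `# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements`, the host being assumed from the file's other links. The comment on `XksProxyUriEndpointInUseException` also speaks of "the concatenation of" a single value, `XksProxyUriEndpoint`; it should say the endpoint itself is already associated with an external key store, which keeps it distinct from `XksProxyUriInUseException`.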
|