aws-sdk-kms 1.59.0 → 1.61.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1227 -439
- data/lib/aws-sdk-kms/client_api.rb +111 -7
- data/lib/aws-sdk-kms/endpoint_parameters.rb +3 -0
- data/lib/aws-sdk-kms/endpoint_provider.rb +74 -75
- data/lib/aws-sdk-kms/errors.rb +192 -0
- data/lib/aws-sdk-kms/types.rb +1005 -723
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-kms/types.rb
CHANGED
|
@@ -61,13 +61,6 @@ module Aws::KMS
|
|
|
61
61
|
include Aws::Structure
|
|
62
62
|
end
|
|
63
63
|
|
|
64
|
-
# @note When making an API call, you may pass CancelKeyDeletionRequest
|
|
65
|
-
# data as a hash:
|
|
66
|
-
#
|
|
67
|
-
# {
|
|
68
|
-
# key_id: "KeyIdType", # required
|
|
69
|
-
# }
|
|
70
|
-
#
|
|
71
64
|
# @!attribute [rw] key_id
|
|
72
65
|
# Identifies the KMS key whose deletion is being canceled.
|
|
73
66
|
#
|
|
@@ -110,14 +103,14 @@ module Aws::KMS
|
|
|
110
103
|
end
|
|
111
104
|
|
|
112
105
|
# The request was rejected because the specified CloudHSM cluster is
|
|
113
|
-
# already associated with
|
|
114
|
-
#
|
|
115
|
-
# Each
|
|
116
|
-
# cluster.
|
|
106
|
+
# already associated with an CloudHSM key store in the account, or it
|
|
107
|
+
# shares a backup history with an CloudHSM key store in the account.
|
|
108
|
+
# Each CloudHSM key store in the account must be associated with a
|
|
109
|
+
# different CloudHSM cluster.
|
|
117
110
|
#
|
|
118
|
-
#
|
|
119
|
-
# certificate. To view the cluster certificate of
|
|
120
|
-
# [DescribeClusters][1] operation.
|
|
111
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
|
112
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
|
113
|
+
# use the [DescribeClusters][1] operation.
|
|
121
114
|
#
|
|
122
115
|
#
|
|
123
116
|
#
|
|
@@ -135,22 +128,23 @@ module Aws::KMS
|
|
|
135
128
|
end
|
|
136
129
|
|
|
137
130
|
# The request was rejected because the associated CloudHSM cluster did
|
|
138
|
-
# not meet the configuration requirements for
|
|
131
|
+
# not meet the configuration requirements for an CloudHSM key store.
|
|
139
132
|
#
|
|
140
|
-
# * The cluster must be configured with private subnets in at
|
|
141
|
-
# different Availability Zones in the Region.
|
|
133
|
+
# * The CloudHSM cluster must be configured with private subnets in at
|
|
134
|
+
# least two different Availability Zones in the Region.
|
|
142
135
|
#
|
|
143
136
|
# * The [security group for the cluster][1]
|
|
144
137
|
# (cloudhsm-cluster-*<cluster-id>*-sg) must include inbound
|
|
145
138
|
# rules and outbound rules that allow TCP traffic on ports 2223-2225.
|
|
146
139
|
# The **Source** in the inbound rules and the **Destination** in the
|
|
147
140
|
# outbound rules must match the security group ID. These rules are set
|
|
148
|
-
# by default when you create the cluster. Do not delete or
|
|
149
|
-
# them. To get information about a particular security group,
|
|
150
|
-
# [DescribeSecurityGroups][2] operation.
|
|
141
|
+
# by default when you create the CloudHSM cluster. Do not delete or
|
|
142
|
+
# change them. To get information about a particular security group,
|
|
143
|
+
# use the [DescribeSecurityGroups][2] operation.
|
|
151
144
|
#
|
|
152
|
-
# * The cluster must contain at least as many HSMs as the
|
|
153
|
-
# requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
|
145
|
+
# * The CloudHSM cluster must contain at least as many HSMs as the
|
|
146
|
+
# operation requires. To add HSMs, use the CloudHSM [CreateHsm][3]
|
|
147
|
+
# operation.
|
|
154
148
|
#
|
|
155
149
|
# For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
|
|
156
150
|
# operations, the CloudHSM cluster must have at least two active HSMs,
|
|
@@ -158,7 +152,7 @@ module Aws::KMS
|
|
|
158
152
|
# operation, the CloudHSM must contain at least one active HSM.
|
|
159
153
|
#
|
|
160
154
|
# For information about the requirements for an CloudHSM cluster that is
|
|
161
|
-
# associated with
|
|
155
|
+
# associated with an CloudHSM key store, see [Assemble the
|
|
162
156
|
# Prerequisites][4] in the *Key Management Service Developer Guide*. For
|
|
163
157
|
# information about creating a private subnet for an CloudHSM cluster,
|
|
164
158
|
# see [Create a Private Subnet][5] in the *CloudHSM User Guide*. For
|
|
@@ -184,10 +178,10 @@ module Aws::KMS
|
|
|
184
178
|
include Aws::Structure
|
|
185
179
|
end
|
|
186
180
|
|
|
187
|
-
# The request was rejected because the CloudHSM cluster
|
|
188
|
-
#
|
|
189
|
-
#
|
|
190
|
-
#
|
|
181
|
+
# The request was rejected because the CloudHSM cluster associated with
|
|
182
|
+
# the CloudHSM key store is not active. Initialize and activate the
|
|
183
|
+
# cluster and try the command again. For detailed instructions, see
|
|
184
|
+
# [Getting Started][1] in the *CloudHSM User Guide*.
|
|
191
185
|
#
|
|
192
186
|
#
|
|
193
187
|
#
|
|
@@ -221,16 +215,17 @@ module Aws::KMS
|
|
|
221
215
|
|
|
222
216
|
# The request was rejected because the specified CloudHSM cluster has a
|
|
223
217
|
# different cluster certificate than the original cluster. You cannot
|
|
224
|
-
# use the operation to specify an unrelated cluster
|
|
218
|
+
# use the operation to specify an unrelated cluster for an CloudHSM key
|
|
219
|
+
# store.
|
|
225
220
|
#
|
|
226
|
-
# Specify
|
|
227
|
-
# cluster. This includes clusters that were created from a
|
|
228
|
-
# current cluster, and clusters that were created from the
|
|
229
|
-
# that produced the current cluster.
|
|
221
|
+
# Specify an CloudHSM cluster that shares a backup history with the
|
|
222
|
+
# original cluster. This includes clusters that were created from a
|
|
223
|
+
# backup of the current cluster, and clusters that were created from the
|
|
224
|
+
# same backup that produced the current cluster.
|
|
230
225
|
#
|
|
231
|
-
#
|
|
232
|
-
# certificate. To view the cluster certificate of
|
|
233
|
-
# [DescribeClusters][1] operation.
|
|
226
|
+
# CloudHSM clusters that share a backup history have the same cluster
|
|
227
|
+
# certificate. To view the cluster certificate of an CloudHSM cluster,
|
|
228
|
+
# use the [DescribeClusters][1] operation.
|
|
234
229
|
#
|
|
235
230
|
#
|
|
236
231
|
#
|
|
@@ -247,13 +242,6 @@ module Aws::KMS
|
|
|
247
242
|
include Aws::Structure
|
|
248
243
|
end
|
|
249
244
|
|
|
250
|
-
# @note When making an API call, you may pass ConnectCustomKeyStoreRequest
|
|
251
|
-
# data as a hash:
|
|
252
|
-
#
|
|
253
|
-
# {
|
|
254
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
|
255
|
-
# }
|
|
256
|
-
#
|
|
257
245
|
# @!attribute [rw] custom_key_store_id
|
|
258
246
|
# Enter the key store ID of the custom key store that you want to
|
|
259
247
|
# connect. To find the ID of a custom key store, use the
|
|
@@ -272,14 +260,6 @@ module Aws::KMS
|
|
|
272
260
|
#
|
|
273
261
|
class ConnectCustomKeyStoreResponse < Aws::EmptyStructure; end
|
|
274
262
|
|
|
275
|
-
# @note When making an API call, you may pass CreateAliasRequest
|
|
276
|
-
# data as a hash:
|
|
277
|
-
#
|
|
278
|
-
# {
|
|
279
|
-
# alias_name: "AliasNameType", # required
|
|
280
|
-
# target_key_id: "KeyIdType", # required
|
|
281
|
-
# }
|
|
282
|
-
#
|
|
283
263
|
# @!attribute [rw] alias_name
|
|
284
264
|
# Specifies the alias name. This value must begin with `alias/`
|
|
285
265
|
# followed by a name, such as `alias/ExampleAlias`.
|
|
@@ -333,26 +313,20 @@ module Aws::KMS
|
|
|
333
313
|
include Aws::Structure
|
|
334
314
|
end
|
|
335
315
|
|
|
336
|
-
# @note When making an API call, you may pass CreateCustomKeyStoreRequest
|
|
337
|
-
# data as a hash:
|
|
338
|
-
#
|
|
339
|
-
# {
|
|
340
|
-
# custom_key_store_name: "CustomKeyStoreNameType", # required
|
|
341
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
342
|
-
# trust_anchor_certificate: "TrustAnchorCertificateType",
|
|
343
|
-
# key_store_password: "KeyStorePasswordType",
|
|
344
|
-
# }
|
|
345
|
-
#
|
|
346
316
|
# @!attribute [rw] custom_key_store_name
|
|
347
317
|
# Specifies a friendly name for the custom key store. The name must be
|
|
348
|
-
# unique in your Amazon Web Services account.
|
|
318
|
+
# unique in your Amazon Web Services account and Region. This
|
|
319
|
+
# parameter is required for all custom key stores.
|
|
349
320
|
# @return [String]
|
|
350
321
|
#
|
|
351
322
|
# @!attribute [rw] cloud_hsm_cluster_id
|
|
352
|
-
# Identifies the CloudHSM cluster for
|
|
353
|
-
#
|
|
354
|
-
#
|
|
355
|
-
#
|
|
323
|
+
# Identifies the CloudHSM cluster for an CloudHSM key store. This
|
|
324
|
+
# parameter is required for custom key stores with
|
|
325
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
|
326
|
+
#
|
|
327
|
+
# Enter the cluster ID of any active CloudHSM cluster that is not
|
|
328
|
+
# already associated with a custom key store. To find the cluster ID,
|
|
329
|
+
# use the [DescribeClusters][1] operation.
|
|
356
330
|
#
|
|
357
331
|
#
|
|
358
332
|
#
|
|
@@ -360,9 +334,13 @@ module Aws::KMS
|
|
|
360
334
|
# @return [String]
|
|
361
335
|
#
|
|
362
336
|
# @!attribute [rw] trust_anchor_certificate
|
|
363
|
-
#
|
|
364
|
-
#
|
|
365
|
-
#
|
|
337
|
+
# Specifies the certificate for an CloudHSM key store. This parameter
|
|
338
|
+
# is required for custom key stores with a `CustomKeyStoreType` of
|
|
339
|
+
# `AWS_CLOUDHSM`.
|
|
340
|
+
#
|
|
341
|
+
# Enter the content of the trust anchor certificate for the CloudHSM
|
|
342
|
+
# cluster. This is the content of the `customerCA.crt` file that you
|
|
343
|
+
# created when you [initialized the cluster][1].
|
|
366
344
|
#
|
|
367
345
|
#
|
|
368
346
|
#
|
|
@@ -370,6 +348,10 @@ module Aws::KMS
|
|
|
370
348
|
# @return [String]
|
|
371
349
|
#
|
|
372
350
|
# @!attribute [rw] key_store_password
|
|
351
|
+
# Specifies the `kmsuser` password for an CloudHSM key store. This
|
|
352
|
+
# parameter is required for custom key stores with a
|
|
353
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
|
354
|
+
#
|
|
373
355
|
# Enter the password of the [ `kmsuser` crypto user (CU) account][1]
|
|
374
356
|
# in the specified CloudHSM cluster. KMS logs into the cluster as this
|
|
375
357
|
# user to manage key material on your behalf.
|
|
@@ -385,13 +367,167 @@ module Aws::KMS
|
|
|
385
367
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser
|
|
386
368
|
# @return [String]
|
|
387
369
|
#
|
|
370
|
+
# @!attribute [rw] custom_key_store_type
|
|
371
|
+
# Specifies the type of custom key store. The default value is
|
|
372
|
+
# `AWS_CLOUDHSM`.
|
|
373
|
+
#
|
|
374
|
+
# For a custom key store backed by an CloudHSM cluster, omit the
|
|
375
|
+
# parameter or enter `AWS_CLOUDHSM`. For a custom key store backed by
|
|
376
|
+
# an external key manager outside of Amazon Web Services, enter
|
|
377
|
+
# `EXTERNAL_KEY_STORE`. You cannot change this property after the key
|
|
378
|
+
# store is created.
|
|
379
|
+
# @return [String]
|
|
380
|
+
#
|
|
381
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
|
382
|
+
# Specifies the endpoint that KMS uses to send requests to the
|
|
383
|
+
# external key store proxy (XKS proxy). This parameter is required for
|
|
384
|
+
# custom key stores with a `CustomKeyStoreType` of
|
|
385
|
+
# `EXTERNAL_KEY_STORE`.
|
|
386
|
+
#
|
|
387
|
+
# The protocol must be HTTPS. KMS communicates on port 443. Do not
|
|
388
|
+
# specify the port in the `XksProxyUriEndpoint` value.
|
|
389
|
+
#
|
|
390
|
+
# For external key stores with `XksProxyConnectivity` value of
|
|
391
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
|
392
|
+
# DNS name of the VPC endpoint service.
|
|
393
|
+
#
|
|
394
|
+
# For external key stores with `PUBLIC_ENDPOINT` connectivity, this
|
|
395
|
+
# endpoint must be reachable before you create the custom key store.
|
|
396
|
+
# KMS connects to the external key store proxy while creating the
|
|
397
|
+
# custom key store. For external key stores with
|
|
398
|
+
# `VPC_ENDPOINT_SERVICE` connectivity, KMS connects when you call the
|
|
399
|
+
# ConnectCustomKeyStore operation.
|
|
400
|
+
#
|
|
401
|
+
# The value of this parameter must begin with `https://`. The
|
|
402
|
+
# remainder can contain upper and lower case letters (A-Z and a-z),
|
|
403
|
+
# numbers (0-9), dots (`.`), and hyphens (`-`). Additional slashes
|
|
404
|
+
# (`/` and ``) are not permitted.
|
|
405
|
+
#
|
|
406
|
+
# <b>Uniqueness requirements: </b>
|
|
407
|
+
#
|
|
408
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
|
409
|
+
# must be unique in the Amazon Web Services account and Region.
|
|
410
|
+
#
|
|
411
|
+
# * An external key store with `PUBLIC_ENDPOINT` connectivity cannot
|
|
412
|
+
# use the same `XksProxyUriEndpoint` value as an external key store
|
|
413
|
+
# with `VPC_ENDPOINT_SERVICE` connectivity in the same Amazon Web
|
|
414
|
+
# Services Region.
|
|
415
|
+
#
|
|
416
|
+
# * Each external key store with `VPC_ENDPOINT_SERVICE` connectivity
|
|
417
|
+
# must have its own private DNS name. The `XksProxyUriEndpoint`
|
|
418
|
+
# value for external key stores with `VPC_ENDPOINT_SERVICE`
|
|
419
|
+
# connectivity (private DNS name) must be unique in the Amazon Web
|
|
420
|
+
# Services account and Region.
|
|
421
|
+
# @return [String]
|
|
422
|
+
#
|
|
423
|
+
# @!attribute [rw] xks_proxy_uri_path
|
|
424
|
+
# Specifies the base path to the proxy APIs for this external key
|
|
425
|
+
# store. To find this value, see the documentation for your external
|
|
426
|
+
# key store proxy. This parameter is required for all custom key
|
|
427
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
|
428
|
+
#
|
|
429
|
+
# The value must start with `/` and must end with `/kms/xks/v1` where
|
|
430
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
|
431
|
+
# This path can include an optional prefix between the required
|
|
432
|
+
# elements such as `/prefix/kms/xks/v1`.
|
|
433
|
+
#
|
|
434
|
+
# <b>Uniqueness requirements: </b>
|
|
435
|
+
#
|
|
436
|
+
# * The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values
|
|
437
|
+
# must be unique in the Amazon Web Services account and Region.
|
|
438
|
+
#
|
|
439
|
+
# ^
|
|
440
|
+
# @return [String]
|
|
441
|
+
#
|
|
442
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
|
443
|
+
# Specifies the name of the Amazon VPC endpoint service for interface
|
|
444
|
+
# endpoints that is used to communicate with your external key store
|
|
445
|
+
# proxy (XKS proxy). This parameter is required when the value of
|
|
446
|
+
# `CustomKeyStoreType` is `EXTERNAL_KEY_STORE` and the value of
|
|
447
|
+
# `XksProxyConnectivity` is `VPC_ENDPOINT_SERVICE`.
|
|
448
|
+
#
|
|
449
|
+
# The Amazon VPC endpoint service must [fulfill all requirements][1]
|
|
450
|
+
# for use with an external key store.
|
|
451
|
+
#
|
|
452
|
+
# **Uniqueness requirements:**
|
|
453
|
+
#
|
|
454
|
+
# * External key stores with `VPC_ENDPOINT_SERVICE` connectivity can
|
|
455
|
+
# share an Amazon VPC, but each external key store must have its own
|
|
456
|
+
# VPC endpoint service and private DNS name.
|
|
457
|
+
#
|
|
458
|
+
# ^
|
|
459
|
+
#
|
|
460
|
+
#
|
|
461
|
+
#
|
|
462
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements
|
|
463
|
+
# @return [String]
|
|
464
|
+
#
|
|
465
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
|
466
|
+
# Specifies an authentication credential for the external key store
|
|
467
|
+
# proxy (XKS proxy). This parameter is required for all custom key
|
|
468
|
+
# stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
|
469
|
+
#
|
|
470
|
+
# The `XksProxyAuthenticationCredential` has two required elements:
|
|
471
|
+
# `RawSecretAccessKey`, a secret key, and `AccessKeyId`, a unique
|
|
472
|
+
# identifier for the `RawSecretAccessKey`. For character requirements,
|
|
473
|
+
# see
|
|
474
|
+
# [XksProxyAuthenticationCredentialType](kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html).
|
|
475
|
+
#
|
|
476
|
+
# KMS uses this authentication credential to sign requests to the
|
|
477
|
+
# external key store proxy on your behalf. This credential is
|
|
478
|
+
# unrelated to Identity and Access Management (IAM) and Amazon Web
|
|
479
|
+
# Services credentials.
|
|
480
|
+
#
|
|
481
|
+
# This parameter doesn't set or change the authentication credentials
|
|
482
|
+
# on the XKS proxy. It just tells KMS the credential that you
|
|
483
|
+
# established on your external key store proxy. If you rotate your
|
|
484
|
+
# proxy authentication credential, use the UpdateCustomKeyStore
|
|
485
|
+
# operation to provide the new credential to KMS.
|
|
486
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
|
487
|
+
#
|
|
488
|
+
# @!attribute [rw] xks_proxy_connectivity
|
|
489
|
+
# Indicates how KMS communicates with the external key store proxy.
|
|
490
|
+
# This parameter is required for custom key stores with a
|
|
491
|
+
# `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
|
492
|
+
#
|
|
493
|
+
# If the external key store proxy uses a public endpoint, specify
|
|
494
|
+
# `PUBLIC_ENDPOINT`. If the external key store proxy uses a Amazon VPC
|
|
495
|
+
# endpoint service for communication with KMS, specify
|
|
496
|
+
# `VPC_ENDPOINT_SERVICE`. For help making this choice, see [Choosing a
|
|
497
|
+
# connectivity option][1] in the *Key Management Service Developer
|
|
498
|
+
# Guide*.
|
|
499
|
+
#
|
|
500
|
+
# An Amazon VPC endpoint service keeps your communication with KMS in
|
|
501
|
+
# a private address space entirely within Amazon Web Services, but it
|
|
502
|
+
# requires more configuration, including establishing a Amazon VPC
|
|
503
|
+
# with multiple subnets, a VPC endpoint service, a network load
|
|
504
|
+
# balancer, and a verified private DNS name. A public endpoint is
|
|
505
|
+
# simpler to set up, but it might be slower and might not fulfill your
|
|
506
|
+
# security requirements. You might consider testing with a public
|
|
507
|
+
# endpoint, and then establishing a VPC endpoint service for
|
|
508
|
+
# production tasks. Note that this choice does not determine the
|
|
509
|
+
# location of the external key store proxy. Even if you choose a VPC
|
|
510
|
+
# endpoint service, the proxy can be hosted within the VPC or outside
|
|
511
|
+
# of Amazon Web Services such as in your corporate data center.
|
|
512
|
+
#
|
|
513
|
+
#
|
|
514
|
+
#
|
|
515
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivity
|
|
516
|
+
# @return [String]
|
|
517
|
+
#
|
|
388
518
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStoreRequest AWS API Documentation
|
|
389
519
|
#
|
|
390
520
|
class CreateCustomKeyStoreRequest < Struct.new(
|
|
391
521
|
:custom_key_store_name,
|
|
392
522
|
:cloud_hsm_cluster_id,
|
|
393
523
|
:trust_anchor_certificate,
|
|
394
|
-
:key_store_password
|
|
524
|
+
:key_store_password,
|
|
525
|
+
:custom_key_store_type,
|
|
526
|
+
:xks_proxy_uri_endpoint,
|
|
527
|
+
:xks_proxy_uri_path,
|
|
528
|
+
:xks_proxy_vpc_endpoint_service_name,
|
|
529
|
+
:xks_proxy_authentication_credential,
|
|
530
|
+
:xks_proxy_connectivity)
|
|
395
531
|
SENSITIVE = [:key_store_password]
|
|
396
532
|
include Aws::Structure
|
|
397
533
|
end
|
|
@@ -408,26 +544,6 @@ module Aws::KMS
|
|
|
408
544
|
include Aws::Structure
|
|
409
545
|
end
|
|
410
546
|
|
|
411
|
-
# @note When making an API call, you may pass CreateGrantRequest
|
|
412
|
-
# data as a hash:
|
|
413
|
-
#
|
|
414
|
-
# {
|
|
415
|
-
# key_id: "KeyIdType", # required
|
|
416
|
-
# grantee_principal: "PrincipalIdType", # required
|
|
417
|
-
# retiring_principal: "PrincipalIdType",
|
|
418
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
419
|
-
# constraints: {
|
|
420
|
-
# encryption_context_subset: {
|
|
421
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
422
|
-
# },
|
|
423
|
-
# encryption_context_equals: {
|
|
424
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
425
|
-
# },
|
|
426
|
-
# },
|
|
427
|
-
# grant_tokens: ["GrantTokenType"],
|
|
428
|
-
# name: "GrantNameType",
|
|
429
|
-
# }
|
|
430
|
-
#
|
|
431
547
|
# @!attribute [rw] key_id
|
|
432
548
|
# Identifies the KMS key for the grant. The grant gives principals
|
|
433
549
|
# permission to use this KMS key.
|
|
@@ -620,41 +736,17 @@ module Aws::KMS
|
|
|
620
736
|
include Aws::Structure
|
|
621
737
|
end
|
|
622
738
|
|
|
623
|
-
# @note When making an API call, you may pass CreateKeyRequest
|
|
624
|
-
# data as a hash:
|
|
625
|
-
#
|
|
626
|
-
# {
|
|
627
|
-
# policy: "PolicyType",
|
|
628
|
-
# description: "DescriptionType",
|
|
629
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
630
|
-
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
631
|
-
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
632
|
-
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
|
633
|
-
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
634
|
-
# bypass_policy_lockout_safety_check: false,
|
|
635
|
-
# tags: [
|
|
636
|
-
# {
|
|
637
|
-
# tag_key: "TagKeyType", # required
|
|
638
|
-
# tag_value: "TagValueType", # required
|
|
639
|
-
# },
|
|
640
|
-
# ],
|
|
641
|
-
# multi_region: false,
|
|
642
|
-
# }
|
|
643
|
-
#
|
|
644
739
|
# @!attribute [rw] policy
|
|
645
|
-
# The key policy to attach to the KMS key.
|
|
646
|
-
# policy, KMS attaches a default key policy to the KMS key. For more
|
|
647
|
-
# information, see [Default key policy][1] in the *Key Management
|
|
648
|
-
# Service Developer Guide*.
|
|
740
|
+
# The key policy to attach to the KMS key.
|
|
649
741
|
#
|
|
650
742
|
# If you provide a key policy, it must meet the following criteria:
|
|
651
743
|
#
|
|
652
|
-
# * If you don't set `BypassPolicyLockoutSafetyCheck` to
|
|
744
|
+
# * If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
|
|
653
745
|
# key policy must allow the principal that is making the `CreateKey`
|
|
654
746
|
# request to make a subsequent PutKeyPolicy request on the KMS key.
|
|
655
747
|
# This reduces the risk that the KMS key becomes unmanageable. For
|
|
656
748
|
# more information, refer to the scenario in the [Default Key
|
|
657
|
-
# Policy][
|
|
749
|
+
# Policy][1] section of the <i> <i>Key Management Service Developer
|
|
658
750
|
# Guide</i> </i>.
|
|
659
751
|
#
|
|
660
752
|
# * Each statement in the key policy must contain one or more
|
|
@@ -664,33 +756,25 @@ module Aws::KMS
|
|
|
664
756
|
# enforce a delay before including the new principal in a key policy
|
|
665
757
|
# because the new principal might not be immediately visible to KMS.
|
|
666
758
|
# For more information, see [Changes that I make are not always
|
|
667
|
-
# immediately visible][
|
|
759
|
+
# immediately visible][2] in the *Amazon Web Services Identity and
|
|
668
760
|
# Access Management User Guide*.
|
|
669
761
|
#
|
|
670
|
-
#
|
|
762
|
+
# If you do not provide a key policy, KMS attaches a default key
|
|
763
|
+
# policy to the KMS key. For more information, see [Default Key
|
|
764
|
+
# Policy][3] in the *Key Management Service Developer Guide*.
|
|
671
765
|
#
|
|
672
|
-
#
|
|
673
|
-
# through the end of the ASCII character range.
|
|
766
|
+
# The key policy size quota is 32 kilobytes (32768 bytes).
|
|
674
767
|
#
|
|
675
|
-
#
|
|
676
|
-
#
|
|
768
|
+
# For help writing and formatting a JSON policy document, see the [IAM
|
|
769
|
+
# JSON Policy Reference][4] in the <i> <i>Identity and Access
|
|
770
|
+
# Management User Guide</i> </i>.
|
|
677
771
|
#
|
|
678
|
-
# * The tab (`\u0009`), line feed (`\u000A`), and carriage return
|
|
679
|
-
# (`\u000D`) special characters
|
|
680
772
|
#
|
|
681
|
-
# For information about key policies, see [Key policies in KMS][4] in
|
|
682
|
-
# the *Key Management Service Developer Guide*. For help writing and
|
|
683
|
-
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
684
|
-
# Reference][5] in the <i> <i>Identity and Access Management User
|
|
685
|
-
# Guide</i> </i>.
|
|
686
773
|
#
|
|
687
|
-
#
|
|
688
|
-
#
|
|
689
|
-
# [
|
|
690
|
-
# [
|
|
691
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
692
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
|
693
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
774
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
|
775
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
|
|
776
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
|
777
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
694
778
|
# @return [String]
|
|
695
779
|
#
|
|
696
780
|
# @!attribute [rw] description
|
|
@@ -737,8 +821,8 @@ module Aws::KMS
|
|
|
737
821
|
#
|
|
738
822
|
# The `KeySpec` and `CustomerMasterKeySpec` parameters work the same
|
|
739
823
|
# way. Only the names differ. We recommend that you use `KeySpec`
|
|
740
|
-
# parameter in your code. However, to avoid breaking changes, KMS
|
|
741
|
-
#
|
|
824
|
+
# parameter in your code. However, to avoid breaking changes, KMS
|
|
825
|
+
# supports both parameters.
|
|
742
826
|
# @return [String]
|
|
743
827
|
#
|
|
744
828
|
# @!attribute [rw] key_spec
|
|
@@ -751,14 +835,13 @@ module Aws::KMS
|
|
|
751
835
|
# Guide</i> </i>.
|
|
752
836
|
#
|
|
753
837
|
# The `KeySpec` determines whether the KMS key contains a symmetric
|
|
754
|
-
# key or an asymmetric key pair. It also determines the
|
|
755
|
-
#
|
|
756
|
-
#
|
|
757
|
-
#
|
|
758
|
-
#
|
|
759
|
-
# [kms:
|
|
760
|
-
#
|
|
761
|
-
# Guide</i> </i>.
|
|
838
|
+
# key or an asymmetric key pair. It also determines the algorithms
|
|
839
|
+
# that the KMS key supports. You can't change the `KeySpec` after the
|
|
840
|
+
# KMS key is created. To further restrict the algorithms that can be
|
|
841
|
+
# used with the KMS key, use a condition key in its key policy or IAM
|
|
842
|
+
# policy. For more information, see [kms:EncryptionAlgorithm][2],
|
|
843
|
+
# [kms:MacAlgorithm][3] or [kms:Signing Algorithm][4] in the <i>
|
|
844
|
+
# <i>Key Management Service Developer Guide</i> </i>.
|
|
762
845
|
#
|
|
763
846
|
# [Amazon Web Services services that are integrated with KMS][5] use
|
|
764
847
|
# symmetric encryption KMS keys to protect your data. These services
|
|
@@ -825,45 +908,48 @@ module Aws::KMS
|
|
|
825
908
|
# the origin after you create the KMS key. The default is `AWS_KMS`,
|
|
826
909
|
# which means that KMS creates the key material.
|
|
827
910
|
#
|
|
828
|
-
# To create a KMS key with no key material (for imported key
|
|
829
|
-
# material), set
|
|
830
|
-
# importing key material into KMS, see [Importing Key Material][
|
|
831
|
-
# the *Key Management Service Developer Guide*.
|
|
832
|
-
# only for symmetric
|
|
911
|
+
# To [create a KMS key with no key material][1] (for imported key
|
|
912
|
+
# material), set this value to `EXTERNAL`. For more information about
|
|
913
|
+
# importing key material into KMS, see [Importing Key Material][2] in
|
|
914
|
+
# the *Key Management Service Developer Guide*. The `EXTERNAL` origin
|
|
915
|
+
# value is valid only for symmetric KMS keys.
|
|
833
916
|
#
|
|
834
|
-
# To create a KMS key in an
|
|
835
|
-
#
|
|
917
|
+
# To [create a KMS key in an CloudHSM key store][3] and create its key
|
|
918
|
+
# material in the associated CloudHSM cluster, set this value to
|
|
836
919
|
# `AWS_CLOUDHSM`. You must also use the `CustomKeyStoreId` parameter
|
|
837
|
-
# to identify the
|
|
838
|
-
#
|
|
920
|
+
# to identify the CloudHSM key store. The `KeySpec` value must be
|
|
921
|
+
# `SYMMETRIC_DEFAULT`.
|
|
922
|
+
#
|
|
923
|
+
# To [create a KMS key in an external key store][4], set this value to
|
|
924
|
+
# `EXTERNAL_KEY_STORE`. You must also use the `CustomKeyStoreId`
|
|
925
|
+
# parameter to identify the external key store and the `XksKeyId`
|
|
926
|
+
# parameter to identify the associated external key. The `KeySpec`
|
|
927
|
+
# value must be `SYMMETRIC_DEFAULT`.
|
|
839
928
|
#
|
|
840
929
|
#
|
|
841
930
|
#
|
|
842
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
843
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
931
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
|
|
932
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
933
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
|
|
934
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
|
|
844
935
|
# @return [String]
|
|
845
936
|
#
|
|
846
937
|
# @!attribute [rw] custom_key_store_id
|
|
847
|
-
# Creates the KMS key in the specified [custom key store][1]
|
|
848
|
-
#
|
|
849
|
-
#
|
|
850
|
-
#
|
|
851
|
-
# associated with the custom key store must have at least two active
|
|
852
|
-
# HSMs, each in a different Availability Zone in the Region.
|
|
938
|
+
# Creates the KMS key in the specified [custom key store][1]. The
|
|
939
|
+
# `ConnectionState` of the custom key store must be `CONNECTED`. To
|
|
940
|
+
# find the CustomKeyStoreID and ConnectionState use the
|
|
941
|
+
# DescribeCustomKeyStores operation.
|
|
853
942
|
#
|
|
854
943
|
# This parameter is valid only for symmetric encryption KMS keys in a
|
|
855
944
|
# single Region. You cannot create any other type of KMS key in a
|
|
856
945
|
# custom key store.
|
|
857
946
|
#
|
|
858
|
-
#
|
|
859
|
-
#
|
|
860
|
-
#
|
|
861
|
-
#
|
|
862
|
-
#
|
|
863
|
-
#
|
|
864
|
-
# This operation is part of the [custom key store feature][1] feature
|
|
865
|
-
# in KMS, which combines the convenience and extensive integration of
|
|
866
|
-
# KMS with the isolation and control of a single-tenant key store.
|
|
947
|
+
# When you create a KMS key in an CloudHSM key store, KMS generates a
|
|
948
|
+
# non-exportable 256-bit symmetric key in its associated CloudHSM
|
|
949
|
+
# cluster and associates it with the KMS key. When you create a KMS
|
|
950
|
+
# key in an external key store, you must use the `XksKeyId` parameter
|
|
951
|
+
# to specify an external key that serves as key material for the KMS
|
|
952
|
+
# key.
|
|
867
953
|
#
|
|
868
954
|
#
|
|
869
955
|
#
|
|
@@ -899,7 +985,7 @@ module Aws::KMS
|
|
|
899
985
|
# TagResource operation.
|
|
900
986
|
#
|
|
901
987
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
902
|
-
# KMS key. For details, see [ABAC
|
|
988
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
|
903
989
|
# Service Developer Guide*.
|
|
904
990
|
#
|
|
905
991
|
# </note>
|
|
@@ -947,16 +1033,52 @@ module Aws::KMS
|
|
|
947
1033
|
# This value creates a *primary key*, not a replica. To create a
|
|
948
1034
|
# *replica key*, use the ReplicateKey operation.
|
|
949
1035
|
#
|
|
950
|
-
# You can create a multi-Region
|
|
951
|
-
#
|
|
952
|
-
#
|
|
953
|
-
# in a custom key store.
|
|
1036
|
+
# You can create a symmetric or asymmetric multi-Region key, and you
|
|
1037
|
+
# can create a multi-Region key with imported key material. However,
|
|
1038
|
+
# you cannot create a multi-Region key in a custom key store.
|
|
954
1039
|
#
|
|
955
1040
|
#
|
|
956
1041
|
#
|
|
957
1042
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
|
958
1043
|
# @return [Boolean]
|
|
959
1044
|
#
|
|
1045
|
+
# @!attribute [rw] xks_key_id
|
|
1046
|
+
# Identifies the [external key][1] that serves as key material for the
|
|
1047
|
+
# KMS key in an [external key store][2]. Specify the ID that the
|
|
1048
|
+
# [external key store proxy][3] uses to refer to the external key. For
|
|
1049
|
+
# help, see the documentation for your external key store proxy.
|
|
1050
|
+
#
|
|
1051
|
+
# This parameter is required for a KMS key with an `Origin` value of
|
|
1052
|
+
# `EXTERNAL_KEY_STORE`. It is not valid for KMS keys with any other
|
|
1053
|
+
# `Origin` value.
|
|
1054
|
+
#
|
|
1055
|
+
# The external key must be an existing 256-bit AES symmetric
|
|
1056
|
+
# encryption key hosted outside of Amazon Web Services in an external
|
|
1057
|
+
# key manager associated with the external key store specified by the
|
|
1058
|
+
# `CustomKeyStoreId` parameter. This key must be enabled and
|
|
1059
|
+
# configured to perform encryption and decryption. Each KMS key in an
|
|
1060
|
+
# external key store must use a different external key. For details,
|
|
1061
|
+
# see [Requirements for a KMS key in an external key store][4] in the
|
|
1062
|
+
# *Key Management Service Developer Guide*.
|
|
1063
|
+
#
|
|
1064
|
+
# Each KMS key in an external key store is associated two backing
|
|
1065
|
+
# keys. One is key material that KMS generates. The other is the
|
|
1066
|
+
# external key specified by this parameter. When you use the KMS key
|
|
1067
|
+
# in an external key store to encrypt data, the encryption operation
|
|
1068
|
+
# is performed first by KMS using the KMS key material, and then by
|
|
1069
|
+
# the external key manager using the specified external key, a process
|
|
1070
|
+
# known as *double encryption*. For details, see [Double
|
|
1071
|
+
# encryption][5] in the *Key Management Service Developer Guide*.
|
|
1072
|
+
#
|
|
1073
|
+
#
|
|
1074
|
+
#
|
|
1075
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
|
1076
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
|
1077
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy
|
|
1078
|
+
# [4]: https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements
|
|
1079
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryption
|
|
1080
|
+
# @return [String]
|
|
1081
|
+
#
|
|
960
1082
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKeyRequest AWS API Documentation
|
|
961
1083
|
#
|
|
962
1084
|
class CreateKeyRequest < Struct.new(
|
|
@@ -969,7 +1091,8 @@ module Aws::KMS
|
|
|
969
1091
|
:custom_key_store_id,
|
|
970
1092
|
:bypass_policy_lockout_safety_check,
|
|
971
1093
|
:tags,
|
|
972
|
-
:multi_region
|
|
1094
|
+
:multi_region,
|
|
1095
|
+
:xks_key_id)
|
|
973
1096
|
SENSITIVE = []
|
|
974
1097
|
include Aws::Structure
|
|
975
1098
|
end
|
|
@@ -1008,18 +1131,29 @@ module Aws::KMS
|
|
|
1008
1131
|
#
|
|
1009
1132
|
# This exception is thrown under the following conditions:
|
|
1010
1133
|
#
|
|
1011
|
-
# * You requested the
|
|
1012
|
-
#
|
|
1013
|
-
#
|
|
1134
|
+
# * You requested the ConnectCustomKeyStore operation on a custom key
|
|
1135
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `FAILED`. This
|
|
1136
|
+
# operation is valid for all other `ConnectionState` values. To
|
|
1137
|
+
# reconnect a custom key store in a `FAILED` state, disconnect it
|
|
1138
|
+
# (DisconnectCustomKeyStore), then connect it
|
|
1139
|
+
# (`ConnectCustomKeyStore`).
|
|
1140
|
+
#
|
|
1141
|
+
# * You requested the CreateKey operation in a custom key store that is
|
|
1142
|
+
# not connected. This operations is valid only when the custom key
|
|
1143
|
+
# store `ConnectionState` is `CONNECTED`.
|
|
1144
|
+
#
|
|
1145
|
+
# * You requested the DisconnectCustomKeyStore operation on a custom key
|
|
1146
|
+
# store with a `ConnectionState` of `DISCONNECTING` or `DISCONNECTED`.
|
|
1147
|
+
# This operation is valid for all other `ConnectionState` values.
|
|
1014
1148
|
#
|
|
1015
1149
|
# * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
|
|
1016
1150
|
# operation on a custom key store that is not disconnected. This
|
|
1017
1151
|
# operation is valid only when the custom key store `ConnectionState`
|
|
1018
1152
|
# is `DISCONNECTED`.
|
|
1019
1153
|
#
|
|
1020
|
-
# * You requested the
|
|
1021
|
-
#
|
|
1022
|
-
#
|
|
1154
|
+
# * You requested the GenerateRandom operation in an CloudHSM key store
|
|
1155
|
+
# that is not connected. This operation is valid only when the
|
|
1156
|
+
# CloudHSM key store `ConnectionState` is `CONNECTED`.
|
|
1023
1157
|
#
|
|
1024
1158
|
# @!attribute [rw] message
|
|
1025
1159
|
# @return [String]
|
|
@@ -1074,13 +1208,17 @@ module Aws::KMS
|
|
|
1074
1208
|
#
|
|
1075
1209
|
# @!attribute [rw] cloud_hsm_cluster_id
|
|
1076
1210
|
# A unique identifier for the CloudHSM cluster that is associated with
|
|
1077
|
-
#
|
|
1211
|
+
# an CloudHSM key store. This field appears only when the
|
|
1212
|
+
# `CustomKeyStoreType` is `AWS_CLOUDHSM`.
|
|
1078
1213
|
# @return [String]
|
|
1079
1214
|
#
|
|
1080
1215
|
# @!attribute [rw] trust_anchor_certificate
|
|
1081
|
-
# The trust anchor certificate of the
|
|
1082
|
-
# When you [initialize the cluster][1], you
|
|
1083
|
-
# and save it in the `customerCA.crt` file.
|
|
1216
|
+
# The trust anchor certificate of the CloudHSM cluster associated with
|
|
1217
|
+
# an CloudHSM key store. When you [initialize the cluster][1], you
|
|
1218
|
+
# create this certificate and save it in the `customerCA.crt` file.
|
|
1219
|
+
#
|
|
1220
|
+
# This field appears only when the `CustomKeyStoreType` is
|
|
1221
|
+
# `AWS_CLOUDHSM`.
|
|
1084
1222
|
#
|
|
1085
1223
|
#
|
|
1086
1224
|
#
|
|
@@ -1088,22 +1226,30 @@ module Aws::KMS
|
|
|
1088
1226
|
# @return [String]
|
|
1089
1227
|
#
|
|
1090
1228
|
# @!attribute [rw] connection_state
|
|
1091
|
-
# Indicates whether the custom key store is connected to its
|
|
1092
|
-
#
|
|
1229
|
+
# Indicates whether the custom key store is connected to its backing
|
|
1230
|
+
# key store. For an CloudHSM key store, the `ConnectionState`
|
|
1231
|
+
# indicates whether it is connected to its CloudHSM cluster. For an
|
|
1232
|
+
# external key store, the `ConnectionState` indicates whether it is
|
|
1233
|
+
# connected to the external key store proxy that communicates with
|
|
1234
|
+
# your external key manager.
|
|
1093
1235
|
#
|
|
1094
1236
|
# You can create and use KMS keys in your custom key stores only when
|
|
1095
|
-
# its
|
|
1096
|
-
#
|
|
1097
|
-
# The value is `DISCONNECTED` if the key store
|
|
1098
|
-
# connected or you use the DisconnectCustomKeyStore
|
|
1099
|
-
# disconnect it. If the value is `CONNECTED` but you are
|
|
1100
|
-
# trouble using the custom key store, make sure that
|
|
1101
|
-
#
|
|
1237
|
+
# its `ConnectionState` is `CONNECTED`.
|
|
1238
|
+
#
|
|
1239
|
+
# The `ConnectionState` value is `DISCONNECTED` only if the key store
|
|
1240
|
+
# has never been connected or you use the DisconnectCustomKeyStore
|
|
1241
|
+
# operation to disconnect it. If the value is `CONNECTED` but you are
|
|
1242
|
+
# having trouble using the custom key store, make sure that the
|
|
1243
|
+
# backing key store is reachable and active. For an CloudHSM key
|
|
1244
|
+
# store, verify that its associated CloudHSM cluster is active and
|
|
1245
|
+
# contains at least one active HSM. For an external key store, verify
|
|
1246
|
+
# that the external key store proxy and external key manager are
|
|
1247
|
+
# connected and enabled.
|
|
1102
1248
|
#
|
|
1103
1249
|
# A value of `FAILED` indicates that an attempt to connect was
|
|
1104
1250
|
# unsuccessful. The `ConnectionErrorCode` field in the response
|
|
1105
1251
|
# indicates the cause of the failure. For help resolving a connection
|
|
1106
|
-
# failure, see [Troubleshooting a
|
|
1252
|
+
# failure, see [Troubleshooting a custom key store][1] in the *Key
|
|
1107
1253
|
# Management Service Developer Guide*.
|
|
1108
1254
|
#
|
|
1109
1255
|
#
|
|
@@ -1113,35 +1259,52 @@ module Aws::KMS
|
|
|
1113
1259
|
#
|
|
1114
1260
|
# @!attribute [rw] connection_error_code
|
|
1115
1261
|
# Describes the connection error. This field appears in the response
|
|
1116
|
-
# only when the `ConnectionState` is `FAILED`.
|
|
1117
|
-
#
|
|
1118
|
-
#
|
|
1262
|
+
# only when the `ConnectionState` is `FAILED`.
|
|
1263
|
+
#
|
|
1264
|
+
# Many failures can be resolved by updating the properties of the
|
|
1265
|
+
# custom key store. To update a custom key store, disconnect it
|
|
1266
|
+
# (DisconnectCustomKeyStore), correct the errors
|
|
1267
|
+
# (UpdateCustomKeyStore), and try to connect again
|
|
1268
|
+
# (ConnectCustomKeyStore). For additional help resolving these errors,
|
|
1269
|
+
# see [How to Fix a Connection Failure][1] in *Key Management Service
|
|
1270
|
+
# Developer Guide*.
|
|
1271
|
+
#
|
|
1272
|
+
# **All custom key stores:**
|
|
1273
|
+
#
|
|
1274
|
+
# * `INTERNAL_ERROR` — KMS could not complete the request due to an
|
|
1275
|
+
# internal error. Retry the request. For `ConnectCustomKeyStore`
|
|
1276
|
+
# requests, disconnect the custom key store before trying to connect
|
|
1277
|
+
# again.
|
|
1278
|
+
#
|
|
1279
|
+
# * `NETWORK_ERRORS` — Network errors are preventing KMS from
|
|
1280
|
+
# connecting the custom key store to its backing key store.
|
|
1119
1281
|
#
|
|
1120
|
-
#
|
|
1282
|
+
# **CloudHSM key stores:**
|
|
1121
1283
|
#
|
|
1122
|
-
# * `CLUSTER_NOT_FOUND`
|
|
1284
|
+
# * `CLUSTER_NOT_FOUND` — KMS cannot find the CloudHSM cluster with
|
|
1123
1285
|
# the specified cluster ID.
|
|
1124
1286
|
#
|
|
1125
|
-
# * `INSUFFICIENT_CLOUDHSM_HSMS`
|
|
1287
|
+
# * `INSUFFICIENT_CLOUDHSM_HSMS` — The associated CloudHSM cluster
|
|
1126
1288
|
# does not contain any active HSMs. To connect a custom key store to
|
|
1127
1289
|
# its CloudHSM cluster, the cluster must contain at least one active
|
|
1128
1290
|
# HSM.
|
|
1129
1291
|
#
|
|
1130
|
-
# * `
|
|
1131
|
-
#
|
|
1132
|
-
#
|
|
1133
|
-
#
|
|
1134
|
-
#
|
|
1135
|
-
#
|
|
1136
|
-
#
|
|
1137
|
-
# connect your custom key store to its CloudHSM cluster, you must
|
|
1138
|
-
# change the `kmsuser` account password and update the key store
|
|
1139
|
-
# password value for the custom key store.
|
|
1292
|
+
# * `INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET` — At least one private
|
|
1293
|
+
# subnet associated with the CloudHSM cluster doesn't have any
|
|
1294
|
+
# available IP addresses. A CloudHSM key store connection requires
|
|
1295
|
+
# one free IP address in each of the associated private subnets,
|
|
1296
|
+
# although two are preferable. For details, see [How to Fix a
|
|
1297
|
+
# Connection Failure][1] in the *Key Management Service Developer
|
|
1298
|
+
# Guide*.
|
|
1140
1299
|
#
|
|
1141
|
-
# * `
|
|
1142
|
-
#
|
|
1300
|
+
# * `INVALID_CREDENTIALS` — The `KeyStorePassword` for the custom key
|
|
1301
|
+
# store doesn't match the current password of the `kmsuser` crypto
|
|
1302
|
+
# user in the CloudHSM cluster. Before you can connect your custom
|
|
1303
|
+
# key store to its CloudHSM cluster, you must change the `kmsuser`
|
|
1304
|
+
# account password and update the `KeyStorePassword` value for the
|
|
1305
|
+
# custom key store.
|
|
1143
1306
|
#
|
|
1144
|
-
# * `SUBNET_NOT_FOUND`
|
|
1307
|
+
# * `SUBNET_NOT_FOUND` — A subnet in the CloudHSM cluster
|
|
1145
1308
|
# configuration was deleted. If KMS cannot find all of the subnets
|
|
1146
1309
|
# in the cluster configuration, attempts to connect the custom key
|
|
1147
1310
|
# store to the CloudHSM cluster fail. To fix this error, create a
|
|
@@ -1151,13 +1314,13 @@ module Aws::KMS
|
|
|
1151
1314
|
# Connection Failure][1] in the *Key Management Service Developer
|
|
1152
1315
|
# Guide*.
|
|
1153
1316
|
#
|
|
1154
|
-
# * `USER_LOCKED_OUT`
|
|
1317
|
+
# * `USER_LOCKED_OUT` — The `kmsuser` CU account is locked out of the
|
|
1155
1318
|
# associated CloudHSM cluster due to too many failed password
|
|
1156
1319
|
# attempts. Before you can connect your custom key store to its
|
|
1157
1320
|
# CloudHSM cluster, you must change the `kmsuser` account password
|
|
1158
1321
|
# and update the key store password value for the custom key store.
|
|
1159
1322
|
#
|
|
1160
|
-
# * `USER_LOGGED_IN`
|
|
1323
|
+
# * `USER_LOGGED_IN` — The `kmsuser` CU account is logged into the
|
|
1161
1324
|
# associated CloudHSM cluster. This prevents KMS from rotating the
|
|
1162
1325
|
# `kmsuser` account password and logging into the cluster. Before
|
|
1163
1326
|
# you can connect your custom key store to its CloudHSM cluster, you
|
|
@@ -1167,22 +1330,119 @@ module Aws::KMS
|
|
|
1167
1330
|
# help, see [How to Log Out and Reconnect][2] in the *Key Management
|
|
1168
1331
|
# Service Developer Guide*.
|
|
1169
1332
|
#
|
|
1170
|
-
# * `USER_NOT_FOUND`
|
|
1333
|
+
# * `USER_NOT_FOUND` — KMS cannot find a `kmsuser` CU account in the
|
|
1171
1334
|
# associated CloudHSM cluster. Before you can connect your custom
|
|
1172
1335
|
# key store to its CloudHSM cluster, you must create a `kmsuser` CU
|
|
1173
1336
|
# account in the cluster, and then update the key store password
|
|
1174
1337
|
# value for the custom key store.
|
|
1175
1338
|
#
|
|
1339
|
+
# **External key stores:**
|
|
1340
|
+
#
|
|
1341
|
+
# * `INVALID_CREDENTIALS` — One or both of the
|
|
1342
|
+
# `XksProxyAuthenticationCredential` values is not valid on the
|
|
1343
|
+
# specified external key store proxy.
|
|
1344
|
+
#
|
|
1345
|
+
# * `XKS_PROXY_ACCESS_DENIED` — KMS requests are denied access to the
|
|
1346
|
+
# external key store proxy. If the external key store proxy has
|
|
1347
|
+
# authorization rules, verify that they permit KMS to communicate
|
|
1348
|
+
# with the proxy on your behalf.
|
|
1349
|
+
#
|
|
1350
|
+
# * `XKS_PROXY_INVALID_CONFIGURATION` — A configuration error is
|
|
1351
|
+
# preventing the external key store from connecting to its proxy.
|
|
1352
|
+
# Verify the value of the `XksProxyUriPath`.
|
|
1353
|
+
#
|
|
1354
|
+
# * `XKS_PROXY_INVALID_RESPONSE` — KMS cannot interpret the response
|
|
1355
|
+
# from the external key store proxy. If you see this connection
|
|
1356
|
+
# error code repeatedly, notify your external key store proxy
|
|
1357
|
+
# vendor.
|
|
1358
|
+
#
|
|
1359
|
+
# * `XKS_PROXY_INVALID_TLS_CONFIGURATION` — KMS cannot connect to the
|
|
1360
|
+
# external key store proxy because the TLS configuration is invalid.
|
|
1361
|
+
# Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify
|
|
1362
|
+
# that the TLS certificate is not expired, and that it matches the
|
|
1363
|
+
# hostname in the `XksProxyUriEndpoint` value, and that it is signed
|
|
1364
|
+
# by a certificate authority included in the [Trusted Certificate
|
|
1365
|
+
# Authorities][3] list.
|
|
1366
|
+
#
|
|
1367
|
+
# * `XKS_PROXY_NOT_REACHABLE` — KMS can't communicate with your
|
|
1368
|
+
# external key store proxy. Verify that the `XksProxyUriEndpoint`
|
|
1369
|
+
# and `XksProxyUriPath` are correct. Use the tools for your external
|
|
1370
|
+
# key store proxy to verify that the proxy is active and available
|
|
1371
|
+
# on its network. Also, verify that your external key manager
|
|
1372
|
+
# instances are operating properly. Connection attempts fail with
|
|
1373
|
+
# this connection error code if the proxy reports that all external
|
|
1374
|
+
# key manager instances are unavailable.
|
|
1375
|
+
#
|
|
1376
|
+
# * `XKS_PROXY_TIMED_OUT` — KMS can connect to the external key store
|
|
1377
|
+
# proxy, but the proxy does not respond to KMS in the time allotted.
|
|
1378
|
+
# If you see this connection error code repeatedly, notify your
|
|
1379
|
+
# external key store proxy vendor.
|
|
1380
|
+
#
|
|
1381
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION` — The Amazon VPC
|
|
1382
|
+
# endpoint service configuration doesn't conform to the
|
|
1383
|
+
# requirements for an KMS external key store.
|
|
1384
|
+
#
|
|
1385
|
+
# * The VPC endpoint service must be an endpoint service for
|
|
1386
|
+
# interface endpoints in the caller's Amazon Web Services
|
|
1387
|
+
# account.
|
|
1388
|
+
#
|
|
1389
|
+
# * It must have a network load balancer (NLB) connected to at least
|
|
1390
|
+
# two subnets, each in a different Availability Zone.
|
|
1391
|
+
#
|
|
1392
|
+
# * The `Allow principals` list must include the KMS service
|
|
1393
|
+
# principal for the Region, `cks.kms.<region>.amazonaws.com`, such
|
|
1394
|
+
# as `cks.kms.us-east-1.amazonaws.com`.
|
|
1395
|
+
#
|
|
1396
|
+
# * It must *not* require [acceptance][4] of connection requests.
|
|
1397
|
+
#
|
|
1398
|
+
# * It must have a private DNS name. The private DNS name for an
|
|
1399
|
+
# external key store with `VPC_ENDPOINT_SERVICE` connectivity must
|
|
1400
|
+
# be unique in its Amazon Web Services Region.
|
|
1401
|
+
#
|
|
1402
|
+
# * The domain of the private DNS name must have a [verification
|
|
1403
|
+
# status][5] of `verified`.
|
|
1404
|
+
#
|
|
1405
|
+
# * The [TLS certificate][6] specifies the private DNS hostname at
|
|
1406
|
+
# which the endpoint is reachable.
|
|
1407
|
+
#
|
|
1408
|
+
# * `XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND` — KMS can't find the VPC
|
|
1409
|
+
# endpoint service that it uses to communicate with the external key
|
|
1410
|
+
# store proxy. Verify that the `XksProxyVpcEndpointServiceName` is
|
|
1411
|
+
# correct and the KMS service principal has service consumer
|
|
1412
|
+
# permissions on the Amazon VPC endpoint service.
|
|
1413
|
+
#
|
|
1176
1414
|
#
|
|
1177
1415
|
#
|
|
1178
1416
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed
|
|
1179
1417
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2
|
|
1418
|
+
# [3]: https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities
|
|
1419
|
+
# [4]: https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
|
|
1420
|
+
# [5]: https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html
|
|
1421
|
+
# [6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
|
|
1180
1422
|
# @return [String]
|
|
1181
1423
|
#
|
|
1182
1424
|
# @!attribute [rw] creation_date
|
|
1183
1425
|
# The date and time when the custom key store was created.
|
|
1184
1426
|
# @return [Time]
|
|
1185
1427
|
#
|
|
1428
|
+
# @!attribute [rw] custom_key_store_type
|
|
1429
|
+
# Indicates the type of the custom key store. `AWS_CLOUDHSM` indicates
|
|
1430
|
+
# a custom key store backed by an CloudHSM cluster.
|
|
1431
|
+
# `EXTERNAL_KEY_STORE` indicates a custom key store backed by an
|
|
1432
|
+
# external key store proxy and external key manager outside of Amazon
|
|
1433
|
+
# Web Services.
|
|
1434
|
+
# @return [String]
|
|
1435
|
+
#
|
|
1436
|
+
# @!attribute [rw] xks_proxy_configuration
|
|
1437
|
+
# Configuration settings for the external key store proxy (XKS proxy).
|
|
1438
|
+
# The external key store proxy translates KMS requests into a format
|
|
1439
|
+
# that your external key manager can understand. The proxy
|
|
1440
|
+
# configuration includes connection information that KMS requires.
|
|
1441
|
+
#
|
|
1442
|
+
# This field appears only when the `CustomKeyStoreType` is
|
|
1443
|
+
# `EXTERNAL_KEY_STORE`.
|
|
1444
|
+
# @return [Types::XksProxyConfigurationType]
|
|
1445
|
+
#
|
|
1186
1446
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CustomKeyStoresListEntry AWS API Documentation
|
|
1187
1447
|
#
|
|
1188
1448
|
class CustomKeyStoresListEntry < Struct.new(
|
|
@@ -1192,24 +1452,13 @@ module Aws::KMS
|
|
|
1192
1452
|
:trust_anchor_certificate,
|
|
1193
1453
|
:connection_state,
|
|
1194
1454
|
:connection_error_code,
|
|
1195
|
-
:creation_date
|
|
1455
|
+
:creation_date,
|
|
1456
|
+
:custom_key_store_type,
|
|
1457
|
+
:xks_proxy_configuration)
|
|
1196
1458
|
SENSITIVE = []
|
|
1197
1459
|
include Aws::Structure
|
|
1198
1460
|
end
|
|
1199
1461
|
|
|
1200
|
-
# @note When making an API call, you may pass DecryptRequest
|
|
1201
|
-
# data as a hash:
|
|
1202
|
-
#
|
|
1203
|
-
# {
|
|
1204
|
-
# ciphertext_blob: "data", # required
|
|
1205
|
-
# encryption_context: {
|
|
1206
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1207
|
-
# },
|
|
1208
|
-
# grant_tokens: ["GrantTokenType"],
|
|
1209
|
-
# key_id: "KeyIdType",
|
|
1210
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1211
|
-
# }
|
|
1212
|
-
#
|
|
1213
1462
|
# @!attribute [rw] ciphertext_blob
|
|
1214
1463
|
# Ciphertext to be decrypted. The blob includes metadata.
|
|
1215
1464
|
# @return [String]
|
|
@@ -1340,13 +1589,6 @@ module Aws::KMS
|
|
|
1340
1589
|
include Aws::Structure
|
|
1341
1590
|
end
|
|
1342
1591
|
|
|
1343
|
-
# @note When making an API call, you may pass DeleteAliasRequest
|
|
1344
|
-
# data as a hash:
|
|
1345
|
-
#
|
|
1346
|
-
# {
|
|
1347
|
-
# alias_name: "AliasNameType", # required
|
|
1348
|
-
# }
|
|
1349
|
-
#
|
|
1350
1592
|
# @!attribute [rw] alias_name
|
|
1351
1593
|
# The alias to be deleted. The alias name must begin with `alias/`
|
|
1352
1594
|
# followed by the alias name, such as `alias/ExampleAlias`.
|
|
@@ -1360,13 +1602,6 @@ module Aws::KMS
|
|
|
1360
1602
|
include Aws::Structure
|
|
1361
1603
|
end
|
|
1362
1604
|
|
|
1363
|
-
# @note When making an API call, you may pass DeleteCustomKeyStoreRequest
|
|
1364
|
-
# data as a hash:
|
|
1365
|
-
#
|
|
1366
|
-
# {
|
|
1367
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
|
1368
|
-
# }
|
|
1369
|
-
#
|
|
1370
1605
|
# @!attribute [rw] custom_key_store_id
|
|
1371
1606
|
# Enter the ID of the custom key store you want to delete. To find the
|
|
1372
1607
|
# ID of a custom key store, use the DescribeCustomKeyStores operation.
|
|
@@ -1384,13 +1619,6 @@ module Aws::KMS
|
|
|
1384
1619
|
#
|
|
1385
1620
|
class DeleteCustomKeyStoreResponse < Aws::EmptyStructure; end
|
|
1386
1621
|
|
|
1387
|
-
# @note When making an API call, you may pass DeleteImportedKeyMaterialRequest
|
|
1388
|
-
# data as a hash:
|
|
1389
|
-
#
|
|
1390
|
-
# {
|
|
1391
|
-
# key_id: "KeyIdType", # required
|
|
1392
|
-
# }
|
|
1393
|
-
#
|
|
1394
1622
|
# @!attribute [rw] key_id
|
|
1395
1623
|
# Identifies the KMS key from which you are deleting imported key
|
|
1396
1624
|
# material. The `Origin` of the KMS key must be `EXTERNAL`.
|
|
@@ -1416,8 +1644,8 @@ module Aws::KMS
|
|
|
1416
1644
|
include Aws::Structure
|
|
1417
1645
|
end
|
|
1418
1646
|
|
|
1419
|
-
# The system timed out while trying to fulfill the request.
|
|
1420
|
-
#
|
|
1647
|
+
# The system timed out while trying to fulfill the request. You can
|
|
1648
|
+
# retry the request.
|
|
1421
1649
|
#
|
|
1422
1650
|
# @!attribute [rw] message
|
|
1423
1651
|
# @return [String]
|
|
@@ -1430,24 +1658,14 @@ module Aws::KMS
|
|
|
1430
1658
|
include Aws::Structure
|
|
1431
1659
|
end
|
|
1432
1660
|
|
|
1433
|
-
# @note When making an API call, you may pass DescribeCustomKeyStoresRequest
|
|
1434
|
-
# data as a hash:
|
|
1435
|
-
#
|
|
1436
|
-
# {
|
|
1437
|
-
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
1438
|
-
# custom_key_store_name: "CustomKeyStoreNameType",
|
|
1439
|
-
# limit: 1,
|
|
1440
|
-
# marker: "MarkerType",
|
|
1441
|
-
# }
|
|
1442
|
-
#
|
|
1443
1661
|
# @!attribute [rw] custom_key_store_id
|
|
1444
1662
|
# Gets only information about the specified custom key store. Enter
|
|
1445
1663
|
# the key store ID.
|
|
1446
1664
|
#
|
|
1447
1665
|
# By default, this operation gets information about all custom key
|
|
1448
1666
|
# stores in the account and Region. To limit the output to a
|
|
1449
|
-
# particular custom key store,
|
|
1450
|
-
#
|
|
1667
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
|
1668
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
|
1451
1669
|
# @return [String]
|
|
1452
1670
|
#
|
|
1453
1671
|
# @!attribute [rw] custom_key_store_name
|
|
@@ -1456,8 +1674,8 @@ module Aws::KMS
|
|
|
1456
1674
|
#
|
|
1457
1675
|
# By default, this operation gets information about all custom key
|
|
1458
1676
|
# stores in the account and Region. To limit the output to a
|
|
1459
|
-
# particular custom key store,
|
|
1460
|
-
#
|
|
1677
|
+
# particular custom key store, provide either the `CustomKeyStoreId`
|
|
1678
|
+
# or `CustomKeyStoreName` parameter, but not both.
|
|
1461
1679
|
# @return [String]
|
|
1462
1680
|
#
|
|
1463
1681
|
# @!attribute [rw] limit
|
|
@@ -1509,14 +1727,6 @@ module Aws::KMS
|
|
|
1509
1727
|
include Aws::Structure
|
|
1510
1728
|
end
|
|
1511
1729
|
|
|
1512
|
-
# @note When making an API call, you may pass DescribeKeyRequest
|
|
1513
|
-
# data as a hash:
|
|
1514
|
-
#
|
|
1515
|
-
# {
|
|
1516
|
-
# key_id: "KeyIdType", # required
|
|
1517
|
-
# grant_tokens: ["GrantTokenType"],
|
|
1518
|
-
# }
|
|
1519
|
-
#
|
|
1520
1730
|
# @!attribute [rw] key_id
|
|
1521
1731
|
# Describes the specified KMS key.
|
|
1522
1732
|
#
|
|
@@ -1584,13 +1794,6 @@ module Aws::KMS
|
|
|
1584
1794
|
include Aws::Structure
|
|
1585
1795
|
end
|
|
1586
1796
|
|
|
1587
|
-
# @note When making an API call, you may pass DisableKeyRequest
|
|
1588
|
-
# data as a hash:
|
|
1589
|
-
#
|
|
1590
|
-
# {
|
|
1591
|
-
# key_id: "KeyIdType", # required
|
|
1592
|
-
# }
|
|
1593
|
-
#
|
|
1594
1797
|
# @!attribute [rw] key_id
|
|
1595
1798
|
# Identifies the KMS key to disable.
|
|
1596
1799
|
#
|
|
@@ -1615,13 +1818,6 @@ module Aws::KMS
|
|
|
1615
1818
|
include Aws::Structure
|
|
1616
1819
|
end
|
|
1617
1820
|
|
|
1618
|
-
# @note When making an API call, you may pass DisableKeyRotationRequest
|
|
1619
|
-
# data as a hash:
|
|
1620
|
-
#
|
|
1621
|
-
# {
|
|
1622
|
-
# key_id: "KeyIdType", # required
|
|
1623
|
-
# }
|
|
1624
|
-
#
|
|
1625
1821
|
# @!attribute [rw] key_id
|
|
1626
1822
|
# Identifies a symmetric encryption KMS key. You cannot enable or
|
|
1627
1823
|
# disable automatic rotation of [asymmetric KMS keys][1], [HMAC KMS
|
|
@@ -1669,13 +1865,6 @@ module Aws::KMS
|
|
|
1669
1865
|
include Aws::Structure
|
|
1670
1866
|
end
|
|
1671
1867
|
|
|
1672
|
-
# @note When making an API call, you may pass DisconnectCustomKeyStoreRequest
|
|
1673
|
-
# data as a hash:
|
|
1674
|
-
#
|
|
1675
|
-
# {
|
|
1676
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
|
1677
|
-
# }
|
|
1678
|
-
#
|
|
1679
1868
|
# @!attribute [rw] custom_key_store_id
|
|
1680
1869
|
# Enter the ID of the custom key store you want to disconnect. To find
|
|
1681
1870
|
# the ID of a custom key store, use the DescribeCustomKeyStores
|
|
@@ -1694,13 +1883,6 @@ module Aws::KMS
|
|
|
1694
1883
|
#
|
|
1695
1884
|
class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
|
|
1696
1885
|
|
|
1697
|
-
# @note When making an API call, you may pass EnableKeyRequest
|
|
1698
|
-
# data as a hash:
|
|
1699
|
-
#
|
|
1700
|
-
# {
|
|
1701
|
-
# key_id: "KeyIdType", # required
|
|
1702
|
-
# }
|
|
1703
|
-
#
|
|
1704
1886
|
# @!attribute [rw] key_id
|
|
1705
1887
|
# Identifies the KMS key to enable.
|
|
1706
1888
|
#
|
|
@@ -1725,19 +1907,11 @@ module Aws::KMS
|
|
|
1725
1907
|
include Aws::Structure
|
|
1726
1908
|
end
|
|
1727
1909
|
|
|
1728
|
-
# @note When making an API call, you may pass EnableKeyRotationRequest
|
|
1729
|
-
# data as a hash:
|
|
1730
|
-
#
|
|
1731
|
-
# {
|
|
1732
|
-
# key_id: "KeyIdType", # required
|
|
1733
|
-
# }
|
|
1734
|
-
#
|
|
1735
1910
|
# @!attribute [rw] key_id
|
|
1736
|
-
# Identifies a symmetric encryption KMS key. You cannot enable
|
|
1737
|
-
#
|
|
1738
|
-
#
|
|
1739
|
-
#
|
|
1740
|
-
# always `false`. To enable or disable automatic rotation of a set of
|
|
1911
|
+
# Identifies a symmetric encryption KMS key. You cannot enable
|
|
1912
|
+
# automatic rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
|
1913
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom
|
|
1914
|
+
# key store][4]. To enable or disable automatic rotation of a set of
|
|
1741
1915
|
# related [multi-Region keys][5], set the property on the primary key.
|
|
1742
1916
|
#
|
|
1743
1917
|
# Specify the key ID or key ARN of the KMS key.
|
|
@@ -1769,19 +1943,6 @@ module Aws::KMS
|
|
|
1769
1943
|
include Aws::Structure
|
|
1770
1944
|
end
|
|
1771
1945
|
|
|
1772
|
-
# @note When making an API call, you may pass EncryptRequest
|
|
1773
|
-
# data as a hash:
|
|
1774
|
-
#
|
|
1775
|
-
# {
|
|
1776
|
-
# key_id: "KeyIdType", # required
|
|
1777
|
-
# plaintext: "data", # required
|
|
1778
|
-
# encryption_context: {
|
|
1779
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1780
|
-
# },
|
|
1781
|
-
# grant_tokens: ["GrantTokenType"],
|
|
1782
|
-
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
1783
|
-
# }
|
|
1784
|
-
#
|
|
1785
1946
|
# @!attribute [rw] key_id
|
|
1786
1947
|
# Identifies the KMS key to use in the encryption operation. The KMS
|
|
1787
1948
|
# key must have a `KeyUsage` of `ENCRYPT_DECRYPT`. To find the
|
|
@@ -1859,6 +2020,8 @@ module Aws::KMS
|
|
|
1859
2020
|
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric
|
|
1860
2021
|
# encryption KMS keys. If you are using an asymmetric KMS key, we
|
|
1861
2022
|
# recommend RSAES\_OAEP\_SHA\_256.
|
|
2023
|
+
#
|
|
2024
|
+
# The SM2PKE algorithm is only available in China Regions.
|
|
1862
2025
|
# @return [String]
|
|
1863
2026
|
#
|
|
1864
2027
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
|
@@ -1918,18 +2081,6 @@ module Aws::KMS
|
|
|
1918
2081
|
include Aws::Structure
|
|
1919
2082
|
end
|
|
1920
2083
|
|
|
1921
|
-
# @note When making an API call, you may pass GenerateDataKeyPairRequest
|
|
1922
|
-
# data as a hash:
|
|
1923
|
-
#
|
|
1924
|
-
# {
|
|
1925
|
-
# encryption_context: {
|
|
1926
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
1927
|
-
# },
|
|
1928
|
-
# key_id: "KeyIdType", # required
|
|
1929
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
1930
|
-
# grant_tokens: ["GrantTokenType"],
|
|
1931
|
-
# }
|
|
1932
|
-
#
|
|
1933
2084
|
# @!attribute [rw] encryption_context
|
|
1934
2085
|
# Specifies the encryption context that will be used when encrypting
|
|
1935
2086
|
# the private key in the data key pair.
|
|
@@ -1984,8 +2135,7 @@ module Aws::KMS
|
|
|
1984
2135
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
1985
2136
|
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
1986
2137
|
# verify, are not effective on data key pairs, which are used outside
|
|
1987
|
-
# of KMS. The SM2 key spec is only available in China Regions.
|
|
1988
|
-
# ECC asymmetric key pairs are also available in China Regions.
|
|
2138
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
|
1989
2139
|
# @return [String]
|
|
1990
2140
|
#
|
|
1991
2141
|
# @!attribute [rw] grant_tokens
|
|
@@ -2056,18 +2206,6 @@ module Aws::KMS
|
|
|
2056
2206
|
include Aws::Structure
|
|
2057
2207
|
end
|
|
2058
2208
|
|
|
2059
|
-
# @note When making an API call, you may pass GenerateDataKeyPairWithoutPlaintextRequest
|
|
2060
|
-
# data as a hash:
|
|
2061
|
-
#
|
|
2062
|
-
# {
|
|
2063
|
-
# encryption_context: {
|
|
2064
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2065
|
-
# },
|
|
2066
|
-
# key_id: "KeyIdType", # required
|
|
2067
|
-
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
2068
|
-
# grant_tokens: ["GrantTokenType"],
|
|
2069
|
-
# }
|
|
2070
|
-
#
|
|
2071
2209
|
# @!attribute [rw] encryption_context
|
|
2072
2210
|
# Specifies the encryption context that will be used when encrypting
|
|
2073
2211
|
# the private key in the data key pair.
|
|
@@ -2122,8 +2260,7 @@ module Aws::KMS
|
|
|
2122
2260
|
# keys to encrypt and decrypt or to sign and verify (but not both),
|
|
2123
2261
|
# and the rule that permits you to use ECC KMS keys only to sign and
|
|
2124
2262
|
# verify, are not effective on data key pairs, which are used outside
|
|
2125
|
-
# of KMS. The SM2 key spec is only available in China Regions.
|
|
2126
|
-
# ECC asymmetric key pairs are also available in China Regions.
|
|
2263
|
+
# of KMS. The SM2 key spec is only available in China Regions.
|
|
2127
2264
|
# @return [String]
|
|
2128
2265
|
#
|
|
2129
2266
|
# @!attribute [rw] grant_tokens
|
|
@@ -2187,19 +2324,6 @@ module Aws::KMS
|
|
|
2187
2324
|
include Aws::Structure
|
|
2188
2325
|
end
|
|
2189
2326
|
|
|
2190
|
-
# @note When making an API call, you may pass GenerateDataKeyRequest
|
|
2191
|
-
# data as a hash:
|
|
2192
|
-
#
|
|
2193
|
-
# {
|
|
2194
|
-
# key_id: "KeyIdType", # required
|
|
2195
|
-
# encryption_context: {
|
|
2196
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2197
|
-
# },
|
|
2198
|
-
# number_of_bytes: 1,
|
|
2199
|
-
# key_spec: "AES_256", # accepts AES_256, AES_128
|
|
2200
|
-
# grant_tokens: ["GrantTokenType"],
|
|
2201
|
-
# }
|
|
2202
|
-
#
|
|
2203
2327
|
# @!attribute [rw] key_id
|
|
2204
2328
|
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2205
2329
|
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
@@ -2324,19 +2448,6 @@ module Aws::KMS
|
|
|
2324
2448
|
include Aws::Structure
|
|
2325
2449
|
end
|
|
2326
2450
|
|
|
2327
|
-
# @note When making an API call, you may pass GenerateDataKeyWithoutPlaintextRequest
|
|
2328
|
-
# data as a hash:
|
|
2329
|
-
#
|
|
2330
|
-
# {
|
|
2331
|
-
# key_id: "KeyIdType", # required
|
|
2332
|
-
# encryption_context: {
|
|
2333
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2334
|
-
# },
|
|
2335
|
-
# key_spec: "AES_256", # accepts AES_256, AES_128
|
|
2336
|
-
# number_of_bytes: 1,
|
|
2337
|
-
# grant_tokens: ["GrantTokenType"],
|
|
2338
|
-
# }
|
|
2339
|
-
#
|
|
2340
2451
|
# @!attribute [rw] key_id
|
|
2341
2452
|
# Specifies the symmetric encryption KMS key that encrypts the data
|
|
2342
2453
|
# key. You cannot specify an asymmetric KMS key or a KMS key in a
|
|
@@ -2446,16 +2557,6 @@ module Aws::KMS
|
|
|
2446
2557
|
include Aws::Structure
|
|
2447
2558
|
end
|
|
2448
2559
|
|
|
2449
|
-
# @note When making an API call, you may pass GenerateMacRequest
|
|
2450
|
-
# data as a hash:
|
|
2451
|
-
#
|
|
2452
|
-
# {
|
|
2453
|
-
# message: "data", # required
|
|
2454
|
-
# key_id: "KeyIdType", # required
|
|
2455
|
-
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
2456
|
-
# grant_tokens: ["GrantTokenType"],
|
|
2457
|
-
# }
|
|
2458
|
-
#
|
|
2459
2560
|
# @!attribute [rw] message
|
|
2460
2561
|
# The message to be hashed. Specify a message of up to 4,096 bytes.
|
|
2461
2562
|
#
|
|
@@ -2511,8 +2612,14 @@ module Aws::KMS
|
|
|
2511
2612
|
end
|
|
2512
2613
|
|
|
2513
2614
|
# @!attribute [rw] mac
|
|
2514
|
-
# The hash-based message authentication code (HMAC)
|
|
2515
|
-
# message, key, and MAC algorithm.
|
|
2615
|
+
# The hash-based message authentication code (HMAC) that was generated
|
|
2616
|
+
# for the specified message, HMAC KMS key, and MAC algorithm.
|
|
2617
|
+
#
|
|
2618
|
+
# This is the standard, raw HMAC defined in [RFC 2104][1].
|
|
2619
|
+
#
|
|
2620
|
+
#
|
|
2621
|
+
#
|
|
2622
|
+
# [1]: https://datatracker.ietf.org/doc/html/rfc2104
|
|
2516
2623
|
# @return [String]
|
|
2517
2624
|
#
|
|
2518
2625
|
# @!attribute [rw] mac_algorithm
|
|
@@ -2533,26 +2640,18 @@ module Aws::KMS
|
|
|
2533
2640
|
include Aws::Structure
|
|
2534
2641
|
end
|
|
2535
2642
|
|
|
2536
|
-
# @note When making an API call, you may pass GenerateRandomRequest
|
|
2537
|
-
# data as a hash:
|
|
2538
|
-
#
|
|
2539
|
-
# {
|
|
2540
|
-
# number_of_bytes: 1,
|
|
2541
|
-
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
2542
|
-
# }
|
|
2543
|
-
#
|
|
2544
2643
|
# @!attribute [rw] number_of_bytes
|
|
2545
2644
|
# The length of the random byte string. This parameter is required.
|
|
2546
2645
|
# @return [Integer]
|
|
2547
2646
|
#
|
|
2548
2647
|
# @!attribute [rw] custom_key_store_id
|
|
2549
2648
|
# Generates the random byte string in the CloudHSM cluster that is
|
|
2550
|
-
# associated with the specified
|
|
2551
|
-
#
|
|
2649
|
+
# associated with the specified CloudHSM key store. To find the ID of
|
|
2650
|
+
# a custom key store, use the DescribeCustomKeyStores operation.
|
|
2552
2651
|
#
|
|
2553
|
-
#
|
|
2554
|
-
#
|
|
2555
|
-
#
|
|
2652
|
+
# External key store IDs are not valid for this parameter. If you
|
|
2653
|
+
# specify the ID of an external key store, `GenerateRandom` throws an
|
|
2654
|
+
# `UnsupportedOperationException`.
|
|
2556
2655
|
# @return [String]
|
|
2557
2656
|
#
|
|
2558
2657
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
|
|
@@ -2578,14 +2677,6 @@ module Aws::KMS
|
|
|
2578
2677
|
include Aws::Structure
|
|
2579
2678
|
end
|
|
2580
2679
|
|
|
2581
|
-
# @note When making an API call, you may pass GetKeyPolicyRequest
|
|
2582
|
-
# data as a hash:
|
|
2583
|
-
#
|
|
2584
|
-
# {
|
|
2585
|
-
# key_id: "KeyIdType", # required
|
|
2586
|
-
# policy_name: "PolicyNameType", # required
|
|
2587
|
-
# }
|
|
2588
|
-
#
|
|
2589
2680
|
# @!attribute [rw] key_id
|
|
2590
2681
|
# Gets the key policy for the specified KMS key.
|
|
2591
2682
|
#
|
|
@@ -2628,13 +2719,6 @@ module Aws::KMS
|
|
|
2628
2719
|
include Aws::Structure
|
|
2629
2720
|
end
|
|
2630
2721
|
|
|
2631
|
-
# @note When making an API call, you may pass GetKeyRotationStatusRequest
|
|
2632
|
-
# data as a hash:
|
|
2633
|
-
#
|
|
2634
|
-
# {
|
|
2635
|
-
# key_id: "KeyIdType", # required
|
|
2636
|
-
# }
|
|
2637
|
-
#
|
|
2638
2722
|
# @!attribute [rw] key_id
|
|
2639
2723
|
# Gets the rotation status for the specified KMS key.
|
|
2640
2724
|
#
|
|
@@ -2673,15 +2757,6 @@ module Aws::KMS
|
|
|
2673
2757
|
include Aws::Structure
|
|
2674
2758
|
end
|
|
2675
2759
|
|
|
2676
|
-
# @note When making an API call, you may pass GetParametersForImportRequest
|
|
2677
|
-
# data as a hash:
|
|
2678
|
-
#
|
|
2679
|
-
# {
|
|
2680
|
-
# key_id: "KeyIdType", # required
|
|
2681
|
-
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
2682
|
-
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
|
|
2683
|
-
# }
|
|
2684
|
-
#
|
|
2685
2760
|
# @!attribute [rw] key_id
|
|
2686
2761
|
# The identifier of the symmetric encryption KMS key into which you
|
|
2687
2762
|
# will import key material. The `Origin` of the KMS key must be
|
|
@@ -2763,14 +2838,6 @@ module Aws::KMS
|
|
|
2763
2838
|
include Aws::Structure
|
|
2764
2839
|
end
|
|
2765
2840
|
|
|
2766
|
-
# @note When making an API call, you may pass GetPublicKeyRequest
|
|
2767
|
-
# data as a hash:
|
|
2768
|
-
#
|
|
2769
|
-
# {
|
|
2770
|
-
# key_id: "KeyIdType", # required
|
|
2771
|
-
# grant_tokens: ["GrantTokenType"],
|
|
2772
|
-
# }
|
|
2773
|
-
#
|
|
2774
2841
|
# @!attribute [rw] key_id
|
|
2775
2842
|
# Identifies the asymmetric KMS key that includes the public key.
|
|
2776
2843
|
#
|
|
@@ -2846,7 +2913,7 @@ module Aws::KMS
|
|
|
2846
2913
|
#
|
|
2847
2914
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
|
2848
2915
|
# value. We recommend that you use the `KeySpec` field in your code.
|
|
2849
|
-
# However, to avoid breaking changes, KMS
|
|
2916
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
|
2850
2917
|
# @return [String]
|
|
2851
2918
|
#
|
|
2852
2919
|
# @!attribute [rw] key_spec
|
|
@@ -2900,11 +2967,10 @@ module Aws::KMS
|
|
|
2900
2967
|
#
|
|
2901
2968
|
# KMS applies the grant constraints only to cryptographic operations
|
|
2902
2969
|
# that support an encryption context, that is, all cryptographic
|
|
2903
|
-
# operations with a [symmetric
|
|
2904
|
-
#
|
|
2905
|
-
#
|
|
2906
|
-
#
|
|
2907
|
-
# RetireGrant.
|
|
2970
|
+
# operations with a [symmetric KMS key][3]. Grant constraints are not
|
|
2971
|
+
# applied to operations that do not support an encryption context, such
|
|
2972
|
+
# as cryptographic operations with asymmetric KMS keys and management
|
|
2973
|
+
# operations, such as DescribeKey or RetireGrant.
|
|
2908
2974
|
#
|
|
2909
2975
|
# In a cryptographic operation, the encryption context in the decryption
|
|
2910
2976
|
# operation must be an exact, case-sensitive match for the keys and
|
|
@@ -2928,18 +2994,6 @@ module Aws::KMS
|
|
|
2928
2994
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
|
|
2929
2995
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context
|
|
2930
2996
|
#
|
|
2931
|
-
# @note When making an API call, you may pass GrantConstraints
|
|
2932
|
-
# data as a hash:
|
|
2933
|
-
#
|
|
2934
|
-
# {
|
|
2935
|
-
# encryption_context_subset: {
|
|
2936
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2937
|
-
# },
|
|
2938
|
-
# encryption_context_equals: {
|
|
2939
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
2940
|
-
# },
|
|
2941
|
-
# }
|
|
2942
|
-
#
|
|
2943
2997
|
# @!attribute [rw] encryption_context_subset
|
|
2944
2998
|
# A list of key-value pairs that must be included in the encryption
|
|
2945
2999
|
# context of the [cryptographic operation][1] request. The grant
|
|
@@ -3040,17 +3094,6 @@ module Aws::KMS
|
|
|
3040
3094
|
include Aws::Structure
|
|
3041
3095
|
end
|
|
3042
3096
|
|
|
3043
|
-
# @note When making an API call, you may pass ImportKeyMaterialRequest
|
|
3044
|
-
# data as a hash:
|
|
3045
|
-
#
|
|
3046
|
-
# {
|
|
3047
|
-
# key_id: "KeyIdType", # required
|
|
3048
|
-
# import_token: "data", # required
|
|
3049
|
-
# encrypted_key_material: "data", # required
|
|
3050
|
-
# valid_to: Time.now,
|
|
3051
|
-
# expiration_model: "KEY_MATERIAL_EXPIRES", # accepts KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE
|
|
3052
|
-
# }
|
|
3053
|
-
#
|
|
3054
3097
|
# @!attribute [rw] key_id
|
|
3055
3098
|
# The identifier of the symmetric encryption KMS key that receives the
|
|
3056
3099
|
# imported key material. This must be the same KMS key specified in
|
|
@@ -3088,19 +3131,37 @@ module Aws::KMS
|
|
|
3088
3131
|
# @return [String]
|
|
3089
3132
|
#
|
|
3090
3133
|
# @!attribute [rw] valid_to
|
|
3091
|
-
# The time
|
|
3092
|
-
#
|
|
3093
|
-
#
|
|
3094
|
-
#
|
|
3095
|
-
#
|
|
3134
|
+
# The date and time when the imported key material expires. This
|
|
3135
|
+
# parameter is required when the value of the `ExpirationModel`
|
|
3136
|
+
# parameter is `KEY_MATERIAL_EXPIRES`. Otherwise it is not valid.
|
|
3137
|
+
#
|
|
3138
|
+
# The value of this parameter must be a future date and time. The
|
|
3139
|
+
# maximum value is 365 days from the request date.
|
|
3140
|
+
#
|
|
3141
|
+
# When the key material expires, KMS deletes the key material from the
|
|
3142
|
+
# KMS key. Without its key material, the KMS key is unusable. To use
|
|
3143
|
+
# the KMS key in cryptographic operations, you must reimport the same
|
|
3144
|
+
# key material.
|
|
3145
|
+
#
|
|
3146
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
|
3147
|
+
# current import after the request completes. To change either value,
|
|
3148
|
+
# you must delete (DeleteImportedKeyMaterial) and reimport the key
|
|
3149
|
+
# material.
|
|
3096
3150
|
# @return [Time]
|
|
3097
3151
|
#
|
|
3098
3152
|
# @!attribute [rw] expiration_model
|
|
3099
3153
|
# Specifies whether the key material expires. The default is
|
|
3100
|
-
# `KEY_MATERIAL_EXPIRES
|
|
3101
|
-
#
|
|
3154
|
+
# `KEY_MATERIAL_EXPIRES`.
|
|
3155
|
+
#
|
|
3156
|
+
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
|
3157
|
+
# must specify a value for the `ValidTo` parameter. When value is
|
|
3102
3158
|
# `KEY_MATERIAL_DOES_NOT_EXPIRE`, you must omit the `ValidTo`
|
|
3103
3159
|
# parameter.
|
|
3160
|
+
#
|
|
3161
|
+
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
|
3162
|
+
# current import after the request completes. To change either value,
|
|
3163
|
+
# you must delete (DeleteImportedKeyMaterial) and reimport the key
|
|
3164
|
+
# material.
|
|
3104
3165
|
# @return [String]
|
|
3105
3166
|
#
|
|
3106
3167
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
|
@@ -3151,11 +3212,11 @@ module Aws::KMS
|
|
|
3151
3212
|
end
|
|
3152
3213
|
|
|
3153
3214
|
# The request was rejected because the trust anchor certificate in the
|
|
3154
|
-
# request
|
|
3155
|
-
# cluster.
|
|
3215
|
+
# request to create an CloudHSM key store is not the trust anchor
|
|
3216
|
+
# certificate for the specified CloudHSM cluster.
|
|
3156
3217
|
#
|
|
3157
|
-
# When you [initialize the cluster][1], you create the trust
|
|
3158
|
-
# certificate and save it in the `customerCA.crt` file.
|
|
3218
|
+
# When you [initialize the CloudHSM cluster][1], you create the trust
|
|
3219
|
+
# anchor certificate and save it in the `customerCA.crt` file.
|
|
3159
3220
|
#
|
|
3160
3221
|
#
|
|
3161
3222
|
#
|
|
@@ -3353,9 +3414,19 @@ module Aws::KMS
|
|
|
3353
3414
|
# The request was rejected because the state of the specified resource
|
|
3354
3415
|
# is not valid for this request.
|
|
3355
3416
|
#
|
|
3356
|
-
#
|
|
3357
|
-
#
|
|
3358
|
-
#
|
|
3417
|
+
# This exceptions means one of the following:
|
|
3418
|
+
#
|
|
3419
|
+
# * The key state of the KMS key is not compatible with the operation.
|
|
3420
|
+
#
|
|
3421
|
+
# To find the key state, use the DescribeKey operation. For more
|
|
3422
|
+
# information about which key states are compatible with each KMS
|
|
3423
|
+
# operation, see [Key states of KMS keys][1] in the <i> <i>Key
|
|
3424
|
+
# Management Service Developer Guide</i> </i>.
|
|
3425
|
+
#
|
|
3426
|
+
# * For cryptographic operations on KMS keys in custom key stores, this
|
|
3427
|
+
# exception represents a general failure with many possible causes. To
|
|
3428
|
+
# identify the cause, see the error message that accompanies the
|
|
3429
|
+
# exception.
|
|
3359
3430
|
#
|
|
3360
3431
|
#
|
|
3361
3432
|
#
|
|
@@ -3393,8 +3464,8 @@ module Aws::KMS
|
|
|
3393
3464
|
|
|
3394
3465
|
# Contains metadata about a KMS key.
|
|
3395
3466
|
#
|
|
3396
|
-
# This data type is used as a response element for the CreateKey
|
|
3397
|
-
# DescribeKey operations.
|
|
3467
|
+
# This data type is used as a response element for the CreateKey,
|
|
3468
|
+
# DescribeKey, and ReplicateKey operations.
|
|
3398
3469
|
#
|
|
3399
3470
|
# @!attribute [rw] aws_account_id
|
|
3400
3471
|
# The twelve-digit account ID of the Amazon Web Services account that
|
|
@@ -3478,7 +3549,7 @@ module Aws::KMS
|
|
|
3478
3549
|
#
|
|
3479
3550
|
# @!attribute [rw] custom_key_store_id
|
|
3480
3551
|
# A unique identifier for the [custom key store][1] that contains the
|
|
3481
|
-
# KMS key. This
|
|
3552
|
+
# KMS key. This field is present only when the KMS key is created in a
|
|
3482
3553
|
# custom key store.
|
|
3483
3554
|
#
|
|
3484
3555
|
#
|
|
@@ -3488,10 +3559,10 @@ module Aws::KMS
|
|
|
3488
3559
|
#
|
|
3489
3560
|
# @!attribute [rw] cloud_hsm_cluster_id
|
|
3490
3561
|
# The cluster ID of the CloudHSM cluster that contains the key
|
|
3491
|
-
# material for the KMS key. When you create a KMS key in
|
|
3492
|
-
# store][1], KMS creates the key material for the KMS key
|
|
3493
|
-
# associated CloudHSM cluster. This
|
|
3494
|
-
# key is created in
|
|
3562
|
+
# material for the KMS key. When you create a KMS key in an CloudHSM
|
|
3563
|
+
# [custom key store][1], KMS creates the key material for the KMS key
|
|
3564
|
+
# in the associated CloudHSM cluster. This field is present only when
|
|
3565
|
+
# the KMS key is created in an CloudHSM key store.
|
|
3495
3566
|
#
|
|
3496
3567
|
#
|
|
3497
3568
|
#
|
|
@@ -3520,7 +3591,7 @@ module Aws::KMS
|
|
|
3520
3591
|
#
|
|
3521
3592
|
# The `KeySpec` and `CustomerMasterKeySpec` fields have the same
|
|
3522
3593
|
# value. We recommend that you use the `KeySpec` field in your code.
|
|
3523
|
-
# However, to avoid breaking changes, KMS
|
|
3594
|
+
# However, to avoid breaking changes, KMS supports both fields.
|
|
3524
3595
|
# @return [String]
|
|
3525
3596
|
#
|
|
3526
3597
|
# @!attribute [rw] key_spec
|
|
@@ -3602,6 +3673,18 @@ module Aws::KMS
|
|
|
3602
3673
|
# `GENERATE_VERIFY_MAC`.
|
|
3603
3674
|
# @return [Array<String>]
|
|
3604
3675
|
#
|
|
3676
|
+
# @!attribute [rw] xks_key_configuration
|
|
3677
|
+
# Information about the external key that is associated with a KMS key
|
|
3678
|
+
# in an external key store.
|
|
3679
|
+
#
|
|
3680
|
+
# For more information, see [External key][1] in the *Key Management
|
|
3681
|
+
# Service Developer Guide*.
|
|
3682
|
+
#
|
|
3683
|
+
#
|
|
3684
|
+
#
|
|
3685
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
|
3686
|
+
# @return [Types::XksKeyConfigurationType]
|
|
3687
|
+
#
|
|
3605
3688
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/KeyMetadata AWS API Documentation
|
|
3606
3689
|
#
|
|
3607
3690
|
class KeyMetadata < Struct.new(
|
|
@@ -3627,7 +3710,8 @@ module Aws::KMS
|
|
|
3627
3710
|
:multi_region,
|
|
3628
3711
|
:multi_region_configuration,
|
|
3629
3712
|
:pending_deletion_window_in_days,
|
|
3630
|
-
:mac_algorithms
|
|
3713
|
+
:mac_algorithms,
|
|
3714
|
+
:xks_key_configuration)
|
|
3631
3715
|
SENSITIVE = []
|
|
3632
3716
|
include Aws::Structure
|
|
3633
3717
|
end
|
|
@@ -3665,15 +3749,6 @@ module Aws::KMS
|
|
|
3665
3749
|
include Aws::Structure
|
|
3666
3750
|
end
|
|
3667
3751
|
|
|
3668
|
-
# @note When making an API call, you may pass ListAliasesRequest
|
|
3669
|
-
# data as a hash:
|
|
3670
|
-
#
|
|
3671
|
-
# {
|
|
3672
|
-
# key_id: "KeyIdType",
|
|
3673
|
-
# limit: 1,
|
|
3674
|
-
# marker: "MarkerType",
|
|
3675
|
-
# }
|
|
3676
|
-
#
|
|
3677
3752
|
# @!attribute [rw] key_id
|
|
3678
3753
|
# Lists only aliases that are associated with the specified KMS key.
|
|
3679
3754
|
# Enter a KMS key in your Amazon Web Services account.
|
|
@@ -3746,17 +3821,6 @@ module Aws::KMS
|
|
|
3746
3821
|
include Aws::Structure
|
|
3747
3822
|
end
|
|
3748
3823
|
|
|
3749
|
-
# @note When making an API call, you may pass ListGrantsRequest
|
|
3750
|
-
# data as a hash:
|
|
3751
|
-
#
|
|
3752
|
-
# {
|
|
3753
|
-
# limit: 1,
|
|
3754
|
-
# marker: "MarkerType",
|
|
3755
|
-
# key_id: "KeyIdType", # required
|
|
3756
|
-
# grant_id: "GrantIdType",
|
|
3757
|
-
# grantee_principal: "PrincipalIdType",
|
|
3758
|
-
# }
|
|
3759
|
-
#
|
|
3760
3824
|
# @!attribute [rw] limit
|
|
3761
3825
|
# Use this parameter to specify the maximum number of items to return.
|
|
3762
3826
|
# When this value is present, KMS does not return more than the
|
|
@@ -3840,15 +3904,6 @@ module Aws::KMS
|
|
|
3840
3904
|
include Aws::Structure
|
|
3841
3905
|
end
|
|
3842
3906
|
|
|
3843
|
-
# @note When making an API call, you may pass ListKeyPoliciesRequest
|
|
3844
|
-
# data as a hash:
|
|
3845
|
-
#
|
|
3846
|
-
# {
|
|
3847
|
-
# key_id: "KeyIdType", # required
|
|
3848
|
-
# limit: 1,
|
|
3849
|
-
# marker: "MarkerType",
|
|
3850
|
-
# }
|
|
3851
|
-
#
|
|
3852
3907
|
# @!attribute [rw] key_id
|
|
3853
3908
|
# Gets the names of key policies for the specified KMS key.
|
|
3854
3909
|
#
|
|
@@ -3919,14 +3974,6 @@ module Aws::KMS
|
|
|
3919
3974
|
include Aws::Structure
|
|
3920
3975
|
end
|
|
3921
3976
|
|
|
3922
|
-
# @note When making an API call, you may pass ListKeysRequest
|
|
3923
|
-
# data as a hash:
|
|
3924
|
-
#
|
|
3925
|
-
# {
|
|
3926
|
-
# limit: 1,
|
|
3927
|
-
# marker: "MarkerType",
|
|
3928
|
-
# }
|
|
3929
|
-
#
|
|
3930
3977
|
# @!attribute [rw] limit
|
|
3931
3978
|
# Use this parameter to specify the maximum number of items to return.
|
|
3932
3979
|
# When this value is present, KMS does not return more than the
|
|
@@ -3978,15 +4025,6 @@ module Aws::KMS
|
|
|
3978
4025
|
include Aws::Structure
|
|
3979
4026
|
end
|
|
3980
4027
|
|
|
3981
|
-
# @note When making an API call, you may pass ListResourceTagsRequest
|
|
3982
|
-
# data as a hash:
|
|
3983
|
-
#
|
|
3984
|
-
# {
|
|
3985
|
-
# key_id: "KeyIdType", # required
|
|
3986
|
-
# limit: 1,
|
|
3987
|
-
# marker: "MarkerType",
|
|
3988
|
-
# }
|
|
3989
|
-
#
|
|
3990
4028
|
# @!attribute [rw] key_id
|
|
3991
4029
|
# Gets tags on the specified KMS key.
|
|
3992
4030
|
#
|
|
@@ -4035,7 +4073,7 @@ module Aws::KMS
|
|
|
4035
4073
|
# A list of tags. Each tag consists of a tag key and a tag value.
|
|
4036
4074
|
#
|
|
4037
4075
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4038
|
-
# KMS key. For details, see [ABAC
|
|
4076
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
|
4039
4077
|
# Service Developer Guide*.
|
|
4040
4078
|
#
|
|
4041
4079
|
# </note>
|
|
@@ -4069,15 +4107,6 @@ module Aws::KMS
|
|
|
4069
4107
|
include Aws::Structure
|
|
4070
4108
|
end
|
|
4071
4109
|
|
|
4072
|
-
# @note When making an API call, you may pass ListRetirableGrantsRequest
|
|
4073
|
-
# data as a hash:
|
|
4074
|
-
#
|
|
4075
|
-
# {
|
|
4076
|
-
# limit: 1,
|
|
4077
|
-
# marker: "MarkerType",
|
|
4078
|
-
# retiring_principal: "PrincipalIdType", # required
|
|
4079
|
-
# }
|
|
4080
|
-
#
|
|
4081
4110
|
# @!attribute [rw] limit
|
|
4082
4111
|
# Use this parameter to specify the maximum number of items to return.
|
|
4083
4112
|
# When this value is present, KMS does not return more than the
|
|
@@ -4202,16 +4231,6 @@ module Aws::KMS
|
|
|
4202
4231
|
include Aws::Structure
|
|
4203
4232
|
end
|
|
4204
4233
|
|
|
4205
|
-
# @note When making an API call, you may pass PutKeyPolicyRequest
|
|
4206
|
-
# data as a hash:
|
|
4207
|
-
#
|
|
4208
|
-
# {
|
|
4209
|
-
# key_id: "KeyIdType", # required
|
|
4210
|
-
# policy_name: "PolicyNameType", # required
|
|
4211
|
-
# policy: "PolicyType", # required
|
|
4212
|
-
# bypass_policy_lockout_safety_check: false,
|
|
4213
|
-
# }
|
|
4214
|
-
#
|
|
4215
4234
|
# @!attribute [rw] key_id
|
|
4216
4235
|
# Sets the key policy on the specified KMS key.
|
|
4217
4236
|
#
|
|
@@ -4267,7 +4286,7 @@ module Aws::KMS
|
|
|
4267
4286
|
# (`\u000D`) special characters
|
|
4268
4287
|
#
|
|
4269
4288
|
# For information about key policies, see [Key policies in KMS][3] in
|
|
4270
|
-
# the *Key Management Service Developer Guide*.
|
|
4289
|
+
# the *Key Management Service Developer Guide*.For help writing and
|
|
4271
4290
|
# formatting a JSON policy document, see the [IAM JSON Policy
|
|
4272
4291
|
# Reference][4] in the <i> <i>Identity and Access Management User
|
|
4273
4292
|
# Guide</i> </i>.
|
|
@@ -4313,24 +4332,6 @@ module Aws::KMS
|
|
|
4313
4332
|
include Aws::Structure
|
|
4314
4333
|
end
|
|
4315
4334
|
|
|
4316
|
-
# @note When making an API call, you may pass ReEncryptRequest
|
|
4317
|
-
# data as a hash:
|
|
4318
|
-
#
|
|
4319
|
-
# {
|
|
4320
|
-
# ciphertext_blob: "data", # required
|
|
4321
|
-
# source_encryption_context: {
|
|
4322
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
4323
|
-
# },
|
|
4324
|
-
# source_key_id: "KeyIdType",
|
|
4325
|
-
# destination_key_id: "KeyIdType", # required
|
|
4326
|
-
# destination_encryption_context: {
|
|
4327
|
-
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
4328
|
-
# },
|
|
4329
|
-
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4330
|
-
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4331
|
-
# grant_tokens: ["GrantTokenType"],
|
|
4332
|
-
# }
|
|
4333
|
-
#
|
|
4334
4335
|
# @!attribute [rw] ciphertext_blob
|
|
4335
4336
|
# Ciphertext of the data to reencrypt.
|
|
4336
4337
|
# @return [String]
|
|
@@ -4536,23 +4537,6 @@ module Aws::KMS
|
|
|
4536
4537
|
include Aws::Structure
|
|
4537
4538
|
end
|
|
4538
4539
|
|
|
4539
|
-
# @note When making an API call, you may pass ReplicateKeyRequest
|
|
4540
|
-
# data as a hash:
|
|
4541
|
-
#
|
|
4542
|
-
# {
|
|
4543
|
-
# key_id: "KeyIdType", # required
|
|
4544
|
-
# replica_region: "RegionType", # required
|
|
4545
|
-
# policy: "PolicyType",
|
|
4546
|
-
# bypass_policy_lockout_safety_check: false,
|
|
4547
|
-
# description: "DescriptionType",
|
|
4548
|
-
# tags: [
|
|
4549
|
-
# {
|
|
4550
|
-
# tag_key: "TagKeyType", # required
|
|
4551
|
-
# tag_value: "TagValueType", # required
|
|
4552
|
-
# },
|
|
4553
|
-
# ],
|
|
4554
|
-
# }
|
|
4555
|
-
#
|
|
4556
4540
|
# @!attribute [rw] key_id
|
|
4557
4541
|
# Identifies the multi-Region primary key that is being replicated. To
|
|
4558
4542
|
# determine whether a KMS key is a multi-Region primary key, use the
|
|
@@ -4703,7 +4687,7 @@ module Aws::KMS
|
|
|
4703
4687
|
# the TagResource operation.
|
|
4704
4688
|
#
|
|
4705
4689
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
|
4706
|
-
# KMS key. For details, see [ABAC
|
|
4690
|
+
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
|
4707
4691
|
# Service Developer Guide*.
|
|
4708
4692
|
#
|
|
4709
4693
|
# </note>
|
|
@@ -4778,15 +4762,6 @@ module Aws::KMS
|
|
|
4778
4762
|
include Aws::Structure
|
|
4779
4763
|
end
|
|
4780
4764
|
|
|
4781
|
-
# @note When making an API call, you may pass RetireGrantRequest
|
|
4782
|
-
# data as a hash:
|
|
4783
|
-
#
|
|
4784
|
-
# {
|
|
4785
|
-
# grant_token: "GrantTokenType",
|
|
4786
|
-
# key_id: "KeyIdType",
|
|
4787
|
-
# grant_id: "GrantIdType",
|
|
4788
|
-
# }
|
|
4789
|
-
#
|
|
4790
4765
|
# @!attribute [rw] grant_token
|
|
4791
4766
|
# Identifies the grant to be retired. You can use a grant token to
|
|
4792
4767
|
# identify a new grant even before it has achieved eventual
|
|
@@ -4830,14 +4805,6 @@ module Aws::KMS
|
|
|
4830
4805
|
include Aws::Structure
|
|
4831
4806
|
end
|
|
4832
4807
|
|
|
4833
|
-
# @note When making an API call, you may pass RevokeGrantRequest
|
|
4834
|
-
# data as a hash:
|
|
4835
|
-
#
|
|
4836
|
-
# {
|
|
4837
|
-
# key_id: "KeyIdType", # required
|
|
4838
|
-
# grant_id: "GrantIdType", # required
|
|
4839
|
-
# }
|
|
4840
|
-
#
|
|
4841
4808
|
# @!attribute [rw] key_id
|
|
4842
4809
|
# A unique identifier for the KMS key associated with the grant. To
|
|
4843
4810
|
# get the key ID and key ARN for a KMS key, use ListKeys or
|
|
@@ -4872,14 +4839,6 @@ module Aws::KMS
|
|
|
4872
4839
|
include Aws::Structure
|
|
4873
4840
|
end
|
|
4874
4841
|
|
|
4875
|
-
# @note When making an API call, you may pass ScheduleKeyDeletionRequest
|
|
4876
|
-
# data as a hash:
|
|
4877
|
-
#
|
|
4878
|
-
# {
|
|
4879
|
-
# key_id: "KeyIdType", # required
|
|
4880
|
-
# pending_window_in_days: 1,
|
|
4881
|
-
# }
|
|
4882
|
-
#
|
|
4883
4842
|
# @!attribute [rw] key_id
|
|
4884
4843
|
# The unique identifier of the KMS key to delete.
|
|
4885
4844
|
#
|
|
@@ -4965,17 +4924,6 @@ module Aws::KMS
|
|
|
4965
4924
|
include Aws::Structure
|
|
4966
4925
|
end
|
|
4967
4926
|
|
|
4968
|
-
# @note When making an API call, you may pass SignRequest
|
|
4969
|
-
# data as a hash:
|
|
4970
|
-
#
|
|
4971
|
-
# {
|
|
4972
|
-
# key_id: "KeyIdType", # required
|
|
4973
|
-
# message: "data", # required
|
|
4974
|
-
# message_type: "RAW", # accepts RAW, DIGEST
|
|
4975
|
-
# grant_tokens: ["GrantTokenType"],
|
|
4976
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
4977
|
-
# }
|
|
4978
|
-
#
|
|
4979
4927
|
# @!attribute [rw] key_id
|
|
4980
4928
|
# Identifies an asymmetric KMS key. KMS uses the private key in the
|
|
4981
4929
|
# asymmetric KMS key to sign the message. The `KeyUsage` type of the
|
|
@@ -5105,14 +5053,6 @@ module Aws::KMS
|
|
|
5105
5053
|
#
|
|
5106
5054
|
# [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
|
|
5107
5055
|
#
|
|
5108
|
-
# @note When making an API call, you may pass Tag
|
|
5109
|
-
# data as a hash:
|
|
5110
|
-
#
|
|
5111
|
-
# {
|
|
5112
|
-
# tag_key: "TagKeyType", # required
|
|
5113
|
-
# tag_value: "TagValueType", # required
|
|
5114
|
-
# }
|
|
5115
|
-
#
|
|
5116
5056
|
# @!attribute [rw] tag_key
|
|
5117
5057
|
# The key of the tag.
|
|
5118
5058
|
# @return [String]
|
|
@@ -5143,19 +5083,6 @@ module Aws::KMS
|
|
|
5143
5083
|
include Aws::Structure
|
|
5144
5084
|
end
|
|
5145
5085
|
|
|
5146
|
-
# @note When making an API call, you may pass TagResourceRequest
|
|
5147
|
-
# data as a hash:
|
|
5148
|
-
#
|
|
5149
|
-
# {
|
|
5150
|
-
# key_id: "KeyIdType", # required
|
|
5151
|
-
# tags: [ # required
|
|
5152
|
-
# {
|
|
5153
|
-
# tag_key: "TagKeyType", # required
|
|
5154
|
-
# tag_value: "TagValueType", # required
|
|
5155
|
-
# },
|
|
5156
|
-
# ],
|
|
5157
|
-
# }
|
|
5158
|
-
#
|
|
5159
5086
|
# @!attribute [rw] key_id
|
|
5160
5087
|
# Identifies a customer managed key in the account and Region.
|
|
5161
5088
|
#
|
|
@@ -5206,14 +5133,6 @@ module Aws::KMS
|
|
|
5206
5133
|
include Aws::Structure
|
|
5207
5134
|
end
|
|
5208
5135
|
|
|
5209
|
-
# @note When making an API call, you may pass UntagResourceRequest
|
|
5210
|
-
# data as a hash:
|
|
5211
|
-
#
|
|
5212
|
-
# {
|
|
5213
|
-
# key_id: "KeyIdType", # required
|
|
5214
|
-
# tag_keys: ["TagKeyType"], # required
|
|
5215
|
-
# }
|
|
5216
|
-
#
|
|
5217
5136
|
# @!attribute [rw] key_id
|
|
5218
5137
|
# Identifies the KMS key from which you are removing tags.
|
|
5219
5138
|
#
|
|
@@ -5243,14 +5162,6 @@ module Aws::KMS
|
|
|
5243
5162
|
include Aws::Structure
|
|
5244
5163
|
end
|
|
5245
5164
|
|
|
5246
|
-
# @note When making an API call, you may pass UpdateAliasRequest
|
|
5247
|
-
# data as a hash:
|
|
5248
|
-
#
|
|
5249
|
-
# {
|
|
5250
|
-
# alias_name: "AliasNameType", # required
|
|
5251
|
-
# target_key_id: "KeyIdType", # required
|
|
5252
|
-
# }
|
|
5253
|
-
#
|
|
5254
5165
|
# @!attribute [rw] alias_name
|
|
5255
5166
|
# Identifies the alias that is changing its KMS key. This value must
|
|
5256
5167
|
# begin with `alias/` followed by the alias name, such as
|
|
@@ -5266,7 +5177,7 @@ module Aws::KMS
|
|
|
5266
5177
|
# The KMS key must be in the same Amazon Web Services account and
|
|
5267
5178
|
# Region as the alias. Also, the new target KMS key must be the same
|
|
5268
5179
|
# type as the current target KMS key (both symmetric or both
|
|
5269
|
-
# asymmetric) and they must have the same key usage.
|
|
5180
|
+
# asymmetric or both HMAC) and they must have the same key usage.
|
|
5270
5181
|
#
|
|
5271
5182
|
# Specify the key ID or key ARN of the KMS key.
|
|
5272
5183
|
#
|
|
@@ -5298,16 +5209,6 @@ module Aws::KMS
|
|
|
5298
5209
|
include Aws::Structure
|
|
5299
5210
|
end
|
|
5300
5211
|
|
|
5301
|
-
# @note When making an API call, you may pass UpdateCustomKeyStoreRequest
|
|
5302
|
-
# data as a hash:
|
|
5303
|
-
#
|
|
5304
|
-
# {
|
|
5305
|
-
# custom_key_store_id: "CustomKeyStoreIdType", # required
|
|
5306
|
-
# new_custom_key_store_name: "CustomKeyStoreNameType",
|
|
5307
|
-
# key_store_password: "KeyStorePasswordType",
|
|
5308
|
-
# cloud_hsm_cluster_id: "CloudHsmClusterIdType",
|
|
5309
|
-
# }
|
|
5310
|
-
#
|
|
5311
5212
|
# @!attribute [rw] custom_key_store_id
|
|
5312
5213
|
# Identifies the custom key store that you want to update. Enter the
|
|
5313
5214
|
# ID of the custom key store. To find the ID of a custom key store,
|
|
@@ -5318,19 +5219,28 @@ module Aws::KMS
|
|
|
5318
5219
|
# Changes the friendly name of the custom key store to the value that
|
|
5319
5220
|
# you specify. The custom key store name must be unique in the Amazon
|
|
5320
5221
|
# Web Services account.
|
|
5222
|
+
#
|
|
5223
|
+
# To change this value, an CloudHSM key store must be disconnected. An
|
|
5224
|
+
# external key store can be connected or disconnected.
|
|
5321
5225
|
# @return [String]
|
|
5322
5226
|
#
|
|
5323
5227
|
# @!attribute [rw] key_store_password
|
|
5324
5228
|
# Enter the current password of the `kmsuser` crypto user (CU) in the
|
|
5325
|
-
# CloudHSM cluster that is associated with the custom key store.
|
|
5229
|
+
# CloudHSM cluster that is associated with the custom key store. This
|
|
5230
|
+
# parameter is valid only for custom key stores with a
|
|
5231
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
|
5326
5232
|
#
|
|
5327
5233
|
# This parameter tells KMS the current password of the `kmsuser`
|
|
5328
5234
|
# crypto user (CU). It does not set or change the password of any
|
|
5329
5235
|
# users in the CloudHSM cluster.
|
|
5236
|
+
#
|
|
5237
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
|
5330
5238
|
# @return [String]
|
|
5331
5239
|
#
|
|
5332
5240
|
# @!attribute [rw] cloud_hsm_cluster_id
|
|
5333
5241
|
# Associates the custom key store with a related CloudHSM cluster.
|
|
5242
|
+
# This parameter is valid only for custom key stores with a
|
|
5243
|
+
# `CustomKeyStoreType` of `AWS_CLOUDHSM`.
|
|
5334
5244
|
#
|
|
5335
5245
|
# Enter the cluster ID of the cluster that you used to create the
|
|
5336
5246
|
# custom key store or a cluster that shares a backup history and has
|
|
@@ -5341,19 +5251,111 @@ module Aws::KMS
|
|
|
5341
5251
|
# To view the cluster certificate of a cluster, use the
|
|
5342
5252
|
# [DescribeClusters][2] operation.
|
|
5343
5253
|
#
|
|
5254
|
+
# To change this value, the CloudHSM key store must be disconnected.
|
|
5255
|
+
#
|
|
5344
5256
|
#
|
|
5345
5257
|
#
|
|
5346
5258
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore
|
|
5347
5259
|
# [2]: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html
|
|
5348
5260
|
# @return [String]
|
|
5349
5261
|
#
|
|
5262
|
+
# @!attribute [rw] xks_proxy_uri_endpoint
|
|
5263
|
+
# Changes the URI endpoint that KMS uses to connect to your external
|
|
5264
|
+
# key store proxy (XKS proxy). This parameter is valid only for custom
|
|
5265
|
+
# key stores with a `CustomKeyStoreType` of `EXTERNAL_KEY_STORE`.
|
|
5266
|
+
#
|
|
5267
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
|
5268
|
+
# `PUBLIC_ENDPOINT`, the protocol must be HTTPS.
|
|
5269
|
+
#
|
|
5270
|
+
# For external key stores with an `XksProxyConnectivity` value of
|
|
5271
|
+
# `VPC_ENDPOINT_SERVICE`, specify `https://` followed by the private
|
|
5272
|
+
# DNS name associated with the VPC endpoint service. Each external key
|
|
5273
|
+
# store must use a different private DNS name.
|
|
5274
|
+
#
|
|
5275
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
|
5276
|
+
# be unique in the Amazon Web Services account and Region.
|
|
5277
|
+
#
|
|
5278
|
+
# To change this value, the external key store must be disconnected.
|
|
5279
|
+
# @return [String]
|
|
5280
|
+
#
|
|
5281
|
+
# @!attribute [rw] xks_proxy_uri_path
|
|
5282
|
+
# Changes the base path to the proxy APIs for this external key store.
|
|
5283
|
+
# To find this value, see the documentation for your external key
|
|
5284
|
+
# manager and external key store proxy (XKS proxy). This parameter is
|
|
5285
|
+
# valid only for custom key stores with a `CustomKeyStoreType` of
|
|
5286
|
+
# `EXTERNAL_KEY_STORE`.
|
|
5287
|
+
#
|
|
5288
|
+
# The value must start with `/` and must end with `/kms/xks/v1`, where
|
|
5289
|
+
# `v1` represents the version of the KMS external key store proxy API.
|
|
5290
|
+
# You can include an optional prefix between the required elements
|
|
5291
|
+
# such as `/example/kms/xks/v1`.
|
|
5292
|
+
#
|
|
5293
|
+
# The combined `XksProxyUriEndpoint` and `XksProxyUriPath` values must
|
|
5294
|
+
# be unique in the Amazon Web Services account and Region.
|
|
5295
|
+
#
|
|
5296
|
+
# You can change this value when the external key store is connected
|
|
5297
|
+
# or disconnected.
|
|
5298
|
+
# @return [String]
|
|
5299
|
+
#
|
|
5300
|
+
# @!attribute [rw] xks_proxy_vpc_endpoint_service_name
|
|
5301
|
+
# Changes the name that KMS uses to identify the Amazon VPC endpoint
|
|
5302
|
+
# service for your external key store proxy (XKS proxy). This
|
|
5303
|
+
# parameter is valid when the `CustomKeyStoreType` is
|
|
5304
|
+
# `EXTERNAL_KEY_STORE` and the `XksProxyConnectivity` is
|
|
5305
|
+
# `VPC_ENDPOINT_SERVICE`.
|
|
5306
|
+
#
|
|
5307
|
+
# To change this value, the external key store must be disconnected.
|
|
5308
|
+
# @return [String]
|
|
5309
|
+
#
|
|
5310
|
+
# @!attribute [rw] xks_proxy_authentication_credential
|
|
5311
|
+
# Changes the credentials that KMS uses to sign requests to the
|
|
5312
|
+
# external key store proxy (XKS proxy). This parameter is valid only
|
|
5313
|
+
# for custom key stores with a `CustomKeyStoreType` of
|
|
5314
|
+
# `EXTERNAL_KEY_STORE`.
|
|
5315
|
+
#
|
|
5316
|
+
# You must specify both the `AccessKeyId` and `SecretAccessKey` value
|
|
5317
|
+
# in the authentication credential, even if you are only updating one
|
|
5318
|
+
# value.
|
|
5319
|
+
#
|
|
5320
|
+
# This parameter doesn't establish or change your authentication
|
|
5321
|
+
# credentials on the proxy. It just tells KMS the credential that you
|
|
5322
|
+
# established with your external key store proxy. For example, if you
|
|
5323
|
+
# rotate the credential on your external key store proxy, you can use
|
|
5324
|
+
# this parameter to update the credential in KMS.
|
|
5325
|
+
#
|
|
5326
|
+
# You can change this value when the external key store is connected
|
|
5327
|
+
# or disconnected.
|
|
5328
|
+
# @return [Types::XksProxyAuthenticationCredentialType]
|
|
5329
|
+
#
|
|
5330
|
+
# @!attribute [rw] xks_proxy_connectivity
|
|
5331
|
+
# Changes the connectivity setting for the external key store. To
|
|
5332
|
+
# indicate that the external key store proxy uses a Amazon VPC
|
|
5333
|
+
# endpoint service to communicate with KMS, specify
|
|
5334
|
+
# `VPC_ENDPOINT_SERVICE`. Otherwise, specify `PUBLIC_ENDPOINT`.
|
|
5335
|
+
#
|
|
5336
|
+
# If you change the `XksProxyConnectivity` to `VPC_ENDPOINT_SERVICE`,
|
|
5337
|
+
# you must also change the `XksProxyUriEndpoint` and add an
|
|
5338
|
+
# `XksProxyVpcEndpointServiceName` value.
|
|
5339
|
+
#
|
|
5340
|
+
# If you change the `XksProxyConnectivity` to `PUBLIC_ENDPOINT`, you
|
|
5341
|
+
# must also change the `XksProxyUriEndpoint` and specify a null or
|
|
5342
|
+
# empty string for the `XksProxyVpcEndpointServiceName` value.
|
|
5343
|
+
#
|
|
5344
|
+
# To change this value, the external key store must be disconnected.
|
|
5345
|
+
# @return [String]
|
|
5346
|
+
#
|
|
5350
5347
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStoreRequest AWS API Documentation
|
|
5351
5348
|
#
|
|
5352
5349
|
class UpdateCustomKeyStoreRequest < Struct.new(
|
|
5353
5350
|
:custom_key_store_id,
|
|
5354
5351
|
:new_custom_key_store_name,
|
|
5355
5352
|
:key_store_password,
|
|
5356
|
-
:cloud_hsm_cluster_id
|
|
5353
|
+
:cloud_hsm_cluster_id,
|
|
5354
|
+
:xks_proxy_uri_endpoint,
|
|
5355
|
+
:xks_proxy_uri_path,
|
|
5356
|
+
:xks_proxy_vpc_endpoint_service_name,
|
|
5357
|
+
:xks_proxy_authentication_credential,
|
|
5358
|
+
:xks_proxy_connectivity)
|
|
5357
5359
|
SENSITIVE = [:key_store_password]
|
|
5358
5360
|
include Aws::Structure
|
|
5359
5361
|
end
|
|
@@ -5362,14 +5364,6 @@ module Aws::KMS
|
|
|
5362
5364
|
#
|
|
5363
5365
|
class UpdateCustomKeyStoreResponse < Aws::EmptyStructure; end
|
|
5364
5366
|
|
|
5365
|
-
# @note When making an API call, you may pass UpdateKeyDescriptionRequest
|
|
5366
|
-
# data as a hash:
|
|
5367
|
-
#
|
|
5368
|
-
# {
|
|
5369
|
-
# key_id: "KeyIdType", # required
|
|
5370
|
-
# description: "DescriptionType", # required
|
|
5371
|
-
# }
|
|
5372
|
-
#
|
|
5373
5367
|
# @!attribute [rw] key_id
|
|
5374
5368
|
# Updates the description of the specified KMS key.
|
|
5375
5369
|
#
|
|
@@ -5399,14 +5393,6 @@ module Aws::KMS
|
|
|
5399
5393
|
include Aws::Structure
|
|
5400
5394
|
end
|
|
5401
5395
|
|
|
5402
|
-
# @note When making an API call, you may pass UpdatePrimaryRegionRequest
|
|
5403
|
-
# data as a hash:
|
|
5404
|
-
#
|
|
5405
|
-
# {
|
|
5406
|
-
# key_id: "KeyIdType", # required
|
|
5407
|
-
# primary_region: "RegionType", # required
|
|
5408
|
-
# }
|
|
5409
|
-
#
|
|
5410
5396
|
# @!attribute [rw] key_id
|
|
5411
5397
|
# Identifies the current primary key. When the operation completes,
|
|
5412
5398
|
# this KMS key will be a replica key.
|
|
@@ -5442,17 +5428,6 @@ module Aws::KMS
|
|
|
5442
5428
|
include Aws::Structure
|
|
5443
5429
|
end
|
|
5444
5430
|
|
|
5445
|
-
# @note When making an API call, you may pass VerifyMacRequest
|
|
5446
|
-
# data as a hash:
|
|
5447
|
-
#
|
|
5448
|
-
# {
|
|
5449
|
-
# message: "data", # required
|
|
5450
|
-
# key_id: "KeyIdType", # required
|
|
5451
|
-
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
5452
|
-
# mac: "data", # required
|
|
5453
|
-
# grant_tokens: ["GrantTokenType"],
|
|
5454
|
-
# }
|
|
5455
|
-
#
|
|
5456
5431
|
# @!attribute [rw] message
|
|
5457
5432
|
# The message that will be used in the verification. Enter the same
|
|
5458
5433
|
# message that was used to generate the HMAC.
|
|
@@ -5536,18 +5511,6 @@ module Aws::KMS
|
|
|
5536
5511
|
include Aws::Structure
|
|
5537
5512
|
end
|
|
5538
5513
|
|
|
5539
|
-
# @note When making an API call, you may pass VerifyRequest
|
|
5540
|
-
# data as a hash:
|
|
5541
|
-
#
|
|
5542
|
-
# {
|
|
5543
|
-
# key_id: "KeyIdType", # required
|
|
5544
|
-
# message: "data", # required
|
|
5545
|
-
# message_type: "RAW", # accepts RAW, DIGEST
|
|
5546
|
-
# signature: "data", # required
|
|
5547
|
-
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
5548
|
-
# grant_tokens: ["GrantTokenType"],
|
|
5549
|
-
# }
|
|
5550
|
-
#
|
|
5551
5514
|
# @!attribute [rw] key_id
|
|
5552
5515
|
# Identifies the asymmetric KMS key that will be used to verify the
|
|
5553
5516
|
# signature. This must be the same KMS key that was used to generate
|
|
@@ -5662,5 +5625,324 @@ module Aws::KMS
|
|
|
5662
5625
|
include Aws::Structure
|
|
5663
5626
|
end
|
|
5664
5627
|
|
|
5628
|
+
# The request was rejected because the (`XksKeyId`) is already
|
|
5629
|
+
# associated with a KMS key in this external key store. Each KMS key in
|
|
5630
|
+
# an external key store must be associated with a different external
|
|
5631
|
+
# key.
|
|
5632
|
+
#
|
|
5633
|
+
# @!attribute [rw] message
|
|
5634
|
+
# @return [String]
|
|
5635
|
+
#
|
|
5636
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyAlreadyInUseException AWS API Documentation
|
|
5637
|
+
#
|
|
5638
|
+
class XksKeyAlreadyInUseException < Struct.new(
|
|
5639
|
+
:message)
|
|
5640
|
+
SENSITIVE = []
|
|
5641
|
+
include Aws::Structure
|
|
5642
|
+
end
|
|
5643
|
+
|
|
5644
|
+
# Information about the [external key ][1]that is associated with a KMS
|
|
5645
|
+
# key in an external key store.
|
|
5646
|
+
#
|
|
5647
|
+
# This element appears in a CreateKey or DescribeKey response only for a
|
|
5648
|
+
# KMS key in an external key store.
|
|
5649
|
+
#
|
|
5650
|
+
# The *external key* is a symmetric encryption key that is hosted by an
|
|
5651
|
+
# external key manager outside of Amazon Web Services. When you use the
|
|
5652
|
+
# KMS key in an external key store in a cryptographic operation, the
|
|
5653
|
+
# cryptographic operation is performed in the external key manager using
|
|
5654
|
+
# the specified external key. For more information, see [External
|
|
5655
|
+
# key][1] in the *Key Management Service Developer Guide*.
|
|
5656
|
+
#
|
|
5657
|
+
#
|
|
5658
|
+
#
|
|
5659
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key
|
|
5660
|
+
#
|
|
5661
|
+
# @!attribute [rw] id
|
|
5662
|
+
# The ID of the external key in its external key manager. This is the
|
|
5663
|
+
# ID that the external key store proxy uses to identify the external
|
|
5664
|
+
# key.
|
|
5665
|
+
# @return [String]
|
|
5666
|
+
#
|
|
5667
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyConfigurationType AWS API Documentation
|
|
5668
|
+
#
|
|
5669
|
+
class XksKeyConfigurationType < Struct.new(
|
|
5670
|
+
:id)
|
|
5671
|
+
SENSITIVE = []
|
|
5672
|
+
include Aws::Structure
|
|
5673
|
+
end
|
|
5674
|
+
|
|
5675
|
+
# The request was rejected because the external key specified by the
|
|
5676
|
+
# `XksKeyId` parameter did not meet the configuration requirements for
|
|
5677
|
+
# an external key store.
|
|
5678
|
+
#
|
|
5679
|
+
# The external key must be an AES-256 symmetric key that is enabled and
|
|
5680
|
+
# performs encryption and decryption.
|
|
5681
|
+
#
|
|
5682
|
+
# @!attribute [rw] message
|
|
5683
|
+
# @return [String]
|
|
5684
|
+
#
|
|
5685
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyInvalidConfigurationException AWS API Documentation
|
|
5686
|
+
#
|
|
5687
|
+
class XksKeyInvalidConfigurationException < Struct.new(
|
|
5688
|
+
:message)
|
|
5689
|
+
SENSITIVE = []
|
|
5690
|
+
include Aws::Structure
|
|
5691
|
+
end
|
|
5692
|
+
|
|
5693
|
+
# The request was rejected because the external key store proxy could
|
|
5694
|
+
# not find the external key. This exception is thrown when the value of
|
|
5695
|
+
# the `XksKeyId` parameter doesn't identify a key in the external key
|
|
5696
|
+
# manager associated with the external key proxy.
|
|
5697
|
+
#
|
|
5698
|
+
# Verify that the `XksKeyId` represents an existing key in the external
|
|
5699
|
+
# key manager. Use the key identifier that the external key store proxy
|
|
5700
|
+
# uses to identify the key. For details, see the documentation provided
|
|
5701
|
+
# with your external key store proxy or key manager.
|
|
5702
|
+
#
|
|
5703
|
+
# @!attribute [rw] message
|
|
5704
|
+
# @return [String]
|
|
5705
|
+
#
|
|
5706
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksKeyNotFoundException AWS API Documentation
|
|
5707
|
+
#
|
|
5708
|
+
class XksKeyNotFoundException < Struct.new(
|
|
5709
|
+
:message)
|
|
5710
|
+
SENSITIVE = []
|
|
5711
|
+
include Aws::Structure
|
|
5712
|
+
end
|
|
5713
|
+
|
|
5714
|
+
# KMS uses the authentication credential to sign requests that it sends
|
|
5715
|
+
# to the external key store proxy (XKS proxy) on your behalf. You
|
|
5716
|
+
# establish these credentials on your external key store proxy and
|
|
5717
|
+
# report them to KMS.
|
|
5718
|
+
#
|
|
5719
|
+
# The `XksProxyAuthenticationCredential` includes two required elements.
|
|
5720
|
+
#
|
|
5721
|
+
# @!attribute [rw] access_key_id
|
|
5722
|
+
# A unique identifier for the raw secret access key.
|
|
5723
|
+
# @return [String]
|
|
5724
|
+
#
|
|
5725
|
+
# @!attribute [rw] raw_secret_access_key
|
|
5726
|
+
# A secret string of 43-64 characters. Valid characters are a-z, A-Z,
|
|
5727
|
+
# 0-9, /, +, and =.
|
|
5728
|
+
# @return [String]
|
|
5729
|
+
#
|
|
5730
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyAuthenticationCredentialType AWS API Documentation
|
|
5731
|
+
#
|
|
5732
|
+
class XksProxyAuthenticationCredentialType < Struct.new(
|
|
5733
|
+
:access_key_id,
|
|
5734
|
+
:raw_secret_access_key)
|
|
5735
|
+
SENSITIVE = [:access_key_id, :raw_secret_access_key]
|
|
5736
|
+
include Aws::Structure
|
|
5737
|
+
end
|
|
5738
|
+
|
|
5739
|
+
# Detailed information about the external key store proxy (XKS proxy).
|
|
5740
|
+
# Your external key store proxy translates KMS requests into a format
|
|
5741
|
+
# that your external key manager can understand. These fields appear in
|
|
5742
|
+
# a DescribeCustomKeyStores response only when the `CustomKeyStoreType`
|
|
5743
|
+
# is `EXTERNAL_KEY_STORE`.
|
|
5744
|
+
#
|
|
5745
|
+
# @!attribute [rw] connectivity
|
|
5746
|
+
# Indicates whether the external key store proxy uses a public
|
|
5747
|
+
# endpoint or an Amazon VPC endpoint service to communicate with KMS.
|
|
5748
|
+
# @return [String]
|
|
5749
|
+
#
|
|
5750
|
+
# @!attribute [rw] access_key_id
|
|
5751
|
+
# The part of the external key store [proxy authentication
|
|
5752
|
+
# credential][1] that uniquely identifies the secret access key.
|
|
5753
|
+
#
|
|
5754
|
+
#
|
|
5755
|
+
#
|
|
5756
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential
|
|
5757
|
+
# @return [String]
|
|
5758
|
+
#
|
|
5759
|
+
# @!attribute [rw] uri_endpoint
|
|
5760
|
+
# The URI endpoint for the external key store proxy.
|
|
5761
|
+
#
|
|
5762
|
+
# If the external key store proxy has a public endpoint, it is
|
|
5763
|
+
# displayed here.
|
|
5764
|
+
#
|
|
5765
|
+
# If the external key store proxy uses an Amazon VPC endpoint service
|
|
5766
|
+
# name, this field displays the private DNS name associated with the
|
|
5767
|
+
# VPC endpoint service.
|
|
5768
|
+
# @return [String]
|
|
5769
|
+
#
|
|
5770
|
+
# @!attribute [rw] uri_path
|
|
5771
|
+
# The path to the external key store proxy APIs.
|
|
5772
|
+
# @return [String]
|
|
5773
|
+
#
|
|
5774
|
+
# @!attribute [rw] vpc_endpoint_service_name
|
|
5775
|
+
# The Amazon VPC endpoint service used to communicate with the
|
|
5776
|
+
# external key store proxy. This field appears only when the external
|
|
5777
|
+
# key store proxy uses an Amazon VPC endpoint service to communicate
|
|
5778
|
+
# with KMS.
|
|
5779
|
+
# @return [String]
|
|
5780
|
+
#
|
|
5781
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyConfigurationType AWS API Documentation
|
|
5782
|
+
#
|
|
5783
|
+
class XksProxyConfigurationType < Struct.new(
|
|
5784
|
+
:connectivity,
|
|
5785
|
+
:access_key_id,
|
|
5786
|
+
:uri_endpoint,
|
|
5787
|
+
:uri_path,
|
|
5788
|
+
:vpc_endpoint_service_name)
|
|
5789
|
+
SENSITIVE = [:access_key_id]
|
|
5790
|
+
include Aws::Structure
|
|
5791
|
+
end
|
|
5792
|
+
|
|
5793
|
+
# The request was rejected because the proxy credentials failed to
|
|
5794
|
+
# authenticate to the specified external key store proxy. The specified
|
|
5795
|
+
# external key store proxy rejected a status request from KMS due to
|
|
5796
|
+
# invalid credentials. This can indicate an error in the credentials or
|
|
5797
|
+
# in the identification of the external key store proxy.
|
|
5798
|
+
#
|
|
5799
|
+
# @!attribute [rw] message
|
|
5800
|
+
# @return [String]
|
|
5801
|
+
#
|
|
5802
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyIncorrectAuthenticationCredentialException AWS API Documentation
|
|
5803
|
+
#
|
|
5804
|
+
class XksProxyIncorrectAuthenticationCredentialException < Struct.new(
|
|
5805
|
+
:message)
|
|
5806
|
+
SENSITIVE = []
|
|
5807
|
+
include Aws::Structure
|
|
5808
|
+
end
|
|
5809
|
+
|
|
5810
|
+
# The request was rejected because the Amazon VPC endpoint service
|
|
5811
|
+
# configuration does not fulfill the requirements for an external key
|
|
5812
|
+
# store proxy. For details, see the exception message.
|
|
5813
|
+
#
|
|
5814
|
+
# @!attribute [rw] message
|
|
5815
|
+
# @return [String]
|
|
5816
|
+
#
|
|
5817
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidConfigurationException AWS API Documentation
|
|
5818
|
+
#
|
|
5819
|
+
class XksProxyInvalidConfigurationException < Struct.new(
|
|
5820
|
+
:message)
|
|
5821
|
+
SENSITIVE = []
|
|
5822
|
+
include Aws::Structure
|
|
5823
|
+
end
|
|
5824
|
+
|
|
5825
|
+
# KMS cannot interpret the response it received from the external key
|
|
5826
|
+
# store proxy. The problem might be a poorly constructed response, but
|
|
5827
|
+
# it could also be a transient network issue. If you see this error
|
|
5828
|
+
# repeatedly, report it to the proxy vendor.
|
|
5829
|
+
#
|
|
5830
|
+
# @!attribute [rw] message
|
|
5831
|
+
# @return [String]
|
|
5832
|
+
#
|
|
5833
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyInvalidResponseException AWS API Documentation
|
|
5834
|
+
#
|
|
5835
|
+
class XksProxyInvalidResponseException < Struct.new(
|
|
5836
|
+
:message)
|
|
5837
|
+
SENSITIVE = []
|
|
5838
|
+
include Aws::Structure
|
|
5839
|
+
end
|
|
5840
|
+
|
|
5841
|
+
# The request was rejected because the concatenation of the
|
|
5842
|
+
# `XksProxyUriEndpoint` is already associated with an external key store
|
|
5843
|
+
# in the Amazon Web Services account and Region. Each external key store
|
|
5844
|
+
# in an account and Region must use a unique external key store proxy
|
|
5845
|
+
# address.
|
|
5846
|
+
#
|
|
5847
|
+
# @!attribute [rw] message
|
|
5848
|
+
# @return [String]
|
|
5849
|
+
#
|
|
5850
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriEndpointInUseException AWS API Documentation
|
|
5851
|
+
#
|
|
5852
|
+
class XksProxyUriEndpointInUseException < Struct.new(
|
|
5853
|
+
:message)
|
|
5854
|
+
SENSITIVE = []
|
|
5855
|
+
include Aws::Structure
|
|
5856
|
+
end
|
|
5857
|
+
|
|
5858
|
+
# The request was rejected because the concatenation of the
|
|
5859
|
+
# `XksProxyUriEndpoint` and `XksProxyUriPath` is already associated with
|
|
5860
|
+
# an external key store in the Amazon Web Services account and Region.
|
|
5861
|
+
# Each external key store in an account and Region must use a unique
|
|
5862
|
+
# external key store proxy API address.
|
|
5863
|
+
#
|
|
5864
|
+
# @!attribute [rw] message
|
|
5865
|
+
# @return [String]
|
|
5866
|
+
#
|
|
5867
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriInUseException AWS API Documentation
|
|
5868
|
+
#
|
|
5869
|
+
class XksProxyUriInUseException < Struct.new(
|
|
5870
|
+
:message)
|
|
5871
|
+
SENSITIVE = []
|
|
5872
|
+
include Aws::Structure
|
|
5873
|
+
end
|
|
5874
|
+
|
|
5875
|
+
# KMS was unable to reach the specified `XksProxyUriPath`. The path must
|
|
5876
|
+
# be reachable before you create the external key store or update its
|
|
5877
|
+
# settings.
|
|
5878
|
+
#
|
|
5879
|
+
# This exception is also thrown when the external key store proxy
|
|
5880
|
+
# response to a `GetHealthStatus` request indicates that all external
|
|
5881
|
+
# key manager instances are unavailable.
|
|
5882
|
+
#
|
|
5883
|
+
# @!attribute [rw] message
|
|
5884
|
+
# @return [String]
|
|
5885
|
+
#
|
|
5886
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyUriUnreachableException AWS API Documentation
|
|
5887
|
+
#
|
|
5888
|
+
class XksProxyUriUnreachableException < Struct.new(
|
|
5889
|
+
:message)
|
|
5890
|
+
SENSITIVE = []
|
|
5891
|
+
include Aws::Structure
|
|
5892
|
+
end
|
|
5893
|
+
|
|
5894
|
+
# The request was rejected because the specified Amazon VPC endpoint
|
|
5895
|
+
# service is already associated with an external key store in the Amazon
|
|
5896
|
+
# Web Services account and Region. Each external key store in an Amazon
|
|
5897
|
+
# Web Services account and Region must use a different Amazon VPC
|
|
5898
|
+
# endpoint service.
|
|
5899
|
+
#
|
|
5900
|
+
# @!attribute [rw] message
|
|
5901
|
+
# @return [String]
|
|
5902
|
+
#
|
|
5903
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInUseException AWS API Documentation
|
|
5904
|
+
#
|
|
5905
|
+
class XksProxyVpcEndpointServiceInUseException < Struct.new(
|
|
5906
|
+
:message)
|
|
5907
|
+
SENSITIVE = []
|
|
5908
|
+
include Aws::Structure
|
|
5909
|
+
end
|
|
5910
|
+
|
|
5911
|
+
# The request was rejected because the Amazon VPC endpoint service
|
|
5912
|
+
# configuration does not fulfill the requirements for an external key
|
|
5913
|
+
# store proxy. For details, see the exception message and [review the
|
|
5914
|
+
# requirements](kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements)
|
|
5915
|
+
# for Amazon VPC endpoint service connectivity for an external key
|
|
5916
|
+
# store.
|
|
5917
|
+
#
|
|
5918
|
+
# @!attribute [rw] message
|
|
5919
|
+
# @return [String]
|
|
5920
|
+
#
|
|
5921
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceInvalidConfigurationException AWS API Documentation
|
|
5922
|
+
#
|
|
5923
|
+
class XksProxyVpcEndpointServiceInvalidConfigurationException < Struct.new(
|
|
5924
|
+
:message)
|
|
5925
|
+
SENSITIVE = []
|
|
5926
|
+
include Aws::Structure
|
|
5927
|
+
end
|
|
5928
|
+
|
|
5929
|
+
# The request was rejected because KMS could not find the specified VPC
|
|
5930
|
+
# endpoint service. Use DescribeCustomKeyStores to verify the VPC
|
|
5931
|
+
# endpoint service name for the external key store. Also, confirm that
|
|
5932
|
+
# the `Allow principals` list for the VPC endpoint service includes the
|
|
5933
|
+
# KMS service principal for the Region, such as
|
|
5934
|
+
# `cks.kms.us-east-1.amazonaws.com`.
|
|
5935
|
+
#
|
|
5936
|
+
# @!attribute [rw] message
|
|
5937
|
+
# @return [String]
|
|
5938
|
+
#
|
|
5939
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/XksProxyVpcEndpointServiceNotFoundException AWS API Documentation
|
|
5940
|
+
#
|
|
5941
|
+
class XksProxyVpcEndpointServiceNotFoundException < Struct.new(
|
|
5942
|
+
:message)
|
|
5943
|
+
SENSITIVE = []
|
|
5944
|
+
include Aws::Structure
|
|
5945
|
+
end
|
|
5946
|
+
|
|
5665
5947
|
end
|
|
5666
5948
|
end
|