aws-sdk-kms 1.63.0 → 1.72.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +45 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1098 -342
- data/lib/aws-sdk-kms/client_api.rb +47 -0
- data/lib/aws-sdk-kms/endpoints.rb +1 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +621 -70
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +4 -4
data/lib/aws-sdk-kms/client.rb
CHANGED
|
@@ -28,6 +28,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
|
|
28
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
|
29
29
|
require 'aws-sdk-core/plugins/http_checksum.rb'
|
|
30
30
|
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
|
31
|
+
require 'aws-sdk-core/plugins/request_compression.rb'
|
|
31
32
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
|
32
33
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
|
33
34
|
require 'aws-sdk-core/plugins/sign.rb'
|
|
@@ -77,6 +78,7 @@ module Aws::KMS
|
|
|
77
78
|
add_plugin(Aws::Plugins::TransferEncoding)
|
|
78
79
|
add_plugin(Aws::Plugins::HttpChecksum)
|
|
79
80
|
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
|
81
|
+
add_plugin(Aws::Plugins::RequestCompression)
|
|
80
82
|
add_plugin(Aws::Plugins::DefaultsMode)
|
|
81
83
|
add_plugin(Aws::Plugins::RecursionDetection)
|
|
82
84
|
add_plugin(Aws::Plugins::Sign)
|
|
@@ -190,6 +192,10 @@ module Aws::KMS
|
|
|
190
192
|
# Set to true to disable SDK automatically adding host prefix
|
|
191
193
|
# to default service endpoint when available.
|
|
192
194
|
#
|
|
195
|
+
# @option options [Boolean] :disable_request_compression (false)
|
|
196
|
+
# When set to 'true' the request body will not be compressed
|
|
197
|
+
# for supported operations.
|
|
198
|
+
#
|
|
193
199
|
# @option options [String] :endpoint
|
|
194
200
|
# The client endpoint is normally constructed from the `:region`
|
|
195
201
|
# option. You should only configure an `:endpoint` when connecting
|
|
@@ -210,6 +216,10 @@ module Aws::KMS
|
|
|
210
216
|
# @option options [Boolean] :endpoint_discovery (false)
|
|
211
217
|
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
|
212
218
|
#
|
|
219
|
+
# @option options [Boolean] :ignore_configured_endpoint_urls
|
|
220
|
+
# Setting to true disables use of endpoint URLs provided via environment
|
|
221
|
+
# variables and the shared configuration file.
|
|
222
|
+
#
|
|
213
223
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
|
214
224
|
# The log formatter.
|
|
215
225
|
#
|
|
@@ -230,6 +240,11 @@ module Aws::KMS
|
|
|
230
240
|
# Used when loading credentials from the shared credentials file
|
|
231
241
|
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
|
232
242
|
#
|
|
243
|
+
# @option options [Integer] :request_min_compression_size_bytes (10240)
|
|
244
|
+
# The minimum size in bytes that triggers compression for request
|
|
245
|
+
# bodies. The value must be non-negative integer value between 0
|
|
246
|
+
# and 10485780 bytes inclusive.
|
|
247
|
+
#
|
|
233
248
|
# @option options [Proc] :retry_backoff
|
|
234
249
|
# A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
|
|
235
250
|
# This option is only used in the `legacy` retry mode.
|
|
@@ -275,6 +290,11 @@ module Aws::KMS
|
|
|
275
290
|
# in the future.
|
|
276
291
|
#
|
|
277
292
|
#
|
|
293
|
+
# @option options [String] :sdk_ua_app_id
|
|
294
|
+
# A unique and opaque application ID that is appended to the
|
|
295
|
+
# User-Agent header as app/<sdk_ua_app_id>. It should have a
|
|
296
|
+
# maximum length of 50.
|
|
297
|
+
#
|
|
278
298
|
# @option options [String] :secret_access_key
|
|
279
299
|
#
|
|
280
300
|
# @option options [String] :session_token
|
|
@@ -390,12 +410,12 @@ module Aws::KMS
|
|
|
390
410
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
391
411
|
# Management Service Developer Guide*.
|
|
392
412
|
#
|
|
393
|
-
# **Cross-account use
|
|
413
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
394
414
|
# key in a different Amazon Web Services account.
|
|
395
415
|
#
|
|
396
|
-
# **Required permissions
|
|
416
|
+
# **Required permissions**: [kms:CancelKeyDeletion][3] (key policy)
|
|
397
417
|
#
|
|
398
|
-
# **Related operations
|
|
418
|
+
# **Related operations**: ScheduleKeyDeletion
|
|
399
419
|
#
|
|
400
420
|
#
|
|
401
421
|
#
|
|
@@ -527,10 +547,10 @@ module Aws::KMS
|
|
|
527
547
|
# store, see [Troubleshooting an external key store][6] in the *Key
|
|
528
548
|
# Management Service Developer Guide*.
|
|
529
549
|
#
|
|
530
|
-
# **Cross-account use
|
|
550
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
531
551
|
# custom key store in a different Amazon Web Services account.
|
|
532
552
|
#
|
|
533
|
-
# **Required permissions
|
|
553
|
+
# **Required permissions**: [kms:ConnectCustomKeyStore][7] (IAM policy)
|
|
534
554
|
#
|
|
535
555
|
# **Related operations**
|
|
536
556
|
#
|
|
@@ -624,7 +644,7 @@ module Aws::KMS
|
|
|
624
644
|
# key state. For details, see [Key states of KMS keys][4] in the *Key
|
|
625
645
|
# Management Service Developer Guide*.
|
|
626
646
|
#
|
|
627
|
-
# **Cross-account use
|
|
647
|
+
# **Cross-account use**: No. You cannot perform this operation on an
|
|
628
648
|
# alias in a different Amazon Web Services account.
|
|
629
649
|
#
|
|
630
650
|
# **Required permissions**
|
|
@@ -657,6 +677,10 @@ module Aws::KMS
|
|
|
657
677
|
# Specifies the alias name. This value must begin with `alias/` followed
|
|
658
678
|
# by a name, such as `alias/ExampleAlias`.
|
|
659
679
|
#
|
|
680
|
+
# Do not include confidential or sensitive information in this field.
|
|
681
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
682
|
+
# output.
|
|
683
|
+
#
|
|
660
684
|
# The `AliasName` value must be string of 1-256 characters. It can
|
|
661
685
|
# contain only alphanumeric characters, forward slashes (/), underscores
|
|
662
686
|
# (\_), and dashes (-). The alias name cannot begin with `alias/aws/`.
|
|
@@ -788,10 +812,10 @@ module Aws::KMS
|
|
|
788
812
|
# For help with failures, see [Troubleshooting a custom key store][7] in
|
|
789
813
|
# the *Key Management Service Developer Guide*.
|
|
790
814
|
#
|
|
791
|
-
# **Cross-account use
|
|
815
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
792
816
|
# custom key store in a different Amazon Web Services account.
|
|
793
817
|
#
|
|
794
|
-
# **Required permissions
|
|
818
|
+
# **Required permissions**: [kms:CreateCustomKeyStore][9] (IAM policy).
|
|
795
819
|
#
|
|
796
820
|
# **Related operations:**
|
|
797
821
|
#
|
|
@@ -822,6 +846,10 @@ module Aws::KMS
|
|
|
822
846
|
# unique in your Amazon Web Services account and Region. This parameter
|
|
823
847
|
# is required for all custom key stores.
|
|
824
848
|
#
|
|
849
|
+
# Do not include confidential or sensitive information in this field.
|
|
850
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
851
|
+
# output.
|
|
852
|
+
#
|
|
825
853
|
# @option params [String] :cloud_hsm_cluster_id
|
|
826
854
|
# Identifies the CloudHSM cluster for an CloudHSM key store. This
|
|
827
855
|
# parameter is required for custom key stores with `CustomKeyStoreType`
|
|
@@ -1018,7 +1046,7 @@ module Aws::KMS
|
|
|
1018
1046
|
# # This example creates a custom key store that is associated with an AWS CloudHSM cluster.
|
|
1019
1047
|
#
|
|
1020
1048
|
# resp = client.create_custom_key_store({
|
|
1021
|
-
# cloud_hsm_cluster_id: "cluster-
|
|
1049
|
+
# cloud_hsm_cluster_id: "cluster-234abcdefABC", # The ID of the CloudHSM cluster.
|
|
1022
1050
|
# custom_key_store_name: "ExampleKeyStore", # A friendly name for the custom key store.
|
|
1023
1051
|
# key_store_password: "kmsPswd", # The password for the kmsuser CU account in the specified cluster.
|
|
1024
1052
|
# trust_anchor_certificate: "<certificate-goes-here>", # The content of the customerCA.crt file that you created when you initialized the cluster.
|
|
@@ -1140,11 +1168,11 @@ module Aws::KMS
|
|
|
1140
1168
|
# key state. For details, see [Key states of KMS keys][4] in the *Key
|
|
1141
1169
|
# Management Service Developer Guide*.
|
|
1142
1170
|
#
|
|
1143
|
-
# **Cross-account use
|
|
1171
|
+
# **Cross-account use**: Yes. To perform this operation on a KMS key in
|
|
1144
1172
|
# a different Amazon Web Services account, specify the key ARN in the
|
|
1145
1173
|
# value of the `KeyId` parameter.
|
|
1146
1174
|
#
|
|
1147
|
-
# **Required permissions
|
|
1175
|
+
# **Required permissions**: [kms:CreateGrant][5] (key policy)
|
|
1148
1176
|
#
|
|
1149
1177
|
# **Related operations:**
|
|
1150
1178
|
#
|
|
@@ -1235,22 +1263,19 @@ module Aws::KMS
|
|
|
1235
1263
|
# @option params [Types::GrantConstraints] :constraints
|
|
1236
1264
|
# Specifies a grant constraint.
|
|
1237
1265
|
#
|
|
1266
|
+
# Do not include confidential or sensitive information in this field.
|
|
1267
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
1268
|
+
# output.
|
|
1269
|
+
#
|
|
1238
1270
|
# KMS supports the `EncryptionContextEquals` and
|
|
1239
|
-
# `EncryptionContextSubset` grant constraints
|
|
1240
|
-
#
|
|
1241
|
-
#
|
|
1242
|
-
#
|
|
1243
|
-
#
|
|
1244
|
-
# encryption context, see [Encryption context][2] in the <i> <i>Key
|
|
1245
|
-
# Management Service Developer Guide</i> </i>.
|
|
1246
|
-
#
|
|
1247
|
-
# The encryption context grant constraints allow the permissions in the
|
|
1248
|
-
# grant only when the encryption context in the request matches
|
|
1249
|
-
# (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
|
|
1250
|
-
# the encryption context specified in this structure.
|
|
1271
|
+
# `EncryptionContextSubset` grant constraints, which allow the
|
|
1272
|
+
# permissions in the grant only when the encryption context in the
|
|
1273
|
+
# request matches (`EncryptionContextEquals`) or includes
|
|
1274
|
+
# (`EncryptionContextSubset`) the encryption context specified in the
|
|
1275
|
+
# constraint.
|
|
1251
1276
|
#
|
|
1252
1277
|
# The encryption context grant constraints are supported only on [grant
|
|
1253
|
-
# operations][
|
|
1278
|
+
# operations][1] that include an `EncryptionContext` parameter, such as
|
|
1254
1279
|
# cryptographic operations on symmetric encryption KMS keys. Grants with
|
|
1255
1280
|
# grant constraints can include the DescribeKey and RetireGrant
|
|
1256
1281
|
# operations, but the constraint doesn't apply to these operations. If
|
|
@@ -1261,15 +1286,20 @@ module Aws::KMS
|
|
|
1261
1286
|
#
|
|
1262
1287
|
# You cannot use an encryption context grant constraint for
|
|
1263
1288
|
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
|
1264
|
-
#
|
|
1265
|
-
#
|
|
1289
|
+
# Operations with these keys don't support an encryption context.
|
|
1266
1290
|
#
|
|
1291
|
+
# Each constraint value can include up to 8 encryption context pairs.
|
|
1292
|
+
# The encryption context value in each constraint cannot exceed 384
|
|
1293
|
+
# characters. For information about grant constraints, see [Using grant
|
|
1294
|
+
# constraints][2] in the *Key Management Service Developer Guide*. For
|
|
1295
|
+
# more information about encryption context, see [Encryption context][3]
|
|
1296
|
+
# in the <i> <i>Key Management Service Developer Guide</i> </i>.
|
|
1267
1297
|
#
|
|
1268
1298
|
#
|
|
1269
1299
|
#
|
|
1270
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1271
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1272
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1300
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
|
1301
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
|
1302
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
1273
1303
|
#
|
|
1274
1304
|
# @option params [Array<String>] :grant_tokens
|
|
1275
1305
|
# A list of grant tokens.
|
|
@@ -1288,6 +1318,10 @@ module Aws::KMS
|
|
|
1288
1318
|
# A friendly name for the grant. Use this value to prevent the
|
|
1289
1319
|
# unintended creation of duplicate grants when retrying this request.
|
|
1290
1320
|
#
|
|
1321
|
+
# Do not include confidential or sensitive information in this field.
|
|
1322
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
1323
|
+
# output.
|
|
1324
|
+
#
|
|
1291
1325
|
# When this value is absent, all `CreateGrant` requests result in a new
|
|
1292
1326
|
# grant with a unique `GrantId` even if all the supplied parameters are
|
|
1293
1327
|
# identical. This can result in unintended duplicates when you retry the
|
|
@@ -1300,6 +1334,17 @@ module Aws::KMS
|
|
|
1300
1334
|
# when a duplicate `GrantId` is returned. All grant tokens for the same
|
|
1301
1335
|
# grant ID can be used interchangeably.
|
|
1302
1336
|
#
|
|
1337
|
+
# @option params [Boolean] :dry_run
|
|
1338
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
1339
|
+
# parameter.
|
|
1340
|
+
#
|
|
1341
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
1342
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
1343
|
+
#
|
|
1344
|
+
#
|
|
1345
|
+
#
|
|
1346
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
1347
|
+
#
|
|
1303
1348
|
# @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1304
1349
|
#
|
|
1305
1350
|
# * {Types::CreateGrantResponse#grant_token #grant_token} => String
|
|
@@ -1342,6 +1387,7 @@ module Aws::KMS
|
|
|
1342
1387
|
# },
|
|
1343
1388
|
# grant_tokens: ["GrantTokenType"],
|
|
1344
1389
|
# name: "GrantNameType",
|
|
1390
|
+
# dry_run: false,
|
|
1345
1391
|
# })
|
|
1346
1392
|
#
|
|
1347
1393
|
# @example Response structure
|
|
@@ -1439,13 +1485,6 @@ module Aws::KMS
|
|
|
1439
1485
|
# You can use HMAC keys to generate (GenerateMac) and verify
|
|
1440
1486
|
# (VerifyMac) HMAC codes for messages up to 4096 bytes.
|
|
1441
1487
|
#
|
|
1442
|
-
# HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
|
1443
|
-
# If you try to create an HMAC KMS key in an Amazon Web Services
|
|
1444
|
-
# Region in which HMAC keys are not supported, the `CreateKey`
|
|
1445
|
-
# operation returns an `UnsupportedOperationException`. For a list of
|
|
1446
|
-
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
|
1447
|
-
# KMS][4] in the *Key Management Service Developer Guide*.
|
|
1448
|
-
#
|
|
1449
1488
|
#
|
|
1450
1489
|
#
|
|
1451
1490
|
# Multi-Region primary keys
|
|
@@ -1472,46 +1511,48 @@ module Aws::KMS
|
|
|
1472
1511
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
|
1473
1512
|
# a different Amazon Web Services Region without re-encrypting the
|
|
1474
1513
|
# data or making a cross-Region call. For more information about
|
|
1475
|
-
# multi-Region keys, see [Multi-Region keys in KMS][
|
|
1514
|
+
# multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
|
|
1476
1515
|
# Management Service Developer Guide*.
|
|
1477
1516
|
#
|
|
1478
1517
|
#
|
|
1479
1518
|
#
|
|
1480
1519
|
# : To import your own key material into a KMS key, begin by creating a
|
|
1481
|
-
#
|
|
1482
|
-
#
|
|
1483
|
-
#
|
|
1484
|
-
#
|
|
1520
|
+
# KMS key with no key material. To do this, use the `Origin` parameter
|
|
1521
|
+
# of `CreateKey` with a value of `EXTERNAL`. Next, use
|
|
1522
|
+
# GetParametersForImport operation to get a public key and import
|
|
1523
|
+
# token. Use the wrapping public key to encrypt your key material.
|
|
1485
1524
|
# Then, use ImportKeyMaterial with your import token to import the key
|
|
1486
1525
|
# material. For step-by-step instructions, see [Importing Key
|
|
1487
|
-
# Material][
|
|
1526
|
+
# Material][5] in the <i> <i>Key Management Service Developer
|
|
1488
1527
|
# Guide</i> </i>.
|
|
1489
1528
|
#
|
|
1490
|
-
#
|
|
1491
|
-
#
|
|
1492
|
-
#
|
|
1529
|
+
# You can import key material into KMS keys of all supported KMS key
|
|
1530
|
+
# types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
|
|
1531
|
+
# encryption KMS keys, and asymmetric signing KMS keys. You can also
|
|
1532
|
+
# create multi-Region keys with imported key material. However, you
|
|
1533
|
+
# can't import key material into a KMS key in a custom key store.
|
|
1493
1534
|
#
|
|
1494
1535
|
# To create a multi-Region primary key with imported key material, use
|
|
1495
1536
|
# the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
|
|
1496
1537
|
# the `MultiRegion` parameter with a value of `True`. To create
|
|
1497
1538
|
# replicas of the multi-Region primary key, use the ReplicateKey
|
|
1498
1539
|
# operation. For instructions, see [Importing key material into
|
|
1499
|
-
# multi-Region keys][
|
|
1500
|
-
# see [Multi-Region keys in KMS][
|
|
1540
|
+
# multi-Region keys][6]. For more information about multi-Region keys,
|
|
1541
|
+
# see [Multi-Region keys in KMS][4] in the *Key Management Service
|
|
1501
1542
|
# Developer Guide*.
|
|
1502
1543
|
#
|
|
1503
1544
|
#
|
|
1504
1545
|
#
|
|
1505
1546
|
# Custom key store
|
|
1506
1547
|
#
|
|
1507
|
-
# : A [custom key store][
|
|
1548
|
+
# : A [custom key store][7] lets you protect your Amazon Web Services
|
|
1508
1549
|
# resources using keys in a backing key store that you own and manage.
|
|
1509
1550
|
# When you request a cryptographic operation with a KMS key in a
|
|
1510
1551
|
# custom key store, the operation is performed in the backing key
|
|
1511
1552
|
# store using its cryptographic keys.
|
|
1512
1553
|
#
|
|
1513
|
-
# KMS supports [CloudHSM key stores][
|
|
1514
|
-
# and [external key stores][
|
|
1554
|
+
# KMS supports [CloudHSM key stores][8] backed by an CloudHSM cluster
|
|
1555
|
+
# and [external key stores][9] backed by an external key manager
|
|
1515
1556
|
# outside of Amazon Web Services. When you create a KMS key in an
|
|
1516
1557
|
# CloudHSM key store, KMS generates an encryption key in the CloudHSM
|
|
1517
1558
|
# cluster and associates it with the KMS key. When you create a KMS
|
|
@@ -1536,13 +1577,13 @@ module Aws::KMS
|
|
|
1536
1577
|
# `ENCRYPT_DECRYPT` to create a symmetric encryption key. No other key
|
|
1537
1578
|
# type is supported in a custom key store.
|
|
1538
1579
|
#
|
|
1539
|
-
# To create a KMS key in an [CloudHSM key store][
|
|
1580
|
+
# To create a KMS key in an [CloudHSM key store][8], use the `Origin`
|
|
1540
1581
|
# parameter with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that
|
|
1541
1582
|
# is associated with the custom key store must have at least two
|
|
1542
1583
|
# active HSMs in different Availability Zones in the Amazon Web
|
|
1543
1584
|
# Services Region.
|
|
1544
1585
|
#
|
|
1545
|
-
# To create a KMS key in an [external key store][
|
|
1586
|
+
# To create a KMS key in an [external key store][9], use the `Origin`
|
|
1546
1587
|
# parameter with a value of `EXTERNAL_KEY_STORE` and an `XksKeyId`
|
|
1547
1588
|
# parameter that identifies an existing external key.
|
|
1548
1589
|
#
|
|
@@ -1552,13 +1593,13 @@ module Aws::KMS
|
|
|
1552
1593
|
#
|
|
1553
1594
|
# </note>
|
|
1554
1595
|
#
|
|
1555
|
-
# **Cross-account use
|
|
1596
|
+
# **Cross-account use**: No. You cannot use this operation to create a
|
|
1556
1597
|
# KMS key in a different Amazon Web Services account.
|
|
1557
1598
|
#
|
|
1558
|
-
# **Required permissions
|
|
1559
|
-
#
|
|
1560
|
-
#
|
|
1561
|
-
#
|
|
1599
|
+
# **Required permissions**: [kms:CreateKey][10] (IAM policy). To use the
|
|
1600
|
+
# `Tags` parameter, [kms:TagResource][10] (IAM policy). For examples and
|
|
1601
|
+
# information about related permissions, see [Allow a user to create KMS
|
|
1602
|
+
# keys][11] in the *Key Management Service Developer Guide*.
|
|
1562
1603
|
#
|
|
1563
1604
|
# **Related operations:**
|
|
1564
1605
|
#
|
|
@@ -1573,15 +1614,14 @@ module Aws::KMS
|
|
|
1573
1614
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
|
|
1574
1615
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html
|
|
1575
1616
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
|
1576
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1577
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1578
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1579
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1580
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1581
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-
|
|
1582
|
-
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1583
|
-
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
1584
|
-
# [12]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
|
1617
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
|
1618
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
1619
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
|
|
1620
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
|
1621
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
|
|
1622
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
|
1623
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
1624
|
+
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
|
1585
1625
|
#
|
|
1586
1626
|
# @option params [String] :policy
|
|
1587
1627
|
# The key policy to attach to the KMS key.
|
|
@@ -1621,11 +1661,13 @@ module Aws::KMS
|
|
|
1621
1661
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
|
1622
1662
|
#
|
|
1623
1663
|
# @option params [String] :description
|
|
1624
|
-
# A description of the KMS key.
|
|
1664
|
+
# A description of the KMS key. Use a description that helps you decide
|
|
1665
|
+
# whether the KMS key is appropriate for a task. The default value is an
|
|
1666
|
+
# empty string (no description).
|
|
1625
1667
|
#
|
|
1626
|
-
#
|
|
1627
|
-
#
|
|
1628
|
-
#
|
|
1668
|
+
# Do not include confidential or sensitive information in this field.
|
|
1669
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
1670
|
+
# output.
|
|
1629
1671
|
#
|
|
1630
1672
|
# To set or change the description after the key is created, use
|
|
1631
1673
|
# UpdateKeyDescription.
|
|
@@ -1813,6 +1855,10 @@ module Aws::KMS
|
|
|
1813
1855
|
# KMS key when it is created. To tag an existing KMS key, use the
|
|
1814
1856
|
# TagResource operation.
|
|
1815
1857
|
#
|
|
1858
|
+
# Do not include confidential or sensitive information in this field.
|
|
1859
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
1860
|
+
# output.
|
|
1861
|
+
#
|
|
1816
1862
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
|
|
1817
1863
|
# key. For details, see [ABAC for KMS][1] in the *Key Management Service
|
|
1818
1864
|
# Developer Guide*.
|
|
@@ -2080,8 +2126,8 @@ module Aws::KMS
|
|
|
2080
2126
|
#
|
|
2081
2127
|
# @example Example: To create a KMS key for imported key material
|
|
2082
2128
|
#
|
|
2083
|
-
# # This example creates a KMS key with no key material. When the operation is complete, you can import your own
|
|
2084
|
-
# # material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
|
|
2129
|
+
# # This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own
|
|
2130
|
+
# # key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
|
|
2085
2131
|
#
|
|
2086
2132
|
# resp = client.create_key({
|
|
2087
2133
|
# origin: "EXTERNAL", # The source of the key material for the KMS key.
|
|
@@ -2125,7 +2171,7 @@ module Aws::KMS
|
|
|
2125
2171
|
# key_metadata: {
|
|
2126
2172
|
# aws_account_id: "111122223333",
|
|
2127
2173
|
# arn: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
|
|
2128
|
-
# cloud_hsm_cluster_id: "cluster-
|
|
2174
|
+
# cloud_hsm_cluster_id: "cluster-234abcdefABC",
|
|
2129
2175
|
# creation_date: Time.parse("2019-12-02T07:48:55-07:00"),
|
|
2130
2176
|
# custom_key_store_id: "cks-1234567890abcdef0",
|
|
2131
2177
|
# customer_master_key_spec: "SYMMETRIC_DEFAULT",
|
|
@@ -2297,21 +2343,27 @@ module Aws::KMS
|
|
|
2297
2343
|
# details, see [Best practices for IAM policies][4] in the *Key
|
|
2298
2344
|
# Management Service Developer Guide*.
|
|
2299
2345
|
#
|
|
2300
|
-
#
|
|
2301
|
-
#
|
|
2302
|
-
#
|
|
2303
|
-
# Amazon Web Services
|
|
2304
|
-
#
|
|
2346
|
+
# `Decrypt` also supports [Amazon Web Services Nitro Enclaves][5], which
|
|
2347
|
+
# provide an isolated compute environment in Amazon EC2. To call
|
|
2348
|
+
# `Decrypt` for a Nitro enclave, use the [Amazon Web Services Nitro
|
|
2349
|
+
# Enclaves SDK][6] or any Amazon Web Services SDK. Use the `Recipient`
|
|
2350
|
+
# parameter to provide the attestation document for the enclave. Instead
|
|
2351
|
+
# of the plaintext data, the response includes the plaintext data
|
|
2352
|
+
# encrypted with the public key from the attestation document
|
|
2353
|
+
# (`CiphertextForRecipient`).For information about the interaction
|
|
2354
|
+
# between KMS and Amazon Web Services Nitro Enclaves, see [How Amazon
|
|
2355
|
+
# Web Services Nitro Enclaves uses KMS][7] in the *Key Management
|
|
2356
|
+
# Service Developer Guide*..
|
|
2305
2357
|
#
|
|
2306
2358
|
# The KMS key that you use for this operation must be in a compatible
|
|
2307
|
-
# key state. For details, see [Key states of KMS keys][
|
|
2359
|
+
# key state. For details, see [Key states of KMS keys][8] in the *Key
|
|
2308
2360
|
# Management Service Developer Guide*.
|
|
2309
2361
|
#
|
|
2310
|
-
# **Cross-account use
|
|
2362
|
+
# **Cross-account use**: Yes. If you use the `KeyId` parameter to
|
|
2311
2363
|
# identify a KMS key in a different Amazon Web Services account, specify
|
|
2312
2364
|
# the key ARN or the alias ARN of the KMS key.
|
|
2313
2365
|
#
|
|
2314
|
-
# **Required permissions
|
|
2366
|
+
# **Required permissions**: [kms:Decrypt][9] (key policy)
|
|
2315
2367
|
#
|
|
2316
2368
|
# **Related operations:**
|
|
2317
2369
|
#
|
|
@@ -2329,10 +2381,11 @@ module Aws::KMS
|
|
|
2329
2381
|
# [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
|
2330
2382
|
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
|
2331
2383
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices
|
|
2332
|
-
# [5]: https://
|
|
2333
|
-
# [6]: https://docs.aws.amazon.com/
|
|
2334
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2335
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
2384
|
+
# [5]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
|
|
2385
|
+
# [6]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2386
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
2387
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
2388
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
2336
2389
|
#
|
|
2337
2390
|
# @option params [required, String, StringIO, File] :ciphertext_blob
|
|
2338
2391
|
# Ciphertext to be decrypted. The blob includes metadata.
|
|
@@ -2417,16 +2470,55 @@ module Aws::KMS
|
|
|
2417
2470
|
# represents the only supported algorithm that is valid for symmetric
|
|
2418
2471
|
# encryption KMS keys.
|
|
2419
2472
|
#
|
|
2473
|
+
# @option params [Types::RecipientInfo] :recipient
|
|
2474
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
2475
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
|
2476
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
2477
|
+
#
|
|
2478
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
2479
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
|
2480
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
|
2481
|
+
#
|
|
2482
|
+
# When you use this parameter, instead of returning the plaintext data,
|
|
2483
|
+
# KMS encrypts the plaintext data with the public key in the attestation
|
|
2484
|
+
# document, and returns the resulting ciphertext in the
|
|
2485
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can be
|
|
2486
|
+
# decrypted only with the private key in the enclave. The `Plaintext`
|
|
2487
|
+
# field in the response is null or empty.
|
|
2488
|
+
#
|
|
2489
|
+
# For information about the interaction between KMS and Amazon Web
|
|
2490
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
|
2491
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
|
2492
|
+
#
|
|
2493
|
+
#
|
|
2494
|
+
#
|
|
2495
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
2496
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
2497
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
2498
|
+
#
|
|
2499
|
+
# @option params [Boolean] :dry_run
|
|
2500
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
2501
|
+
# parameter.
|
|
2502
|
+
#
|
|
2503
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
2504
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
2505
|
+
#
|
|
2506
|
+
#
|
|
2507
|
+
#
|
|
2508
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
2509
|
+
#
|
|
2420
2510
|
# @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
2421
2511
|
#
|
|
2422
2512
|
# * {Types::DecryptResponse#key_id #key_id} => String
|
|
2423
2513
|
# * {Types::DecryptResponse#plaintext #plaintext} => String
|
|
2424
2514
|
# * {Types::DecryptResponse#encryption_algorithm #encryption_algorithm} => String
|
|
2515
|
+
# * {Types::DecryptResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
|
2425
2516
|
#
|
|
2426
2517
|
#
|
|
2427
|
-
# @example Example: To decrypt data
|
|
2518
|
+
# @example Example: To decrypt data with a symmetric encryption KMS key
|
|
2428
2519
|
#
|
|
2429
|
-
# # The following example decrypts data that was encrypted with a KMS key.
|
|
2520
|
+
# # The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required
|
|
2521
|
+
# # when decrypting with a symmetric encryption key, but it is a best practice.
|
|
2430
2522
|
#
|
|
2431
2523
|
# resp = client.decrypt({
|
|
2432
2524
|
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
|
@@ -2435,10 +2527,51 @@ module Aws::KMS
|
|
|
2435
2527
|
#
|
|
2436
2528
|
# resp.to_h outputs the following:
|
|
2437
2529
|
# {
|
|
2530
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.
|
|
2438
2531
|
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
|
|
2439
2532
|
# plaintext: "<binary data>", # The decrypted (plaintext) data.
|
|
2440
2533
|
# }
|
|
2441
2534
|
#
|
|
2535
|
+
# @example Example: To decrypt data with an asymmetric encryption KMS key
|
|
2536
|
+
#
|
|
2537
|
+
# # The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption
|
|
2538
|
+
# # key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.
|
|
2539
|
+
#
|
|
2540
|
+
# resp = client.decrypt({
|
|
2541
|
+
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
|
2542
|
+
# encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
|
|
2543
|
+
# key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
|
|
2544
|
+
# })
|
|
2545
|
+
#
|
|
2546
|
+
# resp.to_h outputs the following:
|
|
2547
|
+
# {
|
|
2548
|
+
# encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used to decrypt the ciphertext.
|
|
2549
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
|
|
2550
|
+
# plaintext: "<binary data>", # The decrypted (plaintext) data.
|
|
2551
|
+
# }
|
|
2552
|
+
#
|
|
2553
|
+
# @example Example: To decrypt data for a Nitro enclave
|
|
2554
|
+
#
|
|
2555
|
+
# # The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro
|
|
2556
|
+
# # enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data
|
|
2557
|
+
# # encrypted by the public key from the attestation document (CiphertextForRecipient).
|
|
2558
|
+
#
|
|
2559
|
+
# resp = client.decrypt({
|
|
2560
|
+
# ciphertext_blob: "<binary data>", # The encrypted data. This ciphertext was encrypted with the KMS key
|
|
2561
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key to use to decrypt the ciphertext
|
|
2562
|
+
# recipient: {
|
|
2563
|
+
# attestation_document: "<attestation document>",
|
|
2564
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256",
|
|
2565
|
+
# }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
|
|
2566
|
+
# })
|
|
2567
|
+
#
|
|
2568
|
+
# resp.to_h outputs the following:
|
|
2569
|
+
# {
|
|
2570
|
+
# ciphertext_for_recipient: "<binary data>", # The decrypted CiphertextBlob encrypted with the public key from the attestation document
|
|
2571
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key that was used to decrypt the encrypted data (CiphertextBlob)
|
|
2572
|
+
# plaintext: "", # This field is null or empty
|
|
2573
|
+
# }
|
|
2574
|
+
#
|
|
2442
2575
|
# @example Request syntax with placeholder values
|
|
2443
2576
|
#
|
|
2444
2577
|
# resp = client.decrypt({
|
|
@@ -2449,6 +2582,11 @@ module Aws::KMS
|
|
|
2449
2582
|
# grant_tokens: ["GrantTokenType"],
|
|
2450
2583
|
# key_id: "KeyIdType",
|
|
2451
2584
|
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
2585
|
+
# recipient: {
|
|
2586
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
|
2587
|
+
# attestation_document: "data",
|
|
2588
|
+
# },
|
|
2589
|
+
# dry_run: false,
|
|
2452
2590
|
# })
|
|
2453
2591
|
#
|
|
2454
2592
|
# @example Response structure
|
|
@@ -2456,6 +2594,7 @@ module Aws::KMS
|
|
|
2456
2594
|
# resp.key_id #=> String
|
|
2457
2595
|
# resp.plaintext #=> String
|
|
2458
2596
|
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
2597
|
+
# resp.ciphertext_for_recipient #=> String
|
|
2459
2598
|
#
|
|
2460
2599
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
|
|
2461
2600
|
#
|
|
@@ -2484,7 +2623,7 @@ module Aws::KMS
|
|
|
2484
2623
|
# create a new alias. To associate an existing alias with a different
|
|
2485
2624
|
# KMS key, call UpdateAlias.
|
|
2486
2625
|
#
|
|
2487
|
-
# **Cross-account use
|
|
2626
|
+
# **Cross-account use**: No. You cannot perform this operation on an
|
|
2488
2627
|
# alias in a different Amazon Web Services account.
|
|
2489
2628
|
#
|
|
2490
2629
|
# **Required permissions**
|
|
@@ -2578,10 +2717,10 @@ module Aws::KMS
|
|
|
2578
2717
|
# If the operation succeeds, it returns a JSON object with no
|
|
2579
2718
|
# properties.
|
|
2580
2719
|
#
|
|
2581
|
-
# **Cross-account use
|
|
2720
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
2582
2721
|
# custom key store in a different Amazon Web Services account.
|
|
2583
2722
|
#
|
|
2584
|
-
# **Required permissions
|
|
2723
|
+
# **Required permissions**: [kms:DeleteCustomKeyStore][5] (IAM policy)
|
|
2585
2724
|
#
|
|
2586
2725
|
# **Related operations:**
|
|
2587
2726
|
#
|
|
@@ -2639,26 +2778,24 @@ module Aws::KMS
|
|
|
2639
2778
|
req.send_request(options)
|
|
2640
2779
|
end
|
|
2641
2780
|
|
|
2642
|
-
# Deletes key material that
|
|
2643
|
-
# makes the specified KMS key unusable.
|
|
2644
|
-
#
|
|
2645
|
-
#
|
|
2781
|
+
# Deletes key material that was previously imported. This operation
|
|
2782
|
+
# makes the specified KMS key temporarily unusable. To restore the
|
|
2783
|
+
# usability of the KMS key, reimport the same key material. For more
|
|
2784
|
+
# information about importing key material into KMS, see [Importing Key
|
|
2785
|
+
# Material][1] in the *Key Management Service Developer Guide*.
|
|
2646
2786
|
#
|
|
2647
2787
|
# When the specified KMS key is in the `PendingDeletion` state, this
|
|
2648
2788
|
# operation does not change the KMS key's state. Otherwise, it changes
|
|
2649
2789
|
# the KMS key's state to `PendingImport`.
|
|
2650
2790
|
#
|
|
2651
|
-
# After you delete key material, you can use ImportKeyMaterial to
|
|
2652
|
-
# reimport the same key material into the KMS key.
|
|
2653
|
-
#
|
|
2654
2791
|
# The KMS key that you use for this operation must be in a compatible
|
|
2655
2792
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
2656
2793
|
# Management Service Developer Guide*.
|
|
2657
2794
|
#
|
|
2658
|
-
# **Cross-account use
|
|
2795
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
2659
2796
|
# key in a different Amazon Web Services account.
|
|
2660
2797
|
#
|
|
2661
|
-
# **Required permissions
|
|
2798
|
+
# **Required permissions**: [kms:DeleteImportedKeyMaterial][3] (key
|
|
2662
2799
|
# policy)
|
|
2663
2800
|
#
|
|
2664
2801
|
# **Related operations:**
|
|
@@ -2750,10 +2887,10 @@ module Aws::KMS
|
|
|
2750
2887
|
# see the [Troubleshooting external key stores][3]. Both topics are in
|
|
2751
2888
|
# the *Key Management Service Developer Guide*.
|
|
2752
2889
|
#
|
|
2753
|
-
# **Cross-account use
|
|
2890
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
2754
2891
|
# custom key store in a different Amazon Web Services account.
|
|
2755
2892
|
#
|
|
2756
|
-
# **Required permissions
|
|
2893
|
+
# **Required permissions**: [kms:DescribeCustomKeyStores][4] (IAM
|
|
2757
2894
|
# policy)
|
|
2758
2895
|
#
|
|
2759
2896
|
# **Related operations:**
|
|
@@ -2839,7 +2976,7 @@ module Aws::KMS
|
|
|
2839
2976
|
# {
|
|
2840
2977
|
# custom_key_stores: [
|
|
2841
2978
|
# {
|
|
2842
|
-
# cloud_hsm_cluster_id: "cluster-
|
|
2979
|
+
# cloud_hsm_cluster_id: "cluster-234abcdefABC",
|
|
2843
2980
|
# connection_state: "CONNECTED",
|
|
2844
2981
|
# creation_date: Time.parse("1.499288695918E9"),
|
|
2845
2982
|
# custom_key_store_id: "cks-1234567890abcdef0",
|
|
@@ -2988,11 +3125,11 @@ module Aws::KMS
|
|
|
2988
3125
|
# services use `DescribeKey` to create [Amazon Web Services managed
|
|
2989
3126
|
# keys][2] from a *predefined Amazon Web Services alias* with no key ID.
|
|
2990
3127
|
#
|
|
2991
|
-
# **Cross-account use
|
|
3128
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
2992
3129
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
2993
3130
|
# alias ARN in the value of the `KeyId` parameter.
|
|
2994
3131
|
#
|
|
2995
|
-
# **Required permissions
|
|
3132
|
+
# **Required permissions**: [kms:DescribeKey][4] (key policy)
|
|
2996
3133
|
#
|
|
2997
3134
|
# **Related operations:**
|
|
2998
3135
|
#
|
|
@@ -3224,7 +3361,7 @@ module Aws::KMS
|
|
|
3224
3361
|
# key_metadata: {
|
|
3225
3362
|
# aws_account_id: "123456789012",
|
|
3226
3363
|
# arn: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
|
|
3227
|
-
# cloud_hsm_cluster_id: "cluster-
|
|
3364
|
+
# cloud_hsm_cluster_id: "cluster-234abcdefABC",
|
|
3228
3365
|
# creation_date: Time.parse(1646160362.664),
|
|
3229
3366
|
# custom_key_store_id: "cks-1234567890abcdef0",
|
|
3230
3367
|
# customer_master_key_spec: "SYMMETRIC_DEFAULT",
|
|
@@ -3339,12 +3476,12 @@ module Aws::KMS
|
|
|
3339
3476
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
3340
3477
|
# Management Service Developer Guide*.
|
|
3341
3478
|
#
|
|
3342
|
-
# **Cross-account use
|
|
3479
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
3343
3480
|
# key in a different Amazon Web Services account.
|
|
3344
3481
|
#
|
|
3345
|
-
# **Required permissions
|
|
3482
|
+
# **Required permissions**: [kms:DisableKey][3] (key policy)
|
|
3346
3483
|
#
|
|
3347
|
-
# **Related operations
|
|
3484
|
+
# **Related operations**: EnableKey
|
|
3348
3485
|
#
|
|
3349
3486
|
#
|
|
3350
3487
|
#
|
|
@@ -3419,10 +3556,10 @@ module Aws::KMS
|
|
|
3419
3556
|
# key state. For details, see [Key states of KMS keys][10] in the *Key
|
|
3420
3557
|
# Management Service Developer Guide*.
|
|
3421
3558
|
#
|
|
3422
|
-
# **Cross-account use
|
|
3559
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
3423
3560
|
# key in a different Amazon Web Services account.
|
|
3424
3561
|
#
|
|
3425
|
-
# **Required permissions
|
|
3562
|
+
# **Required permissions**: [kms:DisableKeyRotation][11] (key policy)
|
|
3426
3563
|
#
|
|
3427
3564
|
# **Related operations:**
|
|
3428
3565
|
#
|
|
@@ -3524,10 +3661,10 @@ module Aws::KMS
|
|
|
3524
3661
|
# If the operation succeeds, it returns a JSON object with no
|
|
3525
3662
|
# properties.
|
|
3526
3663
|
#
|
|
3527
|
-
# **Cross-account use
|
|
3664
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
3528
3665
|
# custom key store in a different Amazon Web Services account.
|
|
3529
3666
|
#
|
|
3530
|
-
# **Required permissions
|
|
3667
|
+
# **Required permissions**: [kms:DisconnectCustomKeyStore][3] (IAM
|
|
3531
3668
|
# policy)
|
|
3532
3669
|
#
|
|
3533
3670
|
# **Related operations:**
|
|
@@ -3593,12 +3730,12 @@ module Aws::KMS
|
|
|
3593
3730
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
3594
3731
|
# Management Service Developer Guide*.
|
|
3595
3732
|
#
|
|
3596
|
-
# **Cross-account use
|
|
3733
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
3597
3734
|
# key in a different Amazon Web Services account.
|
|
3598
3735
|
#
|
|
3599
|
-
# **Required permissions
|
|
3736
|
+
# **Required permissions**: [kms:EnableKey][3] (key policy)
|
|
3600
3737
|
#
|
|
3601
|
-
# **Related operations
|
|
3738
|
+
# **Related operations**: DisableKey
|
|
3602
3739
|
#
|
|
3603
3740
|
#
|
|
3604
3741
|
#
|
|
@@ -3685,10 +3822,10 @@ module Aws::KMS
|
|
|
3685
3822
|
# key state. For details, see [Key states of KMS keys][11] in the *Key
|
|
3686
3823
|
# Management Service Developer Guide*.
|
|
3687
3824
|
#
|
|
3688
|
-
# **Cross-account use
|
|
3825
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
3689
3826
|
# key in a different Amazon Web Services account.
|
|
3690
3827
|
#
|
|
3691
|
-
# **Required permissions
|
|
3828
|
+
# **Required permissions**: [kms:EnableKeyRotation][12] (key policy)
|
|
3692
3829
|
#
|
|
3693
3830
|
# **Related operations:**
|
|
3694
3831
|
#
|
|
@@ -3804,39 +3941,39 @@ module Aws::KMS
|
|
|
3804
3941
|
#
|
|
3805
3942
|
# * Symmetric encryption KMS keys
|
|
3806
3943
|
#
|
|
3807
|
-
# * `SYMMETRIC_DEFAULT
|
|
3944
|
+
# * `SYMMETRIC_DEFAULT`: 4096 bytes
|
|
3808
3945
|
#
|
|
3809
3946
|
# ^
|
|
3810
3947
|
#
|
|
3811
3948
|
# * `RSA_2048`
|
|
3812
3949
|
#
|
|
3813
|
-
# * `RSAES_OAEP_SHA_1
|
|
3950
|
+
# * `RSAES_OAEP_SHA_1`: 214 bytes
|
|
3814
3951
|
#
|
|
3815
|
-
# * `RSAES_OAEP_SHA_256
|
|
3952
|
+
# * `RSAES_OAEP_SHA_256`: 190 bytes
|
|
3816
3953
|
#
|
|
3817
3954
|
# * `RSA_3072`
|
|
3818
3955
|
#
|
|
3819
|
-
# * `RSAES_OAEP_SHA_1
|
|
3956
|
+
# * `RSAES_OAEP_SHA_1`: 342 bytes
|
|
3820
3957
|
#
|
|
3821
|
-
# * `RSAES_OAEP_SHA_256
|
|
3958
|
+
# * `RSAES_OAEP_SHA_256`: 318 bytes
|
|
3822
3959
|
#
|
|
3823
3960
|
# * `RSA_4096`
|
|
3824
3961
|
#
|
|
3825
|
-
# * `RSAES_OAEP_SHA_1
|
|
3962
|
+
# * `RSAES_OAEP_SHA_1`: 470 bytes
|
|
3826
3963
|
#
|
|
3827
|
-
# * `RSAES_OAEP_SHA_256
|
|
3964
|
+
# * `RSAES_OAEP_SHA_256`: 446 bytes
|
|
3828
3965
|
#
|
|
3829
|
-
# * `SM2PKE
|
|
3966
|
+
# * `SM2PKE`: 1024 bytes (China Regions only)
|
|
3830
3967
|
#
|
|
3831
3968
|
# The KMS key that you use for this operation must be in a compatible
|
|
3832
3969
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
3833
3970
|
# Management Service Developer Guide*.
|
|
3834
3971
|
#
|
|
3835
|
-
# **Cross-account use
|
|
3972
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
3836
3973
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
3837
3974
|
# alias ARN in the value of the `KeyId` parameter.
|
|
3838
3975
|
#
|
|
3839
|
-
# **Required permissions
|
|
3976
|
+
# **Required permissions**: [kms:Encrypt][3] (key policy)
|
|
3840
3977
|
#
|
|
3841
3978
|
# **Related operations:**
|
|
3842
3979
|
#
|
|
@@ -3886,6 +4023,10 @@ module Aws::KMS
|
|
|
3886
4023
|
# asymmetric encryption algorithms and HMAC algorithms that KMS uses do
|
|
3887
4024
|
# not support an encryption context.
|
|
3888
4025
|
#
|
|
4026
|
+
# Do not include confidential or sensitive information in this field.
|
|
4027
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
4028
|
+
# output.
|
|
4029
|
+
#
|
|
3889
4030
|
# An *encryption context* is a collection of non-secret key-value pairs
|
|
3890
4031
|
# that represent additional authenticated data. When you use an
|
|
3891
4032
|
# encryption context to encrypt data, you must specify the same (an
|
|
@@ -3927,6 +4068,17 @@ module Aws::KMS
|
|
|
3927
4068
|
#
|
|
3928
4069
|
# The SM2PKE algorithm is only available in China Regions.
|
|
3929
4070
|
#
|
|
4071
|
+
# @option params [Boolean] :dry_run
|
|
4072
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
4073
|
+
# parameter.
|
|
4074
|
+
#
|
|
4075
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
4076
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
4077
|
+
#
|
|
4078
|
+
#
|
|
4079
|
+
#
|
|
4080
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
4081
|
+
#
|
|
3930
4082
|
# @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
3931
4083
|
#
|
|
3932
4084
|
# * {Types::EncryptResponse#ciphertext_blob #ciphertext_blob} => String
|
|
@@ -3934,9 +4086,9 @@ module Aws::KMS
|
|
|
3934
4086
|
# * {Types::EncryptResponse#encryption_algorithm #encryption_algorithm} => String
|
|
3935
4087
|
#
|
|
3936
4088
|
#
|
|
3937
|
-
# @example Example: To encrypt data
|
|
4089
|
+
# @example Example: To encrypt data with a symmetric encryption KMS key
|
|
3938
4090
|
#
|
|
3939
|
-
# # The following example encrypts data with the specified KMS key.
|
|
4091
|
+
# # The following example encrypts data with the specified symmetric encryption KMS key.
|
|
3940
4092
|
#
|
|
3941
4093
|
# resp = client.encrypt({
|
|
3942
4094
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
|
|
@@ -3946,9 +4098,28 @@ module Aws::KMS
|
|
|
3946
4098
|
# resp.to_h outputs the following:
|
|
3947
4099
|
# {
|
|
3948
4100
|
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
|
4101
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # The encryption algorithm that was used in the operation. For symmetric encryption keys, the encryption algorithm is always SYMMETRIC_DEFAULT.
|
|
3949
4102
|
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that was used to encrypt the data.
|
|
3950
4103
|
# }
|
|
3951
4104
|
#
|
|
4105
|
+
# @example Example: To encrypt data with an asymmetric encryption KMS key
|
|
4106
|
+
#
|
|
4107
|
+
# # The following example encrypts data with the specified RSA asymmetric KMS key. When you encrypt with an asymmetric key,
|
|
4108
|
+
# # you must specify the encryption algorithm.
|
|
4109
|
+
#
|
|
4110
|
+
# resp = client.encrypt({
|
|
4111
|
+
# encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm to use in the operation.
|
|
4112
|
+
# key_id: "0987dcba-09fe-87dc-65ba-ab0987654321", # The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
|
|
4113
|
+
# plaintext: "<binary data>", # The data to encrypt.
|
|
4114
|
+
# })
|
|
4115
|
+
#
|
|
4116
|
+
# resp.to_h outputs the following:
|
|
4117
|
+
# {
|
|
4118
|
+
# ciphertext_blob: "<binary data>", # The encrypted data (ciphertext).
|
|
4119
|
+
# encryption_algorithm: "RSAES_OAEP_SHA_256", # The encryption algorithm that was used in the operation.
|
|
4120
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", # The ARN of the KMS key that was used to encrypt the data.
|
|
4121
|
+
# }
|
|
4122
|
+
#
|
|
3952
4123
|
# @example Request syntax with placeholder values
|
|
3953
4124
|
#
|
|
3954
4125
|
# resp = client.encrypt({
|
|
@@ -3959,6 +4130,7 @@ module Aws::KMS
|
|
|
3959
4130
|
# },
|
|
3960
4131
|
# grant_tokens: ["GrantTokenType"],
|
|
3961
4132
|
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
4133
|
+
# dry_run: false,
|
|
3962
4134
|
# })
|
|
3963
4135
|
#
|
|
3964
4136
|
# @example Response structure
|
|
@@ -4012,14 +4184,22 @@ module Aws::KMS
|
|
|
4012
4184
|
# information, see [Encryption Context][1] in the *Key Management
|
|
4013
4185
|
# Service Developer Guide*.
|
|
4014
4186
|
#
|
|
4015
|
-
#
|
|
4016
|
-
#
|
|
4017
|
-
#
|
|
4018
|
-
# Amazon Web Services Nitro Enclaves
|
|
4019
|
-
#
|
|
4187
|
+
# `GenerateDataKey` also supports [Amazon Web Services Nitro
|
|
4188
|
+
# Enclaves][2], which provide an isolated compute environment in Amazon
|
|
4189
|
+
# EC2. To call `GenerateDataKey` for an Amazon Web Services Nitro
|
|
4190
|
+
# enclave, use the [Amazon Web Services Nitro Enclaves SDK][3] or any
|
|
4191
|
+
# Amazon Web Services SDK. Use the `Recipient` parameter to provide the
|
|
4192
|
+
# attestation document for the enclave. `GenerateDataKey` returns a copy
|
|
4193
|
+
# of the data key encrypted under the specified KMS key, as usual. But
|
|
4194
|
+
# instead of a plaintext copy of the data key, the response includes a
|
|
4195
|
+
# copy of the data key encrypted under the public key from the
|
|
4196
|
+
# attestation document (`CiphertextForRecipient`). For information about
|
|
4197
|
+
# the interaction between KMS and Amazon Web Services Nitro Enclaves,
|
|
4198
|
+
# see [How Amazon Web Services Nitro Enclaves uses KMS][4] in the *Key
|
|
4199
|
+
# Management Service Developer Guide*..
|
|
4020
4200
|
#
|
|
4021
4201
|
# The KMS key that you use for this operation must be in a compatible
|
|
4022
|
-
# key state. For details, see [Key states of KMS keys][
|
|
4202
|
+
# key state. For details, see [Key states of KMS keys][5] in the *Key
|
|
4023
4203
|
# Management Service Developer Guide*.
|
|
4024
4204
|
#
|
|
4025
4205
|
# **How to use your data key**
|
|
@@ -4027,8 +4207,8 @@ module Aws::KMS
|
|
|
4027
4207
|
# We recommend that you use the following pattern to encrypt data
|
|
4028
4208
|
# locally in your application. You can write your own code or use a
|
|
4029
4209
|
# client-side encryption library, such as the [Amazon Web Services
|
|
4030
|
-
# Encryption SDK][
|
|
4031
|
-
# [Amazon S3 client-side encryption][
|
|
4210
|
+
# Encryption SDK][6], the [Amazon DynamoDB Encryption Client][7], or
|
|
4211
|
+
# [Amazon S3 client-side encryption][8] to do these tasks for you.
|
|
4032
4212
|
#
|
|
4033
4213
|
# To encrypt data outside of KMS:
|
|
4034
4214
|
#
|
|
@@ -4049,11 +4229,11 @@ module Aws::KMS
|
|
|
4049
4229
|
# 2. Use the plaintext data key to decrypt data outside of KMS, then
|
|
4050
4230
|
# erase the plaintext data key from memory.
|
|
4051
4231
|
#
|
|
4052
|
-
# **Cross-account use
|
|
4232
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
4053
4233
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
4054
4234
|
# alias ARN in the value of the `KeyId` parameter.
|
|
4055
4235
|
#
|
|
4056
|
-
# **Required permissions
|
|
4236
|
+
# **Required permissions**: [kms:GenerateDataKey][9] (key policy)
|
|
4057
4237
|
#
|
|
4058
4238
|
# **Related operations:**
|
|
4059
4239
|
#
|
|
@@ -4070,13 +4250,14 @@ module Aws::KMS
|
|
|
4070
4250
|
#
|
|
4071
4251
|
#
|
|
4072
4252
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
4073
|
-
# [2]: https://
|
|
4074
|
-
# [3]: https://docs.aws.amazon.com/
|
|
4075
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4076
|
-
# [5]: https://docs.aws.amazon.com/
|
|
4077
|
-
# [6]: https://docs.aws.amazon.com/
|
|
4078
|
-
# [7]: https://docs.aws.amazon.com/
|
|
4079
|
-
# [8]: https://docs.aws.amazon.com/
|
|
4253
|
+
# [2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
|
|
4254
|
+
# [3]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
4255
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
4256
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
4257
|
+
# [6]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
|
4258
|
+
# [7]: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/
|
|
4259
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
|
4260
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
4080
4261
|
#
|
|
4081
4262
|
# @option params [required, String] :key_id
|
|
4082
4263
|
# Specifies the symmetric encryption KMS key that encrypts the data key.
|
|
@@ -4107,6 +4288,10 @@ module Aws::KMS
|
|
|
4107
4288
|
# Specifies the encryption context that will be used when encrypting the
|
|
4108
4289
|
# data key.
|
|
4109
4290
|
#
|
|
4291
|
+
# Do not include confidential or sensitive information in this field.
|
|
4292
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
4293
|
+
# output.
|
|
4294
|
+
#
|
|
4110
4295
|
# An *encryption context* is a collection of non-secret key-value pairs
|
|
4111
4296
|
# that represent additional authenticated data. When you use an
|
|
4112
4297
|
# encryption context to encrypt data, you must specify the same (an
|
|
@@ -4152,11 +4337,51 @@ module Aws::KMS
|
|
|
4152
4337
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4153
4338
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
4154
4339
|
#
|
|
4340
|
+
# @option params [Types::RecipientInfo] :recipient
|
|
4341
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
4342
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
|
4343
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
4344
|
+
#
|
|
4345
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
4346
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
|
4347
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
|
4348
|
+
#
|
|
4349
|
+
# When you use this parameter, instead of returning the plaintext data
|
|
4350
|
+
# key, KMS encrypts the plaintext data key under the public key in the
|
|
4351
|
+
# attestation document, and returns the resulting ciphertext in the
|
|
4352
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can be
|
|
4353
|
+
# decrypted only with the private key in the enclave. The
|
|
4354
|
+
# `CiphertextBlob` field in the response contains a copy of the data key
|
|
4355
|
+
# encrypted under the KMS key specified by the `KeyId` parameter. The
|
|
4356
|
+
# `Plaintext` field in the response is null or empty.
|
|
4357
|
+
#
|
|
4358
|
+
# For information about the interaction between KMS and Amazon Web
|
|
4359
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
|
4360
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
|
4361
|
+
#
|
|
4362
|
+
#
|
|
4363
|
+
#
|
|
4364
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
4365
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
4366
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
4367
|
+
#
|
|
4368
|
+
# @option params [Boolean] :dry_run
|
|
4369
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
4370
|
+
# parameter.
|
|
4371
|
+
#
|
|
4372
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
4373
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
4374
|
+
#
|
|
4375
|
+
#
|
|
4376
|
+
#
|
|
4377
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
4378
|
+
#
|
|
4155
4379
|
# @return [Types::GenerateDataKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4156
4380
|
#
|
|
4157
4381
|
# * {Types::GenerateDataKeyResponse#ciphertext_blob #ciphertext_blob} => String
|
|
4158
4382
|
# * {Types::GenerateDataKeyResponse#plaintext #plaintext} => String
|
|
4159
4383
|
# * {Types::GenerateDataKeyResponse#key_id #key_id} => String
|
|
4384
|
+
# * {Types::GenerateDataKeyResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
|
4160
4385
|
#
|
|
4161
4386
|
#
|
|
4162
4387
|
# @example Example: To generate a data key
|
|
@@ -4176,6 +4401,31 @@ module Aws::KMS
|
|
|
4176
4401
|
# plaintext: "<binary data>", # The unencrypted (plaintext) data key.
|
|
4177
4402
|
# }
|
|
4178
4403
|
#
|
|
4404
|
+
# @example Example: To generate a data key pair for a Nitro enclave
|
|
4405
|
+
#
|
|
4406
|
+
# # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
|
|
4407
|
+
# # Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key,
|
|
4408
|
+
# # GenerateDataKey returns one copy of the data key encrypted by the KMS key (CiphertextBlob) and one copy of the data key
|
|
4409
|
+
# # encrypted by the public key from the attestation document (CiphertextForRecipient). The operation doesn't return a
|
|
4410
|
+
# # plaintext data key.
|
|
4411
|
+
#
|
|
4412
|
+
# resp = client.generate_data_key({
|
|
4413
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # Identifies the KMS key used to encrypt the encrypted data key (CiphertextBlob)
|
|
4414
|
+
# key_spec: "AES_256", # Specifies the type of data key to return
|
|
4415
|
+
# recipient: {
|
|
4416
|
+
# attestation_document: "<attestation document>",
|
|
4417
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256",
|
|
4418
|
+
# }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
|
|
4419
|
+
# })
|
|
4420
|
+
#
|
|
4421
|
+
# resp.to_h outputs the following:
|
|
4422
|
+
# {
|
|
4423
|
+
# ciphertext_blob: "<binary data>", # The data key encrypted by the specified KMS key
|
|
4424
|
+
# ciphertext_for_recipient: "<binary data>", # The plaintext data key encrypted by the public key from the attestation document
|
|
4425
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key used to encrypt the CiphertextBlob (encrypted data key)
|
|
4426
|
+
# plaintext: "", # This field is null or empty
|
|
4427
|
+
# }
|
|
4428
|
+
#
|
|
4179
4429
|
# @example Request syntax with placeholder values
|
|
4180
4430
|
#
|
|
4181
4431
|
# resp = client.generate_data_key({
|
|
@@ -4186,6 +4436,11 @@ module Aws::KMS
|
|
|
4186
4436
|
# number_of_bytes: 1,
|
|
4187
4437
|
# key_spec: "AES_256", # accepts AES_256, AES_128
|
|
4188
4438
|
# grant_tokens: ["GrantTokenType"],
|
|
4439
|
+
# recipient: {
|
|
4440
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
|
4441
|
+
# attestation_document: "data",
|
|
4442
|
+
# },
|
|
4443
|
+
# dry_run: false,
|
|
4189
4444
|
# })
|
|
4190
4445
|
#
|
|
4191
4446
|
# @example Response structure
|
|
@@ -4193,6 +4448,7 @@ module Aws::KMS
|
|
|
4193
4448
|
# resp.ciphertext_blob #=> String
|
|
4194
4449
|
# resp.plaintext #=> String
|
|
4195
4450
|
# resp.key_id #=> String
|
|
4451
|
+
# resp.ciphertext_for_recipient #=> String
|
|
4196
4452
|
#
|
|
4197
4453
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey AWS API Documentation
|
|
4198
4454
|
#
|
|
@@ -4245,23 +4501,38 @@ module Aws::KMS
|
|
|
4245
4501
|
# 5280][1]. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as
|
|
4246
4502
|
# specified in [RFC 5958][2].
|
|
4247
4503
|
#
|
|
4504
|
+
# `GenerateDataKeyPair` also supports [Amazon Web Services Nitro
|
|
4505
|
+
# Enclaves][3], which provide an isolated compute environment in Amazon
|
|
4506
|
+
# EC2. To call `GenerateDataKeyPair` for an Amazon Web Services Nitro
|
|
4507
|
+
# enclave, use the [Amazon Web Services Nitro Enclaves SDK][4] or any
|
|
4508
|
+
# Amazon Web Services SDK. Use the `Recipient` parameter to provide the
|
|
4509
|
+
# attestation document for the enclave. `GenerateDataKeyPair` returns
|
|
4510
|
+
# the public data key and a copy of the private data key encrypted under
|
|
4511
|
+
# the specified KMS key, as usual. But instead of a plaintext copy of
|
|
4512
|
+
# the private data key (`PrivateKeyPlaintext`), the response includes a
|
|
4513
|
+
# copy of the private data key encrypted under the public key from the
|
|
4514
|
+
# attestation document (`CiphertextForRecipient`). For information about
|
|
4515
|
+
# the interaction between KMS and Amazon Web Services Nitro Enclaves,
|
|
4516
|
+
# see [How Amazon Web Services Nitro Enclaves uses KMS][5] in the *Key
|
|
4517
|
+
# Management Service Developer Guide*..
|
|
4518
|
+
#
|
|
4248
4519
|
# You can use an optional encryption context to add additional security
|
|
4249
4520
|
# to the encryption operation. If you specify an `EncryptionContext`,
|
|
4250
4521
|
# you must specify the same encryption context (a case-sensitive exact
|
|
4251
4522
|
# match) when decrypting the encrypted data key. Otherwise, the request
|
|
4252
4523
|
# to decrypt fails with an `InvalidCiphertextException`. For more
|
|
4253
|
-
# information, see [Encryption Context][
|
|
4524
|
+
# information, see [Encryption Context][6] in the *Key Management
|
|
4254
4525
|
# Service Developer Guide*.
|
|
4255
4526
|
#
|
|
4256
4527
|
# The KMS key that you use for this operation must be in a compatible
|
|
4257
|
-
# key state. For details, see [Key states of KMS keys][
|
|
4528
|
+
# key state. For details, see [Key states of KMS keys][7] in the *Key
|
|
4258
4529
|
# Management Service Developer Guide*.
|
|
4259
4530
|
#
|
|
4260
|
-
# **Cross-account use
|
|
4531
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
4261
4532
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
4262
4533
|
# alias ARN in the value of the `KeyId` parameter.
|
|
4263
4534
|
#
|
|
4264
|
-
# **Required permissions
|
|
4535
|
+
# **Required permissions**: [kms:GenerateDataKeyPair][8] (key policy)
|
|
4265
4536
|
#
|
|
4266
4537
|
# **Related operations:**
|
|
4267
4538
|
#
|
|
@@ -4279,14 +4550,21 @@ module Aws::KMS
|
|
|
4279
4550
|
#
|
|
4280
4551
|
# [1]: https://tools.ietf.org/html/rfc5280
|
|
4281
4552
|
# [2]: https://tools.ietf.org/html/rfc5958
|
|
4282
|
-
# [3]: https://docs.aws.amazon.com/
|
|
4283
|
-
# [4]: https://docs.aws.amazon.com/
|
|
4284
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
4553
|
+
# [3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
|
|
4554
|
+
# [4]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
4555
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
4556
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
|
4557
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
4558
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
4285
4559
|
#
|
|
4286
4560
|
# @option params [Hash<String,String>] :encryption_context
|
|
4287
4561
|
# Specifies the encryption context that will be used when encrypting the
|
|
4288
4562
|
# private key in the data key pair.
|
|
4289
4563
|
#
|
|
4564
|
+
# Do not include confidential or sensitive information in this field.
|
|
4565
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
4566
|
+
# output.
|
|
4567
|
+
#
|
|
4290
4568
|
# An *encryption context* is a collection of non-secret key-value pairs
|
|
4291
4569
|
# that represent additional authenticated data. When you use an
|
|
4292
4570
|
# encryption context to encrypt data, you must specify the same (an
|
|
@@ -4349,6 +4627,46 @@ module Aws::KMS
|
|
|
4349
4627
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4350
4628
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
4351
4629
|
#
|
|
4630
|
+
# @option params [Types::RecipientInfo] :recipient
|
|
4631
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
4632
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
|
4633
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
4634
|
+
#
|
|
4635
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
4636
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
|
4637
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
|
4638
|
+
#
|
|
4639
|
+
# When you use this parameter, instead of returning a plaintext copy of
|
|
4640
|
+
# the private data key, KMS encrypts the plaintext private data key
|
|
4641
|
+
# under the public key in the attestation document, and returns the
|
|
4642
|
+
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
|
4643
|
+
# response. This ciphertext can be decrypted only with the private key
|
|
4644
|
+
# in the enclave. The `CiphertextBlob` field in the response contains a
|
|
4645
|
+
# copy of the private data key encrypted under the KMS key specified by
|
|
4646
|
+
# the `KeyId` parameter. The `PrivateKeyPlaintext` field in the response
|
|
4647
|
+
# is null or empty.
|
|
4648
|
+
#
|
|
4649
|
+
# For information about the interaction between KMS and Amazon Web
|
|
4650
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
|
4651
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
|
4652
|
+
#
|
|
4653
|
+
#
|
|
4654
|
+
#
|
|
4655
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
4656
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
4657
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
4658
|
+
#
|
|
4659
|
+
# @option params [Boolean] :dry_run
|
|
4660
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
4661
|
+
# parameter.
|
|
4662
|
+
#
|
|
4663
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
4664
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
4665
|
+
#
|
|
4666
|
+
#
|
|
4667
|
+
#
|
|
4668
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
4669
|
+
#
|
|
4352
4670
|
# @return [Types::GenerateDataKeyPairResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4353
4671
|
#
|
|
4354
4672
|
# * {Types::GenerateDataKeyPairResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
|
|
@@ -4356,6 +4674,7 @@ module Aws::KMS
|
|
|
4356
4674
|
# * {Types::GenerateDataKeyPairResponse#public_key #public_key} => String
|
|
4357
4675
|
# * {Types::GenerateDataKeyPairResponse#key_id #key_id} => String
|
|
4358
4676
|
# * {Types::GenerateDataKeyPairResponse#key_pair_spec #key_pair_spec} => String
|
|
4677
|
+
# * {Types::GenerateDataKeyPairResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
|
4359
4678
|
#
|
|
4360
4679
|
#
|
|
4361
4680
|
# @example Example: To generate an RSA key pair for encryption and decryption
|
|
@@ -4377,6 +4696,33 @@ module Aws::KMS
|
|
|
4377
4696
|
# public_key: "<binary data>", # The public key (plaintext) of the RSA data key pair.
|
|
4378
4697
|
# }
|
|
4379
4698
|
#
|
|
4699
|
+
# @example Example: To generate a data key pair for a Nitro enclave
|
|
4700
|
+
#
|
|
4701
|
+
# # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
|
|
4702
|
+
# # Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the private data
|
|
4703
|
+
# # key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the public data key
|
|
4704
|
+
# # (PublicKey) and a copy of private data key encrypted under the specified KMS key (PrivateKeyCiphertextBlob), as usual,
|
|
4705
|
+
# # but plaintext private data key field (PrivateKeyPlaintext) is null or empty.
|
|
4706
|
+
#
|
|
4707
|
+
# resp = client.generate_data_key_pair({
|
|
4708
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
|
|
4709
|
+
# key_pair_spec: "RSA_3072", # The requested key spec of the RSA data key pair.
|
|
4710
|
+
# recipient: {
|
|
4711
|
+
# attestation_document: "<attestation document>",
|
|
4712
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256",
|
|
4713
|
+
# }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document.
|
|
4714
|
+
# })
|
|
4715
|
+
#
|
|
4716
|
+
# resp.to_h outputs the following:
|
|
4717
|
+
# {
|
|
4718
|
+
# ciphertext_for_recipient: "<binary data>", # The private key of the RSA data key pair encrypted by the public key from the attestation document
|
|
4719
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The key ARN of the symmetric encryption KMS key that was used to encrypt the PrivateKeyCiphertextBlob.
|
|
4720
|
+
# key_pair_spec: "RSA_3072", # The actual key spec of the RSA data key pair.
|
|
4721
|
+
# private_key_ciphertext_blob: "<binary data>", # The private key of the RSA data key pair encrypted by the KMS key.
|
|
4722
|
+
# private_key_plaintext: "", # This field is null or empty
|
|
4723
|
+
# public_key: "<binary data>", # The public key (plaintext) of the RSA data key pair.
|
|
4724
|
+
# }
|
|
4725
|
+
#
|
|
4380
4726
|
# @example Request syntax with placeholder values
|
|
4381
4727
|
#
|
|
4382
4728
|
# resp = client.generate_data_key_pair({
|
|
@@ -4386,6 +4732,11 @@ module Aws::KMS
|
|
|
4386
4732
|
# key_id: "KeyIdType", # required
|
|
4387
4733
|
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
4388
4734
|
# grant_tokens: ["GrantTokenType"],
|
|
4735
|
+
# recipient: {
|
|
4736
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
|
4737
|
+
# attestation_document: "data",
|
|
4738
|
+
# },
|
|
4739
|
+
# dry_run: false,
|
|
4389
4740
|
# })
|
|
4390
4741
|
#
|
|
4391
4742
|
# @example Response structure
|
|
@@ -4395,6 +4746,7 @@ module Aws::KMS
|
|
|
4395
4746
|
# resp.public_key #=> String
|
|
4396
4747
|
# resp.key_id #=> String
|
|
4397
4748
|
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2"
|
|
4749
|
+
# resp.ciphertext_for_recipient #=> String
|
|
4398
4750
|
#
|
|
4399
4751
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
|
|
4400
4752
|
#
|
|
@@ -4448,12 +4800,12 @@ module Aws::KMS
|
|
|
4448
4800
|
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
4449
4801
|
# Management Service Developer Guide*.
|
|
4450
4802
|
#
|
|
4451
|
-
# **Cross-account use
|
|
4803
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
4452
4804
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
4453
4805
|
# alias ARN in the value of the `KeyId` parameter.
|
|
4454
4806
|
#
|
|
4455
|
-
# **Required permissions
|
|
4456
|
-
#
|
|
4807
|
+
# **Required permissions**: [kms:GenerateDataKeyPairWithoutPlaintext][4]
|
|
4808
|
+
# (key policy)
|
|
4457
4809
|
#
|
|
4458
4810
|
# **Related operations:**
|
|
4459
4811
|
#
|
|
@@ -4478,6 +4830,10 @@ module Aws::KMS
|
|
|
4478
4830
|
# Specifies the encryption context that will be used when encrypting the
|
|
4479
4831
|
# private key in the data key pair.
|
|
4480
4832
|
#
|
|
4833
|
+
# Do not include confidential or sensitive information in this field.
|
|
4834
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
4835
|
+
# output.
|
|
4836
|
+
#
|
|
4481
4837
|
# An *encryption context* is a collection of non-secret key-value pairs
|
|
4482
4838
|
# that represent additional authenticated data. When you use an
|
|
4483
4839
|
# encryption context to encrypt data, you must specify the same (an
|
|
@@ -4540,6 +4896,17 @@ module Aws::KMS
|
|
|
4540
4896
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4541
4897
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
4542
4898
|
#
|
|
4899
|
+
# @option params [Boolean] :dry_run
|
|
4900
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
4901
|
+
# parameter.
|
|
4902
|
+
#
|
|
4903
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
4904
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
4905
|
+
#
|
|
4906
|
+
#
|
|
4907
|
+
#
|
|
4908
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
4909
|
+
#
|
|
4543
4910
|
# @return [Types::GenerateDataKeyPairWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4544
4911
|
#
|
|
4545
4912
|
# * {Types::GenerateDataKeyPairWithoutPlaintextResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
|
|
@@ -4575,6 +4942,7 @@ module Aws::KMS
|
|
|
4575
4942
|
# key_id: "KeyIdType", # required
|
|
4576
4943
|
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SM2
|
|
4577
4944
|
# grant_tokens: ["GrantTokenType"],
|
|
4945
|
+
# dry_run: false,
|
|
4578
4946
|
# })
|
|
4579
4947
|
#
|
|
4580
4948
|
# @example Response structure
|
|
@@ -4629,7 +4997,7 @@ module Aws::KMS
|
|
|
4629
4997
|
# and 256-bit data keys, use the `KeySpec` parameter.
|
|
4630
4998
|
#
|
|
4631
4999
|
# To generate an SM4 data key (China Regions only), specify a `KeySpec`
|
|
4632
|
-
# value of `AES_128` or `NumberOfBytes` value of `
|
|
5000
|
+
# value of `AES_128` or `NumberOfBytes` value of `16`. The symmetric
|
|
4633
5001
|
# encryption key used in China Regions to encrypt your data key is an
|
|
4634
5002
|
# SM4 encryption key.
|
|
4635
5003
|
#
|
|
@@ -4648,11 +5016,11 @@ module Aws::KMS
|
|
|
4648
5016
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
4649
5017
|
# Management Service Developer Guide*.
|
|
4650
5018
|
#
|
|
4651
|
-
# **Cross-account use
|
|
5019
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
4652
5020
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
4653
5021
|
# alias ARN in the value of the `KeyId` parameter.
|
|
4654
5022
|
#
|
|
4655
|
-
# **Required permissions
|
|
5023
|
+
# **Required permissions**: [kms:GenerateDataKeyWithoutPlaintext][3]
|
|
4656
5024
|
# (key policy)
|
|
4657
5025
|
#
|
|
4658
5026
|
# **Related operations:**
|
|
@@ -4702,6 +5070,10 @@ module Aws::KMS
|
|
|
4702
5070
|
# Specifies the encryption context that will be used when encrypting the
|
|
4703
5071
|
# data key.
|
|
4704
5072
|
#
|
|
5073
|
+
# Do not include confidential or sensitive information in this field.
|
|
5074
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
5075
|
+
# output.
|
|
5076
|
+
#
|
|
4705
5077
|
# An *encryption context* is a collection of non-secret key-value pairs
|
|
4706
5078
|
# that represent additional authenticated data. When you use an
|
|
4707
5079
|
# encryption context to encrypt data, you must specify the same (an
|
|
@@ -4740,6 +5112,17 @@ module Aws::KMS
|
|
|
4740
5112
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4741
5113
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
4742
5114
|
#
|
|
5115
|
+
# @option params [Boolean] :dry_run
|
|
5116
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
5117
|
+
# parameter.
|
|
5118
|
+
#
|
|
5119
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
5120
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
5121
|
+
#
|
|
5122
|
+
#
|
|
5123
|
+
#
|
|
5124
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
5125
|
+
#
|
|
4743
5126
|
# @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4744
5127
|
#
|
|
4745
5128
|
# * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
|
|
@@ -4772,6 +5155,7 @@ module Aws::KMS
|
|
|
4772
5155
|
# key_spec: "AES_256", # accepts AES_256, AES_128
|
|
4773
5156
|
# number_of_bytes: 1,
|
|
4774
5157
|
# grant_tokens: ["GrantTokenType"],
|
|
5158
|
+
# dry_run: false,
|
|
4775
5159
|
# })
|
|
4776
5160
|
#
|
|
4777
5161
|
# @example Response structure
|
|
@@ -4815,13 +5199,13 @@ module Aws::KMS
|
|
|
4815
5199
|
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
4816
5200
|
# Management Service Developer Guide*.
|
|
4817
5201
|
#
|
|
4818
|
-
# **Cross-account use
|
|
5202
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
4819
5203
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
4820
5204
|
# alias ARN in the value of the `KeyId` parameter.
|
|
4821
5205
|
#
|
|
4822
|
-
# **Required permissions
|
|
5206
|
+
# **Required permissions**: [kms:GenerateMac][4] (key policy)
|
|
4823
5207
|
#
|
|
4824
|
-
# **Related operations
|
|
5208
|
+
# **Related operations**: VerifyMac
|
|
4825
5209
|
#
|
|
4826
5210
|
#
|
|
4827
5211
|
#
|
|
@@ -4869,6 +5253,17 @@ module Aws::KMS
|
|
|
4869
5253
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
4870
5254
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
4871
5255
|
#
|
|
5256
|
+
# @option params [Boolean] :dry_run
|
|
5257
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
5258
|
+
# parameter.
|
|
5259
|
+
#
|
|
5260
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
5261
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
5262
|
+
#
|
|
5263
|
+
#
|
|
5264
|
+
#
|
|
5265
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
5266
|
+
#
|
|
4872
5267
|
# @return [Types::GenerateMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4873
5268
|
#
|
|
4874
5269
|
# * {Types::GenerateMacResponse#mac #mac} => String
|
|
@@ -4901,6 +5296,7 @@ module Aws::KMS
|
|
|
4901
5296
|
# key_id: "KeyIdType", # required
|
|
4902
5297
|
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
4903
5298
|
# grant_tokens: ["GrantTokenType"],
|
|
5299
|
+
# dry_run: false,
|
|
4904
5300
|
# })
|
|
4905
5301
|
#
|
|
4906
5302
|
# @example Response structure
|
|
@@ -4927,26 +5323,33 @@ module Aws::KMS
|
|
|
4927
5323
|
# the byte string in the CloudHSM cluster associated with an CloudHSM
|
|
4928
5324
|
# key store, use the `CustomKeyStoreId` parameter.
|
|
4929
5325
|
#
|
|
4930
|
-
#
|
|
4931
|
-
#
|
|
4932
|
-
#
|
|
4933
|
-
#
|
|
4934
|
-
#
|
|
5326
|
+
# `GenerateRandom` also supports [Amazon Web Services Nitro
|
|
5327
|
+
# Enclaves][1], which provide an isolated compute environment in Amazon
|
|
5328
|
+
# EC2. To call `GenerateRandom` for a Nitro enclave, use the [Amazon Web
|
|
5329
|
+
# Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK. Use
|
|
5330
|
+
# the `Recipient` parameter to provide the attestation document for the
|
|
5331
|
+
# enclave. Instead of plaintext bytes, the response includes the
|
|
5332
|
+
# plaintext bytes encrypted under the public key from the attestation
|
|
5333
|
+
# document (`CiphertextForRecipient`).For information about the
|
|
5334
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
|
5335
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][3] in the *Key
|
|
5336
|
+
# Management Service Developer Guide*.
|
|
4935
5337
|
#
|
|
4936
5338
|
# For more information about entropy and random number generation, see
|
|
4937
|
-
# [Key Management Service Cryptographic Details][
|
|
5339
|
+
# [Key Management Service Cryptographic Details][4].
|
|
4938
5340
|
#
|
|
4939
|
-
# **Cross-account use
|
|
5341
|
+
# **Cross-account use**: Not applicable. `GenerateRandom` does not use
|
|
4940
5342
|
# any account-specific resources, such as KMS keys.
|
|
4941
5343
|
#
|
|
4942
|
-
# **Required permissions
|
|
5344
|
+
# **Required permissions**: [kms:GenerateRandom][5] (IAM policy)
|
|
4943
5345
|
#
|
|
4944
5346
|
#
|
|
4945
5347
|
#
|
|
4946
|
-
# [1]: https://
|
|
4947
|
-
# [2]: https://docs.aws.amazon.com/
|
|
4948
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/
|
|
4949
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/
|
|
5348
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html
|
|
5349
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
5350
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
5351
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/cryptographic-details/
|
|
5352
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
4950
5353
|
#
|
|
4951
5354
|
# @option params [Integer] :number_of_bytes
|
|
4952
5355
|
# The length of the random byte string. This parameter is required.
|
|
@@ -4960,9 +5363,36 @@ module Aws::KMS
|
|
|
4960
5363
|
# specify the ID of an external key store, `GenerateRandom` throws an
|
|
4961
5364
|
# `UnsupportedOperationException`.
|
|
4962
5365
|
#
|
|
5366
|
+
# @option params [Types::RecipientInfo] :recipient
|
|
5367
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
5368
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
|
5369
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
5370
|
+
#
|
|
5371
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
5372
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
|
5373
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
|
5374
|
+
#
|
|
5375
|
+
# When you use this parameter, instead of returning plaintext bytes, KMS
|
|
5376
|
+
# encrypts the plaintext bytes under the public key in the attestation
|
|
5377
|
+
# document, and returns the resulting ciphertext in the
|
|
5378
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can be
|
|
5379
|
+
# decrypted only with the private key in the enclave. The `Plaintext`
|
|
5380
|
+
# field in the response is null or empty.
|
|
5381
|
+
#
|
|
5382
|
+
# For information about the interaction between KMS and Amazon Web
|
|
5383
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
|
5384
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
|
5385
|
+
#
|
|
5386
|
+
#
|
|
5387
|
+
#
|
|
5388
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
5389
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
5390
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
5391
|
+
#
|
|
4963
5392
|
# @return [Types::GenerateRandomResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
4964
5393
|
#
|
|
4965
5394
|
# * {Types::GenerateRandomResponse#plaintext #plaintext} => String
|
|
5395
|
+
# * {Types::GenerateRandomResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
|
4966
5396
|
#
|
|
4967
5397
|
#
|
|
4968
5398
|
# @example Example: To generate random data
|
|
@@ -4978,16 +5408,41 @@ module Aws::KMS
|
|
|
4978
5408
|
# plaintext: "<binary data>", # The random data.
|
|
4979
5409
|
# }
|
|
4980
5410
|
#
|
|
5411
|
+
# @example Example: To generate random data
|
|
5412
|
+
#
|
|
5413
|
+
# # The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave.
|
|
5414
|
+
# # Instead of returning a plaintext (unencrypted) byte string, GenerateRandom returns the byte string encrypted by the
|
|
5415
|
+
# # public key from the enclave's attestation document.
|
|
5416
|
+
#
|
|
5417
|
+
# resp = client.generate_random({
|
|
5418
|
+
# number_of_bytes: 1024, # The length of the random byte string
|
|
5419
|
+
# recipient: {
|
|
5420
|
+
# attestation_document: "<attestation document>",
|
|
5421
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256",
|
|
5422
|
+
# }, # Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
|
|
5423
|
+
# })
|
|
5424
|
+
#
|
|
5425
|
+
# resp.to_h outputs the following:
|
|
5426
|
+
# {
|
|
5427
|
+
# ciphertext_for_recipient: "<binary data>", # The random data encrypted under the public key from the attestation document
|
|
5428
|
+
# plaintext: "", # This field is null or empty
|
|
5429
|
+
# }
|
|
5430
|
+
#
|
|
4981
5431
|
# @example Request syntax with placeholder values
|
|
4982
5432
|
#
|
|
4983
5433
|
# resp = client.generate_random({
|
|
4984
5434
|
# number_of_bytes: 1,
|
|
4985
5435
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
|
5436
|
+
# recipient: {
|
|
5437
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
|
5438
|
+
# attestation_document: "data",
|
|
5439
|
+
# },
|
|
4986
5440
|
# })
|
|
4987
5441
|
#
|
|
4988
5442
|
# @example Response structure
|
|
4989
5443
|
#
|
|
4990
5444
|
# resp.plaintext #=> String
|
|
5445
|
+
# resp.ciphertext_for_recipient #=> String
|
|
4991
5446
|
#
|
|
4992
5447
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom AWS API Documentation
|
|
4993
5448
|
#
|
|
@@ -5000,12 +5455,12 @@ module Aws::KMS
|
|
|
5000
5455
|
|
|
5001
5456
|
# Gets a key policy attached to the specified KMS key.
|
|
5002
5457
|
#
|
|
5003
|
-
# **Cross-account use
|
|
5458
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
5004
5459
|
# key in a different Amazon Web Services account.
|
|
5005
5460
|
#
|
|
5006
|
-
# **Required permissions
|
|
5461
|
+
# **Required permissions**: [kms:GetKeyPolicy][1] (key policy)
|
|
5007
5462
|
#
|
|
5008
|
-
# **Related operations
|
|
5463
|
+
# **Related operations**: PutKeyPolicy
|
|
5009
5464
|
#
|
|
5010
5465
|
#
|
|
5011
5466
|
#
|
|
@@ -5116,11 +5571,11 @@ module Aws::KMS
|
|
|
5116
5571
|
# If you cancel the deletion, the original key rotation status returns
|
|
5117
5572
|
# to `true`.
|
|
5118
5573
|
#
|
|
5119
|
-
# **Cross-account use
|
|
5574
|
+
# **Cross-account use**: Yes. To perform this operation on a KMS key in
|
|
5120
5575
|
# a different Amazon Web Services account, specify the key ARN in the
|
|
5121
5576
|
# value of the `KeyId` parameter.
|
|
5122
5577
|
#
|
|
5123
|
-
# **Required permissions
|
|
5578
|
+
# **Required permissions**: [kms:GetKeyRotationStatus][11] (key policy)
|
|
5124
5579
|
#
|
|
5125
5580
|
# **Related operations:**
|
|
5126
5581
|
#
|
|
@@ -5195,39 +5650,72 @@ module Aws::KMS
|
|
|
5195
5650
|
req.send_request(options)
|
|
5196
5651
|
end
|
|
5197
5652
|
|
|
5198
|
-
# Returns the
|
|
5199
|
-
#
|
|
5200
|
-
#
|
|
5201
|
-
#
|
|
5653
|
+
# Returns the public key and an import token you need to import or
|
|
5654
|
+
# reimport key material for a KMS key.
|
|
5655
|
+
#
|
|
5656
|
+
# By default, KMS keys are created with key material that KMS generates.
|
|
5657
|
+
# This operation supports [Importing key material][1], an advanced
|
|
5658
|
+
# feature that lets you generate and import the cryptographic key
|
|
5659
|
+
# material for a KMS key. For more information about importing key
|
|
5660
|
+
# material into KMS, see [Importing key material][1] in the *Key
|
|
5661
|
+
# Management Service Developer Guide*.
|
|
5662
|
+
#
|
|
5663
|
+
# Before calling `GetParametersForImport`, use the CreateKey operation
|
|
5664
|
+
# with an `Origin` value of `EXTERNAL` to create a KMS key with no key
|
|
5665
|
+
# material. You can import key material for a symmetric encryption KMS
|
|
5666
|
+
# key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
|
|
5667
|
+
# signing KMS key. You can also import key material into a [multi-Region
|
|
5668
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of any
|
|
5669
|
+
# supported type. However, you can't import key material into a KMS key
|
|
5670
|
+
# in a [custom key
|
|
5671
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html). You
|
|
5672
|
+
# can also use `GetParametersForImport` to get a public key and import
|
|
5673
|
+
# token to [reimport the original key
|
|
5674
|
+
# material](kms/latest/developerguide/importing-keys.html#reimport-key-material)
|
|
5675
|
+
# into a KMS key whose key material expired or was deleted.
|
|
5676
|
+
#
|
|
5677
|
+
# `GetParametersForImport` returns the items that you need to import
|
|
5678
|
+
# your key material.
|
|
5679
|
+
#
|
|
5680
|
+
# * The public key (or "wrapping key") of an RSA key pair that KMS
|
|
5681
|
+
# generates.
|
|
5682
|
+
#
|
|
5683
|
+
# You will use this public key to encrypt ("wrap") your key material
|
|
5684
|
+
# while it's in transit to KMS.
|
|
5685
|
+
#
|
|
5686
|
+
# * A import token that ensures that KMS can decrypt your key material
|
|
5687
|
+
# and associate it with the correct KMS key.
|
|
5688
|
+
#
|
|
5689
|
+
# The public key and its import token are permanently linked and must be
|
|
5690
|
+
# used together. Each public key and import token set is valid for 24
|
|
5691
|
+
# hours. The expiration date and time appear in the `ParametersValidTo`
|
|
5692
|
+
# field in the `GetParametersForImport` response. You cannot use an
|
|
5693
|
+
# expired public key or import token in an ImportKeyMaterial request. If
|
|
5694
|
+
# your key and token expire, send another `GetParametersForImport`
|
|
5695
|
+
# request.
|
|
5696
|
+
#
|
|
5697
|
+
# `GetParametersForImport` requires the following information:
|
|
5698
|
+
#
|
|
5699
|
+
# * The key ID of the KMS key for which you are importing the key
|
|
5700
|
+
# material.
|
|
5701
|
+
#
|
|
5702
|
+
# * The key spec of the public key ("wrapping key") that you will use
|
|
5703
|
+
# to encrypt your key material during import.
|
|
5202
5704
|
#
|
|
5203
|
-
#
|
|
5204
|
-
#
|
|
5205
|
-
#
|
|
5206
|
-
#
|
|
5207
|
-
#
|
|
5208
|
-
# which you will import key material. The KMS key `Origin` must be
|
|
5209
|
-
# `EXTERNAL`. You must also specify the wrapping algorithm and type of
|
|
5210
|
-
# wrapping key (public key) that you will use to encrypt the key
|
|
5211
|
-
# material. You cannot perform this operation on an asymmetric KMS key,
|
|
5212
|
-
# an HMAC KMS key, or on any KMS key in a different Amazon Web Services
|
|
5213
|
-
# account.
|
|
5214
|
-
#
|
|
5215
|
-
# To import key material, you must use the public key and import token
|
|
5216
|
-
# from the same response. These items are valid for 24 hours. The
|
|
5217
|
-
# expiration date and time appear in the `GetParametersForImport`
|
|
5218
|
-
# response. You cannot use an expired token in an ImportKeyMaterial
|
|
5219
|
-
# request. If your key and token expire, send another
|
|
5220
|
-
# `GetParametersForImport` request.
|
|
5705
|
+
# * The wrapping algorithm that you will use with the public key to
|
|
5706
|
+
# encrypt your key material.
|
|
5707
|
+
#
|
|
5708
|
+
# You can use the same or a different public key spec and wrapping
|
|
5709
|
+
# algorithm each time you import or reimport the same key material.
|
|
5221
5710
|
#
|
|
5222
5711
|
# The KMS key that you use for this operation must be in a compatible
|
|
5223
5712
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
5224
5713
|
# Management Service Developer Guide*.
|
|
5225
5714
|
#
|
|
5226
|
-
# **Cross-account use
|
|
5715
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
5227
5716
|
# key in a different Amazon Web Services account.
|
|
5228
5717
|
#
|
|
5229
|
-
# **Required permissions
|
|
5230
|
-
# policy)
|
|
5718
|
+
# **Required permissions**: [kms:GetParametersForImport][3] (key policy)
|
|
5231
5719
|
#
|
|
5232
5720
|
# **Related operations:**
|
|
5233
5721
|
#
|
|
@@ -5242,8 +5730,11 @@ module Aws::KMS
|
|
|
5242
5730
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
5243
5731
|
#
|
|
5244
5732
|
# @option params [required, String] :key_id
|
|
5245
|
-
# The identifier of the
|
|
5246
|
-
#
|
|
5733
|
+
# The identifier of the KMS key that will be associated with the
|
|
5734
|
+
# imported key material. The `Origin` of the KMS key must be `EXTERNAL`.
|
|
5735
|
+
#
|
|
5736
|
+
# All KMS key types are supported, including multi-Region keys. However,
|
|
5737
|
+
# you cannot import key material into a KMS key in a custom key store.
|
|
5247
5738
|
#
|
|
5248
5739
|
# Specify the key ID or key ARN of the KMS key.
|
|
5249
5740
|
#
|
|
@@ -5258,25 +5749,52 @@ module Aws::KMS
|
|
|
5258
5749
|
# DescribeKey.
|
|
5259
5750
|
#
|
|
5260
5751
|
# @option params [required, String] :wrapping_algorithm
|
|
5261
|
-
# The algorithm you will use
|
|
5262
|
-
# the
|
|
5263
|
-
# see [
|
|
5264
|
-
#
|
|
5752
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
|
5753
|
+
# the response to protect your key material during import. For more
|
|
5754
|
+
# information, see [Select a wrapping
|
|
5755
|
+
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
|
5756
|
+
# in the *Key Management Service Developer Guide*.
|
|
5757
|
+
#
|
|
5758
|
+
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
|
5759
|
+
# an AES key that you generate, then encrypt your AES key with the RSA
|
|
5760
|
+
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
|
5761
|
+
# key material directly with the RSA public key from KMS.
|
|
5265
5762
|
#
|
|
5266
|
-
# The
|
|
5267
|
-
# that you
|
|
5268
|
-
#
|
|
5269
|
-
# [cryptographic key management guidance][2] from the National Institute
|
|
5270
|
-
# of Standards and Technology (NIST).
|
|
5763
|
+
# The wrapping algorithms that you can use depend on the type of key
|
|
5764
|
+
# material that you are importing. To import an RSA private key, you
|
|
5765
|
+
# must use an RSA\_AES wrapping algorithm.
|
|
5271
5766
|
#
|
|
5767
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
|
5768
|
+
# ECC key material.
|
|
5272
5769
|
#
|
|
5770
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and ECC
|
|
5771
|
+
# key material.
|
|
5273
5772
|
#
|
|
5274
|
-
#
|
|
5275
|
-
#
|
|
5773
|
+
# * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key material,
|
|
5774
|
+
# except RSA key material (private key).
|
|
5775
|
+
#
|
|
5776
|
+
# You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with the
|
|
5777
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
|
5778
|
+
#
|
|
5779
|
+
# * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
|
|
5780
|
+
# except RSA key material (private key).
|
|
5781
|
+
#
|
|
5782
|
+
# You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
|
|
5783
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
|
5784
|
+
#
|
|
5785
|
+
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for symmetric
|
|
5786
|
+
# encryption key material (and only in legacy mode).
|
|
5276
5787
|
#
|
|
5277
5788
|
# @option params [required, String] :wrapping_key_spec
|
|
5278
|
-
# The type of
|
|
5279
|
-
#
|
|
5789
|
+
# The type of RSA public key to return in the response. You will use
|
|
5790
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
|
5791
|
+
# your key material during import.
|
|
5792
|
+
#
|
|
5793
|
+
# Use the longest RSA wrapping key that is practical.
|
|
5794
|
+
#
|
|
5795
|
+
# You cannot use an RSA\_2048 public key to directly wrap an
|
|
5796
|
+
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
|
5797
|
+
# algorithm or choose a longer RSA public key.
|
|
5280
5798
|
#
|
|
5281
5799
|
# @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
5282
5800
|
#
|
|
@@ -5286,12 +5804,13 @@ module Aws::KMS
|
|
|
5286
5804
|
# * {Types::GetParametersForImportResponse#parameters_valid_to #parameters_valid_to} => Time
|
|
5287
5805
|
#
|
|
5288
5806
|
#
|
|
5289
|
-
# @example Example: To
|
|
5807
|
+
# @example Example: To download the public key and import token for a symmetric encryption KMS key
|
|
5290
5808
|
#
|
|
5291
|
-
# # The following example
|
|
5809
|
+
# # The following example downloads a public key and import token to import symmetric encryption key material. It uses the
|
|
5810
|
+
# # default wrapping key spec and the RSAES_OAEP_SHA_256 wrapping algorithm.
|
|
5292
5811
|
#
|
|
5293
5812
|
# resp = client.get_parameters_for_import({
|
|
5294
|
-
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key
|
|
5813
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
5295
5814
|
# wrapping_algorithm: "RSAES_OAEP_SHA_1", # The algorithm that you will use to encrypt the key material before importing it.
|
|
5296
5815
|
# wrapping_key_spec: "RSA_2048", # The type of wrapping key (public key) to return in the response.
|
|
5297
5816
|
# })
|
|
@@ -5299,8 +5818,67 @@ module Aws::KMS
|
|
|
5299
5818
|
# resp.to_h outputs the following:
|
|
5300
5819
|
# {
|
|
5301
5820
|
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
|
5302
|
-
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key
|
|
5303
|
-
# parameters_valid_to: Time.parse("
|
|
5821
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
|
5822
|
+
# parameters_valid_to: Time.parse("2023-02-01T14:52:17-08:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
|
5823
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
|
5824
|
+
# }
|
|
5825
|
+
#
|
|
5826
|
+
# @example Example: To download the public key and import token for an RSA asymmetric KMS key
|
|
5827
|
+
#
|
|
5828
|
+
# # The following example downloads a public key and import token to import an RSA private key. It uses a required RSA_AES
|
|
5829
|
+
# # wrapping algorithm and the largest supported private key.
|
|
5830
|
+
#
|
|
5831
|
+
# resp = client.get_parameters_for_import({
|
|
5832
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
5833
|
+
# wrapping_algorithm: "RSA_AES_KEY_WRAP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
|
5834
|
+
# wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
|
|
5835
|
+
# })
|
|
5836
|
+
#
|
|
5837
|
+
# resp.to_h outputs the following:
|
|
5838
|
+
# {
|
|
5839
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
|
5840
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
|
5841
|
+
# parameters_valid_to: Time.parse("2023-03-08T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
|
5842
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
|
5843
|
+
# }
|
|
5844
|
+
#
|
|
5845
|
+
# @example Example: To download the public key and import token for an elliptic curve (ECC) asymmetric KMS key
|
|
5846
|
+
#
|
|
5847
|
+
# # The following example downloads a public key and import token to import an ECC_NIST_P521 (secp521r1) private key. You
|
|
5848
|
+
# # cannot directly wrap this ECC key under an RSA_2048 public key, although you can use an RSA_2048 public key with an
|
|
5849
|
+
# # RSA_AES wrapping algorithm to wrap any supported key material. This example requests an RSA_3072 public key for use with
|
|
5850
|
+
# # the RSAES_OAEP_SHA_256.
|
|
5851
|
+
#
|
|
5852
|
+
# resp = client.get_parameters_for_import({
|
|
5853
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
5854
|
+
# wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
|
5855
|
+
# wrapping_key_spec: "RSA_3072", # The type of wrapping key (public key) to return in the response.
|
|
5856
|
+
# })
|
|
5857
|
+
#
|
|
5858
|
+
# resp.to_h outputs the following:
|
|
5859
|
+
# {
|
|
5860
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
|
5861
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
|
5862
|
+
# parameters_valid_to: Time.parse("2023-09-12T03:15:01-20:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
|
5863
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
|
5864
|
+
# }
|
|
5865
|
+
#
|
|
5866
|
+
# @example Example: To download the public key and import token for an HMAC KMS key
|
|
5867
|
+
#
|
|
5868
|
+
# # The following example downloads a public key and import token to import an HMAC key. It uses the RSAES_OAEP_SHA_256
|
|
5869
|
+
# # wrapping algorithm and an RSA_4096 private key.
|
|
5870
|
+
#
|
|
5871
|
+
# resp = client.get_parameters_for_import({
|
|
5872
|
+
# key_id: "2468abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
5873
|
+
# wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
|
5874
|
+
# wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
|
|
5875
|
+
# })
|
|
5876
|
+
#
|
|
5877
|
+
# resp.to_h outputs the following:
|
|
5878
|
+
# {
|
|
5879
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
|
5880
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/2468abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
|
5881
|
+
# parameters_valid_to: Time.parse("2023-04-02T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
|
5304
5882
|
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
|
5305
5883
|
# }
|
|
5306
5884
|
#
|
|
@@ -5308,8 +5886,8 @@ module Aws::KMS
|
|
|
5308
5886
|
#
|
|
5309
5887
|
# resp = client.get_parameters_for_import({
|
|
5310
5888
|
# key_id: "KeyIdType", # required
|
|
5311
|
-
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
|
5312
|
-
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
|
|
5889
|
+
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
|
|
5890
|
+
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
|
|
5313
5891
|
# })
|
|
5314
5892
|
#
|
|
5315
5893
|
# @example Response structure
|
|
@@ -5348,12 +5926,12 @@ module Aws::KMS
|
|
|
5348
5926
|
# returns important information about the public key in the response,
|
|
5349
5927
|
# including:
|
|
5350
5928
|
#
|
|
5351
|
-
# * [KeySpec][2]
|
|
5929
|
+
# * [KeySpec][2]: The type of key material in the public key, such as
|
|
5352
5930
|
# `RSA_4096` or `ECC_NIST_P521`.
|
|
5353
5931
|
#
|
|
5354
|
-
# * [KeyUsage][3]
|
|
5932
|
+
# * [KeyUsage][3]: Whether the key is used for encryption or signing.
|
|
5355
5933
|
#
|
|
5356
|
-
# * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]
|
|
5934
|
+
# * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
|
|
5357
5935
|
# encryption algorithms or the signing algorithms for the key.
|
|
5358
5936
|
#
|
|
5359
5937
|
# Although KMS cannot enforce these restrictions on external operations,
|
|
@@ -5373,13 +5951,13 @@ module Aws::KMS
|
|
|
5373
5951
|
# key state. For details, see [Key states of KMS keys][7] in the *Key
|
|
5374
5952
|
# Management Service Developer Guide*.
|
|
5375
5953
|
#
|
|
5376
|
-
# **Cross-account use
|
|
5954
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
5377
5955
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
5378
5956
|
# alias ARN in the value of the `KeyId` parameter.
|
|
5379
5957
|
#
|
|
5380
|
-
# **Required permissions
|
|
5958
|
+
# **Required permissions**: [kms:GetPublicKey][8] (key policy)
|
|
5381
5959
|
#
|
|
5382
|
-
# **Related operations
|
|
5960
|
+
# **Related operations**: CreateKey
|
|
5383
5961
|
#
|
|
5384
5962
|
#
|
|
5385
5963
|
#
|
|
@@ -5488,66 +6066,112 @@ module Aws::KMS
|
|
|
5488
6066
|
req.send_request(options)
|
|
5489
6067
|
end
|
|
5490
6068
|
|
|
5491
|
-
# Imports key material into an existing
|
|
5492
|
-
#
|
|
5493
|
-
#
|
|
5494
|
-
#
|
|
5495
|
-
# material.
|
|
5496
|
-
#
|
|
5497
|
-
#
|
|
5498
|
-
#
|
|
5499
|
-
#
|
|
5500
|
-
#
|
|
5501
|
-
# *Key Management Service Developer Guide*.
|
|
5502
|
-
#
|
|
5503
|
-
# Before using this operation, call GetParametersForImport. Its response
|
|
5504
|
-
# includes a public key and an import token. Use the public key to
|
|
5505
|
-
# encrypt the key material. Then, submit the import token from the same
|
|
5506
|
-
# `GetParametersForImport` response.
|
|
5507
|
-
#
|
|
5508
|
-
# When calling this operation, you must specify the following values:
|
|
5509
|
-
#
|
|
5510
|
-
# * The key ID or key ARN of a KMS key with no key material. Its
|
|
5511
|
-
# `Origin` must be `EXTERNAL`.
|
|
5512
|
-
#
|
|
5513
|
-
# To create a KMS key with no key material, call CreateKey and set the
|
|
5514
|
-
# value of its `Origin` parameter to `EXTERNAL`. To get the `Origin`
|
|
5515
|
-
# of a KMS key, call DescribeKey.)
|
|
6069
|
+
# Imports or reimports key material into an existing KMS key that was
|
|
6070
|
+
# created without key material. `ImportKeyMaterial` also sets the
|
|
6071
|
+
# expiration model and expiration date of the imported key material.
|
|
6072
|
+
#
|
|
6073
|
+
# By default, KMS keys are created with key material that KMS generates.
|
|
6074
|
+
# This operation supports [Importing key material][1], an advanced
|
|
6075
|
+
# feature that lets you generate and import the cryptographic key
|
|
6076
|
+
# material for a KMS key. For more information about importing key
|
|
6077
|
+
# material into KMS, see [Importing key material][1] in the *Key
|
|
6078
|
+
# Management Service Developer Guide*.
|
|
5516
6079
|
#
|
|
5517
|
-
#
|
|
5518
|
-
#
|
|
6080
|
+
# After you successfully import key material into a KMS key, you can
|
|
6081
|
+
# [reimport the same key material][2] into that KMS key, but you cannot
|
|
6082
|
+
# import different key material. You might reimport key material to
|
|
6083
|
+
# replace key material that expired or key material that you deleted.
|
|
6084
|
+
# You might also reimport key material to change the expiration model or
|
|
6085
|
+
# expiration date of the key material. Before reimporting key material,
|
|
6086
|
+
# if necessary, call DeleteImportedKeyMaterial to delete the current
|
|
6087
|
+
# imported key material.
|
|
6088
|
+
#
|
|
6089
|
+
# Each time you import key material into KMS, you can determine whether
|
|
6090
|
+
# (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
|
|
6091
|
+
# change the expiration of your key material, you must import it again,
|
|
6092
|
+
# either by calling `ImportKeyMaterial` or using the [import
|
|
6093
|
+
# features](kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console)
|
|
6094
|
+
# of the KMS console.
|
|
6095
|
+
#
|
|
6096
|
+
# Before calling `ImportKeyMaterial`:
|
|
6097
|
+
#
|
|
6098
|
+
# * Create or identify a KMS key with no key material. The KMS key must
|
|
6099
|
+
# have an `Origin` value of `EXTERNAL`, which indicates that the KMS
|
|
6100
|
+
# key is designed for imported key material.
|
|
6101
|
+
#
|
|
6102
|
+
# To create an new KMS key for imported key material, call the
|
|
6103
|
+
# CreateKey operation with an `Origin` value of `EXTERNAL`. You can
|
|
6104
|
+
# create a symmetric encryption KMS key, HMAC KMS key, asymmetric
|
|
6105
|
+
# encryption KMS key, or asymmetric signing KMS key. You can also
|
|
6106
|
+
# import key material into a [multi-Region
|
|
6107
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of
|
|
6108
|
+
# any supported type. However, you can't import key material into a
|
|
6109
|
+
# KMS key in a [custom key
|
|
6110
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html).
|
|
6111
|
+
#
|
|
6112
|
+
# * Use the DescribeKey operation to verify that the `KeyState` of the
|
|
6113
|
+
# KMS key is `PendingImport`, which indicates that the KMS key has no
|
|
6114
|
+
# key material.
|
|
6115
|
+
#
|
|
6116
|
+
# If you are reimporting the same key material into an existing KMS
|
|
6117
|
+
# key, you might need to call the DeleteImportedKeyMaterial to delete
|
|
6118
|
+
# its existing key material.
|
|
6119
|
+
#
|
|
6120
|
+
# * Call the GetParametersForImport operation to get a public key and
|
|
6121
|
+
# import token set for importing key material.
|
|
6122
|
+
#
|
|
6123
|
+
# * Use the public key in the GetParametersForImport response to encrypt
|
|
6124
|
+
# your key material.
|
|
6125
|
+
#
|
|
6126
|
+
# Then, in an `ImportKeyMaterial` request, you submit your encrypted key
|
|
6127
|
+
# material and import token. When calling this operation, you must
|
|
6128
|
+
# specify the following values:
|
|
6129
|
+
#
|
|
6130
|
+
# * The key ID or key ARN of the KMS key to associate with the imported
|
|
6131
|
+
# key material. Its `Origin` must be `EXTERNAL` and its `KeyState`
|
|
6132
|
+
# must be `PendingImport`. You cannot perform this operation on a KMS
|
|
6133
|
+
# key in a [custom key
|
|
6134
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html), or
|
|
6135
|
+
# on a KMS key in a different Amazon Web Services account. To get the
|
|
6136
|
+
# `Origin` and `KeyState` of a KMS key, call DescribeKey.
|
|
6137
|
+
#
|
|
6138
|
+
# * The encrypted key material.
|
|
5519
6139
|
#
|
|
5520
6140
|
# * The import token that GetParametersForImport returned. You must use
|
|
5521
6141
|
# a public key and token from the same `GetParametersForImport`
|
|
5522
6142
|
# response.
|
|
5523
6143
|
#
|
|
5524
6144
|
# * Whether the key material expires (`ExpirationModel`) and, if so,
|
|
5525
|
-
# when (`ValidTo`).
|
|
5526
|
-
#
|
|
5527
|
-
#
|
|
5528
|
-
# you
|
|
5529
|
-
#
|
|
5530
|
-
#
|
|
6145
|
+
# when (`ValidTo`). For help with this choice, see [Setting an
|
|
6146
|
+
# expiration time][3] in the *Key Management Service Developer Guide*.
|
|
6147
|
+
#
|
|
6148
|
+
# If you set an expiration date, KMS deletes the key material from the
|
|
6149
|
+
# KMS key on the specified date, making the KMS key unusable. To use
|
|
6150
|
+
# the KMS key in cryptographic operations again, you must reimport the
|
|
6151
|
+
# same key material. However, you can delete and reimport the key
|
|
6152
|
+
# material at any time, including before the key material expires.
|
|
6153
|
+
# Each time you reimport, you can eliminate or reset the expiration
|
|
6154
|
+
# time.
|
|
5531
6155
|
#
|
|
5532
6156
|
# When this operation is successful, the key state of the KMS key
|
|
5533
|
-
# changes from `PendingImport` to `Enabled`, and you can use the KMS
|
|
5534
|
-
#
|
|
6157
|
+
# changes from `PendingImport` to `Enabled`, and you can use the KMS key
|
|
6158
|
+
# in cryptographic operations.
|
|
5535
6159
|
#
|
|
5536
6160
|
# If this operation fails, use the exception to help determine the
|
|
5537
6161
|
# problem. If the error is related to the key material, the import
|
|
5538
6162
|
# token, or wrapping key, use GetParametersForImport to get a new public
|
|
5539
6163
|
# key and import token for the KMS key and repeat the import procedure.
|
|
5540
|
-
# For help, see [How To Import Key Material][
|
|
6164
|
+
# For help, see [How To Import Key Material][4] in the *Key Management
|
|
5541
6165
|
# Service Developer Guide*.
|
|
5542
6166
|
#
|
|
5543
6167
|
# The KMS key that you use for this operation must be in a compatible
|
|
5544
|
-
# key state. For details, see [Key states of KMS keys][
|
|
6168
|
+
# key state. For details, see [Key states of KMS keys][5] in the *Key
|
|
5545
6169
|
# Management Service Developer Guide*.
|
|
5546
6170
|
#
|
|
5547
|
-
# **Cross-account use
|
|
6171
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
5548
6172
|
# key in a different Amazon Web Services account.
|
|
5549
6173
|
#
|
|
5550
|
-
# **Required permissions
|
|
6174
|
+
# **Required permissions**: [kms:ImportKeyMaterial][6] (key policy)
|
|
5551
6175
|
#
|
|
5552
6176
|
# **Related operations:**
|
|
5553
6177
|
#
|
|
@@ -5557,20 +6181,27 @@ module Aws::KMS
|
|
|
5557
6181
|
#
|
|
5558
6182
|
#
|
|
5559
6183
|
#
|
|
5560
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
5561
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
5562
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-
|
|
5563
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
5564
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
|
6184
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
|
6185
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
|
|
6186
|
+
# [3]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
|
6187
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
|
|
6188
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
6189
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
5565
6190
|
#
|
|
5566
6191
|
# @option params [required, String] :key_id
|
|
5567
|
-
# The identifier of the
|
|
6192
|
+
# The identifier of the KMS key that will be associated with the
|
|
5568
6193
|
# imported key material. This must be the same KMS key specified in the
|
|
5569
6194
|
# `KeyID` parameter of the corresponding GetParametersForImport request.
|
|
5570
|
-
# The `Origin` of the KMS key must be `EXTERNAL
|
|
5571
|
-
#
|
|
5572
|
-
#
|
|
5573
|
-
#
|
|
6195
|
+
# The `Origin` of the KMS key must be `EXTERNAL` and its `KeyState` must
|
|
6196
|
+
# be `PendingImport`.
|
|
6197
|
+
#
|
|
6198
|
+
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
|
6199
|
+
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
|
6200
|
+
# including a [multi-Region
|
|
6201
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of any
|
|
6202
|
+
# supported type. You cannot perform this operation on a KMS key in a
|
|
6203
|
+
# custom key store, or on a KMS key in a different Amazon Web Services
|
|
6204
|
+
# account.
|
|
5574
6205
|
#
|
|
5575
6206
|
# Specify the key ID or key ARN of the KMS key.
|
|
5576
6207
|
#
|
|
@@ -5591,7 +6222,7 @@ module Aws::KMS
|
|
|
5591
6222
|
#
|
|
5592
6223
|
# @option params [required, String, StringIO, File] :encrypted_key_material
|
|
5593
6224
|
# The encrypted key material to import. The key material must be
|
|
5594
|
-
# encrypted
|
|
6225
|
+
# encrypted under the public wrapping key that GetParametersForImport
|
|
5595
6226
|
# returned, using the wrapping algorithm that you specified in the same
|
|
5596
6227
|
# `GetParametersForImport` request.
|
|
5597
6228
|
#
|
|
@@ -5615,7 +6246,8 @@ module Aws::KMS
|
|
|
5615
6246
|
#
|
|
5616
6247
|
# @option params [String] :expiration_model
|
|
5617
6248
|
# Specifies whether the key material expires. The default is
|
|
5618
|
-
# `KEY_MATERIAL_EXPIRES`.
|
|
6249
|
+
# `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
|
|
6250
|
+
# expiration time][1] in the *Key Management Service Developer Guide*.
|
|
5619
6251
|
#
|
|
5620
6252
|
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
|
5621
6253
|
# must specify a value for the `ValidTo` parameter. When value is
|
|
@@ -5623,8 +6255,11 @@ module Aws::KMS
|
|
|
5623
6255
|
#
|
|
5624
6256
|
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
|
5625
6257
|
# current import after the request completes. To change either value,
|
|
5626
|
-
# you must
|
|
5627
|
-
#
|
|
6258
|
+
# you must reimport the key material.
|
|
6259
|
+
#
|
|
6260
|
+
#
|
|
6261
|
+
#
|
|
6262
|
+
# [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
|
5628
6263
|
#
|
|
5629
6264
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
|
5630
6265
|
#
|
|
@@ -5640,6 +6275,19 @@ module Aws::KMS
|
|
|
5640
6275
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
5641
6276
|
# })
|
|
5642
6277
|
#
|
|
6278
|
+
# @example Example: To import key material into a KMS key
|
|
6279
|
+
#
|
|
6280
|
+
# # The following example imports key material that expires in 3 days. It might be part of an application that frequently
|
|
6281
|
+
# # reimports the same key material to comply with business rules or regulations.
|
|
6282
|
+
#
|
|
6283
|
+
# resp = client.import_key_material({
|
|
6284
|
+
# encrypted_key_material: "<binary data>", # The encrypted key material to import.
|
|
6285
|
+
# expiration_model: "KEY_MATERIAL_EXPIRES", # A value that specifies whether the key material expires.
|
|
6286
|
+
# import_token: "<binary data>", # The import token that you received in the response to a previous GetParametersForImport request.
|
|
6287
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
|
6288
|
+
# valid_to: Time.parse("2023-09-30T00:00:00-00:00"), # Specifies the date and time when the imported key material expires.
|
|
6289
|
+
# })
|
|
6290
|
+
#
|
|
5643
6291
|
# @example Request syntax with placeholder values
|
|
5644
6292
|
#
|
|
5645
6293
|
# resp = client.import_key_material({
|
|
@@ -5679,10 +6327,10 @@ module Aws::KMS
|
|
|
5679
6327
|
# Web Services creates in your account, including predefined aliases, do
|
|
5680
6328
|
# not count against your [KMS aliases quota][1].
|
|
5681
6329
|
#
|
|
5682
|
-
# **Cross-account use
|
|
6330
|
+
# **Cross-account use**: No. `ListAliases` does not return aliases in
|
|
5683
6331
|
# other Amazon Web Services accounts.
|
|
5684
6332
|
#
|
|
5685
|
-
# **Required permissions
|
|
6333
|
+
# **Required permissions**: [kms:ListAliases][2] (IAM policy)
|
|
5686
6334
|
#
|
|
5687
6335
|
# For details, see [Controlling access to aliases][3] in the *Key
|
|
5688
6336
|
# Management Service Developer Guide*.
|
|
@@ -5843,11 +6491,11 @@ module Aws::KMS
|
|
|
5843
6491
|
#
|
|
5844
6492
|
# </note>
|
|
5845
6493
|
#
|
|
5846
|
-
# **Cross-account use
|
|
6494
|
+
# **Cross-account use**: Yes. To perform this operation on a KMS key in
|
|
5847
6495
|
# a different Amazon Web Services account, specify the key ARN in the
|
|
5848
6496
|
# value of the `KeyId` parameter.
|
|
5849
6497
|
#
|
|
5850
|
-
# **Required permissions
|
|
6498
|
+
# **Required permissions**: [kms:ListGrants][4] (key policy)
|
|
5851
6499
|
#
|
|
5852
6500
|
# **Related operations:**
|
|
5853
6501
|
#
|
|
@@ -6022,10 +6670,10 @@ module Aws::KMS
|
|
|
6022
6670
|
# GetKeyPolicy operation. However, the only valid policy name is
|
|
6023
6671
|
# `default`.
|
|
6024
6672
|
#
|
|
6025
|
-
# **Cross-account use
|
|
6673
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
6026
6674
|
# key in a different Amazon Web Services account.
|
|
6027
6675
|
#
|
|
6028
|
-
# **Required permissions
|
|
6676
|
+
# **Required permissions**: [kms:ListKeyPolicies][1] (key policy)
|
|
6029
6677
|
#
|
|
6030
6678
|
# **Related operations:**
|
|
6031
6679
|
#
|
|
@@ -6120,10 +6768,10 @@ module Aws::KMS
|
|
|
6120
6768
|
# Gets a list of all KMS keys in the caller's Amazon Web Services
|
|
6121
6769
|
# account and Region.
|
|
6122
6770
|
#
|
|
6123
|
-
# **Cross-account use
|
|
6771
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
6124
6772
|
# key in a different Amazon Web Services account.
|
|
6125
6773
|
#
|
|
6126
|
-
# **Required permissions
|
|
6774
|
+
# **Required permissions**: [kms:ListKeys][1] (IAM policy)
|
|
6127
6775
|
#
|
|
6128
6776
|
# **Related operations:**
|
|
6129
6777
|
#
|
|
@@ -6235,10 +6883,10 @@ module Aws::KMS
|
|
|
6235
6883
|
# Services General Reference*. For information about using tags in KMS,
|
|
6236
6884
|
# see [Tagging keys][2].
|
|
6237
6885
|
#
|
|
6238
|
-
# **Cross-account use
|
|
6886
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
6239
6887
|
# key in a different Amazon Web Services account.
|
|
6240
6888
|
#
|
|
6241
|
-
# **Required permissions
|
|
6889
|
+
# **Required permissions**: [kms:ListResourceTags][3] (key policy)
|
|
6242
6890
|
#
|
|
6243
6891
|
# **Related operations:**
|
|
6244
6892
|
#
|
|
@@ -6362,14 +7010,14 @@ module Aws::KMS
|
|
|
6362
7010
|
# Guide</i> </i>. For examples of working with grants in several
|
|
6363
7011
|
# programming languages, see [Programming grants][2].
|
|
6364
7012
|
#
|
|
6365
|
-
# **Cross-account use
|
|
6366
|
-
#
|
|
7013
|
+
# **Cross-account use**: You must specify a principal in your Amazon Web
|
|
7014
|
+
# Services account. However, this operation can return grants in any
|
|
6367
7015
|
# Amazon Web Services account. You do not need `kms:ListRetirableGrants`
|
|
6368
7016
|
# permission (or any other additional permission) in any Amazon Web
|
|
6369
7017
|
# Services account other than your own.
|
|
6370
7018
|
#
|
|
6371
|
-
# **Required permissions
|
|
6372
|
-
#
|
|
7019
|
+
# **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
|
|
7020
|
+
# your Amazon Web Services account.
|
|
6373
7021
|
#
|
|
6374
7022
|
# **Related operations:**
|
|
6375
7023
|
#
|
|
@@ -6498,12 +7146,12 @@ module Aws::KMS
|
|
|
6498
7146
|
# programming languages, see [Setting a key policy][3] in the *Key
|
|
6499
7147
|
# Management Service Developer Guide*.
|
|
6500
7148
|
#
|
|
6501
|
-
# **Cross-account use
|
|
7149
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
6502
7150
|
# key in a different Amazon Web Services account.
|
|
6503
7151
|
#
|
|
6504
|
-
# **Required permissions
|
|
7152
|
+
# **Required permissions**: [kms:PutKeyPolicy][4] (key policy)
|
|
6505
7153
|
#
|
|
6506
|
-
# **Related operations
|
|
7154
|
+
# **Related operations**: GetKeyPolicy
|
|
6507
7155
|
#
|
|
6508
7156
|
#
|
|
6509
7157
|
#
|
|
@@ -6686,12 +7334,12 @@ module Aws::KMS
|
|
|
6686
7334
|
# key state. For details, see [Key states of KMS keys][6] in the *Key
|
|
6687
7335
|
# Management Service Developer Guide*.
|
|
6688
7336
|
#
|
|
6689
|
-
# **Cross-account use
|
|
6690
|
-
#
|
|
6691
|
-
#
|
|
6692
|
-
#
|
|
7337
|
+
# **Cross-account use**: Yes. The source KMS key and destination KMS key
|
|
7338
|
+
# can be in different Amazon Web Services accounts. Either or both KMS
|
|
7339
|
+
# keys can be in a different account than the caller. To specify a KMS
|
|
7340
|
+
# key in a different account, you must use its key ARN or alias ARN.
|
|
6693
7341
|
#
|
|
6694
|
-
# **Required permissions
|
|
7342
|
+
# **Required permissions**:
|
|
6695
7343
|
#
|
|
6696
7344
|
# * [kms:ReEncryptFrom][7] permission on the source KMS key (key policy)
|
|
6697
7345
|
#
|
|
@@ -6812,6 +7460,10 @@ module Aws::KMS
|
|
|
6812
7460
|
# Specifies that encryption context to use when the reencrypting the
|
|
6813
7461
|
# data.
|
|
6814
7462
|
#
|
|
7463
|
+
# Do not include confidential or sensitive information in this field.
|
|
7464
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
7465
|
+
# output.
|
|
7466
|
+
#
|
|
6815
7467
|
# A destination encryption context is valid only when the destination
|
|
6816
7468
|
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
|
6817
7469
|
# format for asymmetric KMS keys does not include fields for metadata.
|
|
@@ -6865,6 +7517,17 @@ module Aws::KMS
|
|
|
6865
7517
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
6866
7518
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
6867
7519
|
#
|
|
7520
|
+
# @option params [Boolean] :dry_run
|
|
7521
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
7522
|
+
# parameter.
|
|
7523
|
+
#
|
|
7524
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
7525
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
7526
|
+
#
|
|
7527
|
+
#
|
|
7528
|
+
#
|
|
7529
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
7530
|
+
#
|
|
6868
7531
|
# @return [Types::ReEncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
6869
7532
|
#
|
|
6870
7533
|
# * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
|
|
@@ -6905,6 +7568,7 @@ module Aws::KMS
|
|
|
6905
7568
|
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
6906
7569
|
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, SM2PKE
|
|
6907
7570
|
# grant_tokens: ["GrantTokenType"],
|
|
7571
|
+
# dry_run: false,
|
|
6908
7572
|
# })
|
|
6909
7573
|
#
|
|
6910
7574
|
# @example Response structure
|
|
@@ -6992,10 +7656,10 @@ module Aws::KMS
|
|
|
6992
7656
|
#
|
|
6993
7657
|
# </note>
|
|
6994
7658
|
#
|
|
6995
|
-
# **Cross-account use
|
|
7659
|
+
# **Cross-account use**: No. You cannot use this operation to create a
|
|
6996
7660
|
# replica key in a different Amazon Web Services account.
|
|
6997
7661
|
#
|
|
6998
|
-
# **Required permissions
|
|
7662
|
+
# **Required permissions**:
|
|
6999
7663
|
#
|
|
7000
7664
|
# * `kms:ReplicateKey` on the primary key (in the primary key's
|
|
7001
7665
|
# Region). Include this permission in the primary key's key policy.
|
|
@@ -7153,6 +7817,10 @@ module Aws::KMS
|
|
|
7153
7817
|
# A description of the KMS key. The default value is an empty string (no
|
|
7154
7818
|
# description).
|
|
7155
7819
|
#
|
|
7820
|
+
# Do not include confidential or sensitive information in this field.
|
|
7821
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
7822
|
+
# output.
|
|
7823
|
+
#
|
|
7156
7824
|
# The description is not a shared property of multi-Region keys. You can
|
|
7157
7825
|
# specify the same description or a different description for each key
|
|
7158
7826
|
# in a set of related multi-Region keys. KMS does not synchronize this
|
|
@@ -7163,6 +7831,10 @@ module Aws::KMS
|
|
|
7163
7831
|
# the KMS key when it is created. To tag an existing KMS key, use the
|
|
7164
7832
|
# TagResource operation.
|
|
7165
7833
|
#
|
|
7834
|
+
# Do not include confidential or sensitive information in this field.
|
|
7835
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
7836
|
+
# output.
|
|
7837
|
+
#
|
|
7166
7838
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the KMS
|
|
7167
7839
|
# key. For details, see [ABAC for KMS][1] in the *Key Management Service
|
|
7168
7840
|
# Developer Guide*.
|
|
@@ -7327,10 +7999,10 @@ module Aws::KMS
|
|
|
7327
7999
|
# Guide</i> </i>. For examples of working with grants in several
|
|
7328
8000
|
# programming languages, see [Programming grants][4].
|
|
7329
8001
|
#
|
|
7330
|
-
# **Cross-account use
|
|
8002
|
+
# **Cross-account use**: Yes. You can retire a grant on a KMS key in a
|
|
7331
8003
|
# different Amazon Web Services account.
|
|
7332
8004
|
#
|
|
7333
|
-
# **Required permissions
|
|
8005
|
+
# **Required permissions:**:Permission to retire a grant is determined
|
|
7334
8006
|
# primarily by the grant. For details, see [Retiring and revoking
|
|
7335
8007
|
# grants][2] in the *Key Management Service Developer Guide*.
|
|
7336
8008
|
#
|
|
@@ -7380,6 +8052,17 @@ module Aws::KMS
|
|
|
7380
8052
|
#
|
|
7381
8053
|
# ^
|
|
7382
8054
|
#
|
|
8055
|
+
# @option params [Boolean] :dry_run
|
|
8056
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
8057
|
+
# parameter.
|
|
8058
|
+
#
|
|
8059
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
8060
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
8061
|
+
#
|
|
8062
|
+
#
|
|
8063
|
+
#
|
|
8064
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
8065
|
+
#
|
|
7383
8066
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
|
7384
8067
|
#
|
|
7385
8068
|
#
|
|
@@ -7398,6 +8081,7 @@ module Aws::KMS
|
|
|
7398
8081
|
# grant_token: "GrantTokenType",
|
|
7399
8082
|
# key_id: "KeyIdType",
|
|
7400
8083
|
# grant_id: "GrantIdType",
|
|
8084
|
+
# dry_run: false,
|
|
7401
8085
|
# })
|
|
7402
8086
|
#
|
|
7403
8087
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant AWS API Documentation
|
|
@@ -7425,11 +8109,11 @@ module Aws::KMS
|
|
|
7425
8109
|
# Guide</i> </i>. For examples of working with grants in several
|
|
7426
8110
|
# programming languages, see [Programming grants][4].
|
|
7427
8111
|
#
|
|
7428
|
-
# **Cross-account use
|
|
8112
|
+
# **Cross-account use**: Yes. To perform this operation on a KMS key in
|
|
7429
8113
|
# a different Amazon Web Services account, specify the key ARN in the
|
|
7430
8114
|
# value of the `KeyId` parameter.
|
|
7431
8115
|
#
|
|
7432
|
-
# **Required permissions
|
|
8116
|
+
# **Required permissions**: [kms:RevokeGrant][5] (key policy).
|
|
7433
8117
|
#
|
|
7434
8118
|
# **Related operations:**
|
|
7435
8119
|
#
|
|
@@ -7470,6 +8154,17 @@ module Aws::KMS
|
|
|
7470
8154
|
# Identifies the grant to revoke. To get the grant ID, use CreateGrant,
|
|
7471
8155
|
# ListGrants, or ListRetirableGrants.
|
|
7472
8156
|
#
|
|
8157
|
+
# @option params [Boolean] :dry_run
|
|
8158
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
8159
|
+
# parameter.
|
|
8160
|
+
#
|
|
8161
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
8162
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
8163
|
+
#
|
|
8164
|
+
#
|
|
8165
|
+
#
|
|
8166
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
8167
|
+
#
|
|
7473
8168
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
|
7474
8169
|
#
|
|
7475
8170
|
#
|
|
@@ -7487,6 +8182,7 @@ module Aws::KMS
|
|
|
7487
8182
|
# resp = client.revoke_grant({
|
|
7488
8183
|
# key_id: "KeyIdType", # required
|
|
7489
8184
|
# grant_id: "GrantIdType", # required
|
|
8185
|
+
# dry_run: false,
|
|
7490
8186
|
# })
|
|
7491
8187
|
#
|
|
7492
8188
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant AWS API Documentation
|
|
@@ -7512,8 +8208,11 @@ module Aws::KMS
|
|
|
7512
8208
|
# Deleting a KMS key is a destructive and potentially dangerous
|
|
7513
8209
|
# operation. When a KMS key is deleted, all data that was encrypted
|
|
7514
8210
|
# under the KMS key is unrecoverable. (The only exception is a
|
|
7515
|
-
# multi-Region replica
|
|
7516
|
-
#
|
|
8211
|
+
# [multi-Region replica
|
|
8212
|
+
# key](kms/latest/developerguide/multi-region-keys-delete.html), or an
|
|
8213
|
+
# [asymmetric or HMAC KMS key with imported key
|
|
8214
|
+
# material](kms/latest/developerguide/importing-keys-managing.html#import-delete-key).)
|
|
8215
|
+
# To prevent the use of a KMS key without deleting it, use DisableKey.
|
|
7517
8216
|
#
|
|
7518
8217
|
# You can schedule the deletion of a multi-Region primary key and its
|
|
7519
8218
|
# replica keys at any time. However, KMS will not delete a multi-Region
|
|
@@ -7546,10 +8245,10 @@ module Aws::KMS
|
|
|
7546
8245
|
# key state. For details, see [Key states of KMS keys][6] in the *Key
|
|
7547
8246
|
# Management Service Developer Guide*.
|
|
7548
8247
|
#
|
|
7549
|
-
# **Cross-account use
|
|
8248
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
7550
8249
|
# key in a different Amazon Web Services account.
|
|
7551
8250
|
#
|
|
7552
|
-
# **Required permissions
|
|
8251
|
+
# **Required permissions**: kms:ScheduleKeyDeletion (key policy)
|
|
7553
8252
|
#
|
|
7554
8253
|
# **Related operations**
|
|
7555
8254
|
#
|
|
@@ -7591,6 +8290,13 @@ module Aws::KMS
|
|
|
7591
8290
|
#
|
|
7592
8291
|
# This value is optional. If you include a value, it must be between 7
|
|
7593
8292
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
|
8293
|
+
# You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
|
|
8294
|
+
# condition key to further constrain the values that principals can
|
|
8295
|
+
# specify in the `PendingWindowInDays` parameter.
|
|
8296
|
+
#
|
|
8297
|
+
#
|
|
8298
|
+
#
|
|
8299
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
|
|
7594
8300
|
#
|
|
7595
8301
|
# @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
7596
8302
|
#
|
|
@@ -7689,13 +8395,13 @@ module Aws::KMS
|
|
|
7689
8395
|
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
7690
8396
|
# Management Service Developer Guide*.
|
|
7691
8397
|
#
|
|
7692
|
-
# **Cross-account use
|
|
8398
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
7693
8399
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
7694
8400
|
# alias ARN in the value of the `KeyId` parameter.
|
|
7695
8401
|
#
|
|
7696
|
-
# **Required permissions
|
|
8402
|
+
# **Required permissions**: [kms:Sign][4] (key policy)
|
|
7697
8403
|
#
|
|
7698
|
-
# **Related operations
|
|
8404
|
+
# **Related operations**: Verify
|
|
7699
8405
|
#
|
|
7700
8406
|
#
|
|
7701
8407
|
#
|
|
@@ -7799,6 +8505,17 @@ module Aws::KMS
|
|
|
7799
8505
|
# RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1\_5
|
|
7800
8506
|
# algorithms for compatibility with existing applications.
|
|
7801
8507
|
#
|
|
8508
|
+
# @option params [Boolean] :dry_run
|
|
8509
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
8510
|
+
# parameter.
|
|
8511
|
+
#
|
|
8512
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
8513
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
8514
|
+
#
|
|
8515
|
+
#
|
|
8516
|
+
#
|
|
8517
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
8518
|
+
#
|
|
7802
8519
|
# @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
7803
8520
|
#
|
|
7804
8521
|
# * {Types::SignResponse#key_id #key_id} => String
|
|
@@ -7853,6 +8570,7 @@ module Aws::KMS
|
|
|
7853
8570
|
# message_type: "RAW", # accepts RAW, DIGEST
|
|
7854
8571
|
# grant_tokens: ["GrantTokenType"],
|
|
7855
8572
|
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
8573
|
+
# dry_run: false,
|
|
7856
8574
|
# })
|
|
7857
8575
|
#
|
|
7858
8576
|
# @example Response structure
|
|
@@ -7899,10 +8617,10 @@ module Aws::KMS
|
|
|
7899
8617
|
# key state. For details, see [Key states of KMS keys][9] in the *Key
|
|
7900
8618
|
# Management Service Developer Guide*.
|
|
7901
8619
|
#
|
|
7902
|
-
# **Cross-account use
|
|
8620
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
7903
8621
|
# key in a different Amazon Web Services account.
|
|
7904
8622
|
#
|
|
7905
|
-
# **Required permissions
|
|
8623
|
+
# **Required permissions**: [kms:TagResource][10] (key policy)
|
|
7906
8624
|
#
|
|
7907
8625
|
# **Related operations**
|
|
7908
8626
|
#
|
|
@@ -7943,10 +8661,12 @@ module Aws::KMS
|
|
|
7943
8661
|
# DescribeKey.
|
|
7944
8662
|
#
|
|
7945
8663
|
# @option params [required, Array<Types::Tag>] :tags
|
|
7946
|
-
# One or more tags.
|
|
8664
|
+
# One or more tags. Each tag consists of a tag key and a tag value. The
|
|
8665
|
+
# tag value can be an empty (null) string.
|
|
7947
8666
|
#
|
|
7948
|
-
#
|
|
7949
|
-
#
|
|
8667
|
+
# Do not include confidential or sensitive information in this field.
|
|
8668
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
8669
|
+
# output.
|
|
7950
8670
|
#
|
|
7951
8671
|
# You cannot have more than one tag on a KMS key with the same tag key.
|
|
7952
8672
|
# If you specify an existing tag key with a different tag value, KMS
|
|
@@ -8013,10 +8733,10 @@ module Aws::KMS
|
|
|
8013
8733
|
# key state. For details, see [Key states of KMS keys][5] in the *Key
|
|
8014
8734
|
# Management Service Developer Guide*.
|
|
8015
8735
|
#
|
|
8016
|
-
# **Cross-account use
|
|
8736
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
8017
8737
|
# key in a different Amazon Web Services account.
|
|
8018
8738
|
#
|
|
8019
|
-
# **Required permissions
|
|
8739
|
+
# **Required permissions**: [kms:UntagResource][6] (key policy)
|
|
8020
8740
|
#
|
|
8021
8741
|
# **Related operations**
|
|
8022
8742
|
#
|
|
@@ -8117,7 +8837,7 @@ module Aws::KMS
|
|
|
8117
8837
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
|
8118
8838
|
# Management Service Developer Guide*.
|
|
8119
8839
|
#
|
|
8120
|
-
# **Cross-account use
|
|
8840
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
8121
8841
|
# key in a different Amazon Web Services account.
|
|
8122
8842
|
#
|
|
8123
8843
|
# **Required permissions**
|
|
@@ -8152,6 +8872,10 @@ module Aws::KMS
|
|
|
8152
8872
|
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the alias
|
|
8153
8873
|
# name.
|
|
8154
8874
|
#
|
|
8875
|
+
# Do not include confidential or sensitive information in this field.
|
|
8876
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
8877
|
+
# output.
|
|
8878
|
+
#
|
|
8155
8879
|
# @option params [required, String] :target_key_id
|
|
8156
8880
|
# Identifies the [customer managed key][1] to associate with the alias.
|
|
8157
8881
|
# You don't have permission to associate an alias with an [Amazon Web
|
|
@@ -8289,10 +9013,10 @@ module Aws::KMS
|
|
|
8289
9013
|
# If the operation succeeds, it returns a JSON object with no
|
|
8290
9014
|
# properties.
|
|
8291
9015
|
#
|
|
8292
|
-
# **Cross-account use
|
|
9016
|
+
# **Cross-account use**: No. You cannot perform this operation on a
|
|
8293
9017
|
# custom key store in a different Amazon Web Services account.
|
|
8294
9018
|
#
|
|
8295
|
-
# **Required permissions
|
|
9019
|
+
# **Required permissions**: [kms:UpdateCustomKeyStore][2] (IAM policy)
|
|
8296
9020
|
#
|
|
8297
9021
|
# **Related operations:**
|
|
8298
9022
|
#
|
|
@@ -8321,6 +9045,10 @@ module Aws::KMS
|
|
|
8321
9045
|
# you specify. The custom key store name must be unique in the Amazon
|
|
8322
9046
|
# Web Services account.
|
|
8323
9047
|
#
|
|
9048
|
+
# Do not include confidential or sensitive information in this field.
|
|
9049
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
9050
|
+
# output.
|
|
9051
|
+
#
|
|
8324
9052
|
# To change this value, an CloudHSM key store must be disconnected. An
|
|
8325
9053
|
# external key store can be connected or disconnected.
|
|
8326
9054
|
#
|
|
@@ -8474,7 +9202,7 @@ module Aws::KMS
|
|
|
8474
9202
|
# # worked, use the DescribeCustomKeyStores operation.
|
|
8475
9203
|
#
|
|
8476
9204
|
# resp = client.update_custom_key_store({
|
|
8477
|
-
# cloud_hsm_cluster_id: "cluster-
|
|
9205
|
+
# cloud_hsm_cluster_id: "cluster-234abcdefABC", # The ID of the AWS CloudHSM cluster that you want to associate with the custom key store. This cluster must be related to the original CloudHSM cluster for this key store.
|
|
8478
9206
|
# custom_key_store_id: "cks-1234567890abcdef0", # The ID of the custom key store that you are updating.
|
|
8479
9207
|
# })
|
|
8480
9208
|
#
|
|
@@ -8565,10 +9293,10 @@ module Aws::KMS
|
|
|
8565
9293
|
# key state. For details, see [Key states of KMS keys][1] in the *Key
|
|
8566
9294
|
# Management Service Developer Guide*.
|
|
8567
9295
|
#
|
|
8568
|
-
# **Cross-account use
|
|
9296
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
|
8569
9297
|
# key in a different Amazon Web Services account.
|
|
8570
9298
|
#
|
|
8571
|
-
# **Required permissions
|
|
9299
|
+
# **Required permissions**: [kms:UpdateKeyDescription][2] (key policy)
|
|
8572
9300
|
#
|
|
8573
9301
|
# **Related operations**
|
|
8574
9302
|
#
|
|
@@ -8599,6 +9327,10 @@ module Aws::KMS
|
|
|
8599
9327
|
# @option params [required, String] :description
|
|
8600
9328
|
# New description for the KMS key.
|
|
8601
9329
|
#
|
|
9330
|
+
# Do not include confidential or sensitive information in this field.
|
|
9331
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
|
9332
|
+
# output.
|
|
9333
|
+
#
|
|
8602
9334
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
|
8603
9335
|
#
|
|
8604
9336
|
#
|
|
@@ -8681,10 +9413,10 @@ module Aws::KMS
|
|
|
8681
9413
|
# This operation does not return any output. To verify that primary key
|
|
8682
9414
|
# is changed, use the DescribeKey operation.
|
|
8683
9415
|
#
|
|
8684
|
-
# **Cross-account use
|
|
9416
|
+
# **Cross-account use**: No. You cannot use this operation in a
|
|
8685
9417
|
# different Amazon Web Services account.
|
|
8686
9418
|
#
|
|
8687
|
-
# **Required permissions
|
|
9419
|
+
# **Required permissions**:
|
|
8688
9420
|
#
|
|
8689
9421
|
# * `kms:UpdatePrimaryRegion` on the current primary key (in the primary
|
|
8690
9422
|
# key's Region). Include this permission primary key's key policy.
|
|
@@ -8810,13 +9542,13 @@ module Aws::KMS
|
|
|
8810
9542
|
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
8811
9543
|
# Management Service Developer Guide*.
|
|
8812
9544
|
#
|
|
8813
|
-
# **Cross-account use
|
|
9545
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
8814
9546
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
8815
9547
|
# alias ARN in the value of the `KeyId` parameter.
|
|
8816
9548
|
#
|
|
8817
|
-
# **Required permissions
|
|
9549
|
+
# **Required permissions**: [kms:Verify][4] (key policy)
|
|
8818
9550
|
#
|
|
8819
|
-
# **Related operations
|
|
9551
|
+
# **Related operations**: Sign
|
|
8820
9552
|
#
|
|
8821
9553
|
#
|
|
8822
9554
|
#
|
|
@@ -8921,6 +9653,17 @@ module Aws::KMS
|
|
|
8921
9653
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
8922
9654
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
8923
9655
|
#
|
|
9656
|
+
# @option params [Boolean] :dry_run
|
|
9657
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
9658
|
+
# parameter.
|
|
9659
|
+
#
|
|
9660
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
9661
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
9662
|
+
#
|
|
9663
|
+
#
|
|
9664
|
+
#
|
|
9665
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
9666
|
+
#
|
|
8924
9667
|
# @return [Types::VerifyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
8925
9668
|
#
|
|
8926
9669
|
# * {Types::VerifyResponse#key_id #key_id} => String
|
|
@@ -8978,6 +9721,7 @@ module Aws::KMS
|
|
|
8978
9721
|
# signature: "data", # required
|
|
8979
9722
|
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA
|
|
8980
9723
|
# grant_tokens: ["GrantTokenType"],
|
|
9724
|
+
# dry_run: false,
|
|
8981
9725
|
# })
|
|
8982
9726
|
#
|
|
8983
9727
|
# @example Response structure
|
|
@@ -9015,13 +9759,13 @@ module Aws::KMS
|
|
|
9015
9759
|
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
9016
9760
|
# Management Service Developer Guide*.
|
|
9017
9761
|
#
|
|
9018
|
-
# **Cross-account use
|
|
9762
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
9019
9763
|
# in a different Amazon Web Services account, specify the key ARN or
|
|
9020
9764
|
# alias ARN in the value of the `KeyId` parameter.
|
|
9021
9765
|
#
|
|
9022
|
-
# **Required permissions
|
|
9766
|
+
# **Required permissions**: [kms:VerifyMac][4] (key policy)
|
|
9023
9767
|
#
|
|
9024
|
-
# **Related operations
|
|
9768
|
+
# **Related operations**: GenerateMac
|
|
9025
9769
|
#
|
|
9026
9770
|
#
|
|
9027
9771
|
#
|
|
@@ -9068,6 +9812,17 @@ module Aws::KMS
|
|
|
9068
9812
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
9069
9813
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
9070
9814
|
#
|
|
9815
|
+
# @option params [Boolean] :dry_run
|
|
9816
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
9817
|
+
# parameter.
|
|
9818
|
+
#
|
|
9819
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
9820
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
9821
|
+
#
|
|
9822
|
+
#
|
|
9823
|
+
#
|
|
9824
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
9825
|
+
#
|
|
9071
9826
|
# @return [Types::VerifyMacResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
9072
9827
|
#
|
|
9073
9828
|
# * {Types::VerifyMacResponse#key_id #key_id} => String
|
|
@@ -9102,6 +9857,7 @@ module Aws::KMS
|
|
|
9102
9857
|
# mac_algorithm: "HMAC_SHA_224", # required, accepts HMAC_SHA_224, HMAC_SHA_256, HMAC_SHA_384, HMAC_SHA_512
|
|
9103
9858
|
# mac: "data", # required
|
|
9104
9859
|
# grant_tokens: ["GrantTokenType"],
|
|
9860
|
+
# dry_run: false,
|
|
9105
9861
|
# })
|
|
9106
9862
|
#
|
|
9107
9863
|
# @example Response structure
|
|
@@ -9132,7 +9888,7 @@ module Aws::KMS
|
|
|
9132
9888
|
params: params,
|
|
9133
9889
|
config: config)
|
|
9134
9890
|
context[:gem_name] = 'aws-sdk-kms'
|
|
9135
|
-
context[:gem_version] = '1.
|
|
9891
|
+
context[:gem_version] = '1.72.0'
|
|
9136
9892
|
Seahorse::Client::Request.new(handlers, context)
|
|
9137
9893
|
end
|
|
9138
9894
|
|