aws-sdk-kms 1.63.0 → 1.72.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +45 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +1098 -342
- data/lib/aws-sdk-kms/client_api.rb +47 -0
- data/lib/aws-sdk-kms/endpoints.rb +1 -0
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/types.rb +621 -70
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +4 -4
data/lib/aws-sdk-kms/types.rb
@@ -264,6 +264,10 @@ module Aws::KMS
|
|
264
264
|
# Specifies the alias name. This value must begin with `alias/`
|
265
265
|
# followed by a name, such as `alias/ExampleAlias`.
|
266
266
|
#
|
267
|
+
# Do not include confidential or sensitive information in this field.
|
268
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
269
|
+
# other output.
|
270
|
+
#
|
267
271
|
# The `AliasName` value must be string of 1-256 characters. It can
|
268
272
|
# contain only alphanumeric characters, forward slashes (/),
|
269
273
|
# underscores (\_), and dashes (-). The alias name cannot begin with
|
@@ -317,6 +321,10 @@ module Aws::KMS
|
|
317
321
|
# Specifies a friendly name for the custom key store. The name must be
|
318
322
|
# unique in your Amazon Web Services account and Region. This
|
319
323
|
# parameter is required for all custom key stores.
|
324
|
+
#
|
325
|
+
# Do not include confidential or sensitive information in this field.
|
326
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
327
|
+
# other output.
|
320
328
|
# @return [String]
|
321
329
|
#
|
322
330
|
# @!attribute [rw] cloud_hsm_cluster_id
|
@@ -620,23 +628,19 @@ module Aws::KMS
|
|
620
628
|
# @!attribute [rw] constraints
|
621
629
|
# Specifies a grant constraint.
|
622
630
|
#
|
623
|
-
#
|
624
|
-
#
|
625
|
-
#
|
626
|
-
# value in each constraint cannot exceed 384 characters. For
|
627
|
-
# information about grant constraints, see [Using grant
|
628
|
-
# constraints][1] in the *Key Management Service Developer Guide*. For
|
629
|
-
# more information about encryption context, see [Encryption
|
630
|
-
# context][2] in the <i> <i>Key Management Service Developer Guide</i>
|
631
|
-
# </i>.
|
631
|
+
# Do not include confidential or sensitive information in this field.
|
632
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
633
|
+
# other output.
|
632
634
|
#
|
633
|
-
#
|
634
|
-
#
|
635
|
-
#
|
636
|
-
#
|
635
|
+
# KMS supports the `EncryptionContextEquals` and
|
636
|
+
# `EncryptionContextSubset` grant constraints, which allow the
|
637
|
+
# permissions in the grant only when the encryption context in the
|
638
|
+
# request matches (`EncryptionContextEquals`) or includes
|
639
|
+
# (`EncryptionContextSubset`) the encryption context specified in the
|
640
|
+
# constraint.
|
637
641
|
#
|
638
642
|
# The encryption context grant constraints are supported only on
|
639
|
-
# [grant operations][
|
643
|
+
# [grant operations][1] that include an `EncryptionContext` parameter,
|
640
644
|
# such as cryptographic operations on symmetric encryption KMS keys.
|
641
645
|
# Grants with grant constraints can include the DescribeKey and
|
642
646
|
# RetireGrant operations, but the constraint doesn't apply to these
|
@@ -647,15 +651,21 @@ module Aws::KMS
|
|
647
651
|
#
|
648
652
|
# You cannot use an encryption context grant constraint for
|
649
653
|
# cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
|
650
|
-
#
|
651
|
-
#
|
654
|
+
# Operations with these keys don't support an encryption context.
|
652
655
|
#
|
656
|
+
# Each constraint value can include up to 8 encryption context pairs.
|
657
|
+
# The encryption context value in each constraint cannot exceed 384
|
658
|
+
# characters. For information about grant constraints, see [Using
|
659
|
+
# grant constraints][2] in the *Key Management Service Developer
|
660
|
+
# Guide*. For more information about encryption context, see
|
661
|
+
# [Encryption context][3] in the <i> <i>Key Management Service
|
662
|
+
# Developer Guide</i> </i>.
|
653
663
|
#
|
654
664
|
#
|
655
665
|
#
|
656
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
657
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
658
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
666
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
|
667
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
|
668
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
659
669
|
# @return [Types::GrantConstraints]
|
660
670
|
#
|
661
671
|
# @!attribute [rw] grant_tokens
|
@@ -676,6 +686,10 @@ module Aws::KMS
|
|
676
686
|
# A friendly name for the grant. Use this value to prevent the
|
677
687
|
# unintended creation of duplicate grants when retrying this request.
|
678
688
|
#
|
689
|
+
# Do not include confidential or sensitive information in this field.
|
690
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
691
|
+
# other output.
|
692
|
+
#
|
679
693
|
# When this value is absent, all `CreateGrant` requests result in a
|
680
694
|
# new grant with a unique `GrantId` even if all the supplied
|
681
695
|
# parameters are identical. This can result in unintended duplicates
|
@@ -689,6 +703,18 @@ module Aws::KMS
|
|
689
703
|
# the same grant ID can be used interchangeably.
|
690
704
|
# @return [String]
|
691
705
|
#
|
706
|
+
# @!attribute [rw] dry_run
|
707
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
708
|
+
# parameter.
|
709
|
+
#
|
710
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
711
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
712
|
+
#
|
713
|
+
#
|
714
|
+
#
|
715
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
716
|
+
# @return [Boolean]
|
717
|
+
#
|
692
718
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
|
693
719
|
#
|
694
720
|
class CreateGrantRequest < Struct.new(
|
@@ -698,7 +724,8 @@ module Aws::KMS
|
|
698
724
|
:operations,
|
699
725
|
:constraints,
|
700
726
|
:grant_tokens,
|
701
|
-
:name
|
727
|
+
:name,
|
728
|
+
:dry_run)
|
702
729
|
SENSITIVE = []
|
703
730
|
include Aws::Structure
|
704
731
|
end
|
@@ -773,11 +800,13 @@ module Aws::KMS
|
|
773
800
|
# @return [String]
|
774
801
|
#
|
775
802
|
# @!attribute [rw] description
|
776
|
-
# A description of the KMS key.
|
803
|
+
# A description of the KMS key. Use a description that helps you
|
804
|
+
# decide whether the KMS key is appropriate for a task. The default
|
805
|
+
# value is an empty string (no description).
|
777
806
|
#
|
778
|
-
#
|
779
|
-
#
|
780
|
-
#
|
807
|
+
# Do not include confidential or sensitive information in this field.
|
808
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
809
|
+
# other output.
|
781
810
|
#
|
782
811
|
# To set or change the description after the key is created, use
|
783
812
|
# UpdateKeyDescription.
|
@@ -976,6 +1005,10 @@ module Aws::KMS
|
|
976
1005
|
# the KMS key when it is created. To tag an existing KMS key, use the
|
977
1006
|
# TagResource operation.
|
978
1007
|
#
|
1008
|
+
# Do not include confidential or sensitive information in this field.
|
1009
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
1010
|
+
# other output.
|
1011
|
+
#
|
979
1012
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
980
1013
|
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
981
1014
|
# Service Developer Guide*.
|
@@ -1540,6 +1573,46 @@ module Aws::KMS
|
|
1540
1573
|
# encryption KMS keys.
|
1541
1574
|
# @return [String]
|
1542
1575
|
#
|
1576
|
+
# @!attribute [rw] recipient
|
1577
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
1578
|
+
# enclave and the encryption algorithm to use with the enclave's
|
1579
|
+
# public key. The only valid encryption algorithm is
|
1580
|
+
# `RSAES_OAEP_SHA_256`.
|
1581
|
+
#
|
1582
|
+
# This parameter only supports attestation documents for Amazon Web
|
1583
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
1584
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
1585
|
+
#
|
1586
|
+
# When you use this parameter, instead of returning the plaintext
|
1587
|
+
# data, KMS encrypts the plaintext data with the public key in the
|
1588
|
+
# attestation document, and returns the resulting ciphertext in the
|
1589
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
1590
|
+
# be decrypted only with the private key in the enclave. The
|
1591
|
+
# `Plaintext` field in the response is null or empty.
|
1592
|
+
#
|
1593
|
+
# For information about the interaction between KMS and Amazon Web
|
1594
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
1595
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
1596
|
+
#
|
1597
|
+
#
|
1598
|
+
#
|
1599
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
1600
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
1601
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1602
|
+
# @return [Types::RecipientInfo]
|
1603
|
+
#
|
1604
|
+
# @!attribute [rw] dry_run
|
1605
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
1606
|
+
# parameter.
|
1607
|
+
#
|
1608
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
1609
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
1610
|
+
#
|
1611
|
+
#
|
1612
|
+
#
|
1613
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
1614
|
+
# @return [Boolean]
|
1615
|
+
#
|
1543
1616
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptRequest AWS API Documentation
|
1544
1617
|
#
|
1545
1618
|
class DecryptRequest < Struct.new(
|
@@ -1547,7 +1620,9 @@ module Aws::KMS
|
|
1547
1620
|
:encryption_context,
|
1548
1621
|
:grant_tokens,
|
1549
1622
|
:key_id,
|
1550
|
-
:encryption_algorithm
|
1623
|
+
:encryption_algorithm,
|
1624
|
+
:recipient,
|
1625
|
+
:dry_run)
|
1551
1626
|
SENSITIVE = []
|
1552
1627
|
include Aws::Structure
|
1553
1628
|
end
|
@@ -1565,18 +1640,38 @@ module Aws::KMS
|
|
1565
1640
|
# Decrypted plaintext data. When you use the HTTP API or the Amazon
|
1566
1641
|
# Web Services CLI, the value is Base64-encoded. Otherwise, it is not
|
1567
1642
|
# Base64-encoded.
|
1643
|
+
#
|
1644
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
1645
|
+
# `Plaintext` field is null or empty.
|
1568
1646
|
# @return [String]
|
1569
1647
|
#
|
1570
1648
|
# @!attribute [rw] encryption_algorithm
|
1571
1649
|
# The encryption algorithm that was used to decrypt the ciphertext.
|
1572
1650
|
# @return [String]
|
1573
1651
|
#
|
1652
|
+
# @!attribute [rw] ciphertext_for_recipient
|
1653
|
+
# The plaintext data encrypted with the public key in the attestation
|
1654
|
+
# document.
|
1655
|
+
#
|
1656
|
+
# This field is included in the response only when the `Recipient`
|
1657
|
+
# parameter in the request includes a valid attestation document from
|
1658
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
1659
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
1660
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
1661
|
+
# Management Service Developer Guide*.
|
1662
|
+
#
|
1663
|
+
#
|
1664
|
+
#
|
1665
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
1666
|
+
# @return [String]
|
1667
|
+
#
|
1574
1668
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DecryptResponse AWS API Documentation
|
1575
1669
|
#
|
1576
1670
|
class DecryptResponse < Struct.new(
|
1577
1671
|
:key_id,
|
1578
1672
|
:plaintext,
|
1579
|
-
:encryption_algorithm
|
1673
|
+
:encryption_algorithm,
|
1674
|
+
:ciphertext_for_recipient)
|
1580
1675
|
SENSITIVE = [:plaintext]
|
1581
1676
|
include Aws::Structure
|
1582
1677
|
end
|
@@ -1875,6 +1970,19 @@ module Aws::KMS
|
|
1875
1970
|
#
|
1876
1971
|
class DisconnectCustomKeyStoreResponse < Aws::EmptyStructure; end
|
1877
1972
|
|
1973
|
+
# The request was rejected because the DryRun parameter was specified.
|
1974
|
+
#
|
1975
|
+
# @!attribute [rw] message
|
1976
|
+
# @return [String]
|
1977
|
+
#
|
1978
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DryRunOperationException AWS API Documentation
|
1979
|
+
#
|
1980
|
+
class DryRunOperationException < Struct.new(
|
1981
|
+
:message)
|
1982
|
+
SENSITIVE = []
|
1983
|
+
include Aws::Structure
|
1984
|
+
end
|
1985
|
+
|
1878
1986
|
# @!attribute [rw] key_id
|
1879
1987
|
# Identifies the KMS key to enable.
|
1880
1988
|
#
|
@@ -1971,6 +2079,10 @@ module Aws::KMS
|
|
1971
2079
|
# asymmetric encryption algorithms and HMAC algorithms that KMS uses
|
1972
2080
|
# do not support an encryption context.
|
1973
2081
|
#
|
2082
|
+
# Do not include confidential or sensitive information in this field.
|
2083
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2084
|
+
# other output.
|
2085
|
+
#
|
1974
2086
|
# An *encryption context* is a collection of non-secret key-value
|
1975
2087
|
# pairs that represent additional authenticated data. When you use an
|
1976
2088
|
# encryption context to encrypt data, you must specify the same (an
|
@@ -2016,6 +2128,18 @@ module Aws::KMS
|
|
2016
2128
|
# The SM2PKE algorithm is only available in China Regions.
|
2017
2129
|
# @return [String]
|
2018
2130
|
#
|
2131
|
+
# @!attribute [rw] dry_run
|
2132
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2133
|
+
# parameter.
|
2134
|
+
#
|
2135
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2136
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2137
|
+
#
|
2138
|
+
#
|
2139
|
+
#
|
2140
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2141
|
+
# @return [Boolean]
|
2142
|
+
#
|
2019
2143
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EncryptRequest AWS API Documentation
|
2020
2144
|
#
|
2021
2145
|
class EncryptRequest < Struct.new(
|
@@ -2023,7 +2147,8 @@ module Aws::KMS
|
|
2023
2147
|
:plaintext,
|
2024
2148
|
:encryption_context,
|
2025
2149
|
:grant_tokens,
|
2026
|
-
:encryption_algorithm
|
2150
|
+
:encryption_algorithm,
|
2151
|
+
:dry_run)
|
2027
2152
|
SENSITIVE = [:plaintext]
|
2028
2153
|
include Aws::Structure
|
2029
2154
|
end
|
@@ -2077,6 +2202,10 @@ module Aws::KMS
|
|
2077
2202
|
# Specifies the encryption context that will be used when encrypting
|
2078
2203
|
# the private key in the data key pair.
|
2079
2204
|
#
|
2205
|
+
# Do not include confidential or sensitive information in this field.
|
2206
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2207
|
+
# other output.
|
2208
|
+
#
|
2080
2209
|
# An *encryption context* is a collection of non-secret key-value
|
2081
2210
|
# pairs that represent additional authenticated data. When you use an
|
2082
2211
|
# encryption context to encrypt data, you must specify the same (an
|
@@ -2144,13 +2273,58 @@ module Aws::KMS
|
|
2144
2273
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2145
2274
|
# @return [Array<String>]
|
2146
2275
|
#
|
2276
|
+
# @!attribute [rw] recipient
|
2277
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2278
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2279
|
+
# public key. The only valid encryption algorithm is
|
2280
|
+
# `RSAES_OAEP_SHA_256`.
|
2281
|
+
#
|
2282
|
+
# This parameter only supports attestation documents for Amazon Web
|
2283
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2284
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2285
|
+
#
|
2286
|
+
# When you use this parameter, instead of returning a plaintext copy
|
2287
|
+
# of the private data key, KMS encrypts the plaintext private data key
|
2288
|
+
# under the public key in the attestation document, and returns the
|
2289
|
+
# resulting ciphertext in the `CiphertextForRecipient` field in the
|
2290
|
+
# response. This ciphertext can be decrypted only with the private key
|
2291
|
+
# in the enclave. The `CiphertextBlob` field in the response contains
|
2292
|
+
# a copy of the private data key encrypted under the KMS key specified
|
2293
|
+
# by the `KeyId` parameter. The `PrivateKeyPlaintext` field in the
|
2294
|
+
# response is null or empty.
|
2295
|
+
#
|
2296
|
+
# For information about the interaction between KMS and Amazon Web
|
2297
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2298
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2299
|
+
#
|
2300
|
+
#
|
2301
|
+
#
|
2302
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2303
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2304
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2305
|
+
# @return [Types::RecipientInfo]
|
2306
|
+
#
|
2307
|
+
# @!attribute [rw] dry_run
|
2308
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2309
|
+
# parameter.
|
2310
|
+
#
|
2311
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2312
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2313
|
+
#
|
2314
|
+
#
|
2315
|
+
#
|
2316
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2317
|
+
# @return [Boolean]
|
2318
|
+
#
|
2147
2319
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairRequest AWS API Documentation
|
2148
2320
|
#
|
2149
2321
|
class GenerateDataKeyPairRequest < Struct.new(
|
2150
2322
|
:encryption_context,
|
2151
2323
|
:key_id,
|
2152
2324
|
:key_pair_spec,
|
2153
|
-
:grant_tokens
|
2325
|
+
:grant_tokens,
|
2326
|
+
:recipient,
|
2327
|
+
:dry_run)
|
2154
2328
|
SENSITIVE = []
|
2155
2329
|
include Aws::Structure
|
2156
2330
|
end
|
@@ -2165,6 +2339,9 @@ module Aws::KMS
|
|
2165
2339
|
# The plaintext copy of the private key. When you use the HTTP API or
|
2166
2340
|
# the Amazon Web Services CLI, the value is Base64-encoded. Otherwise,
|
2167
2341
|
# it is not Base64-encoded.
|
2342
|
+
#
|
2343
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
2344
|
+
# `PrivateKeyPlaintext` field is null or empty.
|
2168
2345
|
# @return [String]
|
2169
2346
|
#
|
2170
2347
|
# @!attribute [rw] public_key
|
@@ -2186,6 +2363,23 @@ module Aws::KMS
|
|
2186
2363
|
# The type of data key pair that was generated.
|
2187
2364
|
# @return [String]
|
2188
2365
|
#
|
2366
|
+
# @!attribute [rw] ciphertext_for_recipient
|
2367
|
+
# The plaintext private data key encrypted with the public key from
|
2368
|
+
# the Nitro enclave. This ciphertext can be decrypted only by using a
|
2369
|
+
# private key in the Nitro enclave.
|
2370
|
+
#
|
2371
|
+
# This field is included in the response only when the `Recipient`
|
2372
|
+
# parameter in the request includes a valid attestation document from
|
2373
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
2374
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
2375
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
2376
|
+
# Management Service Developer Guide*.
|
2377
|
+
#
|
2378
|
+
#
|
2379
|
+
#
|
2380
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2381
|
+
# @return [String]
|
2382
|
+
#
|
2189
2383
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairResponse AWS API Documentation
|
2190
2384
|
#
|
2191
2385
|
class GenerateDataKeyPairResponse < Struct.new(
|
@@ -2193,7 +2387,8 @@ module Aws::KMS
|
|
2193
2387
|
:private_key_plaintext,
|
2194
2388
|
:public_key,
|
2195
2389
|
:key_id,
|
2196
|
-
:key_pair_spec
|
2390
|
+
:key_pair_spec,
|
2391
|
+
:ciphertext_for_recipient)
|
2197
2392
|
SENSITIVE = [:private_key_plaintext]
|
2198
2393
|
include Aws::Structure
|
2199
2394
|
end
|
@@ -2202,6 +2397,10 @@ module Aws::KMS
|
|
2202
2397
|
# Specifies the encryption context that will be used when encrypting
|
2203
2398
|
# the private key in the data key pair.
|
2204
2399
|
#
|
2400
|
+
# Do not include confidential or sensitive information in this field.
|
2401
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2402
|
+
# other output.
|
2403
|
+
#
|
2205
2404
|
# An *encryption context* is a collection of non-secret key-value
|
2206
2405
|
# pairs that represent additional authenticated data. When you use an
|
2207
2406
|
# encryption context to encrypt data, you must specify the same (an
|
@@ -2269,13 +2468,26 @@ module Aws::KMS
|
|
2269
2468
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2270
2469
|
# @return [Array<String>]
|
2271
2470
|
#
|
2471
|
+
# @!attribute [rw] dry_run
|
2472
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2473
|
+
# parameter.
|
2474
|
+
#
|
2475
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2476
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2477
|
+
#
|
2478
|
+
#
|
2479
|
+
#
|
2480
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2481
|
+
# @return [Boolean]
|
2482
|
+
#
|
2272
2483
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintextRequest AWS API Documentation
|
2273
2484
|
#
|
2274
2485
|
class GenerateDataKeyPairWithoutPlaintextRequest < Struct.new(
|
2275
2486
|
:encryption_context,
|
2276
2487
|
:key_id,
|
2277
2488
|
:key_pair_spec,
|
2278
|
-
:grant_tokens
|
2489
|
+
:grant_tokens,
|
2490
|
+
:dry_run)
|
2279
2491
|
SENSITIVE = []
|
2280
2492
|
include Aws::Structure
|
2281
2493
|
end
|
@@ -2346,6 +2558,10 @@ module Aws::KMS
|
|
2346
2558
|
# Specifies the encryption context that will be used when encrypting
|
2347
2559
|
# the data key.
|
2348
2560
|
#
|
2561
|
+
# Do not include confidential or sensitive information in this field.
|
2562
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2563
|
+
# other output.
|
2564
|
+
#
|
2349
2565
|
# An *encryption context* is a collection of non-secret key-value
|
2350
2566
|
# pairs that represent additional authenticated data. When you use an
|
2351
2567
|
# encryption context to encrypt data, you must specify the same (an
|
@@ -2396,6 +2612,48 @@ module Aws::KMS
|
|
2396
2612
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2397
2613
|
# @return [Array<String>]
|
2398
2614
|
#
|
2615
|
+
# @!attribute [rw] recipient
|
2616
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2617
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2618
|
+
# public key. The only valid encryption algorithm is
|
2619
|
+
# `RSAES_OAEP_SHA_256`.
|
2620
|
+
#
|
2621
|
+
# This parameter only supports attestation documents for Amazon Web
|
2622
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2623
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2624
|
+
#
|
2625
|
+
# When you use this parameter, instead of returning the plaintext data
|
2626
|
+
# key, KMS encrypts the plaintext data key under the public key in the
|
2627
|
+
# attestation document, and returns the resulting ciphertext in the
|
2628
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
2629
|
+
# be decrypted only with the private key in the enclave. The
|
2630
|
+
# `CiphertextBlob` field in the response contains a copy of the data
|
2631
|
+
# key encrypted under the KMS key specified by the `KeyId` parameter.
|
2632
|
+
# The `Plaintext` field in the response is null or empty.
|
2633
|
+
#
|
2634
|
+
# For information about the interaction between KMS and Amazon Web
|
2635
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2636
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2637
|
+
#
|
2638
|
+
#
|
2639
|
+
#
|
2640
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2641
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2642
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2643
|
+
# @return [Types::RecipientInfo]
|
2644
|
+
#
|
2645
|
+
# @!attribute [rw] dry_run
|
2646
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2647
|
+
# parameter.
|
2648
|
+
#
|
2649
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2650
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2651
|
+
#
|
2652
|
+
#
|
2653
|
+
#
|
2654
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2655
|
+
# @return [Boolean]
|
2656
|
+
#
|
2399
2657
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyRequest AWS API Documentation
|
2400
2658
|
#
|
2401
2659
|
class GenerateDataKeyRequest < Struct.new(
|
@@ -2403,7 +2661,9 @@ module Aws::KMS
|
|
2403
2661
|
:encryption_context,
|
2404
2662
|
:number_of_bytes,
|
2405
2663
|
:key_spec,
|
2406
|
-
:grant_tokens
|
2664
|
+
:grant_tokens,
|
2665
|
+
:recipient,
|
2666
|
+
:dry_run)
|
2407
2667
|
SENSITIVE = []
|
2408
2668
|
include Aws::Structure
|
2409
2669
|
end
|
@@ -2419,6 +2679,9 @@ module Aws::KMS
|
|
2419
2679
|
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2420
2680
|
# Base64-encoded. Use this data key to encrypt your data outside of
|
2421
2681
|
# KMS. Then, remove it from memory as soon as possible.
|
2682
|
+
#
|
2683
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
2684
|
+
# `Plaintext` field is null or empty.
|
2422
2685
|
# @return [String]
|
2423
2686
|
#
|
2424
2687
|
# @!attribute [rw] key_id
|
@@ -2430,12 +2693,30 @@ module Aws::KMS
|
|
2430
2693
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN
|
2431
2694
|
# @return [String]
|
2432
2695
|
#
|
2696
|
+
# @!attribute [rw] ciphertext_for_recipient
|
2697
|
+
# The plaintext data key encrypted with the public key from the Nitro
|
2698
|
+
# enclave. This ciphertext can be decrypted only by using a private
|
2699
|
+
# key in the Nitro enclave.
|
2700
|
+
#
|
2701
|
+
# This field is included in the response only when the `Recipient`
|
2702
|
+
# parameter in the request includes a valid attestation document from
|
2703
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
2704
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
2705
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
2706
|
+
# Management Service Developer Guide*.
|
2707
|
+
#
|
2708
|
+
#
|
2709
|
+
#
|
2710
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2711
|
+
# @return [String]
|
2712
|
+
#
|
2433
2713
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyResponse AWS API Documentation
|
2434
2714
|
#
|
2435
2715
|
class GenerateDataKeyResponse < Struct.new(
|
2436
2716
|
:ciphertext_blob,
|
2437
2717
|
:plaintext,
|
2438
|
-
:key_id
|
2718
|
+
:key_id,
|
2719
|
+
:ciphertext_for_recipient)
|
2439
2720
|
SENSITIVE = [:plaintext]
|
2440
2721
|
include Aws::Structure
|
2441
2722
|
end
|
@@ -2470,6 +2751,10 @@ module Aws::KMS
|
|
2470
2751
|
# Specifies the encryption context that will be used when encrypting
|
2471
2752
|
# the data key.
|
2472
2753
|
#
|
2754
|
+
# Do not include confidential or sensitive information in this field.
|
2755
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
2756
|
+
# other output.
|
2757
|
+
#
|
2473
2758
|
# An *encryption context* is a collection of non-secret key-value
|
2474
2759
|
# pairs that represent additional authenticated data. When you use an
|
2475
2760
|
# encryption context to encrypt data, you must specify the same (an
|
@@ -2513,6 +2798,18 @@ module Aws::KMS
|
|
2513
2798
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2514
2799
|
# @return [Array<String>]
|
2515
2800
|
#
|
2801
|
+
# @!attribute [rw] dry_run
|
2802
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2803
|
+
# parameter.
|
2804
|
+
#
|
2805
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2806
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2807
|
+
#
|
2808
|
+
#
|
2809
|
+
#
|
2810
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2811
|
+
# @return [Boolean]
|
2812
|
+
#
|
2516
2813
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintextRequest AWS API Documentation
|
2517
2814
|
#
|
2518
2815
|
class GenerateDataKeyWithoutPlaintextRequest < Struct.new(
|
@@ -2520,7 +2817,8 @@ module Aws::KMS
|
|
2520
2817
|
:encryption_context,
|
2521
2818
|
:key_spec,
|
2522
2819
|
:number_of_bytes,
|
2523
|
-
:grant_tokens
|
2820
|
+
:grant_tokens,
|
2821
|
+
:dry_run)
|
2524
2822
|
SENSITIVE = []
|
2525
2823
|
include Aws::Structure
|
2526
2824
|
end
|
@@ -2592,13 +2890,26 @@ module Aws::KMS
|
|
2592
2890
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
2593
2891
|
# @return [Array<String>]
|
2594
2892
|
#
|
2893
|
+
# @!attribute [rw] dry_run
|
2894
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
2895
|
+
# parameter.
|
2896
|
+
#
|
2897
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
2898
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
2899
|
+
#
|
2900
|
+
#
|
2901
|
+
#
|
2902
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
2903
|
+
# @return [Boolean]
|
2904
|
+
#
|
2595
2905
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMacRequest AWS API Documentation
|
2596
2906
|
#
|
2597
2907
|
class GenerateMacRequest < Struct.new(
|
2598
2908
|
:message,
|
2599
2909
|
:key_id,
|
2600
2910
|
:mac_algorithm,
|
2601
|
-
:grant_tokens
|
2911
|
+
:grant_tokens,
|
2912
|
+
:dry_run)
|
2602
2913
|
SENSITIVE = [:message]
|
2603
2914
|
include Aws::Structure
|
2604
2915
|
end
|
@@ -2646,11 +2957,40 @@ module Aws::KMS
|
|
2646
2957
|
# `UnsupportedOperationException`.
|
2647
2958
|
# @return [String]
|
2648
2959
|
#
|
2960
|
+
# @!attribute [rw] recipient
|
2961
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
2962
|
+
# enclave and the encryption algorithm to use with the enclave's
|
2963
|
+
# public key. The only valid encryption algorithm is
|
2964
|
+
# `RSAES_OAEP_SHA_256`.
|
2965
|
+
#
|
2966
|
+
# This parameter only supports attestation documents for Amazon Web
|
2967
|
+
# Services Nitro Enclaves. To include this parameter, use the [Amazon
|
2968
|
+
# Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
|
2969
|
+
#
|
2970
|
+
# When you use this parameter, instead of returning plaintext bytes,
|
2971
|
+
# KMS encrypts the plaintext bytes under the public key in the
|
2972
|
+
# attestation document, and returns the resulting ciphertext in the
|
2973
|
+
# `CiphertextForRecipient` field in the response. This ciphertext can
|
2974
|
+
# be decrypted only with the private key in the enclave. The
|
2975
|
+
# `Plaintext` field in the response is null or empty.
|
2976
|
+
#
|
2977
|
+
# For information about the interaction between KMS and Amazon Web
|
2978
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
2979
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
2980
|
+
#
|
2981
|
+
#
|
2982
|
+
#
|
2983
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
2984
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
2985
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2986
|
+
# @return [Types::RecipientInfo]
|
2987
|
+
#
|
2649
2988
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomRequest AWS API Documentation
|
2650
2989
|
#
|
2651
2990
|
class GenerateRandomRequest < Struct.new(
|
2652
2991
|
:number_of_bytes,
|
2653
|
-
:custom_key_store_id
|
2992
|
+
:custom_key_store_id,
|
2993
|
+
:recipient)
|
2654
2994
|
SENSITIVE = []
|
2655
2995
|
include Aws::Structure
|
2656
2996
|
end
|
@@ -2659,12 +2999,33 @@ module Aws::KMS
|
|
2659
2999
|
# The random byte string. When you use the HTTP API or the Amazon Web
|
2660
3000
|
# Services CLI, the value is Base64-encoded. Otherwise, it is not
|
2661
3001
|
# Base64-encoded.
|
3002
|
+
#
|
3003
|
+
# If the response includes the `CiphertextForRecipient` field, the
|
3004
|
+
# `Plaintext` field is null or empty.
|
3005
|
+
# @return [String]
|
3006
|
+
#
|
3007
|
+
# @!attribute [rw] ciphertext_for_recipient
|
3008
|
+
# The plaintext random bytes encrypted with the public key from the
|
3009
|
+
# Nitro enclave. This ciphertext can be decrypted only by using a
|
3010
|
+
# private key in the Nitro enclave.
|
3011
|
+
#
|
3012
|
+
# This field is included in the response only when the `Recipient`
|
3013
|
+
# parameter in the request includes a valid attestation document from
|
3014
|
+
# an Amazon Web Services Nitro enclave. For information about the
|
3015
|
+
# interaction between KMS and Amazon Web Services Nitro Enclaves, see
|
3016
|
+
# [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
|
3017
|
+
# Management Service Developer Guide*.
|
3018
|
+
#
|
3019
|
+
#
|
3020
|
+
#
|
3021
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
2662
3022
|
# @return [String]
|
2663
3023
|
#
|
2664
3024
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandomResponse AWS API Documentation
|
2665
3025
|
#
|
2666
3026
|
class GenerateRandomResponse < Struct.new(
|
2667
|
-
:plaintext
|
3027
|
+
:plaintext,
|
3028
|
+
:ciphertext_for_recipient)
|
2668
3029
|
SENSITIVE = [:plaintext]
|
2669
3030
|
include Aws::Structure
|
2670
3031
|
end
|
@@ -2750,10 +3111,14 @@ module Aws::KMS
|
|
2750
3111
|
end
|
2751
3112
|
|
2752
3113
|
# @!attribute [rw] key_id
|
2753
|
-
# The identifier of the
|
2754
|
-
#
|
3114
|
+
# The identifier of the KMS key that will be associated with the
|
3115
|
+
# imported key material. The `Origin` of the KMS key must be
|
2755
3116
|
# `EXTERNAL`.
|
2756
3117
|
#
|
3118
|
+
# All KMS key types are supported, including multi-Region keys.
|
3119
|
+
# However, you cannot import key material into a KMS key in a custom
|
3120
|
+
# key store.
|
3121
|
+
#
|
2757
3122
|
# Specify the key ID or key ARN of the KMS key.
|
2758
3123
|
#
|
2759
3124
|
# For example:
|
@@ -2768,26 +3133,54 @@ module Aws::KMS
|
|
2768
3133
|
# @return [String]
|
2769
3134
|
#
|
2770
3135
|
# @!attribute [rw] wrapping_algorithm
|
2771
|
-
# The algorithm you will use
|
2772
|
-
# the
|
2773
|
-
# see [
|
2774
|
-
#
|
3136
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
3137
|
+
# the response to protect your key material during import. For more
|
3138
|
+
# information, see [Select a wrapping
|
3139
|
+
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
3140
|
+
# in the *Key Management Service Developer Guide*.
|
3141
|
+
#
|
3142
|
+
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
3143
|
+
# an AES key that you generate, then encrypt your AES key with the RSA
|
3144
|
+
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
3145
|
+
# key material directly with the RSA public key from KMS.
|
3146
|
+
#
|
3147
|
+
# The wrapping algorithms that you can use depend on the type of key
|
3148
|
+
# material that you are importing. To import an RSA private key, you
|
3149
|
+
# must use an RSA\_AES wrapping algorithm.
|
3150
|
+
#
|
3151
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
3152
|
+
# ECC key material.
|
3153
|
+
#
|
3154
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
|
3155
|
+
# ECC key material.
|
2775
3156
|
#
|
2776
|
-
#
|
2777
|
-
#
|
2778
|
-
# immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
|
2779
|
-
# 1, 2023 pursuant to [cryptographic key management guidance][2] from
|
2780
|
-
# the National Institute of Standards and Technology (NIST).
|
3157
|
+
# * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
|
3158
|
+
# material, except RSA key material (private key).
|
2781
3159
|
#
|
3160
|
+
# You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
|
3161
|
+
# the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
|
3162
|
+
# material.
|
2782
3163
|
#
|
3164
|
+
# * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
|
3165
|
+
# except RSA key material (private key).
|
2783
3166
|
#
|
2784
|
-
#
|
2785
|
-
#
|
3167
|
+
# You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
|
3168
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
3169
|
+
#
|
3170
|
+
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
|
3171
|
+
# symmetric encryption key material (and only in legacy mode).
|
2786
3172
|
# @return [String]
|
2787
3173
|
#
|
2788
3174
|
# @!attribute [rw] wrapping_key_spec
|
2789
|
-
# The type of
|
2790
|
-
#
|
3175
|
+
# The type of RSA public key to return in the response. You will use
|
3176
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
3177
|
+
# your key material during import.
|
3178
|
+
#
|
3179
|
+
# Use the longest RSA wrapping key that is practical.
|
3180
|
+
#
|
3181
|
+
# You cannot use an RSA\_2048 public key to directly wrap an
|
3182
|
+
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
3183
|
+
# algorithm or choose a longer RSA public key.
|
2791
3184
|
# @return [String]
|
2792
3185
|
#
|
2793
3186
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
@@ -3094,13 +3487,19 @@ module Aws::KMS
|
|
3094
3487
|
end
|
3095
3488
|
|
3096
3489
|
# @!attribute [rw] key_id
|
3097
|
-
# The identifier of the
|
3490
|
+
# The identifier of the KMS key that will be associated with the
|
3098
3491
|
# imported key material. This must be the same KMS key specified in
|
3099
3492
|
# the `KeyID` parameter of the corresponding GetParametersForImport
|
3100
|
-
# request. The `Origin` of the KMS key must be `EXTERNAL
|
3101
|
-
#
|
3102
|
-
#
|
3103
|
-
#
|
3493
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL` and its
|
3494
|
+
# `KeyState` must be `PendingImport`.
|
3495
|
+
#
|
3496
|
+
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
3497
|
+
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
3498
|
+
# including a [multi-Region
|
3499
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of
|
3500
|
+
# any supported type. You cannot perform this operation on a KMS key
|
3501
|
+
# in a custom key store, or on a KMS key in a different Amazon Web
|
3502
|
+
# Services account.
|
3104
3503
|
#
|
3105
3504
|
# Specify the key ID or key ARN of the KMS key.
|
3106
3505
|
#
|
@@ -3124,7 +3523,7 @@ module Aws::KMS
|
|
3124
3523
|
#
|
3125
3524
|
# @!attribute [rw] encrypted_key_material
|
3126
3525
|
# The encrypted key material to import. The key material must be
|
3127
|
-
# encrypted
|
3526
|
+
# encrypted under the public wrapping key that GetParametersForImport
|
3128
3527
|
# returned, using the wrapping algorithm that you specified in the
|
3129
3528
|
# same `GetParametersForImport` request.
|
3130
3529
|
# @return [String]
|
@@ -3150,7 +3549,8 @@ module Aws::KMS
|
|
3150
3549
|
#
|
3151
3550
|
# @!attribute [rw] expiration_model
|
3152
3551
|
# Specifies whether the key material expires. The default is
|
3153
|
-
# `KEY_MATERIAL_EXPIRES`.
|
3552
|
+
# `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
|
3553
|
+
# expiration time][1] in the *Key Management Service Developer Guide*.
|
3154
3554
|
#
|
3155
3555
|
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
3156
3556
|
# must specify a value for the `ValidTo` parameter. When value is
|
@@ -3159,8 +3559,11 @@ module Aws::KMS
|
|
3159
3559
|
#
|
3160
3560
|
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3161
3561
|
# current import after the request completes. To change either value,
|
3162
|
-
# you must
|
3163
|
-
#
|
3562
|
+
# you must reimport the key material.
|
3563
|
+
#
|
3564
|
+
#
|
3565
|
+
#
|
3566
|
+
# [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
3164
3567
|
# @return [String]
|
3165
3568
|
#
|
3166
3569
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
@@ -4417,6 +4820,10 @@ module Aws::KMS
|
|
4417
4820
|
# Specifies that encryption context to use when the reencrypting the
|
4418
4821
|
# data.
|
4419
4822
|
#
|
4823
|
+
# Do not include confidential or sensitive information in this field.
|
4824
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
4825
|
+
# other output.
|
4826
|
+
#
|
4420
4827
|
# A destination encryption context is valid only when the destination
|
4421
4828
|
# KMS key is a symmetric encryption KMS key. The standard ciphertext
|
4422
4829
|
# format for asymmetric KMS keys does not include fields for metadata.
|
@@ -4475,6 +4882,18 @@ module Aws::KMS
|
|
4475
4882
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
4476
4883
|
# @return [Array<String>]
|
4477
4884
|
#
|
4885
|
+
# @!attribute [rw] dry_run
|
4886
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
4887
|
+
# parameter.
|
4888
|
+
#
|
4889
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
4890
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
4891
|
+
#
|
4892
|
+
#
|
4893
|
+
#
|
4894
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
4895
|
+
# @return [Boolean]
|
4896
|
+
#
|
4478
4897
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncryptRequest AWS API Documentation
|
4479
4898
|
#
|
4480
4899
|
class ReEncryptRequest < Struct.new(
|
@@ -4485,7 +4904,8 @@ module Aws::KMS
|
|
4485
4904
|
:destination_encryption_context,
|
4486
4905
|
:source_encryption_algorithm,
|
4487
4906
|
:destination_encryption_algorithm,
|
4488
|
-
:grant_tokens
|
4907
|
+
:grant_tokens,
|
4908
|
+
:dry_run)
|
4489
4909
|
SENSITIVE = []
|
4490
4910
|
include Aws::Structure
|
4491
4911
|
end
|
@@ -4531,6 +4951,39 @@ module Aws::KMS
|
|
4531
4951
|
include Aws::Structure
|
4532
4952
|
end
|
4533
4953
|
|
4954
|
+
# Contains information about the party that receives the response from
|
4955
|
+
# the API operation.
|
4956
|
+
#
|
4957
|
+
# This data type is designed to support Amazon Web Services Nitro
|
4958
|
+
# Enclaves, which lets you create an isolated compute environment in
|
4959
|
+
# Amazon EC2. For information about the interaction between KMS and
|
4960
|
+
# Amazon Web Services Nitro Enclaves, see [How Amazon Web Services Nitro
|
4961
|
+
# Enclaves uses KMS][1] in the *Key Management Service Developer Guide*.
|
4962
|
+
#
|
4963
|
+
#
|
4964
|
+
#
|
4965
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
4966
|
+
#
|
4967
|
+
# @!attribute [rw] key_encryption_algorithm
|
4968
|
+
# The encryption algorithm that KMS should use with the public key for
|
4969
|
+
# an Amazon Web Services Nitro Enclave to encrypt plaintext values for
|
4970
|
+
# the response. The only valid value is `RSAES_OAEP_SHA_256`.
|
4971
|
+
# @return [String]
|
4972
|
+
#
|
4973
|
+
# @!attribute [rw] attestation_document
|
4974
|
+
# The attestation document for an Amazon Web Services Nitro Enclave.
|
4975
|
+
# This document includes the enclave's public key.
|
4976
|
+
# @return [String]
|
4977
|
+
#
|
4978
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RecipientInfo AWS API Documentation
|
4979
|
+
#
|
4980
|
+
class RecipientInfo < Struct.new(
|
4981
|
+
:key_encryption_algorithm,
|
4982
|
+
:attestation_document)
|
4983
|
+
SENSITIVE = []
|
4984
|
+
include Aws::Structure
|
4985
|
+
end
|
4986
|
+
|
4534
4987
|
# @!attribute [rw] key_id
|
4535
4988
|
# Identifies the multi-Region primary key that is being replicated. To
|
4536
4989
|
# determine whether a KMS key is a multi-Region primary key, use the
|
@@ -4666,6 +5119,10 @@ module Aws::KMS
|
|
4666
5119
|
# A description of the KMS key. The default value is an empty string
|
4667
5120
|
# (no description).
|
4668
5121
|
#
|
5122
|
+
# Do not include confidential or sensitive information in this field.
|
5123
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5124
|
+
# other output.
|
5125
|
+
#
|
4669
5126
|
# The description is not a shared property of multi-Region keys. You
|
4670
5127
|
# can specify the same description or a different description for each
|
4671
5128
|
# key in a set of related multi-Region keys. KMS does not synchronize
|
@@ -4677,6 +5134,10 @@ module Aws::KMS
|
|
4677
5134
|
# tag the KMS key when it is created. To tag an existing KMS key, use
|
4678
5135
|
# the TagResource operation.
|
4679
5136
|
#
|
5137
|
+
# Do not include confidential or sensitive information in this field.
|
5138
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5139
|
+
# other output.
|
5140
|
+
#
|
4680
5141
|
# <note markdown="1"> Tagging or untagging a KMS key can allow or deny permission to the
|
4681
5142
|
# KMS key. For details, see [ABAC for KMS][1] in the *Key Management
|
4682
5143
|
# Service Developer Guide*.
|
@@ -4786,12 +5247,25 @@ module Aws::KMS
|
|
4786
5247
|
# ^
|
4787
5248
|
# @return [String]
|
4788
5249
|
#
|
5250
|
+
# @!attribute [rw] dry_run
|
5251
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5252
|
+
# parameter.
|
5253
|
+
#
|
5254
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5255
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5256
|
+
#
|
5257
|
+
#
|
5258
|
+
#
|
5259
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5260
|
+
# @return [Boolean]
|
5261
|
+
#
|
4789
5262
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrantRequest AWS API Documentation
|
4790
5263
|
#
|
4791
5264
|
class RetireGrantRequest < Struct.new(
|
4792
5265
|
:grant_token,
|
4793
5266
|
:key_id,
|
4794
|
-
:grant_id
|
5267
|
+
:grant_id,
|
5268
|
+
:dry_run)
|
4795
5269
|
SENSITIVE = []
|
4796
5270
|
include Aws::Structure
|
4797
5271
|
end
|
@@ -4821,11 +5295,24 @@ module Aws::KMS
|
|
4821
5295
|
# CreateGrant, ListGrants, or ListRetirableGrants.
|
4822
5296
|
# @return [String]
|
4823
5297
|
#
|
5298
|
+
# @!attribute [rw] dry_run
|
5299
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5300
|
+
# parameter.
|
5301
|
+
#
|
5302
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5303
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5304
|
+
#
|
5305
|
+
#
|
5306
|
+
#
|
5307
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5308
|
+
# @return [Boolean]
|
5309
|
+
#
|
4824
5310
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrantRequest AWS API Documentation
|
4825
5311
|
#
|
4826
5312
|
class RevokeGrantRequest < Struct.new(
|
4827
5313
|
:key_id,
|
4828
|
-
:grant_id
|
5314
|
+
:grant_id,
|
5315
|
+
:dry_run)
|
4829
5316
|
SENSITIVE = []
|
4830
5317
|
include Aws::Structure
|
4831
5318
|
end
|
@@ -4856,6 +5343,13 @@ module Aws::KMS
|
|
4856
5343
|
#
|
4857
5344
|
# This value is optional. If you include a value, it must be between 7
|
4858
5345
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
5346
|
+
# You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
|
5347
|
+
# condition key to further constrain the values that principals can
|
5348
|
+
# specify in the `PendingWindowInDays` parameter.
|
5349
|
+
#
|
5350
|
+
#
|
5351
|
+
#
|
5352
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days
|
4859
5353
|
# @return [Integer]
|
4860
5354
|
#
|
4861
5355
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
|
@@ -5017,6 +5511,18 @@ module Aws::KMS
|
|
5017
5511
|
# algorithms for compatibility with existing applications.
|
5018
5512
|
# @return [String]
|
5019
5513
|
#
|
5514
|
+
# @!attribute [rw] dry_run
|
5515
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
5516
|
+
# parameter.
|
5517
|
+
#
|
5518
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
5519
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
5520
|
+
#
|
5521
|
+
#
|
5522
|
+
#
|
5523
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
5524
|
+
# @return [Boolean]
|
5525
|
+
#
|
5020
5526
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/SignRequest AWS API Documentation
|
5021
5527
|
#
|
5022
5528
|
class SignRequest < Struct.new(
|
@@ -5024,7 +5530,8 @@ module Aws::KMS
|
|
5024
5530
|
:message,
|
5025
5531
|
:message_type,
|
5026
5532
|
:grant_tokens,
|
5027
|
-
:signing_algorithm
|
5533
|
+
:signing_algorithm,
|
5534
|
+
:dry_run)
|
5028
5535
|
SENSITIVE = [:message]
|
5029
5536
|
include Aws::Structure
|
5030
5537
|
end
|
@@ -5046,7 +5553,7 @@ module Aws::KMS
|
|
5046
5553
|
#
|
5047
5554
|
# * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
|
5048
5555
|
# `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
|
5049
|
-
# object as defined by
|
5556
|
+
# object as defined by ANSI X9.62–2005 and [RFC 3279 Section
|
5050
5557
|
# 2.2.3][2]. This is the most commonly used signature format and is
|
5051
5558
|
# appropriate for most uses.
|
5052
5559
|
#
|
@@ -5077,6 +5584,10 @@ module Aws::KMS
|
|
5077
5584
|
# keys and tag values are both required, but tag values can be empty
|
5078
5585
|
# (null) strings.
|
5079
5586
|
#
|
5587
|
+
# Do not include confidential or sensitive information in this field.
|
5588
|
+
# This field may be displayed in plaintext in CloudTrail logs and other
|
5589
|
+
# output.
|
5590
|
+
#
|
5080
5591
|
# For information about the rules that apply to tag keys and tag values,
|
5081
5592
|
# see [User-Defined Tag Restrictions][1] in the *Amazon Web Services
|
5082
5593
|
# Billing and Cost Management User Guide*.
|
@@ -5132,10 +5643,12 @@ module Aws::KMS
|
|
5132
5643
|
# @return [String]
|
5133
5644
|
#
|
5134
5645
|
# @!attribute [rw] tags
|
5135
|
-
# One or more tags.
|
5646
|
+
# One or more tags. Each tag consists of a tag key and a tag value.
|
5647
|
+
# The tag value can be an empty (null) string.
|
5136
5648
|
#
|
5137
|
-
#
|
5138
|
-
#
|
5649
|
+
# Do not include confidential or sensitive information in this field.
|
5650
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5651
|
+
# other output.
|
5139
5652
|
#
|
5140
5653
|
# You cannot have more than one tag on a KMS key with the same tag
|
5141
5654
|
# key. If you specify an existing tag key with a different tag value,
|
@@ -5199,6 +5712,10 @@ module Aws::KMS
|
|
5199
5712
|
# begin with `alias/` followed by the alias name, such as
|
5200
5713
|
# `alias/ExampleAlias`. You cannot use `UpdateAlias` to change the
|
5201
5714
|
# alias name.
|
5715
|
+
#
|
5716
|
+
# Do not include confidential or sensitive information in this field.
|
5717
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5718
|
+
# other output.
|
5202
5719
|
# @return [String]
|
5203
5720
|
#
|
5204
5721
|
# @!attribute [rw] target_key_id
|
@@ -5252,6 +5769,10 @@ module Aws::KMS
|
|
5252
5769
|
# you specify. The custom key store name must be unique in the Amazon
|
5253
5770
|
# Web Services account.
|
5254
5771
|
#
|
5772
|
+
# Do not include confidential or sensitive information in this field.
|
5773
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5774
|
+
# other output.
|
5775
|
+
#
|
5255
5776
|
# To change this value, an CloudHSM key store must be disconnected. An
|
5256
5777
|
# external key store can be connected or disconnected.
|
5257
5778
|
# @return [String]
|
@@ -5414,6 +5935,10 @@ module Aws::KMS
|
|
5414
5935
|
#
|
5415
5936
|
# @!attribute [rw] description
|
5416
5937
|
# New description for the KMS key.
|
5938
|
+
#
|
5939
|
+
# Do not include confidential or sensitive information in this field.
|
5940
|
+
# This field may be displayed in plaintext in CloudTrail logs and
|
5941
|
+
# other output.
|
5417
5942
|
# @return [String]
|
5418
5943
|
#
|
5419
5944
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescriptionRequest AWS API Documentation
|
@@ -5503,6 +6028,18 @@ module Aws::KMS
|
|
5503
6028
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
5504
6029
|
# @return [Array<String>]
|
5505
6030
|
#
|
6031
|
+
# @!attribute [rw] dry_run
|
6032
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
6033
|
+
# parameter.
|
6034
|
+
#
|
6035
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
6036
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
6037
|
+
#
|
6038
|
+
#
|
6039
|
+
#
|
6040
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
6041
|
+
# @return [Boolean]
|
6042
|
+
#
|
5506
6043
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMacRequest AWS API Documentation
|
5507
6044
|
#
|
5508
6045
|
class VerifyMacRequest < Struct.new(
|
@@ -5510,7 +6047,8 @@ module Aws::KMS
|
|
5510
6047
|
:key_id,
|
5511
6048
|
:mac_algorithm,
|
5512
6049
|
:mac,
|
5513
|
-
:grant_tokens
|
6050
|
+
:grant_tokens,
|
6051
|
+
:dry_run)
|
5514
6052
|
SENSITIVE = [:message]
|
5515
6053
|
include Aws::Structure
|
5516
6054
|
end
|
@@ -5647,6 +6185,18 @@ module Aws::KMS
|
|
5647
6185
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
5648
6186
|
# @return [Array<String>]
|
5649
6187
|
#
|
6188
|
+
# @!attribute [rw] dry_run
|
6189
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
6190
|
+
# parameter.
|
6191
|
+
#
|
6192
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
6193
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
6194
|
+
#
|
6195
|
+
#
|
6196
|
+
#
|
6197
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
6198
|
+
# @return [Boolean]
|
6199
|
+
#
|
5650
6200
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyRequest AWS API Documentation
|
5651
6201
|
#
|
5652
6202
|
class VerifyRequest < Struct.new(
|
@@ -5655,7 +6205,8 @@ module Aws::KMS
|
|
5655
6205
|
:message_type,
|
5656
6206
|
:signature,
|
5657
6207
|
:signing_algorithm,
|
5658
|
-
:grant_tokens
|
6208
|
+
:grant_tokens,
|
6209
|
+
:dry_run)
|
5659
6210
|
SENSITIVE = [:message]
|
5660
6211
|
include Aws::Structure
|
5661
6212
|
end
|