aws-sdk-kms 1.65.0 → 1.67.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +339 -143
- data/lib/aws-sdk-kms/endpoints.rb +1 -0
- data/lib/aws-sdk-kms/types.rb +74 -25
- data/lib/aws-sdk-kms.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d4df26cdf51fc1211e80fe242d0901d58577819b97568f58bd66a0ce1ee9b30c
|
4
|
+
data.tar.gz: e9c51398d4299e3d5db2b03ea6afcaccb3aecfd58fa5ca7c78440432d8831e8d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 03d3e954abcce0e006342c8c07740c668c7e0b5ba72264ed47b9b447efbd4ba12194dfe247a9e3ce1535313c8d7afcfc7ddfcf80ea06fb73db3b48b700267e54
|
7
|
+
data.tar.gz: ad20130589b40e65fe023ca43e2d1ac2544baebb3122adb76e0b7118d9611d84b6c019f3b3e62e3844b8cf5cc28ef0cf9640e15ee75727d66fdafc4f5a4a8f0f
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,16 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
1.67.0 (2023-06-15)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
8
|
+
|
9
|
+
1.66.0 (2023-06-05)
|
10
|
+
------------------
|
11
|
+
|
12
|
+
* Feature - This release includes feature to import customer's asymmetric (RSA and ECC) and HMAC keys into KMS. It also includes feature to allow customers to specify number of days to schedule a KMS key deletion as a policy condition key.
|
13
|
+
|
4
14
|
1.65.0 (2023-05-31)
|
5
15
|
------------------
|
6
16
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.
|
1
|
+
1.67.0
|
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -1458,13 +1458,6 @@ module Aws::KMS
|
|
1458
1458
|
# You can use HMAC keys to generate (GenerateMac) and verify
|
1459
1459
|
# (VerifyMac) HMAC codes for messages up to 4096 bytes.
|
1460
1460
|
#
|
1461
|
-
# HMAC KMS keys are not supported in all Amazon Web Services Regions.
|
1462
|
-
# If you try to create an HMAC KMS key in an Amazon Web Services
|
1463
|
-
# Region in which HMAC keys are not supported, the `CreateKey`
|
1464
|
-
# operation returns an `UnsupportedOperationException`. For a list of
|
1465
|
-
# Regions in which HMAC KMS keys are supported, see [HMAC keys in
|
1466
|
-
# KMS][4] in the *Key Management Service Developer Guide*.
|
1467
|
-
#
|
1468
1461
|
#
|
1469
1462
|
#
|
1470
1463
|
# Multi-Region primary keys
|
@@ -1491,46 +1484,48 @@ module Aws::KMS
|
|
1491
1484
|
# to encrypt data in one Amazon Web Services Region and decrypt it in
|
1492
1485
|
# a different Amazon Web Services Region without re-encrypting the
|
1493
1486
|
# data or making a cross-Region call. For more information about
|
1494
|
-
# multi-Region keys, see [Multi-Region keys in KMS][
|
1487
|
+
# multi-Region keys, see [Multi-Region keys in KMS][4] in the *Key
|
1495
1488
|
# Management Service Developer Guide*.
|
1496
1489
|
#
|
1497
1490
|
#
|
1498
1491
|
#
|
1499
1492
|
# : To import your own key material into a KMS key, begin by creating a
|
1500
|
-
#
|
1501
|
-
#
|
1502
|
-
#
|
1503
|
-
#
|
1493
|
+
# KMS key with no key material. To do this, use the `Origin` parameter
|
1494
|
+
# of `CreateKey` with a value of `EXTERNAL`. Next, use
|
1495
|
+
# GetParametersForImport operation to get a public key and import
|
1496
|
+
# token. Use the wrapping public key to encrypt your key material.
|
1504
1497
|
# Then, use ImportKeyMaterial with your import token to import the key
|
1505
1498
|
# material. For step-by-step instructions, see [Importing Key
|
1506
|
-
# Material][
|
1499
|
+
# Material][5] in the <i> <i>Key Management Service Developer
|
1507
1500
|
# Guide</i> </i>.
|
1508
1501
|
#
|
1509
|
-
#
|
1510
|
-
#
|
1511
|
-
#
|
1502
|
+
# You can import key material into KMS keys of all supported KMS key
|
1503
|
+
# types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric
|
1504
|
+
# encryption KMS keys, and asymmetric signing KMS keys. You can also
|
1505
|
+
# create multi-Region keys with imported key material. However, you
|
1506
|
+
# can't import key material into a KMS key in a custom key store.
|
1512
1507
|
#
|
1513
1508
|
# To create a multi-Region primary key with imported key material, use
|
1514
1509
|
# the `Origin` parameter of `CreateKey` with a value of `EXTERNAL` and
|
1515
1510
|
# the `MultiRegion` parameter with a value of `True`. To create
|
1516
1511
|
# replicas of the multi-Region primary key, use the ReplicateKey
|
1517
1512
|
# operation. For instructions, see [Importing key material into
|
1518
|
-
# multi-Region keys][
|
1519
|
-
# see [Multi-Region keys in KMS][
|
1513
|
+
# multi-Region keys][6]. For more information about multi-Region keys,
|
1514
|
+
# see [Multi-Region keys in KMS][4] in the *Key Management Service
|
1520
1515
|
# Developer Guide*.
|
1521
1516
|
#
|
1522
1517
|
#
|
1523
1518
|
#
|
1524
1519
|
# Custom key store
|
1525
1520
|
#
|
1526
|
-
# : A [custom key store][
|
1521
|
+
# : A [custom key store][7] lets you protect your Amazon Web Services
|
1527
1522
|
# resources using keys in a backing key store that you own and manage.
|
1528
1523
|
# When you request a cryptographic operation with a KMS key in a
|
1529
1524
|
# custom key store, the operation is performed in the backing key
|
1530
1525
|
# store using its cryptographic keys.
|
1531
1526
|
#
|
1532
|
-
# KMS supports [CloudHSM key stores][
|
1533
|
-
# and [external key stores][
|
1527
|
+
# KMS supports [CloudHSM key stores][8] backed by an CloudHSM cluster
|
1528
|
+
# and [external key stores][9] backed by an external key manager
|
1534
1529
|
# outside of Amazon Web Services. When you create a KMS key in an
|
1535
1530
|
# CloudHSM key store, KMS generates an encryption key in the CloudHSM
|
1536
1531
|
# cluster and associates it with the KMS key. When you create a KMS
|
@@ -1555,13 +1550,13 @@ module Aws::KMS
|
|
1555
1550
|
# `ENCRYPT_DECRYPT` to create a symmetric encryption key. No other key
|
1556
1551
|
# type is supported in a custom key store.
|
1557
1552
|
#
|
1558
|
-
# To create a KMS key in an [CloudHSM key store][
|
1553
|
+
# To create a KMS key in an [CloudHSM key store][8], use the `Origin`
|
1559
1554
|
# parameter with a value of `AWS_CLOUDHSM`. The CloudHSM cluster that
|
1560
1555
|
# is associated with the custom key store must have at least two
|
1561
1556
|
# active HSMs in different Availability Zones in the Amazon Web
|
1562
1557
|
# Services Region.
|
1563
1558
|
#
|
1564
|
-
# To create a KMS key in an [external key store][
|
1559
|
+
# To create a KMS key in an [external key store][9], use the `Origin`
|
1565
1560
|
# parameter with a value of `EXTERNAL_KEY_STORE` and an `XksKeyId`
|
1566
1561
|
# parameter that identifies an existing external key.
|
1567
1562
|
#
|
@@ -1574,10 +1569,10 @@ module Aws::KMS
|
|
1574
1569
|
# **Cross-account use**: No. You cannot use this operation to create a
|
1575
1570
|
# KMS key in a different Amazon Web Services account.
|
1576
1571
|
#
|
1577
|
-
# **Required permissions**: [kms:CreateKey][
|
1578
|
-
# `Tags` parameter, [kms:TagResource][
|
1572
|
+
# **Required permissions**: [kms:CreateKey][10] (IAM policy). To use the
|
1573
|
+
# `Tags` parameter, [kms:TagResource][10] (IAM policy). For examples and
|
1579
1574
|
# information about related permissions, see [Allow a user to create KMS
|
1580
|
-
# keys][
|
1575
|
+
# keys][11] in the *Key Management Service Developer Guide*.
|
1581
1576
|
#
|
1582
1577
|
# **Related operations:**
|
1583
1578
|
#
|
@@ -1592,15 +1587,14 @@ module Aws::KMS
|
|
1592
1587
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys
|
1593
1588
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html
|
1594
1589
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1595
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1596
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1597
|
-
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1598
|
-
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1599
|
-
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1600
|
-
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-
|
1601
|
-
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1602
|
-
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
1603
|
-
# [12]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
1590
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
|
1591
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1592
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html
|
1593
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1594
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html
|
1595
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html
|
1596
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
1597
|
+
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key
|
1604
1598
|
#
|
1605
1599
|
# @option params [String] :policy
|
1606
1600
|
# The key policy to attach to the KMS key.
|
@@ -2105,8 +2099,8 @@ module Aws::KMS
|
|
2105
2099
|
#
|
2106
2100
|
# @example Example: To create a KMS key for imported key material
|
2107
2101
|
#
|
2108
|
-
# # This example creates a KMS key with no key material. When the operation is complete, you can import your own
|
2109
|
-
# # material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
|
2102
|
+
# # This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own
|
2103
|
+
# # key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.
|
2110
2104
|
#
|
2111
2105
|
# resp = client.create_key({
|
2112
2106
|
# origin: "EXTERNAL", # The source of the key material for the KMS key.
|
@@ -2745,18 +2739,16 @@ module Aws::KMS
|
|
2745
2739
|
req.send_request(options)
|
2746
2740
|
end
|
2747
2741
|
|
2748
|
-
# Deletes key material that
|
2749
|
-
# makes the specified KMS key unusable.
|
2750
|
-
#
|
2751
|
-
#
|
2742
|
+
# Deletes key material that was previously imported. This operation
|
2743
|
+
# makes the specified KMS key temporarily unusable. To restore the
|
2744
|
+
# usability of the KMS key, reimport the same key material. For more
|
2745
|
+
# information about importing key material into KMS, see [Importing Key
|
2746
|
+
# Material][1] in the *Key Management Service Developer Guide*.
|
2752
2747
|
#
|
2753
2748
|
# When the specified KMS key is in the `PendingDeletion` state, this
|
2754
2749
|
# operation does not change the KMS key's state. Otherwise, it changes
|
2755
2750
|
# the KMS key's state to `PendingImport`.
|
2756
2751
|
#
|
2757
|
-
# After you delete key material, you can use ImportKeyMaterial to
|
2758
|
-
# reimport the same key material into the KMS key.
|
2759
|
-
#
|
2760
2752
|
# The KMS key that you use for this operation must be in a compatible
|
2761
2753
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
2762
2754
|
# Management Service Developer Guide*.
|
@@ -5547,29 +5539,63 @@ module Aws::KMS
|
|
5547
5539
|
req.send_request(options)
|
5548
5540
|
end
|
5549
5541
|
|
5550
|
-
# Returns the
|
5551
|
-
#
|
5552
|
-
#
|
5553
|
-
#
|
5542
|
+
# Returns the public key and an import token you need to import or
|
5543
|
+
# reimport key material for a KMS key.
|
5544
|
+
#
|
5545
|
+
# By default, KMS keys are created with key material that KMS generates.
|
5546
|
+
# This operation supports [Importing key material][1], an advanced
|
5547
|
+
# feature that lets you generate and import the cryptographic key
|
5548
|
+
# material for a KMS key. For more information about importing key
|
5549
|
+
# material into KMS, see [Importing key material][1] in the *Key
|
5550
|
+
# Management Service Developer Guide*.
|
5554
5551
|
#
|
5555
|
-
#
|
5556
|
-
#
|
5557
|
-
#
|
5558
|
-
#
|
5559
|
-
#
|
5560
|
-
#
|
5561
|
-
#
|
5562
|
-
#
|
5563
|
-
#
|
5564
|
-
#
|
5565
|
-
#
|
5566
|
-
#
|
5567
|
-
#
|
5568
|
-
#
|
5569
|
-
#
|
5570
|
-
#
|
5571
|
-
#
|
5572
|
-
#
|
5552
|
+
# Before calling `GetParametersForImport`, use the CreateKey operation
|
5553
|
+
# with an `Origin` value of `EXTERNAL` to create a KMS key with no key
|
5554
|
+
# material. You can import key material for a symmetric encryption KMS
|
5555
|
+
# key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
|
5556
|
+
# signing KMS key. You can also import key material into a [multi-Region
|
5557
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of any
|
5558
|
+
# supported type. However, you can't import key material into a KMS key
|
5559
|
+
# in a [custom key
|
5560
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html). You
|
5561
|
+
# can also use `GetParametersForImport` to get a public key and import
|
5562
|
+
# token to [reimport the original key
|
5563
|
+
# material](kms/latest/developerguide/importing-keys.html#reimport-key-material)
|
5564
|
+
# into a KMS key whose key material expired or was deleted.
|
5565
|
+
#
|
5566
|
+
# `GetParametersForImport` returns the items that you need to import
|
5567
|
+
# your key material.
|
5568
|
+
#
|
5569
|
+
# * The public key (or "wrapping key") of an RSA key pair that KMS
|
5570
|
+
# generates.
|
5571
|
+
#
|
5572
|
+
# You will use this public key to encrypt ("wrap") your key material
|
5573
|
+
# while it's in transit to KMS.
|
5574
|
+
#
|
5575
|
+
# * A import token that ensures that KMS can decrypt your key material
|
5576
|
+
# and associate it with the correct KMS key.
|
5577
|
+
#
|
5578
|
+
# The public key and its import token are permanently linked and must be
|
5579
|
+
# used together. Each public key and import token set is valid for 24
|
5580
|
+
# hours. The expiration date and time appear in the `ParametersValidTo`
|
5581
|
+
# field in the `GetParametersForImport` response. You cannot use an
|
5582
|
+
# expired public key or import token in an ImportKeyMaterial request. If
|
5583
|
+
# your key and token expire, send another `GetParametersForImport`
|
5584
|
+
# request.
|
5585
|
+
#
|
5586
|
+
# `GetParametersForImport` requires the following information:
|
5587
|
+
#
|
5588
|
+
# * The key ID of the KMS key for which you are importing the key
|
5589
|
+
# material.
|
5590
|
+
#
|
5591
|
+
# * The key spec of the public key ("wrapping key") that you will use
|
5592
|
+
# to encrypt your key material during import.
|
5593
|
+
#
|
5594
|
+
# * The wrapping algorithm that you will use with the public key to
|
5595
|
+
# encrypt your key material.
|
5596
|
+
#
|
5597
|
+
# You can use the same or a different public key spec and wrapping
|
5598
|
+
# algorithm each time you import or reimport the same key material.
|
5573
5599
|
#
|
5574
5600
|
# The KMS key that you use for this operation must be in a compatible
|
5575
5601
|
# key state. For details, see [Key states of KMS keys][2] in the *Key
|
@@ -5593,8 +5619,11 @@ module Aws::KMS
|
|
5593
5619
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5594
5620
|
#
|
5595
5621
|
# @option params [required, String] :key_id
|
5596
|
-
# The identifier of the
|
5597
|
-
#
|
5622
|
+
# The identifier of the KMS key that will be associated with the
|
5623
|
+
# imported key material. The `Origin` of the KMS key must be `EXTERNAL`.
|
5624
|
+
#
|
5625
|
+
# All KMS key types are supported, including multi-Region keys. However,
|
5626
|
+
# you cannot import key material into a KMS key in a custom key store.
|
5598
5627
|
#
|
5599
5628
|
# Specify the key ID or key ARN of the KMS key.
|
5600
5629
|
#
|
@@ -5609,25 +5638,52 @@ module Aws::KMS
|
|
5609
5638
|
# DescribeKey.
|
5610
5639
|
#
|
5611
5640
|
# @option params [required, String] :wrapping_algorithm
|
5612
|
-
# The algorithm you will use
|
5613
|
-
# the
|
5614
|
-
# see [
|
5615
|
-
#
|
5641
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
5642
|
+
# the response to protect your key material during import. For more
|
5643
|
+
# information, see [Select a wrapping
|
5644
|
+
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
5645
|
+
# in the *Key Management Service Developer Guide*.
|
5646
|
+
#
|
5647
|
+
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
5648
|
+
# an AES key that you generate, then encrypt your AES key with the RSA
|
5649
|
+
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
5650
|
+
# key material directly with the RSA public key from KMS.
|
5651
|
+
#
|
5652
|
+
# The wrapping algorithms that you can use depend on the type of key
|
5653
|
+
# material that you are importing. To import an RSA private key, you
|
5654
|
+
# must use an RSA\_AES wrapping algorithm.
|
5655
|
+
#
|
5656
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
5657
|
+
# ECC key material.
|
5658
|
+
#
|
5659
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and ECC
|
5660
|
+
# key material.
|
5661
|
+
#
|
5662
|
+
# * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key material,
|
5663
|
+
# except RSA key material (private key).
|
5616
5664
|
#
|
5617
|
-
#
|
5618
|
-
#
|
5619
|
-
# will end support for `RSAES_PKCS1_V1_5` by October 1, 2023 pursuant to
|
5620
|
-
# [cryptographic key management guidance][2] from the National Institute
|
5621
|
-
# of Standards and Technology (NIST).
|
5665
|
+
# You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with the
|
5666
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
5622
5667
|
#
|
5668
|
+
# * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
|
5669
|
+
# except RSA key material (private key).
|
5623
5670
|
#
|
5671
|
+
# You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
|
5672
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
5624
5673
|
#
|
5625
|
-
#
|
5626
|
-
#
|
5674
|
+
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for symmetric
|
5675
|
+
# encryption key material (and only in legacy mode).
|
5627
5676
|
#
|
5628
5677
|
# @option params [required, String] :wrapping_key_spec
|
5629
|
-
# The type of
|
5630
|
-
#
|
5678
|
+
# The type of RSA public key to return in the response. You will use
|
5679
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
5680
|
+
# your key material during import.
|
5681
|
+
#
|
5682
|
+
# Use the longest RSA wrapping key that is practical.
|
5683
|
+
#
|
5684
|
+
# You cannot use an RSA\_2048 public key to directly wrap an
|
5685
|
+
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
5686
|
+
# algorithm or choose a longer RSA public key.
|
5631
5687
|
#
|
5632
5688
|
# @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5633
5689
|
#
|
@@ -5637,12 +5693,13 @@ module Aws::KMS
|
|
5637
5693
|
# * {Types::GetParametersForImportResponse#parameters_valid_to #parameters_valid_to} => Time
|
5638
5694
|
#
|
5639
5695
|
#
|
5640
|
-
# @example Example: To
|
5696
|
+
# @example Example: To download the public key and import token for a symmetric encryption KMS key
|
5641
5697
|
#
|
5642
|
-
# # The following example
|
5698
|
+
# # The following example downloads a public key and import token to import symmetric encryption key material. It uses the
|
5699
|
+
# # default wrapping key spec and the RSAES_OAEP_SHA_256 wrapping algorithm.
|
5643
5700
|
#
|
5644
5701
|
# resp = client.get_parameters_for_import({
|
5645
|
-
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key
|
5702
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
5646
5703
|
# wrapping_algorithm: "RSAES_OAEP_SHA_1", # The algorithm that you will use to encrypt the key material before importing it.
|
5647
5704
|
# wrapping_key_spec: "RSA_2048", # The type of wrapping key (public key) to return in the response.
|
5648
5705
|
# })
|
@@ -5650,8 +5707,67 @@ module Aws::KMS
|
|
5650
5707
|
# resp.to_h outputs the following:
|
5651
5708
|
# {
|
5652
5709
|
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
5653
|
-
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key
|
5654
|
-
# parameters_valid_to: Time.parse("
|
5710
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
5711
|
+
# parameters_valid_to: Time.parse("2023-02-01T14:52:17-08:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
5712
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
5713
|
+
# }
|
5714
|
+
#
|
5715
|
+
# @example Example: To download the public key and import token for an RSA asymmetric KMS key
|
5716
|
+
#
|
5717
|
+
# # The following example downloads a public key and import token to import an RSA private key. It uses a required RSA_AES
|
5718
|
+
# # wrapping algorithm and the largest supported private key.
|
5719
|
+
#
|
5720
|
+
# resp = client.get_parameters_for_import({
|
5721
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
5722
|
+
# wrapping_algorithm: "RSA_AES_KEY_WRAP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
5723
|
+
# wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
|
5724
|
+
# })
|
5725
|
+
#
|
5726
|
+
# resp.to_h outputs the following:
|
5727
|
+
# {
|
5728
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
5729
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
5730
|
+
# parameters_valid_to: Time.parse("2023-03-08T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
5731
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
5732
|
+
# }
|
5733
|
+
#
|
5734
|
+
# @example Example: To download the public key and import token for an elliptic curve (ECC) asymmetric KMS key
|
5735
|
+
#
|
5736
|
+
# # The following example downloads a public key and import token to import an ECC_NIST_P521 (secp521r1) private key. You
|
5737
|
+
# # cannot directly wrap this ECC key under an RSA_2048 public key, although you can use an RSA_2048 public key with an
|
5738
|
+
# # RSA_AES wrapping algorithm to wrap any supported key material. This example requests an RSA_3072 public key for use with
|
5739
|
+
# # the RSAES_OAEP_SHA_256.
|
5740
|
+
#
|
5741
|
+
# resp = client.get_parameters_for_import({
|
5742
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
5743
|
+
# wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
5744
|
+
# wrapping_key_spec: "RSA_3072", # The type of wrapping key (public key) to return in the response.
|
5745
|
+
# })
|
5746
|
+
#
|
5747
|
+
# resp.to_h outputs the following:
|
5748
|
+
# {
|
5749
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
5750
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
5751
|
+
# parameters_valid_to: Time.parse("2023-09-12T03:15:01-20:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
5752
|
+
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
5753
|
+
# }
|
5754
|
+
#
|
5755
|
+
# @example Example: To download the public key and import token for an HMAC KMS key
|
5756
|
+
#
|
5757
|
+
# # The following example downloads a public key and import token to import an HMAC key. It uses the RSAES_OAEP_SHA_256
|
5758
|
+
# # wrapping algorithm and an RSA_4096 private key.
|
5759
|
+
#
|
5760
|
+
# resp = client.get_parameters_for_import({
|
5761
|
+
# key_id: "2468abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
5762
|
+
# wrapping_algorithm: "RSAES_OAEP_SHA_256", # The algorithm that you will use to encrypt the key material before importing it.
|
5763
|
+
# wrapping_key_spec: "RSA_4096", # The type of wrapping key (public key) to return in the response.
|
5764
|
+
# })
|
5765
|
+
#
|
5766
|
+
# resp.to_h outputs the following:
|
5767
|
+
# {
|
5768
|
+
# import_token: "<binary data>", # The import token to send with a subsequent ImportKeyMaterial request.
|
5769
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/2468abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the KMS key that will be associated with the imported key material.
|
5770
|
+
# parameters_valid_to: Time.parse("2023-04-02T13:02:02-07:00"), # The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
|
5655
5771
|
# public_key: "<binary data>", # The public key to use to encrypt the key material before importing it.
|
5656
5772
|
# }
|
5657
5773
|
#
|
@@ -5659,8 +5775,8 @@ module Aws::KMS
|
|
5659
5775
|
#
|
5660
5776
|
# resp = client.get_parameters_for_import({
|
5661
5777
|
# key_id: "KeyIdType", # required
|
5662
|
-
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
5663
|
-
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048
|
5778
|
+
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
|
5779
|
+
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
|
5664
5780
|
# })
|
5665
5781
|
#
|
5666
5782
|
# @example Response structure
|
@@ -5839,66 +5955,112 @@ module Aws::KMS
|
|
5839
5955
|
req.send_request(options)
|
5840
5956
|
end
|
5841
5957
|
|
5842
|
-
# Imports key material into an existing
|
5843
|
-
#
|
5844
|
-
#
|
5845
|
-
#
|
5846
|
-
# material.
|
5847
|
-
#
|
5848
|
-
#
|
5849
|
-
#
|
5850
|
-
#
|
5851
|
-
#
|
5852
|
-
# *Key Management Service Developer Guide*.
|
5853
|
-
#
|
5854
|
-
# Before using this operation, call GetParametersForImport. Its response
|
5855
|
-
# includes a public key and an import token. Use the public key to
|
5856
|
-
# encrypt the key material. Then, submit the import token from the same
|
5857
|
-
# `GetParametersForImport` response.
|
5858
|
-
#
|
5859
|
-
# When calling this operation, you must specify the following values:
|
5860
|
-
#
|
5861
|
-
# * The key ID or key ARN of a KMS key with no key material. Its
|
5862
|
-
# `Origin` must be `EXTERNAL`.
|
5863
|
-
#
|
5864
|
-
# To create a KMS key with no key material, call CreateKey and set the
|
5865
|
-
# value of its `Origin` parameter to `EXTERNAL`. To get the `Origin`
|
5866
|
-
# of a KMS key, call DescribeKey.)
|
5958
|
+
# Imports or reimports key material into an existing KMS key that was
|
5959
|
+
# created without key material. `ImportKeyMaterial` also sets the
|
5960
|
+
# expiration model and expiration date of the imported key material.
|
5961
|
+
#
|
5962
|
+
# By default, KMS keys are created with key material that KMS generates.
|
5963
|
+
# This operation supports [Importing key material][1], an advanced
|
5964
|
+
# feature that lets you generate and import the cryptographic key
|
5965
|
+
# material for a KMS key. For more information about importing key
|
5966
|
+
# material into KMS, see [Importing key material][1] in the *Key
|
5967
|
+
# Management Service Developer Guide*.
|
5867
5968
|
#
|
5868
|
-
#
|
5869
|
-
#
|
5969
|
+
# After you successfully import key material into a KMS key, you can
|
5970
|
+
# [reimport the same key material][2] into that KMS key, but you cannot
|
5971
|
+
# import different key material. You might reimport key material to
|
5972
|
+
# replace key material that expired or key material that you deleted.
|
5973
|
+
# You might also reimport key material to change the expiration model or
|
5974
|
+
# expiration date of the key material. Before reimporting key material,
|
5975
|
+
# if necessary, call DeleteImportedKeyMaterial to delete the current
|
5976
|
+
# imported key material.
|
5977
|
+
#
|
5978
|
+
# Each time you import key material into KMS, you can determine whether
|
5979
|
+
# (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
|
5980
|
+
# change the expiration of your key material, you must import it again,
|
5981
|
+
# either by calling `ImportKeyMaterial` or using the [import
|
5982
|
+
# features](kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console)
|
5983
|
+
# of the KMS console.
|
5984
|
+
#
|
5985
|
+
# Before calling `ImportKeyMaterial`:
|
5986
|
+
#
|
5987
|
+
# * Create or identify a KMS key with no key material. The KMS key must
|
5988
|
+
# have an `Origin` value of `EXTERNAL`, which indicates that the KMS
|
5989
|
+
# key is designed for imported key material.
|
5990
|
+
#
|
5991
|
+
# To create an new KMS key for imported key material, call the
|
5992
|
+
# CreateKey operation with an `Origin` value of `EXTERNAL`. You can
|
5993
|
+
# create a symmetric encryption KMS key, HMAC KMS key, asymmetric
|
5994
|
+
# encryption KMS key, or asymmetric signing KMS key. You can also
|
5995
|
+
# import key material into a [multi-Region
|
5996
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of
|
5997
|
+
# any supported type. However, you can't import key material into a
|
5998
|
+
# KMS key in a [custom key
|
5999
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html).
|
6000
|
+
#
|
6001
|
+
# * Use the DescribeKey operation to verify that the `KeyState` of the
|
6002
|
+
# KMS key is `PendingImport`, which indicates that the KMS key has no
|
6003
|
+
# key material.
|
6004
|
+
#
|
6005
|
+
# If you are reimporting the same key material into an existing KMS
|
6006
|
+
# key, you might need to call the DeleteImportedKeyMaterial to delete
|
6007
|
+
# its existing key material.
|
6008
|
+
#
|
6009
|
+
# * Call the GetParametersForImport operation to get a public key and
|
6010
|
+
# import token set for importing key material.
|
6011
|
+
#
|
6012
|
+
# * Use the public key in the GetParametersForImport response to encrypt
|
6013
|
+
# your key material.
|
6014
|
+
#
|
6015
|
+
# Then, in an `ImportKeyMaterial` request, you submit your encrypted key
|
6016
|
+
# material and import token. When calling this operation, you must
|
6017
|
+
# specify the following values:
|
6018
|
+
#
|
6019
|
+
# * The key ID or key ARN of the KMS key to associate with the imported
|
6020
|
+
# key material. Its `Origin` must be `EXTERNAL` and its `KeyState`
|
6021
|
+
# must be `PendingImport`. You cannot perform this operation on a KMS
|
6022
|
+
# key in a [custom key
|
6023
|
+
# store](kms/latest/developerguide/custom-key-store-overview.html), or
|
6024
|
+
# on a KMS key in a different Amazon Web Services account. To get the
|
6025
|
+
# `Origin` and `KeyState` of a KMS key, call DescribeKey.
|
6026
|
+
#
|
6027
|
+
# * The encrypted key material.
|
5870
6028
|
#
|
5871
6029
|
# * The import token that GetParametersForImport returned. You must use
|
5872
6030
|
# a public key and token from the same `GetParametersForImport`
|
5873
6031
|
# response.
|
5874
6032
|
#
|
5875
6033
|
# * Whether the key material expires (`ExpirationModel`) and, if so,
|
5876
|
-
# when (`ValidTo`).
|
5877
|
-
#
|
5878
|
-
#
|
5879
|
-
# you
|
5880
|
-
#
|
5881
|
-
#
|
6034
|
+
# when (`ValidTo`). For help with this choice, see [Setting an
|
6035
|
+
# expiration time][3] in the *Key Management Service Developer Guide*.
|
6036
|
+
#
|
6037
|
+
# If you set an expiration date, KMS deletes the key material from the
|
6038
|
+
# KMS key on the specified date, making the KMS key unusable. To use
|
6039
|
+
# the KMS key in cryptographic operations again, you must reimport the
|
6040
|
+
# same key material. However, you can delete and reimport the key
|
6041
|
+
# material at any time, including before the key material expires.
|
6042
|
+
# Each time you reimport, you can eliminate or reset the expiration
|
6043
|
+
# time.
|
5882
6044
|
#
|
5883
6045
|
# When this operation is successful, the key state of the KMS key
|
5884
|
-
# changes from `PendingImport` to `Enabled`, and you can use the KMS
|
5885
|
-
#
|
6046
|
+
# changes from `PendingImport` to `Enabled`, and you can use the KMS key
|
6047
|
+
# in cryptographic operations.
|
5886
6048
|
#
|
5887
6049
|
# If this operation fails, use the exception to help determine the
|
5888
6050
|
# problem. If the error is related to the key material, the import
|
5889
6051
|
# token, or wrapping key, use GetParametersForImport to get a new public
|
5890
6052
|
# key and import token for the KMS key and repeat the import procedure.
|
5891
|
-
# For help, see [How To Import Key Material][
|
6053
|
+
# For help, see [How To Import Key Material][4] in the *Key Management
|
5892
6054
|
# Service Developer Guide*.
|
5893
6055
|
#
|
5894
6056
|
# The KMS key that you use for this operation must be in a compatible
|
5895
|
-
# key state. For details, see [Key states of KMS keys][
|
6057
|
+
# key state. For details, see [Key states of KMS keys][5] in the *Key
|
5896
6058
|
# Management Service Developer Guide*.
|
5897
6059
|
#
|
5898
6060
|
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
5899
6061
|
# key in a different Amazon Web Services account.
|
5900
6062
|
#
|
5901
|
-
# **Required permissions**: [kms:ImportKeyMaterial][
|
6063
|
+
# **Required permissions**: [kms:ImportKeyMaterial][6] (key policy)
|
5902
6064
|
#
|
5903
6065
|
# **Related operations:**
|
5904
6066
|
#
|
@@ -5908,20 +6070,27 @@ module Aws::KMS
|
|
5908
6070
|
#
|
5909
6071
|
#
|
5910
6072
|
#
|
5911
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
5912
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
5913
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-
|
5914
|
-
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
5915
|
-
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6073
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
6074
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
|
6075
|
+
# [3]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
6076
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
|
6077
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
6078
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
5916
6079
|
#
|
5917
6080
|
# @option params [required, String] :key_id
|
5918
|
-
# The identifier of the
|
6081
|
+
# The identifier of the KMS key that will be associated with the
|
5919
6082
|
# imported key material. This must be the same KMS key specified in the
|
5920
6083
|
# `KeyID` parameter of the corresponding GetParametersForImport request.
|
5921
|
-
# The `Origin` of the KMS key must be `EXTERNAL
|
5922
|
-
#
|
5923
|
-
#
|
5924
|
-
#
|
6084
|
+
# The `Origin` of the KMS key must be `EXTERNAL` and its `KeyState` must
|
6085
|
+
# be `PendingImport`.
|
6086
|
+
#
|
6087
|
+
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
6088
|
+
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
6089
|
+
# including a [multi-Region
|
6090
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of any
|
6091
|
+
# supported type. You cannot perform this operation on a KMS key in a
|
6092
|
+
# custom key store, or on a KMS key in a different Amazon Web Services
|
6093
|
+
# account.
|
5925
6094
|
#
|
5926
6095
|
# Specify the key ID or key ARN of the KMS key.
|
5927
6096
|
#
|
@@ -5942,7 +6111,7 @@ module Aws::KMS
|
|
5942
6111
|
#
|
5943
6112
|
# @option params [required, String, StringIO, File] :encrypted_key_material
|
5944
6113
|
# The encrypted key material to import. The key material must be
|
5945
|
-
# encrypted
|
6114
|
+
# encrypted under the public wrapping key that GetParametersForImport
|
5946
6115
|
# returned, using the wrapping algorithm that you specified in the same
|
5947
6116
|
# `GetParametersForImport` request.
|
5948
6117
|
#
|
@@ -5966,7 +6135,8 @@ module Aws::KMS
|
|
5966
6135
|
#
|
5967
6136
|
# @option params [String] :expiration_model
|
5968
6137
|
# Specifies whether the key material expires. The default is
|
5969
|
-
# `KEY_MATERIAL_EXPIRES`.
|
6138
|
+
# `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
|
6139
|
+
# expiration time][1] in the *Key Management Service Developer Guide*.
|
5970
6140
|
#
|
5971
6141
|
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
5972
6142
|
# must specify a value for the `ValidTo` parameter. When value is
|
@@ -5974,8 +6144,11 @@ module Aws::KMS
|
|
5974
6144
|
#
|
5975
6145
|
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
5976
6146
|
# current import after the request completes. To change either value,
|
5977
|
-
# you must
|
5978
|
-
#
|
6147
|
+
# you must reimport the key material.
|
6148
|
+
#
|
6149
|
+
#
|
6150
|
+
#
|
6151
|
+
# [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
5979
6152
|
#
|
5980
6153
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
5981
6154
|
#
|
@@ -5991,6 +6164,19 @@ module Aws::KMS
|
|
5991
6164
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
5992
6165
|
# })
|
5993
6166
|
#
|
6167
|
+
# @example Example: To import key material into a KMS key
|
6168
|
+
#
|
6169
|
+
# # The following example imports key material that expires in 3 days. It might be part of an application that frequently
|
6170
|
+
# # reimports the same key material to comply with business rules or regulations.
|
6171
|
+
#
|
6172
|
+
# resp = client.import_key_material({
|
6173
|
+
# encrypted_key_material: "<binary data>", # The encrypted key material to import.
|
6174
|
+
# expiration_model: "KEY_MATERIAL_EXPIRES", # A value that specifies whether the key material expires.
|
6175
|
+
# import_token: "<binary data>", # The import token that you received in the response to a previous GetParametersForImport request.
|
6176
|
+
# key_id: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to import the key material into. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
6177
|
+
# valid_to: Time.parse("2023-09-30T00:00:00-00:00"), # Specifies the date and time when the imported key material expires.
|
6178
|
+
# })
|
6179
|
+
#
|
5994
6180
|
# @example Request syntax with placeholder values
|
5995
6181
|
#
|
5996
6182
|
# resp = client.import_key_material({
|
@@ -7875,8 +8061,11 @@ module Aws::KMS
|
|
7875
8061
|
# Deleting a KMS key is a destructive and potentially dangerous
|
7876
8062
|
# operation. When a KMS key is deleted, all data that was encrypted
|
7877
8063
|
# under the KMS key is unrecoverable. (The only exception is a
|
7878
|
-
# multi-Region replica
|
7879
|
-
#
|
8064
|
+
# [multi-Region replica
|
8065
|
+
# key](kms/latest/developerguide/multi-region-keys-delete.html), or an
|
8066
|
+
# asymmetric or HMAC KMS key with imported key material\[BUGBUG-link to
|
8067
|
+
# importing-keys-managing.html#import-delete-key.) To prevent the use of
|
8068
|
+
# a KMS key without deleting it, use DisableKey.
|
7880
8069
|
#
|
7881
8070
|
# You can schedule the deletion of a multi-Region primary key and its
|
7882
8071
|
# replica keys at any time. However, KMS will not delete a multi-Region
|
@@ -7954,6 +8143,13 @@ module Aws::KMS
|
|
7954
8143
|
#
|
7955
8144
|
# This value is optional. If you include a value, it must be between 7
|
7956
8145
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
8146
|
+
# You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
|
8147
|
+
# condition key to further constrain the values that principals can
|
8148
|
+
# specify in the `PendingWindowInDays` parameter.
|
8149
|
+
#
|
8150
|
+
#
|
8151
|
+
#
|
8152
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window
|
7957
8153
|
#
|
7958
8154
|
# @return [Types::ScheduleKeyDeletionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
7959
8155
|
#
|
@@ -9509,7 +9705,7 @@ module Aws::KMS
|
|
9509
9705
|
params: params,
|
9510
9706
|
config: config)
|
9511
9707
|
context[:gem_name] = 'aws-sdk-kms'
|
9512
|
-
context[:gem_version] = '1.
|
9708
|
+
context[:gem_version] = '1.67.0'
|
9513
9709
|
Seahorse::Client::Request.new(handlers, context)
|
9514
9710
|
end
|
9515
9711
|
|
data/lib/aws-sdk-kms/types.rb
CHANGED
@@ -2994,10 +2994,14 @@ module Aws::KMS
|
|
2994
2994
|
end
|
2995
2995
|
|
2996
2996
|
# @!attribute [rw] key_id
|
2997
|
-
# The identifier of the
|
2998
|
-
#
|
2997
|
+
# The identifier of the KMS key that will be associated with the
|
2998
|
+
# imported key material. The `Origin` of the KMS key must be
|
2999
2999
|
# `EXTERNAL`.
|
3000
3000
|
#
|
3001
|
+
# All KMS key types are supported, including multi-Region keys.
|
3002
|
+
# However, you cannot import key material into a KMS key in a custom
|
3003
|
+
# key store.
|
3004
|
+
#
|
3001
3005
|
# Specify the key ID or key ARN of the KMS key.
|
3002
3006
|
#
|
3003
3007
|
# For example:
|
@@ -3012,26 +3016,54 @@ module Aws::KMS
|
|
3012
3016
|
# @return [String]
|
3013
3017
|
#
|
3014
3018
|
# @!attribute [rw] wrapping_algorithm
|
3015
|
-
# The algorithm you will use
|
3016
|
-
# the
|
3017
|
-
# see [
|
3018
|
-
#
|
3019
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
3020
|
+
# the response to protect your key material during import. For more
|
3021
|
+
# information, see [Select a wrapping
|
3022
|
+
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
3023
|
+
# in the *Key Management Service Developer Guide*.
|
3024
|
+
#
|
3025
|
+
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
3026
|
+
# an AES key that you generate, then encrypt your AES key with the RSA
|
3027
|
+
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
3028
|
+
# key material directly with the RSA public key from KMS.
|
3029
|
+
#
|
3030
|
+
# The wrapping algorithms that you can use depend on the type of key
|
3031
|
+
# material that you are importing. To import an RSA private key, you
|
3032
|
+
# must use an RSA\_AES wrapping algorithm.
|
3033
|
+
#
|
3034
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
3035
|
+
# ECC key material.
|
3019
3036
|
#
|
3020
|
-
#
|
3021
|
-
#
|
3022
|
-
# immediately. KMS will end support for `RSAES_PKCS1_V1_5` by October
|
3023
|
-
# 1, 2023 pursuant to [cryptographic key management guidance][2] from
|
3024
|
-
# the National Institute of Standards and Technology (NIST).
|
3037
|
+
# * **RSA\_AES\_KEY\_WRAP\_SHA\_1** — Supported for wrapping RSA and
|
3038
|
+
# ECC key material.
|
3025
3039
|
#
|
3040
|
+
# * **RSAES\_OAEP\_SHA\_256** — Supported for all types of key
|
3041
|
+
# material, except RSA key material (private key).
|
3026
3042
|
#
|
3043
|
+
# You cannot use the RSAES\_OAEP\_SHA\_256 wrapping algorithm with
|
3044
|
+
# the RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key
|
3045
|
+
# material.
|
3027
3046
|
#
|
3028
|
-
#
|
3029
|
-
#
|
3047
|
+
# * **RSAES\_OAEP\_SHA\_1** — Supported for all types of key material,
|
3048
|
+
# except RSA key material (private key).
|
3049
|
+
#
|
3050
|
+
# You cannot use the RSAES\_OAEP\_SHA\_1 wrapping algorithm with the
|
3051
|
+
# RSA\_2048 wrapping key spec to wrap ECC\_NIST\_P521 key material.
|
3052
|
+
#
|
3053
|
+
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — Supported only for
|
3054
|
+
# symmetric encryption key material (and only in legacy mode).
|
3030
3055
|
# @return [String]
|
3031
3056
|
#
|
3032
3057
|
# @!attribute [rw] wrapping_key_spec
|
3033
|
-
# The type of
|
3034
|
-
#
|
3058
|
+
# The type of RSA public key to return in the response. You will use
|
3059
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
3060
|
+
# your key material during import.
|
3061
|
+
#
|
3062
|
+
# Use the longest RSA wrapping key that is practical.
|
3063
|
+
#
|
3064
|
+
# You cannot use an RSA\_2048 public key to directly wrap an
|
3065
|
+
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
3066
|
+
# algorithm or choose a longer RSA public key.
|
3035
3067
|
# @return [String]
|
3036
3068
|
#
|
3037
3069
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImportRequest AWS API Documentation
|
@@ -3338,13 +3370,19 @@ module Aws::KMS
|
|
3338
3370
|
end
|
3339
3371
|
|
3340
3372
|
# @!attribute [rw] key_id
|
3341
|
-
# The identifier of the
|
3373
|
+
# The identifier of the KMS key that will be associated with the
|
3342
3374
|
# imported key material. This must be the same KMS key specified in
|
3343
3375
|
# the `KeyID` parameter of the corresponding GetParametersForImport
|
3344
|
-
# request. The `Origin` of the KMS key must be `EXTERNAL
|
3345
|
-
#
|
3346
|
-
#
|
3347
|
-
#
|
3376
|
+
# request. The `Origin` of the KMS key must be `EXTERNAL` and its
|
3377
|
+
# `KeyState` must be `PendingImport`.
|
3378
|
+
#
|
3379
|
+
# The KMS key can be a symmetric encryption KMS key, HMAC KMS key,
|
3380
|
+
# asymmetric encryption KMS key, or asymmetric signing KMS key,
|
3381
|
+
# including a [multi-Region
|
3382
|
+
# key](kms/latest/developerguide/multi-region-keys-overview.html) of
|
3383
|
+
# any supported type. You cannot perform this operation on a KMS key
|
3384
|
+
# in a custom key store, or on a KMS key in a different Amazon Web
|
3385
|
+
# Services account.
|
3348
3386
|
#
|
3349
3387
|
# Specify the key ID or key ARN of the KMS key.
|
3350
3388
|
#
|
@@ -3368,7 +3406,7 @@ module Aws::KMS
|
|
3368
3406
|
#
|
3369
3407
|
# @!attribute [rw] encrypted_key_material
|
3370
3408
|
# The encrypted key material to import. The key material must be
|
3371
|
-
# encrypted
|
3409
|
+
# encrypted under the public wrapping key that GetParametersForImport
|
3372
3410
|
# returned, using the wrapping algorithm that you specified in the
|
3373
3411
|
# same `GetParametersForImport` request.
|
3374
3412
|
# @return [String]
|
@@ -3394,7 +3432,8 @@ module Aws::KMS
|
|
3394
3432
|
#
|
3395
3433
|
# @!attribute [rw] expiration_model
|
3396
3434
|
# Specifies whether the key material expires. The default is
|
3397
|
-
# `KEY_MATERIAL_EXPIRES`.
|
3435
|
+
# `KEY_MATERIAL_EXPIRES`. For help with this choice, see [Setting an
|
3436
|
+
# expiration time][1] in the *Key Management Service Developer Guide*.
|
3398
3437
|
#
|
3399
3438
|
# When the value of `ExpirationModel` is `KEY_MATERIAL_EXPIRES`, you
|
3400
3439
|
# must specify a value for the `ValidTo` parameter. When value is
|
@@ -3403,8 +3442,11 @@ module Aws::KMS
|
|
3403
3442
|
#
|
3404
3443
|
# You cannot change the `ExpirationModel` or `ValidTo` values for the
|
3405
3444
|
# current import after the request completes. To change either value,
|
3406
|
-
# you must
|
3407
|
-
#
|
3445
|
+
# you must reimport the key material.
|
3446
|
+
#
|
3447
|
+
#
|
3448
|
+
#
|
3449
|
+
# [1]: https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration
|
3408
3450
|
# @return [String]
|
3409
3451
|
#
|
3410
3452
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterialRequest AWS API Documentation
|
@@ -5145,6 +5187,13 @@ module Aws::KMS
|
|
5145
5187
|
#
|
5146
5188
|
# This value is optional. If you include a value, it must be between 7
|
5147
5189
|
# and 30, inclusive. If you do not include a value, it defaults to 30.
|
5190
|
+
# You can use the [ `kms:ScheduleKeyDeletionPendingWindowInDays` ][1]
|
5191
|
+
# condition key to further constrain the values that principals can
|
5192
|
+
# specify in the `PendingWindowInDays` parameter.
|
5193
|
+
#
|
5194
|
+
#
|
5195
|
+
#
|
5196
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window
|
5148
5197
|
# @return [Integer]
|
5149
5198
|
#
|
5150
5199
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletionRequest AWS API Documentation
|
@@ -5335,7 +5384,7 @@ module Aws::KMS
|
|
5335
5384
|
#
|
5336
5385
|
# * When used with the `ECDSA_SHA_256`, `ECDSA_SHA_384`, or
|
5337
5386
|
# `ECDSA_SHA_512` signing algorithms, this value is a DER-encoded
|
5338
|
-
# object as defined by
|
5387
|
+
# object as defined by ANSI X9.62–2005 and [RFC 3279 Section
|
5339
5388
|
# 2.2.3][2]. This is the most commonly used signature format and is
|
5340
5389
|
# appropriate for most uses.
|
5341
5390
|
#
|
data/lib/aws-sdk-kms.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-kms
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.67.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-06-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-core
|