aws-sdk-kms 1.76.0 → 1.91.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +75 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +793 -118
- data/lib/aws-sdk-kms/client_api.rb +130 -2
- data/lib/aws-sdk-kms/endpoints.rb +83 -200
- data/lib/aws-sdk-kms/errors.rb +16 -0
- data/lib/aws-sdk-kms/plugins/endpoints.rb +17 -1
- data/lib/aws-sdk-kms/types.rb +472 -36
- data/lib/aws-sdk-kms.rb +1 -1
- data/sig/client.rbs +803 -0
- data/sig/errors.rbs +160 -0
- data/sig/resource.rbs +82 -0
- data/sig/types.rbs +1036 -0
- data/sig/waiters.rbs +13 -0
- metadata +15 -10
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -22,6 +22,7 @@ require 'aws-sdk-core/plugins/endpoint_pattern.rb'
|
|
22
22
|
require 'aws-sdk-core/plugins/response_paging.rb'
|
23
23
|
require 'aws-sdk-core/plugins/stub_responses.rb'
|
24
24
|
require 'aws-sdk-core/plugins/idempotency_token.rb'
|
25
|
+
require 'aws-sdk-core/plugins/invocation_id.rb'
|
25
26
|
require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
|
26
27
|
require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
27
28
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
@@ -31,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
|
31
32
|
require 'aws-sdk-core/plugins/request_compression.rb'
|
32
33
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
33
34
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
35
|
+
require 'aws-sdk-core/plugins/telemetry.rb'
|
34
36
|
require 'aws-sdk-core/plugins/sign.rb'
|
35
37
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
36
38
|
|
@@ -72,6 +74,7 @@ module Aws::KMS
|
|
72
74
|
add_plugin(Aws::Plugins::ResponsePaging)
|
73
75
|
add_plugin(Aws::Plugins::StubResponses)
|
74
76
|
add_plugin(Aws::Plugins::IdempotencyToken)
|
77
|
+
add_plugin(Aws::Plugins::InvocationId)
|
75
78
|
add_plugin(Aws::Plugins::JsonvalueConverter)
|
76
79
|
add_plugin(Aws::Plugins::ClientMetricsPlugin)
|
77
80
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
@@ -81,12 +84,18 @@ module Aws::KMS
|
|
81
84
|
add_plugin(Aws::Plugins::RequestCompression)
|
82
85
|
add_plugin(Aws::Plugins::DefaultsMode)
|
83
86
|
add_plugin(Aws::Plugins::RecursionDetection)
|
87
|
+
add_plugin(Aws::Plugins::Telemetry)
|
84
88
|
add_plugin(Aws::Plugins::Sign)
|
85
89
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
86
90
|
add_plugin(Aws::KMS::Plugins::Endpoints)
|
87
91
|
|
88
92
|
# @overload initialize(options)
|
89
93
|
# @param [Hash] options
|
94
|
+
#
|
95
|
+
# @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
|
96
|
+
# A list of plugins to apply to the client. Each plugin is either a
|
97
|
+
# class name or an instance of a plugin class.
|
98
|
+
#
|
90
99
|
# @option options [required, Aws::CredentialProvider] :credentials
|
91
100
|
# Your AWS credentials. This can be an instance of any one of the
|
92
101
|
# following classes:
|
@@ -196,10 +205,16 @@ module Aws::KMS
|
|
196
205
|
# When set to 'true' the request body will not be compressed
|
197
206
|
# for supported operations.
|
198
207
|
#
|
199
|
-
# @option options [String] :endpoint
|
200
|
-
#
|
201
|
-
#
|
202
|
-
#
|
208
|
+
# @option options [String, URI::HTTPS, URI::HTTP] :endpoint
|
209
|
+
# Normally you should not configure the `:endpoint` option
|
210
|
+
# directly. This is normally constructed from the `:region`
|
211
|
+
# option. Configuring `:endpoint` is normally reserved for
|
212
|
+
# connecting to test or custom endpoints. The endpoint should
|
213
|
+
# be a URI formatted like:
|
214
|
+
#
|
215
|
+
# 'http://example.com'
|
216
|
+
# 'https://example.com'
|
217
|
+
# 'http://example.com:123'
|
203
218
|
#
|
204
219
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
205
220
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
@@ -289,25 +304,31 @@ module Aws::KMS
|
|
289
304
|
# throttling. This is a provisional mode that may change behavior
|
290
305
|
# in the future.
|
291
306
|
#
|
292
|
-
#
|
293
307
|
# @option options [String] :sdk_ua_app_id
|
294
308
|
# A unique and opaque application ID that is appended to the
|
295
|
-
# User-Agent header as app
|
296
|
-
# maximum length of 50.
|
309
|
+
# User-Agent header as app/sdk_ua_app_id. It should have a
|
310
|
+
# maximum length of 50. This variable is sourced from environment
|
311
|
+
# variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
|
297
312
|
#
|
298
313
|
# @option options [String] :secret_access_key
|
299
314
|
#
|
300
315
|
# @option options [String] :session_token
|
301
316
|
#
|
317
|
+
# @option options [Array] :sigv4a_signing_region_set
|
318
|
+
# A list of regions that should be signed with SigV4a signing. When
|
319
|
+
# not passed, a default `:sigv4a_signing_region_set` is searched for
|
320
|
+
# in the following locations:
|
321
|
+
#
|
322
|
+
# * `Aws.config[:sigv4a_signing_region_set]`
|
323
|
+
# * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
|
324
|
+
# * `~/.aws/config`
|
325
|
+
#
|
302
326
|
# @option options [Boolean] :simple_json (false)
|
303
327
|
# Disables request parameter conversion, validation, and formatting.
|
304
|
-
# Also
|
305
|
-
#
|
306
|
-
#
|
307
|
-
# structures.
|
308
|
-
#
|
309
|
-
# When `:simple_json` is enabled, the request parameters hash must
|
310
|
-
# be formatted exactly as the DynamoDB API expects.
|
328
|
+
# Also disables response data type conversions. The request parameters
|
329
|
+
# hash must be formatted exactly as the API expects.This option is useful
|
330
|
+
# when you want to ensure the highest level of performance by avoiding
|
331
|
+
# overhead of walking request parameters and response data structures.
|
311
332
|
#
|
312
333
|
# @option options [Boolean] :stub_responses (false)
|
313
334
|
# Causes the client to return stubbed responses. By default
|
@@ -318,6 +339,16 @@ module Aws::KMS
|
|
318
339
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
319
340
|
# requests are made, and retries are disabled.
|
320
341
|
#
|
342
|
+
# @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
|
343
|
+
# Allows you to provide a telemetry provider, which is used to
|
344
|
+
# emit telemetry data. By default, uses `NoOpTelemetryProvider` which
|
345
|
+
# will not record or emit any telemetry data. The SDK supports the
|
346
|
+
# following telemetry providers:
|
347
|
+
#
|
348
|
+
# * OpenTelemetry (OTel) - To use the OTel provider, install and require the
|
349
|
+
# `opentelemetry-sdk` gem and then, pass in an instance of a
|
350
|
+
# `Aws::Telemetry::OTelProvider` for telemetry provider.
|
351
|
+
#
|
321
352
|
# @option options [Aws::TokenProvider] :token_provider
|
322
353
|
# A Bearer Token Provider. This can be an instance of any one of the
|
323
354
|
# following classes:
|
@@ -347,50 +378,71 @@ module Aws::KMS
|
|
347
378
|
# @option options [Aws::KMS::EndpointProvider] :endpoint_provider
|
348
379
|
# The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::KMS::EndpointParameters`
|
349
380
|
#
|
350
|
-
# @option options [
|
351
|
-
#
|
352
|
-
#
|
353
|
-
#
|
354
|
-
#
|
355
|
-
#
|
356
|
-
#
|
357
|
-
#
|
358
|
-
#
|
359
|
-
#
|
360
|
-
#
|
361
|
-
# @option options [Float] :
|
362
|
-
#
|
363
|
-
#
|
364
|
-
#
|
365
|
-
#
|
366
|
-
#
|
367
|
-
#
|
368
|
-
#
|
369
|
-
#
|
370
|
-
#
|
371
|
-
#
|
381
|
+
# @option options [Float] :http_continue_timeout (1)
|
382
|
+
# The number of seconds to wait for a 100-continue response before sending the
|
383
|
+
# request body. This option has no effect unless the request has "Expect"
|
384
|
+
# header set to "100-continue". Defaults to `nil` which disables this
|
385
|
+
# behaviour. This value can safely be set per request on the session.
|
386
|
+
#
|
387
|
+
# @option options [Float] :http_idle_timeout (5)
|
388
|
+
# The number of seconds a connection is allowed to sit idle before it
|
389
|
+
# is considered stale. Stale connections are closed and removed from the
|
390
|
+
# pool before making a request.
|
391
|
+
#
|
392
|
+
# @option options [Float] :http_open_timeout (15)
|
393
|
+
# The default number of seconds to wait for response data.
|
394
|
+
# This value can safely be set per-request on the session.
|
395
|
+
#
|
396
|
+
# @option options [URI::HTTP,String] :http_proxy
|
397
|
+
# A proxy to send requests through. Formatted like 'http://proxy.com:123'.
|
398
|
+
#
|
399
|
+
# @option options [Float] :http_read_timeout (60)
|
400
|
+
# The default number of seconds to wait for response data.
|
401
|
+
# This value can safely be set per-request on the session.
|
402
|
+
#
|
403
|
+
# @option options [Boolean] :http_wire_trace (false)
|
404
|
+
# When `true`, HTTP debug output will be sent to the `:logger`.
|
405
|
+
#
|
406
|
+
# @option options [Proc] :on_chunk_received
|
407
|
+
# When a Proc object is provided, it will be used as callback when each chunk
|
408
|
+
# of the response body is received. It provides three arguments: the chunk,
|
409
|
+
# the number of bytes received, and the total number of
|
410
|
+
# bytes in the response (or nil if the server did not send a `content-length`).
|
411
|
+
#
|
412
|
+
# @option options [Proc] :on_chunk_sent
|
413
|
+
# When a Proc object is provided, it will be used as callback when each chunk
|
414
|
+
# of the request body is sent. It provides three arguments: the chunk,
|
415
|
+
# the number of bytes read from the body, and the total number of
|
416
|
+
# bytes in the body.
|
417
|
+
#
|
418
|
+
# @option options [Boolean] :raise_response_errors (true)
|
419
|
+
# When `true`, response errors are raised.
|
420
|
+
#
|
421
|
+
# @option options [String] :ssl_ca_bundle
|
422
|
+
# Full path to the SSL certificate authority bundle file that should be used when
|
423
|
+
# verifying peer certificates. If you do not pass `:ssl_ca_bundle` or
|
424
|
+
# `:ssl_ca_directory` the the system default will be used if available.
|
425
|
+
#
|
426
|
+
# @option options [String] :ssl_ca_directory
|
427
|
+
# Full path of the directory that contains the unbundled SSL certificate
|
428
|
+
# authority files for verifying peer certificates. If you do
|
429
|
+
# not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the system
|
430
|
+
# default will be used if available.
|
372
431
|
#
|
373
|
-
# @option options [
|
374
|
-
#
|
432
|
+
# @option options [String] :ssl_ca_store
|
433
|
+
# Sets the X509::Store to verify peer certificate.
|
375
434
|
#
|
376
|
-
# @option options [
|
377
|
-
#
|
435
|
+
# @option options [OpenSSL::X509::Certificate] :ssl_cert
|
436
|
+
# Sets a client certificate when creating http connections.
|
378
437
|
#
|
379
|
-
# @option options [
|
380
|
-
#
|
381
|
-
# connection.
|
438
|
+
# @option options [OpenSSL::PKey] :ssl_key
|
439
|
+
# Sets a client key when creating http connections.
|
382
440
|
#
|
383
|
-
# @option options [
|
384
|
-
#
|
385
|
-
# verifying peer certificates. If you do not pass
|
386
|
-
# `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
|
387
|
-
# will be used if available.
|
441
|
+
# @option options [Float] :ssl_timeout
|
442
|
+
# Sets the SSL timeout in seconds
|
388
443
|
#
|
389
|
-
# @option options [
|
390
|
-
#
|
391
|
-
# authority files for verifying peer certificates. If you do
|
392
|
-
# not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
|
393
|
-
# system default will be used if available.
|
444
|
+
# @option options [Boolean] :ssl_verify_peer (true)
|
445
|
+
# When `true`, SSL peer certificates are verified when establishing a connection.
|
394
446
|
#
|
395
447
|
def initialize(*args)
|
396
448
|
super
|
@@ -1396,7 +1448,7 @@ module Aws::KMS
|
|
1396
1448
|
# key_id: "KeyIdType", # required
|
1397
1449
|
# grantee_principal: "PrincipalIdType", # required
|
1398
1450
|
# retiring_principal: "PrincipalIdType",
|
1399
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
1451
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
|
1400
1452
|
# constraints: {
|
1401
1453
|
# encryption_context_subset: {
|
1402
1454
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
@@ -1483,12 +1535,17 @@ module Aws::KMS
|
|
1483
1535
|
# key pair, or an SM2 key pair (China Regions only). The private key
|
1484
1536
|
# in an asymmetric KMS key never leaves KMS unencrypted. However, you
|
1485
1537
|
# can use the GetPublicKey operation to download the public key so it
|
1486
|
-
# can be used outside of KMS. KMS
|
1487
|
-
#
|
1488
|
-
#
|
1489
|
-
#
|
1490
|
-
#
|
1491
|
-
#
|
1538
|
+
# can be used outside of KMS. Each KMS key can have only one key
|
1539
|
+
# usage. KMS keys with RSA key pairs can be used to encrypt and
|
1540
|
+
# decrypt data or sign and verify messages (but not both). KMS keys
|
1541
|
+
# with NIST-recommended ECC key pairs can be used to sign and verify
|
1542
|
+
# messages or derive shared secrets (but not both). KMS keys with
|
1543
|
+
# `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
|
1544
|
+
# keys with SM2 key pairs (China Regions only) can be used to either
|
1545
|
+
# encrypt and decrypt data, sign and verify messages, or derive shared
|
1546
|
+
# secrets (you must choose one key usage type). For information about
|
1547
|
+
# asymmetric KMS keys, see [Asymmetric KMS keys][3] in the *Key
|
1548
|
+
# Management Service Developer Guide*.
|
1492
1549
|
#
|
1493
1550
|
#
|
1494
1551
|
#
|
@@ -1710,14 +1767,17 @@ module Aws::KMS
|
|
1710
1767
|
#
|
1711
1768
|
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
1712
1769
|
#
|
1713
|
-
# * For asymmetric KMS keys with RSA key
|
1770
|
+
# * For asymmetric KMS keys with RSA key pairs, specify
|
1714
1771
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
1715
1772
|
#
|
1716
|
-
# * For asymmetric KMS keys with
|
1773
|
+
# * For asymmetric KMS keys with NIST-recommended elliptic curve key
|
1774
|
+
# pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
|
1775
|
+
#
|
1776
|
+
# * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
|
1717
1777
|
# `SIGN_VERIFY`.
|
1718
1778
|
#
|
1719
|
-
# * For asymmetric KMS keys with SM2 key
|
1720
|
-
# specify `ENCRYPT_DECRYPT` or `
|
1779
|
+
# * For asymmetric KMS keys with SM2 key pairs (China Regions only),
|
1780
|
+
# specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
|
1721
1781
|
#
|
1722
1782
|
#
|
1723
1783
|
#
|
@@ -1770,7 +1830,8 @@ module Aws::KMS
|
|
1770
1830
|
#
|
1771
1831
|
# * `HMAC_512`
|
1772
1832
|
#
|
1773
|
-
# * Asymmetric RSA key pairs
|
1833
|
+
# * Asymmetric RSA key pairs (encryption and decryption -or- signing and
|
1834
|
+
# verification)
|
1774
1835
|
#
|
1775
1836
|
# * `RSA_2048`
|
1776
1837
|
#
|
@@ -1778,7 +1839,8 @@ module Aws::KMS
|
|
1778
1839
|
#
|
1779
1840
|
# * `RSA_4096`
|
1780
1841
|
#
|
1781
|
-
# * Asymmetric NIST-recommended elliptic curve key pairs
|
1842
|
+
# * Asymmetric NIST-recommended elliptic curve key pairs (signing and
|
1843
|
+
# verification -or- deriving shared secrets)
|
1782
1844
|
#
|
1783
1845
|
# * `ECC_NIST_P256` (secp256r1)
|
1784
1846
|
#
|
@@ -1786,15 +1848,16 @@ module Aws::KMS
|
|
1786
1848
|
#
|
1787
1849
|
# * `ECC_NIST_P521` (secp521r1)
|
1788
1850
|
#
|
1789
|
-
# * Other asymmetric elliptic curve key pairs
|
1851
|
+
# * Other asymmetric elliptic curve key pairs (signing and verification)
|
1790
1852
|
#
|
1791
1853
|
# * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
|
1792
1854
|
#
|
1793
1855
|
# ^
|
1794
1856
|
#
|
1795
|
-
# * SM2 key pairs (
|
1857
|
+
# * SM2 key pairs (encryption and decryption -or- signing and
|
1858
|
+
# verification -or- deriving shared secrets)
|
1796
1859
|
#
|
1797
|
-
# * `SM2`
|
1860
|
+
# * `SM2` (China Regions only)
|
1798
1861
|
#
|
1799
1862
|
# ^
|
1800
1863
|
#
|
@@ -2258,7 +2321,7 @@ module Aws::KMS
|
|
2258
2321
|
# resp = client.create_key({
|
2259
2322
|
# policy: "PolicyType",
|
2260
2323
|
# description: "DescriptionType",
|
2261
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
2324
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
|
2262
2325
|
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
2263
2326
|
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
2264
2327
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
|
@@ -2282,7 +2345,7 @@ module Aws::KMS
|
|
2282
2345
|
# resp.key_metadata.creation_date #=> Time
|
2283
2346
|
# resp.key_metadata.enabled #=> Boolean
|
2284
2347
|
# resp.key_metadata.description #=> String
|
2285
|
-
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
2348
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
2286
2349
|
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
2287
2350
|
# resp.key_metadata.deletion_date #=> Time
|
2288
2351
|
# resp.key_metadata.valid_to #=> Time
|
@@ -2297,6 +2360,8 @@ module Aws::KMS
|
|
2297
2360
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
2298
2361
|
# resp.key_metadata.signing_algorithms #=> Array
|
2299
2362
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
2363
|
+
# resp.key_metadata.key_agreement_algorithms #=> Array
|
2364
|
+
# resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
2300
2365
|
# resp.key_metadata.multi_region #=> Boolean
|
2301
2366
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
2302
2367
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
@@ -2893,6 +2958,270 @@ module Aws::KMS
|
|
2893
2958
|
req.send_request(options)
|
2894
2959
|
end
|
2895
2960
|
|
2961
|
+
# Derives a shared secret using a key agreement algorithm.
|
2962
|
+
#
|
2963
|
+
# <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
|
2964
|
+
# SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
|
2965
|
+
# `KEY_AGREEMENT` to call DeriveSharedSecret.
|
2966
|
+
#
|
2967
|
+
# </note>
|
2968
|
+
#
|
2969
|
+
# DeriveSharedSecret uses the [Elliptic Curve Cryptography Cofactor
|
2970
|
+
# Diffie-Hellman Primitive][1] (ECDH) to establish a key agreement
|
2971
|
+
# between two peers by deriving a shared secret from their elliptic
|
2972
|
+
# curve public-private key pairs. You can use the raw shared secret that
|
2973
|
+
# DeriveSharedSecret returns to derive a symmetric key that can encrypt
|
2974
|
+
# and decrypt data that is sent between the two peers, or that can
|
2975
|
+
# generate and verify HMACs. KMS recommends that you follow [NIST
|
2976
|
+
# recommendations for key derivation][2] when using the raw shared
|
2977
|
+
# secret to derive a symmetric key.
|
2978
|
+
#
|
2979
|
+
# The following workflow demonstrates how to establish key agreement
|
2980
|
+
# over an insecure communication channel using DeriveSharedSecret.
|
2981
|
+
#
|
2982
|
+
# 1. **Alice** calls CreateKey to create an asymmetric KMS key pair
|
2983
|
+
# with a `KeyUsage` value of `KEY_AGREEMENT`.
|
2984
|
+
#
|
2985
|
+
# The asymmetric KMS key must use a NIST-recommended elliptic curve
|
2986
|
+
# (ECC) or SM2 (China Regions only) key spec.
|
2987
|
+
#
|
2988
|
+
# 2. **Bob** creates an elliptic curve key pair.
|
2989
|
+
#
|
2990
|
+
# Bob can call CreateKey to create an asymmetric KMS key pair or
|
2991
|
+
# generate a key pair outside of KMS. Bob's key pair must use the
|
2992
|
+
# same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
|
2993
|
+
# ony) curve as Alice.
|
2994
|
+
#
|
2995
|
+
# 3. Alice and Bob **exchange their public keys** through an insecure
|
2996
|
+
# communication channel (like the internet).
|
2997
|
+
#
|
2998
|
+
# Use GetPublicKey to download the public key of your asymmetric KMS
|
2999
|
+
# key pair.
|
3000
|
+
#
|
3001
|
+
# <note markdown="1"> KMS strongly recommends verifying that the public key you receive
|
3002
|
+
# came from the expected party before using it to derive a shared
|
3003
|
+
# secret.
|
3004
|
+
#
|
3005
|
+
# </note>
|
3006
|
+
#
|
3007
|
+
# 4. **Alice** calls DeriveSharedSecret.
|
3008
|
+
#
|
3009
|
+
# KMS uses the private key from the KMS key pair generated in **Step
|
3010
|
+
# 1**, Bob's public key, and the Elliptic Curve Cryptography
|
3011
|
+
# Cofactor Diffie-Hellman Primitive to derive the shared secret. The
|
3012
|
+
# private key in your KMS key pair never leaves KMS unencrypted.
|
3013
|
+
# DeriveSharedSecret returns the raw shared secret.
|
3014
|
+
#
|
3015
|
+
# 5. **Bob** uses the Elliptic Curve Cryptography Cofactor
|
3016
|
+
# Diffie-Hellman Primitive to calculate the same raw secret using
|
3017
|
+
# his private key and Alice's public key.
|
3018
|
+
#
|
3019
|
+
# To derive a shared secret you must provide a key agreement algorithm,
|
3020
|
+
# the private key of the caller's asymmetric NIST-recommended elliptic
|
3021
|
+
# curve or SM2 (China Regions only) KMS key pair, and the public key
|
3022
|
+
# from your peer's NIST-recommended elliptic curve or SM2 (China
|
3023
|
+
# Regions only) key pair. The public key can be from another asymmetric
|
3024
|
+
# KMS key pair or from a key pair generated outside of KMS, but both key
|
3025
|
+
# pairs must be on the same elliptic curve.
|
3026
|
+
#
|
3027
|
+
# The KMS key that you use for this operation must be in a compatible
|
3028
|
+
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
3029
|
+
# Management Service Developer Guide*.
|
3030
|
+
#
|
3031
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
3032
|
+
# in a different Amazon Web Services account, specify the key ARN or
|
3033
|
+
# alias ARN in the value of the `KeyId` parameter.
|
3034
|
+
#
|
3035
|
+
# **Required permissions**: [kms:DeriveSharedSecret][4] (key policy)
|
3036
|
+
#
|
3037
|
+
# **Related operations:**
|
3038
|
+
#
|
3039
|
+
# * CreateKey
|
3040
|
+
#
|
3041
|
+
# * GetPublicKey
|
3042
|
+
#
|
3043
|
+
# * DescribeKey
|
3044
|
+
#
|
3045
|
+
# **Eventual consistency**: The KMS API follows an eventual consistency
|
3046
|
+
# model. For more information, see [KMS eventual consistency][5].
|
3047
|
+
#
|
3048
|
+
#
|
3049
|
+
#
|
3050
|
+
# [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60
|
3051
|
+
# [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
|
3052
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3053
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
3054
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
|
3055
|
+
#
|
3056
|
+
# @option params [required, String] :key_id
|
3057
|
+
# Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
|
3058
|
+
# only) KMS key. KMS uses the private key in the specified key pair to
|
3059
|
+
# derive the shared secret. The key usage of the KMS key must be
|
3060
|
+
# `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
|
3061
|
+
# DescribeKey operation.
|
3062
|
+
#
|
3063
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
3064
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify a
|
3065
|
+
# KMS key in a different Amazon Web Services account, you must use the
|
3066
|
+
# key ARN or alias ARN.
|
3067
|
+
#
|
3068
|
+
# For example:
|
3069
|
+
#
|
3070
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
3071
|
+
#
|
3072
|
+
# * Key ARN:
|
3073
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3074
|
+
#
|
3075
|
+
# * Alias name: `alias/ExampleAlias`
|
3076
|
+
#
|
3077
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
3078
|
+
#
|
3079
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
3080
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
3081
|
+
#
|
3082
|
+
# @option params [required, String] :key_agreement_algorithm
|
3083
|
+
# Specifies the key agreement algorithm used to derive the shared
|
3084
|
+
# secret. The only valid value is `ECDH`.
|
3085
|
+
#
|
3086
|
+
# @option params [required, String, StringIO, File] :public_key
|
3087
|
+
# Specifies the public key in your peer's NIST-recommended elliptic
|
3088
|
+
# curve (ECC) or SM2 (China Regions only) key pair.
|
3089
|
+
#
|
3090
|
+
# The public key must be a DER-encoded X.509 public key, also known as
|
3091
|
+
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
|
3092
|
+
#
|
3093
|
+
# GetPublicKey returns the public key of an asymmetric KMS key pair in
|
3094
|
+
# the required DER-encoded format.
|
3095
|
+
#
|
3096
|
+
# <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
|
3097
|
+
# the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web
|
3098
|
+
# Services CLI Base64-encodes the public key a second time, resulting in
|
3099
|
+
# a `ValidationException`.
|
3100
|
+
#
|
3101
|
+
# </note>
|
3102
|
+
#
|
3103
|
+
# You can specify the public key as binary data in a file using fileb
|
3104
|
+
# (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
|
3105
|
+
#
|
3106
|
+
#
|
3107
|
+
#
|
3108
|
+
# [1]: https://tools.ietf.org/html/rfc5280
|
3109
|
+
# [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
|
3110
|
+
#
|
3111
|
+
# @option params [Array<String>] :grant_tokens
|
3112
|
+
# A list of grant tokens.
|
3113
|
+
#
|
3114
|
+
# Use a grant token when your permission to call this operation comes
|
3115
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
3116
|
+
# more information, see [Grant token][1] and [Using a grant token][2] in
|
3117
|
+
# the *Key Management Service Developer Guide*.
|
3118
|
+
#
|
3119
|
+
#
|
3120
|
+
#
|
3121
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
3122
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
3123
|
+
#
|
3124
|
+
# @option params [Boolean] :dry_run
|
3125
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
3126
|
+
# parameter.
|
3127
|
+
#
|
3128
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
3129
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
3130
|
+
#
|
3131
|
+
#
|
3132
|
+
#
|
3133
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
3134
|
+
#
|
3135
|
+
# @option params [Types::RecipientInfo] :recipient
|
3136
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
3137
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
3138
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
3139
|
+
#
|
3140
|
+
# This parameter only supports attestation documents for Amazon Web
|
3141
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
|
3142
|
+
# Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
|
3143
|
+
# SDK][2] to generate the attestation document and then use the
|
3144
|
+
# Recipient parameter from any Amazon Web Services SDK to provide the
|
3145
|
+
# attestation document for the enclave.
|
3146
|
+
#
|
3147
|
+
# When you use this parameter, instead of returning a plaintext copy of
|
3148
|
+
# the shared secret, KMS encrypts the plaintext shared secret under the
|
3149
|
+
# public key in the attestation document, and returns the resulting
|
3150
|
+
# ciphertext in the `CiphertextForRecipient` field in the response. This
|
3151
|
+
# ciphertext can be decrypted only with the private key in the enclave.
|
3152
|
+
# The `CiphertextBlob` field in the response contains the encrypted
|
3153
|
+
# shared secret derived from the KMS key specified by the `KeyId`
|
3154
|
+
# parameter and public key specified by the `PublicKey` parameter. The
|
3155
|
+
# `SharedSecret` field in the response is null or empty.
|
3156
|
+
#
|
3157
|
+
# For information about the interaction between KMS and Amazon Web
|
3158
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
3159
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
3160
|
+
#
|
3161
|
+
#
|
3162
|
+
#
|
3163
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
3164
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
3165
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
3166
|
+
#
|
3167
|
+
# @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3168
|
+
#
|
3169
|
+
# * {Types::DeriveSharedSecretResponse#key_id #key_id} => String
|
3170
|
+
# * {Types::DeriveSharedSecretResponse#shared_secret #shared_secret} => String
|
3171
|
+
# * {Types::DeriveSharedSecretResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
3172
|
+
# * {Types::DeriveSharedSecretResponse#key_agreement_algorithm #key_agreement_algorithm} => String
|
3173
|
+
# * {Types::DeriveSharedSecretResponse#key_origin #key_origin} => String
|
3174
|
+
#
|
3175
|
+
#
|
3176
|
+
# @example Example: To derive a shared secret
|
3177
|
+
#
|
3178
|
+
# # The following example derives a shared secret using a key agreement algorithm.
|
3179
|
+
#
|
3180
|
+
# resp = client.derive_shared_secret({
|
3181
|
+
# key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
|
3182
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
|
3183
|
+
# public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
|
3184
|
+
# })
|
3185
|
+
#
|
3186
|
+
# resp.to_h outputs the following:
|
3187
|
+
# {
|
3188
|
+
# key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
|
3189
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
|
3190
|
+
# key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
|
3191
|
+
# shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
|
3192
|
+
# }
|
3193
|
+
#
|
3194
|
+
# @example Request syntax with placeholder values
|
3195
|
+
#
|
3196
|
+
# resp = client.derive_shared_secret({
|
3197
|
+
# key_id: "KeyIdType", # required
|
3198
|
+
# key_agreement_algorithm: "ECDH", # required, accepts ECDH
|
3199
|
+
# public_key: "data", # required
|
3200
|
+
# grant_tokens: ["GrantTokenType"],
|
3201
|
+
# dry_run: false,
|
3202
|
+
# recipient: {
|
3203
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
3204
|
+
# attestation_document: "data",
|
3205
|
+
# },
|
3206
|
+
# })
|
3207
|
+
#
|
3208
|
+
# @example Response structure
|
3209
|
+
#
|
3210
|
+
# resp.key_id #=> String
|
3211
|
+
# resp.shared_secret #=> String
|
3212
|
+
# resp.ciphertext_for_recipient #=> String
|
3213
|
+
# resp.key_agreement_algorithm #=> String, one of "ECDH"
|
3214
|
+
# resp.key_origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
|
3215
|
+
#
|
3216
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret AWS API Documentation
|
3217
|
+
#
|
3218
|
+
# @overload derive_shared_secret(params = {})
|
3219
|
+
# @param [Hash] params ({})
|
3220
|
+
def derive_shared_secret(params = {}, options = {})
|
3221
|
+
req = build_request(:derive_shared_secret, params)
|
3222
|
+
req.send_request(options)
|
3223
|
+
end
|
3224
|
+
|
2896
3225
|
# Gets information about [custom key stores][1] in the account and
|
2897
3226
|
# Region.
|
2898
3227
|
#
|
@@ -3477,7 +3806,7 @@ module Aws::KMS
|
|
3477
3806
|
# resp.key_metadata.creation_date #=> Time
|
3478
3807
|
# resp.key_metadata.enabled #=> Boolean
|
3479
3808
|
# resp.key_metadata.description #=> String
|
3480
|
-
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
3809
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
3481
3810
|
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
3482
3811
|
# resp.key_metadata.deletion_date #=> Time
|
3483
3812
|
# resp.key_metadata.valid_to #=> Time
|
@@ -3492,6 +3821,8 @@ module Aws::KMS
|
|
3492
3821
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
3493
3822
|
# resp.key_metadata.signing_algorithms #=> Array
|
3494
3823
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
3824
|
+
# resp.key_metadata.key_agreement_algorithms #=> Array
|
3825
|
+
# resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
3495
3826
|
# resp.key_metadata.multi_region #=> Boolean
|
3496
3827
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
3497
3828
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
@@ -3619,6 +3950,10 @@ module Aws::KMS
|
|
3619
3950
|
#
|
3620
3951
|
# * GetKeyRotationStatus
|
3621
3952
|
#
|
3953
|
+
# * ListKeyRotations
|
3954
|
+
#
|
3955
|
+
# * RotateKeyOnDemand
|
3956
|
+
#
|
3622
3957
|
# **Eventual consistency**: The KMS API follows an eventual consistency
|
3623
3958
|
# model. For more information, see [KMS eventual consistency][12].
|
3624
3959
|
#
|
@@ -3851,12 +4186,20 @@ module Aws::KMS
|
|
3851
4186
|
# Enables [automatic rotation of the key material][1] of the specified
|
3852
4187
|
# symmetric encryption KMS key.
|
3853
4188
|
#
|
3854
|
-
#
|
3855
|
-
# KMS rotates the key material of the KMS key one year
|
3856
|
-
# 365 days) from the enable date and every year
|
3857
|
-
#
|
3858
|
-
#
|
3859
|
-
#
|
4189
|
+
# By default, when you enable automatic rotation of a [customer managed
|
4190
|
+
# KMS key][2], KMS rotates the key material of the KMS key one year
|
4191
|
+
# (approximately 365 days) from the enable date and every year
|
4192
|
+
# thereafter. You can use the optional `RotationPeriodInDays` parameter
|
4193
|
+
# to specify a custom rotation period when you enable key rotation, or
|
4194
|
+
# you can use `RotationPeriodInDays` to modify the rotation period of a
|
4195
|
+
# key that you previously enabled automatic key rotation on.
|
4196
|
+
#
|
4197
|
+
# You can monitor rotation of the key material for your KMS keys in
|
4198
|
+
# CloudTrail and Amazon CloudWatch. To disable rotation of the key
|
4199
|
+
# material in a customer managed KMS key, use the DisableKeyRotation
|
4200
|
+
# operation. You can use the GetKeyRotationStatus operation to identify
|
4201
|
+
# any in progress rotations. You can use the ListKeyRotations operation
|
4202
|
+
# to view the details of completed rotations.
|
3860
4203
|
#
|
3861
4204
|
# Automatic key rotation is supported only on [symmetric encryption KMS
|
3862
4205
|
# keys][3]. You cannot enable automatic rotation of [asymmetric KMS
|
@@ -3865,10 +4208,11 @@ module Aws::KMS
|
|
3865
4208
|
# disable automatic rotation of a set of related [multi-Region keys][8],
|
3866
4209
|
# set the property on the primary key.
|
3867
4210
|
#
|
3868
|
-
# You cannot enable or disable automatic rotation [Amazon Web
|
3869
|
-
# managed KMS keys][9]. KMS always rotates the key material of
|
3870
|
-
# Web Services managed keys every year. Rotation of [Amazon Web
|
3871
|
-
# owned KMS keys][10]
|
4211
|
+
# You cannot enable or disable automatic rotation of [Amazon Web
|
4212
|
+
# Services managed KMS keys][9]. KMS always rotates the key material of
|
4213
|
+
# Amazon Web Services managed keys every year. Rotation of [Amazon Web
|
4214
|
+
# Services owned KMS keys][10] is managed by the Amazon Web Services
|
4215
|
+
# service that owns the key.
|
3872
4216
|
#
|
3873
4217
|
# <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
|
3874
4218
|
# managed keys from every three years (approximately 1,095 days) to
|
@@ -3897,12 +4241,22 @@ module Aws::KMS
|
|
3897
4241
|
#
|
3898
4242
|
# * GetKeyRotationStatus
|
3899
4243
|
#
|
4244
|
+
# * ListKeyRotations
|
4245
|
+
#
|
4246
|
+
# * RotateKeyOnDemand
|
4247
|
+
#
|
4248
|
+
# <note markdown="1"> You can perform on-demand (RotateKeyOnDemand) rotation of the key
|
4249
|
+
# material in customer managed KMS keys, regardless of whether or not
|
4250
|
+
# automatic key rotation is enabled.
|
4251
|
+
#
|
4252
|
+
# </note>
|
4253
|
+
#
|
3900
4254
|
# **Eventual consistency**: The KMS API follows an eventual consistency
|
3901
4255
|
# model. For more information, see [KMS eventual consistency][13].
|
3902
4256
|
#
|
3903
4257
|
#
|
3904
4258
|
#
|
3905
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
4259
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
|
3906
4260
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3907
4261
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
|
3908
4262
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
@@ -3943,21 +4297,42 @@ module Aws::KMS
|
|
3943
4297
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3944
4298
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
3945
4299
|
#
|
4300
|
+
# @option params [Integer] :rotation_period_in_days
|
4301
|
+
# Use this parameter to specify a custom period of time between each
|
4302
|
+
# rotation date. If no value is specified, the default value is 365
|
4303
|
+
# days.
|
4304
|
+
#
|
4305
|
+
# The rotation period defines the number of days after you enable
|
4306
|
+
# automatic key rotation that KMS will rotate your key material, and the
|
4307
|
+
# number of days between each automatic rotation thereafter.
|
4308
|
+
#
|
4309
|
+
# You can use the [ `kms:RotationPeriodInDays` ][1] condition key to
|
4310
|
+
# further constrain the values that principals can specify in the
|
4311
|
+
# `RotationPeriodInDays` parameter.
|
4312
|
+
#
|
4313
|
+
#
|
4314
|
+
#
|
4315
|
+
#
|
4316
|
+
#
|
4317
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days
|
4318
|
+
#
|
3946
4319
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
3947
4320
|
#
|
3948
4321
|
#
|
3949
4322
|
# @example Example: To enable automatic rotation of key material
|
3950
4323
|
#
|
3951
|
-
# # The following example enables automatic
|
4324
|
+
# # The following example enables automatic rotation with a rotation period of 365 days for the specified KMS key.
|
3952
4325
|
#
|
3953
4326
|
# resp = client.enable_key_rotation({
|
3954
|
-
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be rotated
|
4327
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material will be automatically rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
4328
|
+
# rotation_period_in_days: 365, # The number of days between each rotation date. Specify a value between 9 and 2560. If no value is specified, the default value is 365 days.
|
3955
4329
|
# })
|
3956
4330
|
#
|
3957
4331
|
# @example Request syntax with placeholder values
|
3958
4332
|
#
|
3959
4333
|
# resp = client.enable_key_rotation({
|
3960
4334
|
# key_id: "KeyIdType", # required
|
4335
|
+
# rotation_period_in_days: 1,
|
3961
4336
|
# })
|
3962
4337
|
#
|
3963
4338
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation AWS API Documentation
|
@@ -4714,8 +5089,11 @@ module Aws::KMS
|
|
4714
5089
|
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
4715
5090
|
#
|
4716
5091
|
# This parameter only supports attestation documents for Amazon Web
|
4717
|
-
# Services Nitro Enclaves. To
|
4718
|
-
#
|
5092
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
|
5093
|
+
# Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
|
5094
|
+
# SDK][2] to generate the attestation document and then use the
|
5095
|
+
# Recipient parameter from any Amazon Web Services SDK to provide the
|
5096
|
+
# attestation document for the enclave.
|
4719
5097
|
#
|
4720
5098
|
# When you use this parameter, instead of returning a plaintext copy of
|
4721
5099
|
# the private data key, KMS encrypts the plaintext private data key
|
@@ -5583,13 +5961,15 @@ module Aws::KMS
|
|
5583
5961
|
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
5584
5962
|
# DescribeKey.
|
5585
5963
|
#
|
5586
|
-
# @option params [
|
5587
|
-
# Specifies the name of the key policy.
|
5588
|
-
# `default`.
|
5964
|
+
# @option params [String] :policy_name
|
5965
|
+
# Specifies the name of the key policy. If no policy name is specified,
|
5966
|
+
# the default value is `default`. The only valid name is `default`. To
|
5967
|
+
# get the names of key policies, use ListKeyPolicies.
|
5589
5968
|
#
|
5590
5969
|
# @return [Types::GetKeyPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5591
5970
|
#
|
5592
5971
|
# * {Types::GetKeyPolicyResponse#policy #policy} => String
|
5972
|
+
# * {Types::GetKeyPolicyResponse#policy_name #policy_name} => String
|
5593
5973
|
#
|
5594
5974
|
#
|
5595
5975
|
# @example Example: To retrieve a key policy
|
@@ -5610,12 +5990,13 @@ module Aws::KMS
|
|
5610
5990
|
#
|
5611
5991
|
# resp = client.get_key_policy({
|
5612
5992
|
# key_id: "KeyIdType", # required
|
5613
|
-
# policy_name: "PolicyNameType",
|
5993
|
+
# policy_name: "PolicyNameType",
|
5614
5994
|
# })
|
5615
5995
|
#
|
5616
5996
|
# @example Response structure
|
5617
5997
|
#
|
5618
5998
|
# resp.policy #=> String
|
5999
|
+
# resp.policy_name #=> String
|
5619
6000
|
#
|
5620
6001
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy AWS API Documentation
|
5621
6002
|
#
|
@@ -5626,14 +6007,10 @@ module Aws::KMS
|
|
5626
6007
|
req.send_request(options)
|
5627
6008
|
end
|
5628
6009
|
|
5629
|
-
#
|
5630
|
-
# key material][1] is
|
5631
|
-
#
|
5632
|
-
#
|
5633
|
-
# KMS rotates the key material of the KMS key one year (approximately
|
5634
|
-
# 365 days) from the enable date and every year thereafter. You can
|
5635
|
-
# monitor rotation of the key material for your KMS keys in CloudTrail
|
5636
|
-
# and Amazon CloudWatch.
|
6010
|
+
# Provides detailed information about the rotation status for a KMS key,
|
6011
|
+
# including whether [automatic rotation of the key material][1] is
|
6012
|
+
# enabled for the specified KMS key, the [rotation period][2], and the
|
6013
|
+
# next scheduled rotation date.
|
5637
6014
|
#
|
5638
6015
|
# Automatic key rotation is supported only on [symmetric encryption KMS
|
5639
6016
|
# keys][3]. You cannot enable automatic rotation of [asymmetric KMS
|
@@ -5649,6 +6026,13 @@ module Aws::KMS
|
|
5649
6026
|
# Services managed KMS keys every year. The key rotation status for
|
5650
6027
|
# Amazon Web Services managed KMS keys is always `true`.
|
5651
6028
|
#
|
6029
|
+
# You can perform on-demand (RotateKeyOnDemand) rotation of the key
|
6030
|
+
# material in customer managed KMS keys, regardless of whether or not
|
6031
|
+
# automatic key rotation is enabled. You can use GetKeyRotationStatus to
|
6032
|
+
# identify the date and time that an in progress on-demand rotation was
|
6033
|
+
# initiated. You can use ListKeyRotations to view the details of
|
6034
|
+
# completed rotations.
|
6035
|
+
#
|
5652
6036
|
# <note markdown="1"> In May 2022, KMS changed the rotation schedule for Amazon Web Services
|
5653
6037
|
# managed keys from every three years to every year. For details, see
|
5654
6038
|
# EnableKeyRotation.
|
@@ -5685,13 +6069,17 @@ module Aws::KMS
|
|
5685
6069
|
#
|
5686
6070
|
# * EnableKeyRotation
|
5687
6071
|
#
|
6072
|
+
# * ListKeyRotations
|
6073
|
+
#
|
6074
|
+
# * RotateKeyOnDemand
|
6075
|
+
#
|
5688
6076
|
# **Eventual consistency**: The KMS API follows an eventual consistency
|
5689
6077
|
# model. For more information, see [KMS eventual consistency][12].
|
5690
6078
|
#
|
5691
6079
|
#
|
5692
6080
|
#
|
5693
6081
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
5694
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
6082
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotation-period
|
5695
6083
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
|
5696
6084
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
5697
6085
|
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
@@ -5722,11 +6110,16 @@ module Aws::KMS
|
|
5722
6110
|
# @return [Types::GetKeyRotationStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5723
6111
|
#
|
5724
6112
|
# * {Types::GetKeyRotationStatusResponse#key_rotation_enabled #key_rotation_enabled} => Boolean
|
6113
|
+
# * {Types::GetKeyRotationStatusResponse#key_id #key_id} => String
|
6114
|
+
# * {Types::GetKeyRotationStatusResponse#rotation_period_in_days #rotation_period_in_days} => Integer
|
6115
|
+
# * {Types::GetKeyRotationStatusResponse#next_rotation_date #next_rotation_date} => Time
|
6116
|
+
# * {Types::GetKeyRotationStatusResponse#on_demand_rotation_start_date #on_demand_rotation_start_date} => Time
|
5725
6117
|
#
|
5726
6118
|
#
|
5727
6119
|
# @example Example: To retrieve the rotation status for a KMS key
|
5728
6120
|
#
|
5729
|
-
# # The following example retrieves
|
6121
|
+
# # The following example retrieves detailed information about the rotation status for a KMS key, including whether
|
6122
|
+
# # automatic key rotation is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date.
|
5730
6123
|
#
|
5731
6124
|
# resp = client.get_key_rotation_status({
|
5732
6125
|
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material rotation status you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
@@ -5734,7 +6127,11 @@ module Aws::KMS
|
|
5734
6127
|
#
|
5735
6128
|
# resp.to_h outputs the following:
|
5736
6129
|
# {
|
5737
|
-
#
|
6130
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # Identifies the specified symmetric encryption KMS key.
|
6131
|
+
# key_rotation_enabled: true, # A boolean that indicates the key material rotation status. Returns true when automatic rotation of the key material is enabled, or false when it is not.
|
6132
|
+
# next_rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"), # The next date that the key material will be automatically rotated.
|
6133
|
+
# on_demand_rotation_start_date: Time.parse("2024-03-02T10:11:36.564000+00:00"), # Identifies the date and time that an in progress on-demand rotation was initiated.
|
6134
|
+
# rotation_period_in_days: 365, # The number of days between each automatic rotation. The default value is 365 days.
|
5738
6135
|
# }
|
5739
6136
|
#
|
5740
6137
|
# @example Request syntax with placeholder values
|
@@ -5746,6 +6143,10 @@ module Aws::KMS
|
|
5746
6143
|
# @example Response structure
|
5747
6144
|
#
|
5748
6145
|
# resp.key_rotation_enabled #=> Boolean
|
6146
|
+
# resp.key_id #=> String
|
6147
|
+
# resp.rotation_period_in_days #=> Integer
|
6148
|
+
# resp.next_rotation_date #=> Time
|
6149
|
+
# resp.on_demand_rotation_start_date #=> Time
|
5749
6150
|
#
|
5750
6151
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus AWS API Documentation
|
5751
6152
|
#
|
@@ -5996,8 +6397,8 @@ module Aws::KMS
|
|
5996
6397
|
#
|
5997
6398
|
# resp = client.get_parameters_for_import({
|
5998
6399
|
# key_id: "KeyIdType", # required
|
5999
|
-
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256
|
6000
|
-
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096
|
6400
|
+
# wrapping_algorithm: "RSAES_PKCS1_V1_5", # required, accepts RSAES_PKCS1_V1_5, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256, RSA_AES_KEY_WRAP_SHA_1, RSA_AES_KEY_WRAP_SHA_256, SM2PKE
|
6401
|
+
# wrapping_key_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, SM2
|
6001
6402
|
# })
|
6002
6403
|
#
|
6003
6404
|
# @example Response structure
|
@@ -6039,7 +6440,8 @@ module Aws::KMS
|
|
6039
6440
|
# * [KeySpec][2]: The type of key material in the public key, such as
|
6040
6441
|
# `RSA_4096` or `ECC_NIST_P521`.
|
6041
6442
|
#
|
6042
|
-
# * [KeyUsage][3]: Whether the key is used for encryption or
|
6443
|
+
# * [KeyUsage][3]: Whether the key is used for encryption, signing, or
|
6444
|
+
# deriving a shared secret.
|
6043
6445
|
#
|
6044
6446
|
# * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
|
6045
6447
|
# encryption algorithms or the signing algorithms for the key.
|
@@ -6128,6 +6530,7 @@ module Aws::KMS
|
|
6128
6530
|
# * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
|
6129
6531
|
# * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array<String>
|
6130
6532
|
# * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array<String>
|
6533
|
+
# * {Types::GetPublicKeyResponse#key_agreement_algorithms #key_agreement_algorithms} => Array<String>
|
6131
6534
|
#
|
6132
6535
|
#
|
6133
6536
|
# @example Example: To download the public key of an asymmetric KMS key
|
@@ -6165,11 +6568,13 @@ module Aws::KMS
|
|
6165
6568
|
# resp.public_key #=> String
|
6166
6569
|
# resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
6167
6570
|
# resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
6168
|
-
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
6571
|
+
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
6169
6572
|
# resp.encryption_algorithms #=> Array
|
6170
6573
|
# resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
6171
6574
|
# resp.signing_algorithms #=> Array
|
6172
6575
|
# resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
6576
|
+
# resp.key_agreement_algorithms #=> Array
|
6577
|
+
# resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
6173
6578
|
#
|
6174
6579
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
|
6175
6580
|
#
|
@@ -6196,9 +6601,7 @@ module Aws::KMS
|
|
6196
6601
|
# import different key material. You might reimport key material to
|
6197
6602
|
# replace key material that expired or key material that you deleted.
|
6198
6603
|
# You might also reimport key material to change the expiration model or
|
6199
|
-
# expiration date of the key material.
|
6200
|
-
# if necessary, call DeleteImportedKeyMaterial to delete the current
|
6201
|
-
# imported key material.
|
6604
|
+
# expiration date of the key material.
|
6202
6605
|
#
|
6203
6606
|
# Each time you import key material into KMS, you can determine whether
|
6204
6607
|
# (`ExpirationModel`) and when (`ValidTo`) the key material expires. To
|
@@ -6774,7 +7177,7 @@ module Aws::KMS
|
|
6774
7177
|
# resp.grants[0].retiring_principal #=> String
|
6775
7178
|
# resp.grants[0].issuing_account #=> String
|
6776
7179
|
# resp.grants[0].operations #=> Array
|
6777
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
|
7180
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
|
6778
7181
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
6779
7182
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
6780
7183
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
@@ -6896,6 +7299,129 @@ module Aws::KMS
|
|
6896
7299
|
req.send_request(options)
|
6897
7300
|
end
|
6898
7301
|
|
7302
|
+
# Returns information about all completed key material rotations for the
|
7303
|
+
# specified KMS key.
|
7304
|
+
#
|
7305
|
+
# You must specify the KMS key in all requests. You can refine the key
|
7306
|
+
# rotations list by limiting the number of rotations returned.
|
7307
|
+
#
|
7308
|
+
# For detailed information about automatic and on-demand key rotations,
|
7309
|
+
# see [Rotating KMS keys][1] in the *Key Management Service Developer
|
7310
|
+
# Guide*.
|
7311
|
+
#
|
7312
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
7313
|
+
# key in a different Amazon Web Services account.
|
7314
|
+
#
|
7315
|
+
# **Required permissions**: [kms:ListKeyRotations][2] (key policy)
|
7316
|
+
#
|
7317
|
+
# **Related operations:**
|
7318
|
+
#
|
7319
|
+
# * EnableKeyRotation
|
7320
|
+
#
|
7321
|
+
# * DisableKeyRotation
|
7322
|
+
#
|
7323
|
+
# * GetKeyRotationStatus
|
7324
|
+
#
|
7325
|
+
# * RotateKeyOnDemand
|
7326
|
+
#
|
7327
|
+
# **Eventual consistency**: The KMS API follows an eventual consistency
|
7328
|
+
# model. For more information, see [KMS eventual consistency][3].
|
7329
|
+
#
|
7330
|
+
#
|
7331
|
+
#
|
7332
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
7333
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
7334
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
|
7335
|
+
#
|
7336
|
+
# @option params [required, String] :key_id
|
7337
|
+
# Gets the key rotations for the specified KMS key.
|
7338
|
+
#
|
7339
|
+
# Specify the key ID or key ARN of the KMS key.
|
7340
|
+
#
|
7341
|
+
# For example:
|
7342
|
+
#
|
7343
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
7344
|
+
#
|
7345
|
+
# * Key ARN:
|
7346
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
7347
|
+
#
|
7348
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
7349
|
+
# DescribeKey.
|
7350
|
+
#
|
7351
|
+
# @option params [Integer] :limit
|
7352
|
+
# Use this parameter to specify the maximum number of items to return.
|
7353
|
+
# When this value is present, KMS does not return more than the
|
7354
|
+
# specified number of items, but it might return fewer.
|
7355
|
+
#
|
7356
|
+
# This value is optional. If you include a value, it must be between 1
|
7357
|
+
# and 1000, inclusive. If you do not include a value, it defaults to
|
7358
|
+
# 100.
|
7359
|
+
#
|
7360
|
+
# @option params [String] :marker
|
7361
|
+
# Use this parameter in a subsequent request after you receive a
|
7362
|
+
# response with truncated results. Set it to the value of `NextMarker`
|
7363
|
+
# from the truncated response you just received.
|
7364
|
+
#
|
7365
|
+
# @return [Types::ListKeyRotationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
7366
|
+
#
|
7367
|
+
# * {Types::ListKeyRotationsResponse#rotations #rotations} => Array<Types::RotationsListEntry>
|
7368
|
+
# * {Types::ListKeyRotationsResponse#next_marker #next_marker} => String
|
7369
|
+
# * {Types::ListKeyRotationsResponse#truncated #truncated} => Boolean
|
7370
|
+
#
|
7371
|
+
# The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
|
7372
|
+
#
|
7373
|
+
#
|
7374
|
+
# @example Example: To retrieve information about all completed key material rotations
|
7375
|
+
#
|
7376
|
+
# # The following example returns information about all completed key material rotations for the specified KMS key.
|
7377
|
+
#
|
7378
|
+
# resp = client.list_key_rotations({
|
7379
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
|
7380
|
+
# })
|
7381
|
+
#
|
7382
|
+
# resp.to_h outputs the following:
|
7383
|
+
# {
|
7384
|
+
# rotations: [
|
7385
|
+
# {
|
7386
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
|
7387
|
+
# rotation_date: Time.parse("2024-03-02T10:11:36.564000+00:00"),
|
7388
|
+
# rotation_type: "AUTOMATIC",
|
7389
|
+
# },
|
7390
|
+
# {
|
7391
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab",
|
7392
|
+
# rotation_date: Time.parse("2024-04-05T15:14:47.757000+00:00"),
|
7393
|
+
# rotation_type: "ON_DEMAND",
|
7394
|
+
# },
|
7395
|
+
# ], # A list of key rotations.
|
7396
|
+
# truncated: false, # A flag that indicates whether there are more items in the list. When the value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in this response to the Marker parameter in a subsequent request.
|
7397
|
+
# }
|
7398
|
+
#
|
7399
|
+
# @example Request syntax with placeholder values
|
7400
|
+
#
|
7401
|
+
# resp = client.list_key_rotations({
|
7402
|
+
# key_id: "KeyIdType", # required
|
7403
|
+
# limit: 1,
|
7404
|
+
# marker: "MarkerType",
|
7405
|
+
# })
|
7406
|
+
#
|
7407
|
+
# @example Response structure
|
7408
|
+
#
|
7409
|
+
# resp.rotations #=> Array
|
7410
|
+
# resp.rotations[0].key_id #=> String
|
7411
|
+
# resp.rotations[0].rotation_date #=> Time
|
7412
|
+
# resp.rotations[0].rotation_type #=> String, one of "AUTOMATIC", "ON_DEMAND"
|
7413
|
+
# resp.next_marker #=> String
|
7414
|
+
# resp.truncated #=> Boolean
|
7415
|
+
#
|
7416
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyRotations AWS API Documentation
|
7417
|
+
#
|
7418
|
+
# @overload list_key_rotations(params = {})
|
7419
|
+
# @param [Hash] params ({})
|
7420
|
+
def list_key_rotations(params = {}, options = {})
|
7421
|
+
req = build_request(:list_key_rotations, params)
|
7422
|
+
req.send_request(options)
|
7423
|
+
end
|
7424
|
+
|
6899
7425
|
# Gets a list of all KMS keys in the caller's Amazon Web Services
|
6900
7426
|
# account and Region.
|
6901
7427
|
#
|
@@ -7273,7 +7799,7 @@ module Aws::KMS
|
|
7273
7799
|
# resp.grants[0].retiring_principal #=> String
|
7274
7800
|
# resp.grants[0].issuing_account #=> String
|
7275
7801
|
# resp.grants[0].operations #=> Array
|
7276
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
|
7802
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
|
7277
7803
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
7278
7804
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
7279
7805
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
@@ -7333,8 +7859,9 @@ module Aws::KMS
|
|
7333
7859
|
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
7334
7860
|
# DescribeKey.
|
7335
7861
|
#
|
7336
|
-
# @option params [
|
7337
|
-
# The name of the key policy.
|
7862
|
+
# @option params [String] :policy_name
|
7863
|
+
# The name of the key policy. If no policy name is specified, the
|
7864
|
+
# default value is `default`. The only valid value is `default`.
|
7338
7865
|
#
|
7339
7866
|
# @option params [required, String] :policy
|
7340
7867
|
# The key policy to attach to the KMS key.
|
@@ -7416,7 +7943,7 @@ module Aws::KMS
|
|
7416
7943
|
#
|
7417
7944
|
# resp = client.put_key_policy({
|
7418
7945
|
# key_id: "KeyIdType", # required
|
7419
|
-
# policy_name: "PolicyNameType",
|
7946
|
+
# policy_name: "PolicyNameType",
|
7420
7947
|
# policy: "PolicyType", # required
|
7421
7948
|
# bypass_policy_lockout_safety_check: false,
|
7422
7949
|
# })
|
@@ -8110,7 +8637,7 @@ module Aws::KMS
|
|
8110
8637
|
# resp.replica_key_metadata.creation_date #=> Time
|
8111
8638
|
# resp.replica_key_metadata.enabled #=> Boolean
|
8112
8639
|
# resp.replica_key_metadata.description #=> String
|
8113
|
-
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
8640
|
+
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
8114
8641
|
# resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
8115
8642
|
# resp.replica_key_metadata.deletion_date #=> Time
|
8116
8643
|
# resp.replica_key_metadata.valid_to #=> Time
|
@@ -8125,6 +8652,8 @@ module Aws::KMS
|
|
8125
8652
|
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
8126
8653
|
# resp.replica_key_metadata.signing_algorithms #=> Array
|
8127
8654
|
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
8655
|
+
# resp.replica_key_metadata.key_agreement_algorithms #=> Array
|
8656
|
+
# resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
8128
8657
|
# resp.replica_key_metadata.multi_region #=> Boolean
|
8129
8658
|
# resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
8130
8659
|
# resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
|
@@ -8302,7 +8831,7 @@ module Aws::KMS
|
|
8302
8831
|
#
|
8303
8832
|
#
|
8304
8833
|
#
|
8305
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
8834
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete
|
8306
8835
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency
|
8307
8836
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
8308
8837
|
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html
|
@@ -8370,6 +8899,147 @@ module Aws::KMS
|
|
8370
8899
|
req.send_request(options)
|
8371
8900
|
end
|
8372
8901
|
|
8902
|
+
# Immediately initiates rotation of the key material of the specified
|
8903
|
+
# symmetric encryption KMS key.
|
8904
|
+
#
|
8905
|
+
# You can perform [on-demand rotation][1] of the key material in
|
8906
|
+
# customer managed KMS keys, regardless of whether or not [automatic key
|
8907
|
+
# rotation][2] is enabled. On-demand rotations do not change existing
|
8908
|
+
# automatic rotation schedules. For example, consider a KMS key that has
|
8909
|
+
# automatic key rotation enabled with a rotation period of 730 days. If
|
8910
|
+
# the key is scheduled to automatically rotate on April 14, 2024, and
|
8911
|
+
# you perform an on-demand rotation on April 10, 2024, the key will
|
8912
|
+
# automatically rotate, as scheduled, on April 14, 2024 and every 730
|
8913
|
+
# days thereafter.
|
8914
|
+
#
|
8915
|
+
# <note markdown="1"> You can perform on-demand key rotation a **maximum of 10 times** per
|
8916
|
+
# KMS key. You can use the KMS console to view the number of remaining
|
8917
|
+
# on-demand rotations available for a KMS key.
|
8918
|
+
#
|
8919
|
+
# </note>
|
8920
|
+
#
|
8921
|
+
# You can use GetKeyRotationStatus to identify any in progress on-demand
|
8922
|
+
# rotations. You can use ListKeyRotations to identify the date that
|
8923
|
+
# completed on-demand rotations were performed. You can monitor rotation
|
8924
|
+
# of the key material for your KMS keys in CloudTrail and Amazon
|
8925
|
+
# CloudWatch.
|
8926
|
+
#
|
8927
|
+
# On-demand key rotation is supported only on [symmetric encryption KMS
|
8928
|
+
# keys][3]. You cannot perform on-demand rotation of [asymmetric KMS
|
8929
|
+
# keys][4], [HMAC KMS keys][5], KMS keys with [imported key
|
8930
|
+
# material][6], or KMS keys in a [custom key store][7]. To perform
|
8931
|
+
# on-demand rotation of a set of related [multi-Region keys][8], invoke
|
8932
|
+
# the on-demand rotation on the primary key.
|
8933
|
+
#
|
8934
|
+
# You cannot initiate on-demand rotation of [Amazon Web Services managed
|
8935
|
+
# KMS keys][9]. KMS always rotates the key material of Amazon Web
|
8936
|
+
# Services managed keys every year. Rotation of [Amazon Web Services
|
8937
|
+
# owned KMS keys][10] is managed by the Amazon Web Services service that
|
8938
|
+
# owns the key.
|
8939
|
+
#
|
8940
|
+
# The KMS key that you use for this operation must be in a compatible
|
8941
|
+
# key state. For details, see [Key states of KMS keys][11] in the *Key
|
8942
|
+
# Management Service Developer Guide*.
|
8943
|
+
#
|
8944
|
+
# **Cross-account use**: No. You cannot perform this operation on a KMS
|
8945
|
+
# key in a different Amazon Web Services account.
|
8946
|
+
#
|
8947
|
+
# **Required permissions**: [kms:RotateKeyOnDemand][12] (key policy)
|
8948
|
+
#
|
8949
|
+
# **Related operations:**
|
8950
|
+
#
|
8951
|
+
# * EnableKeyRotation
|
8952
|
+
#
|
8953
|
+
# * DisableKeyRotation
|
8954
|
+
#
|
8955
|
+
# * GetKeyRotationStatus
|
8956
|
+
#
|
8957
|
+
# * ListKeyRotations
|
8958
|
+
#
|
8959
|
+
# **Eventual consistency**: The KMS API follows an eventual consistency
|
8960
|
+
# model. For more information, see [KMS eventual consistency][13].
|
8961
|
+
#
|
8962
|
+
#
|
8963
|
+
#
|
8964
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
|
8965
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable
|
8966
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks
|
8967
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
8968
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
8969
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
8970
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
8971
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
8972
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
8973
|
+
# [10]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
8974
|
+
# [11]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
8975
|
+
# [12]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
8976
|
+
# [13]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
|
8977
|
+
#
|
8978
|
+
# @option params [required, String] :key_id
|
8979
|
+
# Identifies a symmetric encryption KMS key. You cannot perform
|
8980
|
+
# on-demand rotation of [asymmetric KMS keys][1], [HMAC KMS keys][2],
|
8981
|
+
# KMS keys with [imported key material][3], or KMS keys in a [custom key
|
8982
|
+
# store][4]. To perform on-demand rotation of a set of related
|
8983
|
+
# [multi-Region keys][5], invoke the on-demand rotation on the primary
|
8984
|
+
# key.
|
8985
|
+
#
|
8986
|
+
# Specify the key ID or key ARN of the KMS key.
|
8987
|
+
#
|
8988
|
+
# For example:
|
8989
|
+
#
|
8990
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
8991
|
+
#
|
8992
|
+
# * Key ARN:
|
8993
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
8994
|
+
#
|
8995
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
8996
|
+
# DescribeKey.
|
8997
|
+
#
|
8998
|
+
#
|
8999
|
+
#
|
9000
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
9001
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html
|
9002
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
9003
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
9004
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate
|
9005
|
+
#
|
9006
|
+
# @return [Types::RotateKeyOnDemandResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
9007
|
+
#
|
9008
|
+
# * {Types::RotateKeyOnDemandResponse#key_id #key_id} => String
|
9009
|
+
#
|
9010
|
+
#
|
9011
|
+
# @example Example: To perform on-demand rotation of key material
|
9012
|
+
#
|
9013
|
+
# # The following example immediately initiates rotation of the key material for the specified KMS key.
|
9014
|
+
#
|
9015
|
+
# resp = client.rotate_key_on_demand({
|
9016
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose key material you want to initiate on-demand rotation on. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
|
9017
|
+
# })
|
9018
|
+
#
|
9019
|
+
# resp.to_h outputs the following:
|
9020
|
+
# {
|
9021
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The KMS key that you initiated on-demand rotation on.
|
9022
|
+
# }
|
9023
|
+
#
|
9024
|
+
# @example Request syntax with placeholder values
|
9025
|
+
#
|
9026
|
+
# resp = client.rotate_key_on_demand({
|
9027
|
+
# key_id: "KeyIdType", # required
|
9028
|
+
# })
|
9029
|
+
#
|
9030
|
+
# @example Response structure
|
9031
|
+
#
|
9032
|
+
# resp.key_id #=> String
|
9033
|
+
#
|
9034
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RotateKeyOnDemand AWS API Documentation
|
9035
|
+
#
|
9036
|
+
# @overload rotate_key_on_demand(params = {})
|
9037
|
+
# @param [Hash] params ({})
|
9038
|
+
def rotate_key_on_demand(params = {}, options = {})
|
9039
|
+
req = build_request(:rotate_key_on_demand, params)
|
9040
|
+
req.send_request(options)
|
9041
|
+
end
|
9042
|
+
|
8373
9043
|
# Schedules the deletion of a KMS key. By default, KMS applies a waiting
|
8374
9044
|
# period of 30 days, but you can specify a waiting period of 7-30 days.
|
8375
9045
|
# When this operation is successful, the key state of the KMS key
|
@@ -10096,14 +10766,19 @@ module Aws::KMS
|
|
10096
10766
|
# @api private
|
10097
10767
|
def build_request(operation_name, params = {})
|
10098
10768
|
handlers = @handlers.for(operation_name)
|
10769
|
+
tracer = config.telemetry_provider.tracer_provider.tracer(
|
10770
|
+
Aws::Telemetry.module_to_tracer_name('Aws::KMS')
|
10771
|
+
)
|
10099
10772
|
context = Seahorse::Client::RequestContext.new(
|
10100
10773
|
operation_name: operation_name,
|
10101
10774
|
operation: config.api.operation(operation_name),
|
10102
10775
|
client: self,
|
10103
10776
|
params: params,
|
10104
|
-
config: config
|
10777
|
+
config: config,
|
10778
|
+
tracer: tracer
|
10779
|
+
)
|
10105
10780
|
context[:gem_name] = 'aws-sdk-kms'
|
10106
|
-
context[:gem_version] = '1.
|
10781
|
+
context[:gem_version] = '1.91.0'
|
10107
10782
|
Seahorse::Client::Request.new(handlers, context)
|
10108
10783
|
end
|
10109
10784
|
|