aws-sdk-kms 1.79.0 → 1.91.0

data/lib/aws-sdk-kms/plugins/endpoints.rb

@@ -40,11 +40,20 @@ module Aws::KMS
           context[:auth_scheme] =
             Aws::Endpoints.resolve_auth_scheme(context, endpoint)
 
-          @handler.call(context)
+          with_metrics(context) { @handler.call(context) }
         end
 
         private
 
+        def with_metrics(context, &block)
+          metrics = []
+          metrics << 'ENDPOINT_OVERRIDE' unless context.config.regional_endpoint
+          if context[:auth_scheme] && context[:auth_scheme]['name'] == 'sigv4a'
+            metrics << 'SIGV4A_SIGNING'
+          end
+          Aws::Plugins::UserAgent.metric(*metrics, &block)
+        end
+
         def apply_endpoint_headers(context, headers)
           headers.each do |key, values|
             value = values
@@ -78,6 +87,8 @@ module Aws::KMS
             Aws::KMS::Endpoints::DeleteCustomKeyStore.build(context)
           when :delete_imported_key_material
             Aws::KMS::Endpoints::DeleteImportedKeyMaterial.build(context)
+          when :derive_shared_secret
+            Aws::KMS::Endpoints::DeriveSharedSecret.build(context)
           when :describe_custom_key_stores
             Aws::KMS::Endpoints::DescribeCustomKeyStores.build(context)
           when :describe_key

data/lib/aws-sdk-kms/types.rb

@@ -841,14 +841,17 @@ module Aws::KMS
     #
     #   * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
     #
-    #   * For asymmetric KMS keys with RSA key material, specify
+    #   * For asymmetric KMS keys with RSA key pairs, specify
     #     `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with ECC key material, specify
+    #   * For asymmetric KMS keys with NIST-recommended elliptic curve key
+    #     pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
+    #
+    #   * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
     #     `SIGN_VERIFY`.
     #
-    #   * For asymmetric KMS keys with SM2 key material (China Regions
-    #     only), specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #   * For asymmetric KMS keys with SM2 key pairs (China Regions only),
+    #     specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
     #
     #
     #
@@ -904,7 +907,8 @@ module Aws::KMS
     #
     #     * `HMAC_512`
     #
-    #   * Asymmetric RSA key pairs
+    #   * Asymmetric RSA key pairs (encryption and decryption -or- signing
+    #     and verification)
     #
     #     * `RSA_2048`
     #
@@ -912,7 +916,8 @@ module Aws::KMS
     #
     #     * `RSA_4096`
     #
-    #   * Asymmetric NIST-recommended elliptic curve key pairs
+    #   * Asymmetric NIST-recommended elliptic curve key pairs (signing and
+    #     verification -or- deriving shared secrets)
     #
     #     * `ECC_NIST_P256` (secp256r1)
     #
@@ -920,16 +925,18 @@ module Aws::KMS
     #
     #     * `ECC_NIST_P521` (secp521r1)
     #
-    #   * Other asymmetric elliptic curve key pairs
+    #   * Other asymmetric elliptic curve key pairs (signing and
+    #     verification)
     #
     #     * `ECC_SECG_P256K1` (secp256k1), commonly used for
     #       cryptocurrencies.
     #
     #     ^
     #
-    #   * SM2 key pairs (China Regions only)
+    #   * SM2 key pairs (encryption and decryption -or- signing and
+    #     verification -or- deriving shared secrets)
     #
-    #     * `SM2`
+    #     * `SM2` (China Regions only)
     #
     #     ^
     #
@@ -1761,6 +1768,195 @@ module Aws::KMS
       include Aws::Structure
     end
 
+    # @!attribute [rw] key_id
+    #   Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
+    #   only) KMS key. KMS uses the private key in the specified key pair to
+    #   derive the shared secret. The key usage of the KMS key must be
+    #   `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
+    #   DescribeKey operation.
+    #
+    #   To specify a KMS key, use its key ID, key ARN, alias name, or alias
+    #   ARN. When using an alias name, prefix it with `"alias/"`. To specify
+    #   a KMS key in a different Amazon Web Services account, you must use
+    #   the key ARN or alias ARN.
+    #
+    #   For example:
+    #
+    #   * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Key ARN:
+    #     `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
+    #
+    #   * Alias name: `alias/ExampleAlias`
+    #
+    #   * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
+    #
+    #   To get the key ID and key ARN for a KMS key, use ListKeys or
+    #   DescribeKey. To get the alias name and alias ARN, use ListAliases.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_agreement_algorithm
+    #   Specifies the key agreement algorithm used to derive the shared
+    #   secret. The only valid value is `ECDH`.
+    #   @return [String]
+    #
+    # @!attribute [rw] public_key
+    #   Specifies the public key in your peer's NIST-recommended elliptic
+    #   curve (ECC) or SM2 (China Regions only) key pair.
+    #
+    #   The public key must be a DER-encoded X.509 public key, also known as
+    #   `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
+    #
+    #   GetPublicKey returns the public key of an asymmetric KMS key pair in
+    #   the required DER-encoded format.
+    #
+    #   <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
+    #   the DER-encoded X.509 public key in a file. Otherwise, the Amazon
+    #   Web Services CLI Base64-encodes the public key a second time,
+    #   resulting in a `ValidationException`.
+    #
+    #    </note>
+    #
+    #   You can specify the public key as binary data in a file using fileb
+    #   (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc5280
+    #   [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_tokens
+    #   A list of grant tokens.
+    #
+    #   Use a grant token when your permission to call this operation comes
+    #   from a new grant that has not yet achieved *eventual consistency*.
+    #   For more information, see [Grant token][1] and [Using a grant
+    #   token][2] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] dry_run
+    #   Checks if your request will succeed. `DryRun` is an optional
+    #   parameter.
+    #
+    #   To learn more about how to use this parameter, see [Testing your KMS
+    #   API calls][1] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] recipient
+    #   A signed [attestation document][1] from an Amazon Web Services Nitro
+    #   enclave and the encryption algorithm to use with the enclave's
+    #   public key. The only valid encryption algorithm is
+    #   `RSAES_OAEP_SHA_256`.
+    #
+    #   This parameter only supports attestation documents for Amazon Web
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
+    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
+    #   Enclaves SDK][2] to generate the attestation document and then use
+    #   the Recipient parameter from any Amazon Web Services SDK to provide
+    #   the attestation document for the enclave.
+    #
+    #   When you use this parameter, instead of returning a plaintext copy
+    #   of the shared secret, KMS encrypts the plaintext shared secret under
+    #   the public key in the attestation document, and returns the
+    #   resulting ciphertext in the `CiphertextForRecipient` field in the
+    #   response. This ciphertext can be decrypted only with the private key
+    #   in the enclave. The `CiphertextBlob` field in the response contains
+    #   the encrypted shared secret derived from the KMS key specified by
+    #   the `KeyId` parameter and public key specified by the `PublicKey`
+    #   parameter. The `SharedSecret` field in the response is null or
+    #   empty.
+    #
+    #   For information about the interaction between KMS and Amazon Web
+    #   Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
+    #   uses KMS][3] in the *Key Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
+    #   [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
+    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [Types::RecipientInfo]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretRequest AWS API Documentation
+    #
+    class DeriveSharedSecretRequest < Struct.new(
+      :key_id,
+      :key_agreement_algorithm,
+      :public_key,
+      :grant_tokens,
+      :dry_run,
+      :recipient)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] key_id
+    #   Identifies the KMS key used to derive the shared secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] shared_secret
+    #   The raw secret derived from the specified key agreement algorithm,
+    #   private key in the asymmetric KMS key, and your peer's public key.
+    #
+    #   If the response includes the `CiphertextForRecipient` field, the
+    #   `SharedSecret` field is null or empty.
+    #   @return [String]
+    #
+    # @!attribute [rw] ciphertext_for_recipient
+    #   The plaintext shared secret encrypted with the public key in the
+    #   attestation document.
+    #
+    #   This field is included in the response only when the `Recipient`
+    #   parameter in the request includes a valid attestation document from
+    #   an Amazon Web Services Nitro enclave. For information about the
+    #   interaction between KMS and Amazon Web Services Nitro Enclaves, see
+    #   [How Amazon Web Services Nitro Enclaves uses KMS][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
+    #   @return [String]
+    #
+    # @!attribute [rw] key_agreement_algorithm
+    #   Identifies the key agreement algorithm used to derive the shared
+    #   secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] key_origin
+    #   The source of the key material for the specified KMS key.
+    #
+    #   When this value is `AWS_KMS`, KMS created the key material. When
+    #   this value is `EXTERNAL`, the key material was imported or the KMS
+    #   key doesn't have any key material.
+    #
+    #   The only valid values for DeriveSharedSecret are `AWS_KMS` and
+    #   `EXTERNAL`. DeriveSharedSecret does not support KMS keys with a
+    #   `KeyOrigin` value of `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecretResponse AWS API Documentation
+    #
+    class DeriveSharedSecretResponse < Struct.new(
+      :key_id,
+      :shared_secret,
+      :ciphertext_for_recipient,
+      :key_agreement_algorithm,
+      :key_origin)
+      SENSITIVE = [:shared_secret]
+      include Aws::Structure
+    end
+
     # @!attribute [rw] custom_key_store_id
     #   Gets only information about the specified custom key store. Enter
     #   the key store ID.
@@ -2317,8 +2513,11 @@ module Aws::KMS
     #   `RSAES_OAEP_SHA_256`.
     #
     #   This parameter only supports attestation documents for Amazon Web
-    #   Services Nitro Enclaves. To include this parameter, use the [Amazon
-    #   Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
+    #   Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon
+    #   Web Services Nitro Enclaves, use the [Amazon Web Services Nitro
+    #   Enclaves SDK][2] to generate the attestation document and then use
+    #   the Recipient parameter from any Amazon Web Services SDK to provide
+    #   the attestation document for the enclave.
     #
     #   When you use this parameter, instead of returning a plaintext copy
     #   of the private data key, KMS encrypts the plaintext private data key
@@ -3388,12 +3587,12 @@ module Aws::KMS
     #   @return [String]
     #
     # @!attribute [rw] key_usage
-    #   The permitted use of the public key. Valid values are
-    #   `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
+    #   The permitted use of the public key. Valid values for asymmetric key
+    #   pairs are `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, and `KEY_AGREEMENT`.
     #
-    #   This information is critical. If a public key with `SIGN_VERIFY` key
-    #   usage encrypts data outside of KMS, the ciphertext cannot be
-    #   decrypted.
+    #   This information is critical. For example, if a public key with
+    #   `SIGN_VERIFY` key usage encrypts data outside of KMS, the ciphertext
+    #   cannot be decrypted.
     #   @return [String]
     #
     # @!attribute [rw] encryption_algorithms
@@ -3414,6 +3613,12 @@ module Aws::KMS
     #   public key is `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] key_agreement_algorithms
+    #   The key agreement algorithm used to derive a shared secret. This
+    #   field is present only when the KMS key has a `KeyUsage` value of
+    #   `KEY_AGREEMENT`.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKeyResponse AWS API Documentation
     #
     class GetPublicKeyResponse < Struct.new(
@@ -3423,7 +3628,8 @@ module Aws::KMS
       :key_spec,
       :key_usage,
       :encryption_algorithms,
-      :signing_algorithms)
+      :signing_algorithms,
+      :key_agreement_algorithms)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3811,8 +4017,9 @@ module Aws::KMS
     # the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying
     # messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and
     # verifying message authentication codes (MACs), the `KeyUsage` must be
-    # `GENERATE_VERIFY_MAC`. To find the `KeyUsage` of a KMS key, use the
-    # DescribeKey operation.
+    # `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the
+    # `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS
+    # key, use the DescribeKey operation.
     #
     # To find the encryption or signing algorithms supported for a
     # particular KMS key, use the DescribeKey operation.
@@ -4091,6 +4298,10 @@ module Aws::KMS
     #   `SIGN_VERIFY`.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] key_agreement_algorithms
+    #   The key agreement algorithm used to derive a shared secret.
+    #   @return [Array<String>]
+    #
     # @!attribute [rw] multi_region
     #   Indicates whether the KMS key is a multi-Region (`True`) or regional
     #   (`False`) key. This value is `True` for multi-Region primary and
@@ -4184,6 +4395,7 @@ module Aws::KMS
       :key_spec,
       :encryption_algorithms,
       :signing_algorithms,
+      :key_agreement_algorithms,
       :multi_region,
       :multi_region_configuration,
       :pending_deletion_window_in_days,

data/lib/aws-sdk-kms.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-kms/customizations'
 # @!group service
 module Aws::KMS
 
-  GEM_VERSION = '1.79.0'
+  GEM_VERSION = '1.91.0'
 
 end

data/sig/client.rbs

@@ -48,8 +48,10 @@ module Aws
                       ?sdk_ua_app_id: String,
                       ?secret_access_key: String,
                       ?session_token: String,
+                      ?sigv4a_signing_region_set: Array[String],
                       ?simple_json: bool,
                       ?stub_responses: untyped,
+                      ?telemetry_provider: Aws::Telemetry::TelemetryProviderBase,
                       ?token_provider: untyped,
                       ?use_dualstack_endpoint: bool,
                       ?use_fips_endpoint: bool,
@@ -131,7 +133,7 @@ module Aws
                           key_id: ::String,
                           grantee_principal: ::String,
                           ?retiring_principal: ::String,
-                          operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")],
+                          operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")],
                           ?constraints: {
                             encryption_context_subset: Hash[::String, ::String]?,
                             encryption_context_equals: Hash[::String, ::String]?
@@ -150,7 +152,7 @@ module Aws
       def create_key: (
                         ?policy: ::String,
                         ?description: ::String,
-                        ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC"),
+                        ?key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT"),
                         ?customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
                         ?key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2"),
                         ?origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE"),
@@ -210,6 +212,28 @@ module Aws
                                         ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
                                       | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
 
+      interface _DeriveSharedSecretResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::DeriveSharedSecretResponse]
+        def key_id: () -> ::String
+        def shared_secret: () -> ::String
+        def ciphertext_for_recipient: () -> ::String
+        def key_agreement_algorithm: () -> ("ECDH")
+        def key_origin: () -> ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#derive_shared_secret-instance_method
+      def derive_shared_secret: (
+                                  key_id: ::String,
+                                  key_agreement_algorithm: ("ECDH"),
+                                  public_key: ::String,
+                                  ?grant_tokens: Array[::String],
+                                  ?dry_run: bool,
+                                  ?recipient: {
+                                    key_encryption_algorithm: ("RSAES_OAEP_SHA_256")?,
+                                    attestation_document: ::String?
+                                  }
+                                ) -> _DeriveSharedSecretResponseSuccess
+                              | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _DeriveSharedSecretResponseSuccess
+
       interface _DescribeCustomKeyStoresResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::DescribeCustomKeyStoresResponse]
         def custom_key_stores: () -> ::Array[Types::CustomKeyStoresListEntry]
@@ -433,8 +457,8 @@ module Aws
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_parameters_for_import-instance_method
       def get_parameters_for_import: (
                                        key_id: ::String,
-                                       wrapping_algorithm: ("RSAES_PKCS1_V1_5" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "RSA_AES_KEY_WRAP_SHA_1" | "RSA_AES_KEY_WRAP_SHA_256"),
-                                       wrapping_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096")
+                                       wrapping_algorithm: ("RSAES_PKCS1_V1_5" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "RSA_AES_KEY_WRAP_SHA_1" | "RSA_AES_KEY_WRAP_SHA_256" | "SM2PKE"),
+                                       wrapping_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "SM2")
                                      ) -> _GetParametersForImportResponseSuccess
                                    | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetParametersForImportResponseSuccess
 
@@ -444,9 +468,10 @@ module Aws
         def public_key: () -> ::String
         def customer_master_key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
         def key_spec: () -> ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-        def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+        def key_usage: () -> ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
         def encryption_algorithms: () -> ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
         def signing_algorithms: () -> ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+        def key_agreement_algorithms: () -> ::Array[("ECDH")]
       end
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#get_public_key-instance_method
       def get_public_key: (

data/sig/resource.rbs

@@ -48,8 +48,10 @@ module Aws
                         ?sdk_ua_app_id: String,
                         ?secret_access_key: String,
                         ?session_token: String,
+                        ?sigv4a_signing_region_set: Array[String],
                         ?simple_json: bool,
                         ?stub_responses: untyped,
+                        ?telemetry_provider: Aws::Telemetry::TelemetryProviderBase,
                         ?token_provider: untyped,
                         ?use_dualstack_endpoint: bool,
                         ?use_fips_endpoint: bool,

data/sig/types.rbs

@@ -99,7 +99,7 @@ module Aws::KMS
       attr_accessor key_id: ::String
       attr_accessor grantee_principal: ::String
       attr_accessor retiring_principal: ::String
-      attr_accessor operations: ::Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")]
+      attr_accessor operations: ::Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")]
       attr_accessor constraints: Types::GrantConstraints
       attr_accessor grant_tokens: ::Array[::String]
       attr_accessor name: ::String
@@ -116,7 +116,7 @@ module Aws::KMS
     class CreateKeyRequest
       attr_accessor policy: ::String
       attr_accessor description: ::String
-      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
       attr_accessor customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
       attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
       attr_accessor origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
@@ -208,6 +208,25 @@ module Aws::KMS
       SENSITIVE: []
     end
 
+    class DeriveSharedSecretRequest
+      attr_accessor key_id: ::String
+      attr_accessor key_agreement_algorithm: ("ECDH")
+      attr_accessor public_key: ::String
+      attr_accessor grant_tokens: ::Array[::String]
+      attr_accessor dry_run: bool
+      attr_accessor recipient: Types::RecipientInfo
+      SENSITIVE: []
+    end
+
+    class DeriveSharedSecretResponse
+      attr_accessor key_id: ::String
+      attr_accessor shared_secret: ::String
+      attr_accessor ciphertext_for_recipient: ::String
+      attr_accessor key_agreement_algorithm: ("ECDH")
+      attr_accessor key_origin: ("AWS_KMS" | "EXTERNAL" | "AWS_CLOUDHSM" | "EXTERNAL_KEY_STORE")
+      SENSITIVE: [:shared_secret]
+    end
+
     class DescribeCustomKeyStoresRequest
       attr_accessor custom_key_store_id: ::String
       attr_accessor custom_key_store_name: ::String
@@ -424,8 +443,8 @@ module Aws::KMS
 
     class GetParametersForImportRequest
       attr_accessor key_id: ::String
-      attr_accessor wrapping_algorithm: ("RSAES_PKCS1_V1_5" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "RSA_AES_KEY_WRAP_SHA_1" | "RSA_AES_KEY_WRAP_SHA_256")
-      attr_accessor wrapping_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096")
+      attr_accessor wrapping_algorithm: ("RSAES_PKCS1_V1_5" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "RSA_AES_KEY_WRAP_SHA_1" | "RSA_AES_KEY_WRAP_SHA_256" | "SM2PKE")
+      attr_accessor wrapping_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "SM2")
       SENSITIVE: []
     end
 
@@ -448,9 +467,10 @@ module Aws::KMS
       attr_accessor public_key: ::String
       attr_accessor customer_master_key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
       attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
-      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
       attr_accessor encryption_algorithms: ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
       attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+      attr_accessor key_agreement_algorithms: ::Array[("ECDH")]
       SENSITIVE: []
     end
 
@@ -468,7 +488,7 @@ module Aws::KMS
       attr_accessor grantee_principal: ::String
       attr_accessor retiring_principal: ::String
       attr_accessor issuing_account: ::String
-      attr_accessor operations: ::Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac")]
+      attr_accessor operations: ::Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")]
       attr_accessor constraints: Types::GrantConstraints
       SENSITIVE: []
     end
@@ -573,7 +593,7 @@ module Aws::KMS
       attr_accessor creation_date: ::Time
       attr_accessor enabled: bool
       attr_accessor description: ::String
-      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC")
+      attr_accessor key_usage: ("SIGN_VERIFY" | "ENCRYPT_DECRYPT" | "GENERATE_VERIFY_MAC" | "KEY_AGREEMENT")
       attr_accessor key_state: ("Creating" | "Enabled" | "Disabled" | "PendingDeletion" | "PendingImport" | "PendingReplicaDeletion" | "Unavailable" | "Updating")
       attr_accessor deletion_date: ::Time
       attr_accessor valid_to: ::Time
@@ -586,6 +606,7 @@ module Aws::KMS
       attr_accessor key_spec: ("RSA_2048" | "RSA_3072" | "RSA_4096" | "ECC_NIST_P256" | "ECC_NIST_P384" | "ECC_NIST_P521" | "ECC_SECG_P256K1" | "SYMMETRIC_DEFAULT" | "HMAC_224" | "HMAC_256" | "HMAC_384" | "HMAC_512" | "SM2")
       attr_accessor encryption_algorithms: ::Array[("SYMMETRIC_DEFAULT" | "RSAES_OAEP_SHA_1" | "RSAES_OAEP_SHA_256" | "SM2PKE")]
       attr_accessor signing_algorithms: ::Array[("RSASSA_PSS_SHA_256" | "RSASSA_PSS_SHA_384" | "RSASSA_PSS_SHA_512" | "RSASSA_PKCS1_V1_5_SHA_256" | "RSASSA_PKCS1_V1_5_SHA_384" | "RSASSA_PKCS1_V1_5_SHA_512" | "ECDSA_SHA_256" | "ECDSA_SHA_384" | "ECDSA_SHA_512" | "SM2DSA")]
+      attr_accessor key_agreement_algorithms: ::Array[("ECDH")]
       attr_accessor multi_region: bool
       attr_accessor multi_region_configuration: Types::MultiRegionConfiguration
       attr_accessor pending_deletion_window_in_days: ::Integer

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.79.0
+  version: 1.91.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-12 00:00:00.000000000 Z
+date: 2024-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -19,7 +19,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.191.0
+        version: 3.205.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,21 +29,21 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.191.0
+        version: 3.205.0
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
 description: Official AWS Ruby gem for AWS Key Management Service (KMS). This gem
   is part of the AWS SDK for Ruby.
 email: