aws-sdk-kms 1.82.0 → 1.88.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-kms/client.rb +344 -60
- data/lib/aws-sdk-kms/client_api.rb +41 -0
- data/lib/aws-sdk-kms/endpoints.rb +14 -0
- data/lib/aws-sdk-kms/plugins/endpoints.rb +2 -0
- data/lib/aws-sdk-kms/types.rb +240 -41
- data/lib/aws-sdk-kms.rb +1 -1
- data/sig/client.rbs +27 -3
- data/sig/resource.rbs +1 -0
- data/sig/types.rbs +26 -5
- metadata +6 -6
data/lib/aws-sdk-kms/client.rb
CHANGED
|
@@ -89,6 +89,11 @@ module Aws::KMS
|
|
|
89
89
|
|
|
90
90
|
# @overload initialize(options)
|
|
91
91
|
# @param [Hash] options
|
|
92
|
+
#
|
|
93
|
+
# @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
|
|
94
|
+
# A list of plugins to apply to the client. Each plugin is either a
|
|
95
|
+
# class name or an instance of a plugin class.
|
|
96
|
+
#
|
|
92
97
|
# @option options [required, Aws::CredentialProvider] :credentials
|
|
93
98
|
# Your AWS credentials. This can be an instance of any one of the
|
|
94
99
|
# following classes:
|
|
@@ -209,7 +214,6 @@ module Aws::KMS
|
|
|
209
214
|
# 'https://example.com'
|
|
210
215
|
# 'http://example.com:123'
|
|
211
216
|
#
|
|
212
|
-
#
|
|
213
217
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
|
214
218
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
|
215
219
|
# for endpoint discovery enabled operations. Defaults to 1000.
|
|
@@ -298,7 +302,6 @@ module Aws::KMS
|
|
|
298
302
|
# throttling. This is a provisional mode that may change behavior
|
|
299
303
|
# in the future.
|
|
300
304
|
#
|
|
301
|
-
#
|
|
302
305
|
# @option options [String] :sdk_ua_app_id
|
|
303
306
|
# A unique and opaque application ID that is appended to the
|
|
304
307
|
# User-Agent header as app/sdk_ua_app_id. It should have a
|
|
@@ -309,15 +312,21 @@ module Aws::KMS
|
|
|
309
312
|
#
|
|
310
313
|
# @option options [String] :session_token
|
|
311
314
|
#
|
|
315
|
+
# @option options [Array] :sigv4a_signing_region_set
|
|
316
|
+
# A list of regions that should be signed with SigV4a signing. When
|
|
317
|
+
# not passed, a default `:sigv4a_signing_region_set` is searched for
|
|
318
|
+
# in the following locations:
|
|
319
|
+
#
|
|
320
|
+
# * `Aws.config[:sigv4a_signing_region_set]`
|
|
321
|
+
# * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
|
|
322
|
+
# * `~/.aws/config`
|
|
323
|
+
#
|
|
312
324
|
# @option options [Boolean] :simple_json (false)
|
|
313
325
|
# Disables request parameter conversion, validation, and formatting.
|
|
314
|
-
# Also
|
|
315
|
-
#
|
|
316
|
-
#
|
|
317
|
-
# structures.
|
|
318
|
-
#
|
|
319
|
-
# When `:simple_json` is enabled, the request parameters hash must
|
|
320
|
-
# be formatted exactly as the DynamoDB API expects.
|
|
326
|
+
# Also disables response data type conversions. The request parameters
|
|
327
|
+
# hash must be formatted exactly as the API expects.This option is useful
|
|
328
|
+
# when you want to ensure the highest level of performance by avoiding
|
|
329
|
+
# overhead of walking request parameters and response data structures.
|
|
321
330
|
#
|
|
322
331
|
# @option options [Boolean] :stub_responses (false)
|
|
323
332
|
# Causes the client to return stubbed responses. By default
|
|
@@ -1421,7 +1430,7 @@ module Aws::KMS
|
|
|
1421
1430
|
# key_id: "KeyIdType", # required
|
|
1422
1431
|
# grantee_principal: "PrincipalIdType", # required
|
|
1423
1432
|
# retiring_principal: "PrincipalIdType",
|
|
1424
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
|
|
1433
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
|
|
1425
1434
|
# constraints: {
|
|
1426
1435
|
# encryption_context_subset: {
|
|
1427
1436
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
|
@@ -1508,12 +1517,17 @@ module Aws::KMS
|
|
|
1508
1517
|
# key pair, or an SM2 key pair (China Regions only). The private key
|
|
1509
1518
|
# in an asymmetric KMS key never leaves KMS unencrypted. However, you
|
|
1510
1519
|
# can use the GetPublicKey operation to download the public key so it
|
|
1511
|
-
# can be used outside of KMS. KMS
|
|
1512
|
-
#
|
|
1513
|
-
#
|
|
1514
|
-
#
|
|
1515
|
-
#
|
|
1516
|
-
#
|
|
1520
|
+
# can be used outside of KMS. Each KMS key can have only one key
|
|
1521
|
+
# usage. KMS keys with RSA key pairs can be used to encrypt and
|
|
1522
|
+
# decrypt data or sign and verify messages (but not both). KMS keys
|
|
1523
|
+
# with NIST-recommended ECC key pairs can be used to sign and verify
|
|
1524
|
+
# messages or derive shared secrets (but not both). KMS keys with
|
|
1525
|
+
# `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
|
|
1526
|
+
# keys with SM2 key pairs (China Regions only) can be used to either
|
|
1527
|
+
# encrypt and decrypt data, sign and verify messages, or derive shared
|
|
1528
|
+
# secrets (you must choose one key usage type). For information about
|
|
1529
|
+
# asymmetric KMS keys, see [Asymmetric KMS keys][3] in the *Key
|
|
1530
|
+
# Management Service Developer Guide*.
|
|
1517
1531
|
#
|
|
1518
1532
|
#
|
|
1519
1533
|
#
|
|
@@ -1735,14 +1749,17 @@ module Aws::KMS
|
|
|
1735
1749
|
#
|
|
1736
1750
|
# * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
|
|
1737
1751
|
#
|
|
1738
|
-
# * For asymmetric KMS keys with RSA key
|
|
1752
|
+
# * For asymmetric KMS keys with RSA key pairs, specify
|
|
1739
1753
|
# `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
|
|
1740
1754
|
#
|
|
1741
|
-
# * For asymmetric KMS keys with
|
|
1755
|
+
# * For asymmetric KMS keys with NIST-recommended elliptic curve key
|
|
1756
|
+
# pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
|
|
1757
|
+
#
|
|
1758
|
+
# * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
|
|
1742
1759
|
# `SIGN_VERIFY`.
|
|
1743
1760
|
#
|
|
1744
|
-
# * For asymmetric KMS keys with SM2 key
|
|
1745
|
-
# specify `ENCRYPT_DECRYPT` or `
|
|
1761
|
+
# * For asymmetric KMS keys with SM2 key pairs (China Regions only),
|
|
1762
|
+
# specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
|
|
1746
1763
|
#
|
|
1747
1764
|
#
|
|
1748
1765
|
#
|
|
@@ -1795,7 +1812,8 @@ module Aws::KMS
|
|
|
1795
1812
|
#
|
|
1796
1813
|
# * `HMAC_512`
|
|
1797
1814
|
#
|
|
1798
|
-
# * Asymmetric RSA key pairs
|
|
1815
|
+
# * Asymmetric RSA key pairs (encryption and decryption -or- signing and
|
|
1816
|
+
# verification)
|
|
1799
1817
|
#
|
|
1800
1818
|
# * `RSA_2048`
|
|
1801
1819
|
#
|
|
@@ -1803,7 +1821,8 @@ module Aws::KMS
|
|
|
1803
1821
|
#
|
|
1804
1822
|
# * `RSA_4096`
|
|
1805
1823
|
#
|
|
1806
|
-
# * Asymmetric NIST-recommended elliptic curve key pairs
|
|
1824
|
+
# * Asymmetric NIST-recommended elliptic curve key pairs (signing and
|
|
1825
|
+
# verification -or- deriving shared secrets)
|
|
1807
1826
|
#
|
|
1808
1827
|
# * `ECC_NIST_P256` (secp256r1)
|
|
1809
1828
|
#
|
|
@@ -1811,15 +1830,16 @@ module Aws::KMS
|
|
|
1811
1830
|
#
|
|
1812
1831
|
# * `ECC_NIST_P521` (secp521r1)
|
|
1813
1832
|
#
|
|
1814
|
-
# * Other asymmetric elliptic curve key pairs
|
|
1833
|
+
# * Other asymmetric elliptic curve key pairs (signing and verification)
|
|
1815
1834
|
#
|
|
1816
1835
|
# * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
|
|
1817
1836
|
#
|
|
1818
1837
|
# ^
|
|
1819
1838
|
#
|
|
1820
|
-
# * SM2 key pairs (
|
|
1839
|
+
# * SM2 key pairs (encryption and decryption -or- signing and
|
|
1840
|
+
# verification -or- deriving shared secrets)
|
|
1821
1841
|
#
|
|
1822
|
-
# * `SM2`
|
|
1842
|
+
# * `SM2` (China Regions only)
|
|
1823
1843
|
#
|
|
1824
1844
|
# ^
|
|
1825
1845
|
#
|
|
@@ -2283,7 +2303,7 @@ module Aws::KMS
|
|
|
2283
2303
|
# resp = client.create_key({
|
|
2284
2304
|
# policy: "PolicyType",
|
|
2285
2305
|
# description: "DescriptionType",
|
|
2286
|
-
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
|
|
2306
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
|
|
2287
2307
|
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
2288
2308
|
# key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
|
|
2289
2309
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
|
|
@@ -2307,7 +2327,7 @@ module Aws::KMS
|
|
|
2307
2327
|
# resp.key_metadata.creation_date #=> Time
|
|
2308
2328
|
# resp.key_metadata.enabled #=> Boolean
|
|
2309
2329
|
# resp.key_metadata.description #=> String
|
|
2310
|
-
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
|
2330
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
|
2311
2331
|
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
|
2312
2332
|
# resp.key_metadata.deletion_date #=> Time
|
|
2313
2333
|
# resp.key_metadata.valid_to #=> Time
|
|
@@ -2322,6 +2342,8 @@ module Aws::KMS
|
|
|
2322
2342
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
2323
2343
|
# resp.key_metadata.signing_algorithms #=> Array
|
|
2324
2344
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
2345
|
+
# resp.key_metadata.key_agreement_algorithms #=> Array
|
|
2346
|
+
# resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
|
2325
2347
|
# resp.key_metadata.multi_region #=> Boolean
|
|
2326
2348
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
2327
2349
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -2918,6 +2940,270 @@ module Aws::KMS
|
|
|
2918
2940
|
req.send_request(options)
|
|
2919
2941
|
end
|
|
2920
2942
|
|
|
2943
|
+
# Derives a shared secret using a key agreement algorithm.
|
|
2944
|
+
#
|
|
2945
|
+
# <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
|
|
2946
|
+
# SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
|
|
2947
|
+
# `KEY_AGREEMENT` to call DeriveSharedSecret.
|
|
2948
|
+
#
|
|
2949
|
+
# </note>
|
|
2950
|
+
#
|
|
2951
|
+
# DeriveSharedSecret uses the [Elliptic Curve Cryptography Cofactor
|
|
2952
|
+
# Diffie-Hellman Primitive][1] (ECDH) to establish a key agreement
|
|
2953
|
+
# between two peers by deriving a shared secret from their elliptic
|
|
2954
|
+
# curve public-private key pairs. You can use the raw shared secret that
|
|
2955
|
+
# DeriveSharedSecret returns to derive a symmetric key that can encrypt
|
|
2956
|
+
# and decrypt data that is sent between the two peers, or that can
|
|
2957
|
+
# generate and verify HMACs. KMS recommends that you follow [NIST
|
|
2958
|
+
# recommendations for key derivation][2] when using the raw shared
|
|
2959
|
+
# secret to derive a symmetric key.
|
|
2960
|
+
#
|
|
2961
|
+
# The following workflow demonstrates how to establish key agreement
|
|
2962
|
+
# over an insecure communication channel using DeriveSharedSecret.
|
|
2963
|
+
#
|
|
2964
|
+
# 1. **Alice** calls CreateKey to create an asymmetric KMS key pair
|
|
2965
|
+
# with a `KeyUsage` value of `KEY_AGREEMENT`.
|
|
2966
|
+
#
|
|
2967
|
+
# The asymmetric KMS key must use a NIST-recommended elliptic curve
|
|
2968
|
+
# (ECC) or SM2 (China Regions only) key spec.
|
|
2969
|
+
#
|
|
2970
|
+
# 2. **Bob** creates an elliptic curve key pair.
|
|
2971
|
+
#
|
|
2972
|
+
# Bob can call CreateKey to create an asymmetric KMS key pair or
|
|
2973
|
+
# generate a key pair outside of KMS. Bob's key pair must use the
|
|
2974
|
+
# same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
|
|
2975
|
+
# ony) curve as Alice.
|
|
2976
|
+
#
|
|
2977
|
+
# 3. Alice and Bob **exchange their public keys** through an insecure
|
|
2978
|
+
# communication channel (like the internet).
|
|
2979
|
+
#
|
|
2980
|
+
# Use GetPublicKey to download the public key of your asymmetric KMS
|
|
2981
|
+
# key pair.
|
|
2982
|
+
#
|
|
2983
|
+
# <note markdown="1"> KMS strongly recommends verifying that the public key you receive
|
|
2984
|
+
# came from the expected party before using it to derive a shared
|
|
2985
|
+
# secret.
|
|
2986
|
+
#
|
|
2987
|
+
# </note>
|
|
2988
|
+
#
|
|
2989
|
+
# 4. **Alice** calls DeriveSharedSecret.
|
|
2990
|
+
#
|
|
2991
|
+
# KMS uses the private key from the KMS key pair generated in **Step
|
|
2992
|
+
# 1**, Bob's public key, and the Elliptic Curve Cryptography
|
|
2993
|
+
# Cofactor Diffie-Hellman Primitive to derive the shared secret. The
|
|
2994
|
+
# private key in your KMS key pair never leaves KMS unencrypted.
|
|
2995
|
+
# DeriveSharedSecret returns the raw shared secret.
|
|
2996
|
+
#
|
|
2997
|
+
# 5. **Bob** uses the Elliptic Curve Cryptography Cofactor
|
|
2998
|
+
# Diffie-Hellman Primitive to calculate the same raw secret using
|
|
2999
|
+
# his private key and Alice's public key.
|
|
3000
|
+
#
|
|
3001
|
+
# To derive a shared secret you must provide a key agreement algorithm,
|
|
3002
|
+
# the private key of the caller's asymmetric NIST-recommended elliptic
|
|
3003
|
+
# curve or SM2 (China Regions only) KMS key pair, and the public key
|
|
3004
|
+
# from your peer's NIST-recommended elliptic curve or SM2 (China
|
|
3005
|
+
# Regions only) key pair. The public key can be from another asymmetric
|
|
3006
|
+
# KMS key pair or from a key pair generated outside of KMS, but both key
|
|
3007
|
+
# pairs must be on the same elliptic curve.
|
|
3008
|
+
#
|
|
3009
|
+
# The KMS key that you use for this operation must be in a compatible
|
|
3010
|
+
# key state. For details, see [Key states of KMS keys][3] in the *Key
|
|
3011
|
+
# Management Service Developer Guide*.
|
|
3012
|
+
#
|
|
3013
|
+
# **Cross-account use**: Yes. To perform this operation with a KMS key
|
|
3014
|
+
# in a different Amazon Web Services account, specify the key ARN or
|
|
3015
|
+
# alias ARN in the value of the `KeyId` parameter.
|
|
3016
|
+
#
|
|
3017
|
+
# **Required permissions**: [kms:DeriveSharedSecret][4] (key policy)
|
|
3018
|
+
#
|
|
3019
|
+
# **Related operations:**
|
|
3020
|
+
#
|
|
3021
|
+
# * CreateKey
|
|
3022
|
+
#
|
|
3023
|
+
# * GetPublicKey
|
|
3024
|
+
#
|
|
3025
|
+
# * DescribeKey
|
|
3026
|
+
#
|
|
3027
|
+
# **Eventual consistency**: The KMS API follows an eventual consistency
|
|
3028
|
+
# model. For more information, see [KMS eventual consistency][5].
|
|
3029
|
+
#
|
|
3030
|
+
#
|
|
3031
|
+
#
|
|
3032
|
+
# [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60
|
|
3033
|
+
# [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
|
|
3034
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
|
3035
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
|
|
3036
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
|
|
3037
|
+
#
|
|
3038
|
+
# @option params [required, String] :key_id
|
|
3039
|
+
# Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
|
|
3040
|
+
# only) KMS key. KMS uses the private key in the specified key pair to
|
|
3041
|
+
# derive the shared secret. The key usage of the KMS key must be
|
|
3042
|
+
# `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
|
|
3043
|
+
# DescribeKey operation.
|
|
3044
|
+
#
|
|
3045
|
+
# To specify a KMS key, use its key ID, key ARN, alias name, or alias
|
|
3046
|
+
# ARN. When using an alias name, prefix it with `"alias/"`. To specify a
|
|
3047
|
+
# KMS key in a different Amazon Web Services account, you must use the
|
|
3048
|
+
# key ARN or alias ARN.
|
|
3049
|
+
#
|
|
3050
|
+
# For example:
|
|
3051
|
+
#
|
|
3052
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3053
|
+
#
|
|
3054
|
+
# * Key ARN:
|
|
3055
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
|
3056
|
+
#
|
|
3057
|
+
# * Alias name: `alias/ExampleAlias`
|
|
3058
|
+
#
|
|
3059
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
|
3060
|
+
#
|
|
3061
|
+
# To get the key ID and key ARN for a KMS key, use ListKeys or
|
|
3062
|
+
# DescribeKey. To get the alias name and alias ARN, use ListAliases.
|
|
3063
|
+
#
|
|
3064
|
+
# @option params [required, String] :key_agreement_algorithm
|
|
3065
|
+
# Specifies the key agreement algorithm used to derive the shared
|
|
3066
|
+
# secret. The only valid value is `ECDH`.
|
|
3067
|
+
#
|
|
3068
|
+
# @option params [required, String, StringIO, File] :public_key
|
|
3069
|
+
# Specifies the public key in your peer's NIST-recommended elliptic
|
|
3070
|
+
# curve (ECC) or SM2 (China Regions only) key pair.
|
|
3071
|
+
#
|
|
3072
|
+
# The public key must be a DER-encoded X.509 public key, also known as
|
|
3073
|
+
# `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
|
|
3074
|
+
#
|
|
3075
|
+
# GetPublicKey returns the public key of an asymmetric KMS key pair in
|
|
3076
|
+
# the required DER-encoded format.
|
|
3077
|
+
#
|
|
3078
|
+
# <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
|
|
3079
|
+
# the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web
|
|
3080
|
+
# Services CLI Base64-encodes the public key a second time, resulting in
|
|
3081
|
+
# a `ValidationException`.
|
|
3082
|
+
#
|
|
3083
|
+
# </note>
|
|
3084
|
+
#
|
|
3085
|
+
# You can specify the public key as binary data in a file using fileb
|
|
3086
|
+
# (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
|
|
3087
|
+
#
|
|
3088
|
+
#
|
|
3089
|
+
#
|
|
3090
|
+
# [1]: https://tools.ietf.org/html/rfc5280
|
|
3091
|
+
# [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
|
|
3092
|
+
#
|
|
3093
|
+
# @option params [Array<String>] :grant_tokens
|
|
3094
|
+
# A list of grant tokens.
|
|
3095
|
+
#
|
|
3096
|
+
# Use a grant token when your permission to call this operation comes
|
|
3097
|
+
# from a new grant that has not yet achieved *eventual consistency*. For
|
|
3098
|
+
# more information, see [Grant token][1] and [Using a grant token][2] in
|
|
3099
|
+
# the *Key Management Service Developer Guide*.
|
|
3100
|
+
#
|
|
3101
|
+
#
|
|
3102
|
+
#
|
|
3103
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
|
|
3104
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
|
|
3105
|
+
#
|
|
3106
|
+
# @option params [Boolean] :dry_run
|
|
3107
|
+
# Checks if your request will succeed. `DryRun` is an optional
|
|
3108
|
+
# parameter.
|
|
3109
|
+
#
|
|
3110
|
+
# To learn more about how to use this parameter, see [Testing your KMS
|
|
3111
|
+
# API calls][1] in the *Key Management Service Developer Guide*.
|
|
3112
|
+
#
|
|
3113
|
+
#
|
|
3114
|
+
#
|
|
3115
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
|
|
3116
|
+
#
|
|
3117
|
+
# @option params [Types::RecipientInfo] :recipient
|
|
3118
|
+
# A signed [attestation document][1] from an Amazon Web Services Nitro
|
|
3119
|
+
# enclave and the encryption algorithm to use with the enclave's public
|
|
3120
|
+
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
3121
|
+
#
|
|
3122
|
+
# This parameter only supports attestation documents for Amazon Web
|
|
3123
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
|
|
3124
|
+
# Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
|
|
3125
|
+
# SDK][2] to generate the attestation document and then use the
|
|
3126
|
+
# Recipient parameter from any Amazon Web Services SDK to provide the
|
|
3127
|
+
# attestation document for the enclave.
|
|
3128
|
+
#
|
|
3129
|
+
# When you use this parameter, instead of returning a plaintext copy of
|
|
3130
|
+
# the shared secret, KMS encrypts the plaintext shared secret under the
|
|
3131
|
+
# public key in the attestation document, and returns the resulting
|
|
3132
|
+
# ciphertext in the `CiphertextForRecipient` field in the response. This
|
|
3133
|
+
# ciphertext can be decrypted only with the private key in the enclave.
|
|
3134
|
+
# The `CiphertextBlob` field in the response contains the encrypted
|
|
3135
|
+
# shared secret derived from the KMS key specified by the `KeyId`
|
|
3136
|
+
# parameter and public key specified by the `PublicKey` parameter. The
|
|
3137
|
+
# `SharedSecret` field in the response is null or empty.
|
|
3138
|
+
#
|
|
3139
|
+
# For information about the interaction between KMS and Amazon Web
|
|
3140
|
+
# Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
|
|
3141
|
+
# uses KMS][3] in the *Key Management Service Developer Guide*.
|
|
3142
|
+
#
|
|
3143
|
+
#
|
|
3144
|
+
#
|
|
3145
|
+
# [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
|
|
3146
|
+
# [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
|
|
3147
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
|
|
3148
|
+
#
|
|
3149
|
+
# @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
3150
|
+
#
|
|
3151
|
+
# * {Types::DeriveSharedSecretResponse#key_id #key_id} => String
|
|
3152
|
+
# * {Types::DeriveSharedSecretResponse#shared_secret #shared_secret} => String
|
|
3153
|
+
# * {Types::DeriveSharedSecretResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
|
|
3154
|
+
# * {Types::DeriveSharedSecretResponse#key_agreement_algorithm #key_agreement_algorithm} => String
|
|
3155
|
+
# * {Types::DeriveSharedSecretResponse#key_origin #key_origin} => String
|
|
3156
|
+
#
|
|
3157
|
+
#
|
|
3158
|
+
# @example Example: To derive a shared secret
|
|
3159
|
+
#
|
|
3160
|
+
# # The following example derives a shared secret using a key agreement algorithm.
|
|
3161
|
+
#
|
|
3162
|
+
# resp = client.derive_shared_secret({
|
|
3163
|
+
# key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
|
|
3164
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
|
|
3165
|
+
# public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
|
|
3166
|
+
# })
|
|
3167
|
+
#
|
|
3168
|
+
# resp.to_h outputs the following:
|
|
3169
|
+
# {
|
|
3170
|
+
# key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
|
|
3171
|
+
# key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
|
|
3172
|
+
# key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
|
|
3173
|
+
# shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
|
|
3174
|
+
# }
|
|
3175
|
+
#
|
|
3176
|
+
# @example Request syntax with placeholder values
|
|
3177
|
+
#
|
|
3178
|
+
# resp = client.derive_shared_secret({
|
|
3179
|
+
# key_id: "KeyIdType", # required
|
|
3180
|
+
# key_agreement_algorithm: "ECDH", # required, accepts ECDH
|
|
3181
|
+
# public_key: "data", # required
|
|
3182
|
+
# grant_tokens: ["GrantTokenType"],
|
|
3183
|
+
# dry_run: false,
|
|
3184
|
+
# recipient: {
|
|
3185
|
+
# key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
|
|
3186
|
+
# attestation_document: "data",
|
|
3187
|
+
# },
|
|
3188
|
+
# })
|
|
3189
|
+
#
|
|
3190
|
+
# @example Response structure
|
|
3191
|
+
#
|
|
3192
|
+
# resp.key_id #=> String
|
|
3193
|
+
# resp.shared_secret #=> String
|
|
3194
|
+
# resp.ciphertext_for_recipient #=> String
|
|
3195
|
+
# resp.key_agreement_algorithm #=> String, one of "ECDH"
|
|
3196
|
+
# resp.key_origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
|
|
3197
|
+
#
|
|
3198
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret AWS API Documentation
|
|
3199
|
+
#
|
|
3200
|
+
# @overload derive_shared_secret(params = {})
|
|
3201
|
+
# @param [Hash] params ({})
|
|
3202
|
+
def derive_shared_secret(params = {}, options = {})
|
|
3203
|
+
req = build_request(:derive_shared_secret, params)
|
|
3204
|
+
req.send_request(options)
|
|
3205
|
+
end
|
|
3206
|
+
|
|
2921
3207
|
# Gets information about [custom key stores][1] in the account and
|
|
2922
3208
|
# Region.
|
|
2923
3209
|
#
|
|
@@ -3502,7 +3788,7 @@ module Aws::KMS
|
|
|
3502
3788
|
# resp.key_metadata.creation_date #=> Time
|
|
3503
3789
|
# resp.key_metadata.enabled #=> Boolean
|
|
3504
3790
|
# resp.key_metadata.description #=> String
|
|
3505
|
-
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
|
3791
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
|
3506
3792
|
# resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
|
3507
3793
|
# resp.key_metadata.deletion_date #=> Time
|
|
3508
3794
|
# resp.key_metadata.valid_to #=> Time
|
|
@@ -3517,6 +3803,8 @@ module Aws::KMS
|
|
|
3517
3803
|
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
3518
3804
|
# resp.key_metadata.signing_algorithms #=> Array
|
|
3519
3805
|
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
3806
|
+
# resp.key_metadata.key_agreement_algorithms #=> Array
|
|
3807
|
+
# resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
|
3520
3808
|
# resp.key_metadata.multi_region #=> Boolean
|
|
3521
3809
|
# resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
3522
3810
|
# resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -4783,8 +5071,11 @@ module Aws::KMS
|
|
|
4783
5071
|
# key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
|
|
4784
5072
|
#
|
|
4785
5073
|
# This parameter only supports attestation documents for Amazon Web
|
|
4786
|
-
# Services Nitro Enclaves. To
|
|
4787
|
-
#
|
|
5074
|
+
# Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
|
|
5075
|
+
# Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
|
|
5076
|
+
# SDK][2] to generate the attestation document and then use the
|
|
5077
|
+
# Recipient parameter from any Amazon Web Services SDK to provide the
|
|
5078
|
+
# attestation document for the enclave.
|
|
4788
5079
|
#
|
|
4789
5080
|
# When you use this parameter, instead of returning a plaintext copy of
|
|
4790
5081
|
# the private data key, KMS encrypts the plaintext private data key
|
|
@@ -5872,8 +6163,8 @@ module Aws::KMS
|
|
|
5872
6163
|
# `GetParametersForImport` returns the items that you need to import
|
|
5873
6164
|
# your key material.
|
|
5874
6165
|
#
|
|
5875
|
-
# * The public key (or "wrapping key") of an
|
|
5876
|
-
#
|
|
6166
|
+
# * The public key (or "wrapping key") of an RSA key pair that KMS
|
|
6167
|
+
# generates.
|
|
5877
6168
|
#
|
|
5878
6169
|
# You will use this public key to encrypt ("wrap") your key material
|
|
5879
6170
|
# while it's in transit to KMS.
|
|
@@ -5951,28 +6242,20 @@ module Aws::KMS
|
|
|
5951
6242
|
# DescribeKey.
|
|
5952
6243
|
#
|
|
5953
6244
|
# @option params [required, String] :wrapping_algorithm
|
|
5954
|
-
# The algorithm you will use with the
|
|
5955
|
-
#
|
|
5956
|
-
#
|
|
6245
|
+
# The algorithm you will use with the RSA public key (`PublicKey`) in
|
|
6246
|
+
# the response to protect your key material during import. For more
|
|
6247
|
+
# information, see [Select a wrapping
|
|
5957
6248
|
# algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
|
|
5958
6249
|
# in the *Key Management Service Developer Guide*.
|
|
5959
6250
|
#
|
|
5960
6251
|
# For RSA\_AES wrapping algorithms, you encrypt your key material with
|
|
5961
6252
|
# an AES key that you generate, then encrypt your AES key with the RSA
|
|
5962
6253
|
# public key from KMS. For RSAES wrapping algorithms, you encrypt your
|
|
5963
|
-
# key material directly with the RSA public key from KMS.
|
|
5964
|
-
# wrapping algorithms, you encrypt your key material directly with the
|
|
5965
|
-
# SM2 public key from KMS.
|
|
6254
|
+
# key material directly with the RSA public key from KMS.
|
|
5966
6255
|
#
|
|
5967
6256
|
# The wrapping algorithms that you can use depend on the type of key
|
|
5968
6257
|
# material that you are importing. To import an RSA private key, you
|
|
5969
|
-
# must use an RSA\_AES wrapping algorithm
|
|
5970
|
-
# where you must use the SM2PKE wrapping algorithm to import an RSA
|
|
5971
|
-
# private key.
|
|
5972
|
-
#
|
|
5973
|
-
# The SM2PKE wrapping algorithm is available only in China Regions. The
|
|
5974
|
-
# `RSA_AES_KEY_WRAP_SHA_256` and `RSA_AES_KEY_WRAP_SHA_1` wrapping
|
|
5975
|
-
# algorithms are not supported in China Regions.
|
|
6258
|
+
# must use an RSA\_AES wrapping algorithm.
|
|
5976
6259
|
#
|
|
5977
6260
|
# * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
|
|
5978
6261
|
# ECC key material.
|
|
@@ -5995,22 +6278,17 @@ module Aws::KMS
|
|
|
5995
6278
|
# * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
|
|
5996
6279
|
# does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
|
|
5997
6280
|
#
|
|
5998
|
-
# * **SM2PKE** (China Regions only) — supported for wrapping RSA, ECC,
|
|
5999
|
-
# and SM2 key material.
|
|
6000
|
-
#
|
|
6001
6281
|
# @option params [required, String] :wrapping_key_spec
|
|
6002
|
-
# The type of public key to return in the response. You will use
|
|
6003
|
-
# wrapping key with the specified wrapping algorithm to protect
|
|
6004
|
-
# material during import.
|
|
6282
|
+
# The type of RSA public key to return in the response. You will use
|
|
6283
|
+
# this wrapping key with the specified wrapping algorithm to protect
|
|
6284
|
+
# your key material during import.
|
|
6005
6285
|
#
|
|
6006
|
-
# Use the longest wrapping key that is practical.
|
|
6286
|
+
# Use the longest RSA wrapping key that is practical.
|
|
6007
6287
|
#
|
|
6008
6288
|
# You cannot use an RSA\_2048 public key to directly wrap an
|
|
6009
6289
|
# ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
|
|
6010
6290
|
# algorithm or choose a longer RSA public key.
|
|
6011
6291
|
#
|
|
6012
|
-
# The SM2 wrapping key spec is available only in China Regions.
|
|
6013
|
-
#
|
|
6014
6292
|
# @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
6015
6293
|
#
|
|
6016
6294
|
# * {Types::GetParametersForImportResponse#key_id #key_id} => String
|
|
@@ -6144,7 +6422,8 @@ module Aws::KMS
|
|
|
6144
6422
|
# * [KeySpec][2]: The type of key material in the public key, such as
|
|
6145
6423
|
# `RSA_4096` or `ECC_NIST_P521`.
|
|
6146
6424
|
#
|
|
6147
|
-
# * [KeyUsage][3]: Whether the key is used for encryption or
|
|
6425
|
+
# * [KeyUsage][3]: Whether the key is used for encryption, signing, or
|
|
6426
|
+
# deriving a shared secret.
|
|
6148
6427
|
#
|
|
6149
6428
|
# * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
|
|
6150
6429
|
# encryption algorithms or the signing algorithms for the key.
|
|
@@ -6233,6 +6512,7 @@ module Aws::KMS
|
|
|
6233
6512
|
# * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
|
|
6234
6513
|
# * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array<String>
|
|
6235
6514
|
# * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array<String>
|
|
6515
|
+
# * {Types::GetPublicKeyResponse#key_agreement_algorithms #key_agreement_algorithms} => Array<String>
|
|
6236
6516
|
#
|
|
6237
6517
|
#
|
|
6238
6518
|
# @example Example: To download the public key of an asymmetric KMS key
|
|
@@ -6270,11 +6550,13 @@ module Aws::KMS
|
|
|
6270
6550
|
# resp.public_key #=> String
|
|
6271
6551
|
# resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
6272
6552
|
# resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
|
|
6273
|
-
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
|
6553
|
+
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
|
6274
6554
|
# resp.encryption_algorithms #=> Array
|
|
6275
6555
|
# resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
6276
6556
|
# resp.signing_algorithms #=> Array
|
|
6277
6557
|
# resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
6558
|
+
# resp.key_agreement_algorithms #=> Array
|
|
6559
|
+
# resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
|
6278
6560
|
#
|
|
6279
6561
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
|
|
6280
6562
|
#
|
|
@@ -6877,7 +7159,7 @@ module Aws::KMS
|
|
|
6877
7159
|
# resp.grants[0].retiring_principal #=> String
|
|
6878
7160
|
# resp.grants[0].issuing_account #=> String
|
|
6879
7161
|
# resp.grants[0].operations #=> Array
|
|
6880
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
|
|
7162
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
|
|
6881
7163
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
|
6882
7164
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
|
6883
7165
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
|
@@ -7499,7 +7781,7 @@ module Aws::KMS
|
|
|
7499
7781
|
# resp.grants[0].retiring_principal #=> String
|
|
7500
7782
|
# resp.grants[0].issuing_account #=> String
|
|
7501
7783
|
# resp.grants[0].operations #=> Array
|
|
7502
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
|
|
7784
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
|
|
7503
7785
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
|
7504
7786
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
|
7505
7787
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
|
@@ -8337,7 +8619,7 @@ module Aws::KMS
|
|
|
8337
8619
|
# resp.replica_key_metadata.creation_date #=> Time
|
|
8338
8620
|
# resp.replica_key_metadata.enabled #=> Boolean
|
|
8339
8621
|
# resp.replica_key_metadata.description #=> String
|
|
8340
|
-
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
|
|
8622
|
+
# resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
|
|
8341
8623
|
# resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
|
|
8342
8624
|
# resp.replica_key_metadata.deletion_date #=> Time
|
|
8343
8625
|
# resp.replica_key_metadata.valid_to #=> Time
|
|
@@ -8352,6 +8634,8 @@ module Aws::KMS
|
|
|
8352
8634
|
# resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
|
|
8353
8635
|
# resp.replica_key_metadata.signing_algorithms #=> Array
|
|
8354
8636
|
# resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
|
|
8637
|
+
# resp.replica_key_metadata.key_agreement_algorithms #=> Array
|
|
8638
|
+
# resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
|
|
8355
8639
|
# resp.replica_key_metadata.multi_region #=> Boolean
|
|
8356
8640
|
# resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
|
|
8357
8641
|
# resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
|
|
@@ -10471,7 +10755,7 @@ module Aws::KMS
|
|
|
10471
10755
|
params: params,
|
|
10472
10756
|
config: config)
|
|
10473
10757
|
context[:gem_name] = 'aws-sdk-kms'
|
|
10474
|
-
context[:gem_version] = '1.
|
|
10758
|
+
context[:gem_version] = '1.88.0'
|
|
10475
10759
|
Seahorse::Client::Request.new(handlers, context)
|
|
10476
10760
|
end
|
|
10477
10761
|
|