aws-sdk-kms 1.82.0 → 1.88.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -89,6 +89,11 @@ module Aws::KMS
89
89
 
90
90
  # @overload initialize(options)
91
91
  # @param [Hash] options
92
+ #
93
+ # @option options [Array<Seahorse::Client::Plugin>] :plugins ([]])
94
+ # A list of plugins to apply to the client. Each plugin is either a
95
+ # class name or an instance of a plugin class.
96
+ #
92
97
  # @option options [required, Aws::CredentialProvider] :credentials
93
98
  # Your AWS credentials. This can be an instance of any one of the
94
99
  # following classes:
@@ -209,7 +214,6 @@ module Aws::KMS
209
214
  # 'https://example.com'
210
215
  # 'http://example.com:123'
211
216
  #
212
- #
213
217
  # @option options [Integer] :endpoint_cache_max_entries (1000)
214
218
  # Used for the maximum size limit of the LRU cache storing endpoints data
215
219
  # for endpoint discovery enabled operations. Defaults to 1000.
@@ -298,7 +302,6 @@ module Aws::KMS
298
302
  # throttling. This is a provisional mode that may change behavior
299
303
  # in the future.
300
304
  #
301
- #
302
305
  # @option options [String] :sdk_ua_app_id
303
306
  # A unique and opaque application ID that is appended to the
304
307
  # User-Agent header as app/sdk_ua_app_id. It should have a
@@ -309,15 +312,21 @@ module Aws::KMS
309
312
  #
310
313
  # @option options [String] :session_token
311
314
  #
315
+ # @option options [Array] :sigv4a_signing_region_set
316
+ # A list of regions that should be signed with SigV4a signing. When
317
+ # not passed, a default `:sigv4a_signing_region_set` is searched for
318
+ # in the following locations:
319
+ #
320
+ # * `Aws.config[:sigv4a_signing_region_set]`
321
+ # * `ENV['AWS_SIGV4A_SIGNING_REGION_SET']`
322
+ # * `~/.aws/config`
323
+ #
312
324
  # @option options [Boolean] :simple_json (false)
313
325
  # Disables request parameter conversion, validation, and formatting.
314
- # Also disable response data type conversions. This option is useful
315
- # when you want to ensure the highest level of performance by
316
- # avoiding overhead of walking request parameters and response data
317
- # structures.
318
- #
319
- # When `:simple_json` is enabled, the request parameters hash must
320
- # be formatted exactly as the DynamoDB API expects.
326
+ # Also disables response data type conversions. The request parameters
327
+ # hash must be formatted exactly as the API expects.This option is useful
328
+ # when you want to ensure the highest level of performance by avoiding
329
+ # overhead of walking request parameters and response data structures.
321
330
  #
322
331
  # @option options [Boolean] :stub_responses (false)
323
332
  # Causes the client to return stubbed responses. By default
@@ -1421,7 +1430,7 @@ module Aws::KMS
1421
1430
  # key_id: "KeyIdType", # required
1422
1431
  # grantee_principal: "PrincipalIdType", # required
1423
1432
  # retiring_principal: "PrincipalIdType",
1424
- # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac
1433
+ # operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
1425
1434
  # constraints: {
1426
1435
  # encryption_context_subset: {
1427
1436
  # "EncryptionContextKey" => "EncryptionContextValue",
@@ -1508,12 +1517,17 @@ module Aws::KMS
1508
1517
  # key pair, or an SM2 key pair (China Regions only). The private key
1509
1518
  # in an asymmetric KMS key never leaves KMS unencrypted. However, you
1510
1519
  # can use the GetPublicKey operation to download the public key so it
1511
- # can be used outside of KMS. KMS keys with RSA or SM2 key pairs can
1512
- # be used to encrypt or decrypt data or sign and verify messages (but
1513
- # not both). KMS keys with ECC key pairs can be used only to sign and
1514
- # verify messages. For information about asymmetric KMS keys, see
1515
- # [Asymmetric KMS keys][3] in the *Key Management Service Developer
1516
- # Guide*.
1520
+ # can be used outside of KMS. Each KMS key can have only one key
1521
+ # usage. KMS keys with RSA key pairs can be used to encrypt and
1522
+ # decrypt data or sign and verify messages (but not both). KMS keys
1523
+ # with NIST-recommended ECC key pairs can be used to sign and verify
1524
+ # messages or derive shared secrets (but not both). KMS keys with
1525
+ # `ECC_SECG_P256K1` can be used only to sign and verify messages. KMS
1526
+ # keys with SM2 key pairs (China Regions only) can be used to either
1527
+ # encrypt and decrypt data, sign and verify messages, or derive shared
1528
+ # secrets (you must choose one key usage type). For information about
1529
+ # asymmetric KMS keys, see [Asymmetric KMS keys][3] in the *Key
1530
+ # Management Service Developer Guide*.
1517
1531
  #
1518
1532
  #
1519
1533
  #
@@ -1735,14 +1749,17 @@ module Aws::KMS
1735
1749
  #
1736
1750
  # * For HMAC KMS keys (symmetric), specify `GENERATE_VERIFY_MAC`.
1737
1751
  #
1738
- # * For asymmetric KMS keys with RSA key material, specify
1752
+ # * For asymmetric KMS keys with RSA key pairs, specify
1739
1753
  # `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
1740
1754
  #
1741
- # * For asymmetric KMS keys with ECC key material, specify
1755
+ # * For asymmetric KMS keys with NIST-recommended elliptic curve key
1756
+ # pairs, specify `SIGN_VERIFY` or `KEY_AGREEMENT`.
1757
+ #
1758
+ # * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify
1742
1759
  # `SIGN_VERIFY`.
1743
1760
  #
1744
- # * For asymmetric KMS keys with SM2 key material (China Regions only),
1745
- # specify `ENCRYPT_DECRYPT` or `SIGN_VERIFY`.
1761
+ # * For asymmetric KMS keys with SM2 key pairs (China Regions only),
1762
+ # specify `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, or `KEY_AGREEMENT`.
1746
1763
  #
1747
1764
  #
1748
1765
  #
@@ -1795,7 +1812,8 @@ module Aws::KMS
1795
1812
  #
1796
1813
  # * `HMAC_512`
1797
1814
  #
1798
- # * Asymmetric RSA key pairs
1815
+ # * Asymmetric RSA key pairs (encryption and decryption -or- signing and
1816
+ # verification)
1799
1817
  #
1800
1818
  # * `RSA_2048`
1801
1819
  #
@@ -1803,7 +1821,8 @@ module Aws::KMS
1803
1821
  #
1804
1822
  # * `RSA_4096`
1805
1823
  #
1806
- # * Asymmetric NIST-recommended elliptic curve key pairs
1824
+ # * Asymmetric NIST-recommended elliptic curve key pairs (signing and
1825
+ # verification -or- deriving shared secrets)
1807
1826
  #
1808
1827
  # * `ECC_NIST_P256` (secp256r1)
1809
1828
  #
@@ -1811,15 +1830,16 @@ module Aws::KMS
1811
1830
  #
1812
1831
  # * `ECC_NIST_P521` (secp521r1)
1813
1832
  #
1814
- # * Other asymmetric elliptic curve key pairs
1833
+ # * Other asymmetric elliptic curve key pairs (signing and verification)
1815
1834
  #
1816
1835
  # * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
1817
1836
  #
1818
1837
  # ^
1819
1838
  #
1820
- # * SM2 key pairs (China Regions only)
1839
+ # * SM2 key pairs (encryption and decryption -or- signing and
1840
+ # verification -or- deriving shared secrets)
1821
1841
  #
1822
- # * `SM2`
1842
+ # * `SM2` (China Regions only)
1823
1843
  #
1824
1844
  # ^
1825
1845
  #
@@ -2283,7 +2303,7 @@ module Aws::KMS
2283
2303
  # resp = client.create_key({
2284
2304
  # policy: "PolicyType",
2285
2305
  # description: "DescriptionType",
2286
- # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC
2306
+ # key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT
2287
2307
  # customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
2288
2308
  # key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2
2289
2309
  # origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE
@@ -2307,7 +2327,7 @@ module Aws::KMS
2307
2327
  # resp.key_metadata.creation_date #=> Time
2308
2328
  # resp.key_metadata.enabled #=> Boolean
2309
2329
  # resp.key_metadata.description #=> String
2310
- # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
2330
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
2311
2331
  # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
2312
2332
  # resp.key_metadata.deletion_date #=> Time
2313
2333
  # resp.key_metadata.valid_to #=> Time
@@ -2322,6 +2342,8 @@ module Aws::KMS
2322
2342
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
2323
2343
  # resp.key_metadata.signing_algorithms #=> Array
2324
2344
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
2345
+ # resp.key_metadata.key_agreement_algorithms #=> Array
2346
+ # resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
2325
2347
  # resp.key_metadata.multi_region #=> Boolean
2326
2348
  # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
2327
2349
  # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -2918,6 +2940,270 @@ module Aws::KMS
2918
2940
  req.send_request(options)
2919
2941
  end
2920
2942
 
2943
+ # Derives a shared secret using a key agreement algorithm.
2944
+ #
2945
+ # <note markdown="1"> You must use an asymmetric NIST-recommended elliptic curve (ECC) or
2946
+ # SM2 (China Regions only) KMS key pair with a `KeyUsage` value of
2947
+ # `KEY_AGREEMENT` to call DeriveSharedSecret.
2948
+ #
2949
+ # </note>
2950
+ #
2951
+ # DeriveSharedSecret uses the [Elliptic Curve Cryptography Cofactor
2952
+ # Diffie-Hellman Primitive][1] (ECDH) to establish a key agreement
2953
+ # between two peers by deriving a shared secret from their elliptic
2954
+ # curve public-private key pairs. You can use the raw shared secret that
2955
+ # DeriveSharedSecret returns to derive a symmetric key that can encrypt
2956
+ # and decrypt data that is sent between the two peers, or that can
2957
+ # generate and verify HMACs. KMS recommends that you follow [NIST
2958
+ # recommendations for key derivation][2] when using the raw shared
2959
+ # secret to derive a symmetric key.
2960
+ #
2961
+ # The following workflow demonstrates how to establish key agreement
2962
+ # over an insecure communication channel using DeriveSharedSecret.
2963
+ #
2964
+ # 1. **Alice** calls CreateKey to create an asymmetric KMS key pair
2965
+ # with a `KeyUsage` value of `KEY_AGREEMENT`.
2966
+ #
2967
+ # The asymmetric KMS key must use a NIST-recommended elliptic curve
2968
+ # (ECC) or SM2 (China Regions only) key spec.
2969
+ #
2970
+ # 2. **Bob** creates an elliptic curve key pair.
2971
+ #
2972
+ # Bob can call CreateKey to create an asymmetric KMS key pair or
2973
+ # generate a key pair outside of KMS. Bob's key pair must use the
2974
+ # same NIST-recommended elliptic curve (ECC) or SM2 (China Regions
2975
+ # ony) curve as Alice.
2976
+ #
2977
+ # 3. Alice and Bob **exchange their public keys** through an insecure
2978
+ # communication channel (like the internet).
2979
+ #
2980
+ # Use GetPublicKey to download the public key of your asymmetric KMS
2981
+ # key pair.
2982
+ #
2983
+ # <note markdown="1"> KMS strongly recommends verifying that the public key you receive
2984
+ # came from the expected party before using it to derive a shared
2985
+ # secret.
2986
+ #
2987
+ # </note>
2988
+ #
2989
+ # 4. **Alice** calls DeriveSharedSecret.
2990
+ #
2991
+ # KMS uses the private key from the KMS key pair generated in **Step
2992
+ # 1**, Bob's public key, and the Elliptic Curve Cryptography
2993
+ # Cofactor Diffie-Hellman Primitive to derive the shared secret. The
2994
+ # private key in your KMS key pair never leaves KMS unencrypted.
2995
+ # DeriveSharedSecret returns the raw shared secret.
2996
+ #
2997
+ # 5. **Bob** uses the Elliptic Curve Cryptography Cofactor
2998
+ # Diffie-Hellman Primitive to calculate the same raw secret using
2999
+ # his private key and Alice's public key.
3000
+ #
3001
+ # To derive a shared secret you must provide a key agreement algorithm,
3002
+ # the private key of the caller's asymmetric NIST-recommended elliptic
3003
+ # curve or SM2 (China Regions only) KMS key pair, and the public key
3004
+ # from your peer's NIST-recommended elliptic curve or SM2 (China
3005
+ # Regions only) key pair. The public key can be from another asymmetric
3006
+ # KMS key pair or from a key pair generated outside of KMS, but both key
3007
+ # pairs must be on the same elliptic curve.
3008
+ #
3009
+ # The KMS key that you use for this operation must be in a compatible
3010
+ # key state. For details, see [Key states of KMS keys][3] in the *Key
3011
+ # Management Service Developer Guide*.
3012
+ #
3013
+ # **Cross-account use**: Yes. To perform this operation with a KMS key
3014
+ # in a different Amazon Web Services account, specify the key ARN or
3015
+ # alias ARN in the value of the `KeyId` parameter.
3016
+ #
3017
+ # **Required permissions**: [kms:DeriveSharedSecret][4] (key policy)
3018
+ #
3019
+ # **Related operations:**
3020
+ #
3021
+ # * CreateKey
3022
+ #
3023
+ # * GetPublicKey
3024
+ #
3025
+ # * DescribeKey
3026
+ #
3027
+ # **Eventual consistency**: The KMS API follows an eventual consistency
3028
+ # model. For more information, see [KMS eventual consistency][5].
3029
+ #
3030
+ #
3031
+ #
3032
+ # [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60
3033
+ # [2]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
3034
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
3035
+ # [4]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
3036
+ # [5]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html
3037
+ #
3038
+ # @option params [required, String] :key_id
3039
+ # Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions
3040
+ # only) KMS key. KMS uses the private key in the specified key pair to
3041
+ # derive the shared secret. The key usage of the KMS key must be
3042
+ # `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the
3043
+ # DescribeKey operation.
3044
+ #
3045
+ # To specify a KMS key, use its key ID, key ARN, alias name, or alias
3046
+ # ARN. When using an alias name, prefix it with `"alias/"`. To specify a
3047
+ # KMS key in a different Amazon Web Services account, you must use the
3048
+ # key ARN or alias ARN.
3049
+ #
3050
+ # For example:
3051
+ #
3052
+ # * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
3053
+ #
3054
+ # * Key ARN:
3055
+ # `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
3056
+ #
3057
+ # * Alias name: `alias/ExampleAlias`
3058
+ #
3059
+ # * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
3060
+ #
3061
+ # To get the key ID and key ARN for a KMS key, use ListKeys or
3062
+ # DescribeKey. To get the alias name and alias ARN, use ListAliases.
3063
+ #
3064
+ # @option params [required, String] :key_agreement_algorithm
3065
+ # Specifies the key agreement algorithm used to derive the shared
3066
+ # secret. The only valid value is `ECDH`.
3067
+ #
3068
+ # @option params [required, String, StringIO, File] :public_key
3069
+ # Specifies the public key in your peer's NIST-recommended elliptic
3070
+ # curve (ECC) or SM2 (China Regions only) key pair.
3071
+ #
3072
+ # The public key must be a DER-encoded X.509 public key, also known as
3073
+ # `SubjectPublicKeyInfo` (SPKI), as defined in [RFC 5280][1].
3074
+ #
3075
+ # GetPublicKey returns the public key of an asymmetric KMS key pair in
3076
+ # the required DER-encoded format.
3077
+ #
3078
+ # <note markdown="1"> If you use [Amazon Web Services CLI version 1][2], you must provide
3079
+ # the DER-encoded X.509 public key in a file. Otherwise, the Amazon Web
3080
+ # Services CLI Base64-encodes the public key a second time, resulting in
3081
+ # a `ValidationException`.
3082
+ #
3083
+ # </note>
3084
+ #
3085
+ # You can specify the public key as binary data in a file using fileb
3086
+ # (`fileb://<path-to-file>`) or in-line using a Base64 encoded string.
3087
+ #
3088
+ #
3089
+ #
3090
+ # [1]: https://tools.ietf.org/html/rfc5280
3091
+ # [2]: https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html
3092
+ #
3093
+ # @option params [Array<String>] :grant_tokens
3094
+ # A list of grant tokens.
3095
+ #
3096
+ # Use a grant token when your permission to call this operation comes
3097
+ # from a new grant that has not yet achieved *eventual consistency*. For
3098
+ # more information, see [Grant token][1] and [Using a grant token][2] in
3099
+ # the *Key Management Service Developer Guide*.
3100
+ #
3101
+ #
3102
+ #
3103
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token
3104
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token
3105
+ #
3106
+ # @option params [Boolean] :dry_run
3107
+ # Checks if your request will succeed. `DryRun` is an optional
3108
+ # parameter.
3109
+ #
3110
+ # To learn more about how to use this parameter, see [Testing your KMS
3111
+ # API calls][1] in the *Key Management Service Developer Guide*.
3112
+ #
3113
+ #
3114
+ #
3115
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html
3116
+ #
3117
+ # @option params [Types::RecipientInfo] :recipient
3118
+ # A signed [attestation document][1] from an Amazon Web Services Nitro
3119
+ # enclave and the encryption algorithm to use with the enclave's public
3120
+ # key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
3121
+ #
3122
+ # This parameter only supports attestation documents for Amazon Web
3123
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
3124
+ # Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
3125
+ # SDK][2] to generate the attestation document and then use the
3126
+ # Recipient parameter from any Amazon Web Services SDK to provide the
3127
+ # attestation document for the enclave.
3128
+ #
3129
+ # When you use this parameter, instead of returning a plaintext copy of
3130
+ # the shared secret, KMS encrypts the plaintext shared secret under the
3131
+ # public key in the attestation document, and returns the resulting
3132
+ # ciphertext in the `CiphertextForRecipient` field in the response. This
3133
+ # ciphertext can be decrypted only with the private key in the enclave.
3134
+ # The `CiphertextBlob` field in the response contains the encrypted
3135
+ # shared secret derived from the KMS key specified by the `KeyId`
3136
+ # parameter and public key specified by the `PublicKey` parameter. The
3137
+ # `SharedSecret` field in the response is null or empty.
3138
+ #
3139
+ # For information about the interaction between KMS and Amazon Web
3140
+ # Services Nitro Enclaves, see [How Amazon Web Services Nitro Enclaves
3141
+ # uses KMS][3] in the *Key Management Service Developer Guide*.
3142
+ #
3143
+ #
3144
+ #
3145
+ # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc
3146
+ # [2]: https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk
3147
+ # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
3148
+ #
3149
+ # @return [Types::DeriveSharedSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3150
+ #
3151
+ # * {Types::DeriveSharedSecretResponse#key_id #key_id} => String
3152
+ # * {Types::DeriveSharedSecretResponse#shared_secret #shared_secret} => String
3153
+ # * {Types::DeriveSharedSecretResponse#ciphertext_for_recipient #ciphertext_for_recipient} => String
3154
+ # * {Types::DeriveSharedSecretResponse#key_agreement_algorithm #key_agreement_algorithm} => String
3155
+ # * {Types::DeriveSharedSecretResponse#key_origin #key_origin} => String
3156
+ #
3157
+ #
3158
+ # @example Example: To derive a shared secret
3159
+ #
3160
+ # # The following example derives a shared secret using a key agreement algorithm.
3161
+ #
3162
+ # resp = client.derive_shared_secret({
3163
+ # key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
3164
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
3165
+ # public_key: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag", # The public key in your peer's asymmetric key pair.
3166
+ # })
3167
+ #
3168
+ # resp.to_h outputs the following:
3169
+ # {
3170
+ # key_agreement_algorithm: "ECDH", # The key agreement algorithm used to derive the shared secret.
3171
+ # key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The asymmetric KMS key pair used to derive the shared secret.
3172
+ # key_origin: "AWS_KMS", # The source of the key material for the specified KMS key.
3173
+ # shared_secret: "MEYCIQCKZLWyTk5runarx6XiAkU9gv3lbwPO/pHa+DXFehzdDwIhANwpsIV2g/9SPWLLsF6p/hiSskuIXMTRwqrMdVKWTMHG", # The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
3174
+ # }
3175
+ #
3176
+ # @example Request syntax with placeholder values
3177
+ #
3178
+ # resp = client.derive_shared_secret({
3179
+ # key_id: "KeyIdType", # required
3180
+ # key_agreement_algorithm: "ECDH", # required, accepts ECDH
3181
+ # public_key: "data", # required
3182
+ # grant_tokens: ["GrantTokenType"],
3183
+ # dry_run: false,
3184
+ # recipient: {
3185
+ # key_encryption_algorithm: "RSAES_OAEP_SHA_256", # accepts RSAES_OAEP_SHA_256
3186
+ # attestation_document: "data",
3187
+ # },
3188
+ # })
3189
+ #
3190
+ # @example Response structure
3191
+ #
3192
+ # resp.key_id #=> String
3193
+ # resp.shared_secret #=> String
3194
+ # resp.ciphertext_for_recipient #=> String
3195
+ # resp.key_agreement_algorithm #=> String, one of "ECDH"
3196
+ # resp.key_origin #=> String, one of "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
3197
+ #
3198
+ # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret AWS API Documentation
3199
+ #
3200
+ # @overload derive_shared_secret(params = {})
3201
+ # @param [Hash] params ({})
3202
+ def derive_shared_secret(params = {}, options = {})
3203
+ req = build_request(:derive_shared_secret, params)
3204
+ req.send_request(options)
3205
+ end
3206
+
2921
3207
  # Gets information about [custom key stores][1] in the account and
2922
3208
  # Region.
2923
3209
  #
@@ -3502,7 +3788,7 @@ module Aws::KMS
3502
3788
  # resp.key_metadata.creation_date #=> Time
3503
3789
  # resp.key_metadata.enabled #=> Boolean
3504
3790
  # resp.key_metadata.description #=> String
3505
- # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
3791
+ # resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
3506
3792
  # resp.key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
3507
3793
  # resp.key_metadata.deletion_date #=> Time
3508
3794
  # resp.key_metadata.valid_to #=> Time
@@ -3517,6 +3803,8 @@ module Aws::KMS
3517
3803
  # resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
3518
3804
  # resp.key_metadata.signing_algorithms #=> Array
3519
3805
  # resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
3806
+ # resp.key_metadata.key_agreement_algorithms #=> Array
3807
+ # resp.key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
3520
3808
  # resp.key_metadata.multi_region #=> Boolean
3521
3809
  # resp.key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
3522
3810
  # resp.key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -4783,8 +5071,11 @@ module Aws::KMS
4783
5071
  # key. The only valid encryption algorithm is `RSAES_OAEP_SHA_256`.
4784
5072
  #
4785
5073
  # This parameter only supports attestation documents for Amazon Web
4786
- # Services Nitro Enclaves. To include this parameter, use the [Amazon
4787
- # Web Services Nitro Enclaves SDK][2] or any Amazon Web Services SDK.
5074
+ # Services Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web
5075
+ # Services Nitro Enclaves, use the [Amazon Web Services Nitro Enclaves
5076
+ # SDK][2] to generate the attestation document and then use the
5077
+ # Recipient parameter from any Amazon Web Services SDK to provide the
5078
+ # attestation document for the enclave.
4788
5079
  #
4789
5080
  # When you use this parameter, instead of returning a plaintext copy of
4790
5081
  # the private data key, KMS encrypts the plaintext private data key
@@ -5872,8 +6163,8 @@ module Aws::KMS
5872
6163
  # `GetParametersForImport` returns the items that you need to import
5873
6164
  # your key material.
5874
6165
  #
5875
- # * The public key (or "wrapping key") of an asymmetric key pair that
5876
- # KMS generates.
6166
+ # * The public key (or "wrapping key") of an RSA key pair that KMS
6167
+ # generates.
5877
6168
  #
5878
6169
  # You will use this public key to encrypt ("wrap") your key material
5879
6170
  # while it's in transit to KMS.
@@ -5951,28 +6242,20 @@ module Aws::KMS
5951
6242
  # DescribeKey.
5952
6243
  #
5953
6244
  # @option params [required, String] :wrapping_algorithm
5954
- # The algorithm you will use with the asymmetric public key
5955
- # (`PublicKey`) in the response to protect your key material during
5956
- # import. For more information, see [Select a wrapping
6245
+ # The algorithm you will use with the RSA public key (`PublicKey`) in
6246
+ # the response to protect your key material during import. For more
6247
+ # information, see [Select a wrapping
5957
6248
  # algorithm](kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
5958
6249
  # in the *Key Management Service Developer Guide*.
5959
6250
  #
5960
6251
  # For RSA\_AES wrapping algorithms, you encrypt your key material with
5961
6252
  # an AES key that you generate, then encrypt your AES key with the RSA
5962
6253
  # public key from KMS. For RSAES wrapping algorithms, you encrypt your
5963
- # key material directly with the RSA public key from KMS. For SM2PKE
5964
- # wrapping algorithms, you encrypt your key material directly with the
5965
- # SM2 public key from KMS.
6254
+ # key material directly with the RSA public key from KMS.
5966
6255
  #
5967
6256
  # The wrapping algorithms that you can use depend on the type of key
5968
6257
  # material that you are importing. To import an RSA private key, you
5969
- # must use an RSA\_AES wrapping algorithm, except in China Regions,
5970
- # where you must use the SM2PKE wrapping algorithm to import an RSA
5971
- # private key.
5972
- #
5973
- # The SM2PKE wrapping algorithm is available only in China Regions. The
5974
- # `RSA_AES_KEY_WRAP_SHA_256` and `RSA_AES_KEY_WRAP_SHA_1` wrapping
5975
- # algorithms are not supported in China Regions.
6258
+ # must use an RSA\_AES wrapping algorithm.
5976
6259
  #
5977
6260
  # * **RSA\_AES\_KEY\_WRAP\_SHA\_256** — Supported for wrapping RSA and
5978
6261
  # ECC key material.
@@ -5995,22 +6278,17 @@ module Aws::KMS
5995
6278
  # * **RSAES\_PKCS1\_V1\_5** (Deprecated) — As of October 10, 2023, KMS
5996
6279
  # does not support the RSAES\_PKCS1\_V1\_5 wrapping algorithm.
5997
6280
  #
5998
- # * **SM2PKE** (China Regions only) — supported for wrapping RSA, ECC,
5999
- # and SM2 key material.
6000
- #
6001
6281
  # @option params [required, String] :wrapping_key_spec
6002
- # The type of public key to return in the response. You will use this
6003
- # wrapping key with the specified wrapping algorithm to protect your key
6004
- # material during import.
6282
+ # The type of RSA public key to return in the response. You will use
6283
+ # this wrapping key with the specified wrapping algorithm to protect
6284
+ # your key material during import.
6005
6285
  #
6006
- # Use the longest wrapping key that is practical.
6286
+ # Use the longest RSA wrapping key that is practical.
6007
6287
  #
6008
6288
  # You cannot use an RSA\_2048 public key to directly wrap an
6009
6289
  # ECC\_NIST\_P521 private key. Instead, use an RSA\_AES wrapping
6010
6290
  # algorithm or choose a longer RSA public key.
6011
6291
  #
6012
- # The SM2 wrapping key spec is available only in China Regions.
6013
- #
6014
6292
  # @return [Types::GetParametersForImportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
6015
6293
  #
6016
6294
  # * {Types::GetParametersForImportResponse#key_id #key_id} => String
@@ -6144,7 +6422,8 @@ module Aws::KMS
6144
6422
  # * [KeySpec][2]: The type of key material in the public key, such as
6145
6423
  # `RSA_4096` or `ECC_NIST_P521`.
6146
6424
  #
6147
- # * [KeyUsage][3]: Whether the key is used for encryption or signing.
6425
+ # * [KeyUsage][3]: Whether the key is used for encryption, signing, or
6426
+ # deriving a shared secret.
6148
6427
  #
6149
6428
  # * [EncryptionAlgorithms][4] or [SigningAlgorithms][5]: A list of the
6150
6429
  # encryption algorithms or the signing algorithms for the key.
@@ -6233,6 +6512,7 @@ module Aws::KMS
6233
6512
  # * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
6234
6513
  # * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array&lt;String&gt;
6235
6514
  # * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array&lt;String&gt;
6515
+ # * {Types::GetPublicKeyResponse#key_agreement_algorithms #key_agreement_algorithms} => Array&lt;String&gt;
6236
6516
  #
6237
6517
  #
6238
6518
  # @example Example: To download the public key of an asymmetric KMS key
@@ -6270,11 +6550,13 @@ module Aws::KMS
6270
6550
  # resp.public_key #=> String
6271
6551
  # resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
6272
6552
  # resp.key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2"
6273
- # resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
6553
+ # resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
6274
6554
  # resp.encryption_algorithms #=> Array
6275
6555
  # resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
6276
6556
  # resp.signing_algorithms #=> Array
6277
6557
  # resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
6558
+ # resp.key_agreement_algorithms #=> Array
6559
+ # resp.key_agreement_algorithms[0] #=> String, one of "ECDH"
6278
6560
  #
6279
6561
  # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
6280
6562
  #
@@ -6877,7 +7159,7 @@ module Aws::KMS
6877
7159
  # resp.grants[0].retiring_principal #=> String
6878
7160
  # resp.grants[0].issuing_account #=> String
6879
7161
  # resp.grants[0].operations #=> Array
6880
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
7162
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
6881
7163
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
6882
7164
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
6883
7165
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -7499,7 +7781,7 @@ module Aws::KMS
7499
7781
  # resp.grants[0].retiring_principal #=> String
7500
7782
  # resp.grants[0].issuing_account #=> String
7501
7783
  # resp.grants[0].operations #=> Array
7502
- # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac"
7784
+ # resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac", "DeriveSharedSecret"
7503
7785
  # resp.grants[0].constraints.encryption_context_subset #=> Hash
7504
7786
  # resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
7505
7787
  # resp.grants[0].constraints.encryption_context_equals #=> Hash
@@ -8337,7 +8619,7 @@ module Aws::KMS
8337
8619
  # resp.replica_key_metadata.creation_date #=> Time
8338
8620
  # resp.replica_key_metadata.enabled #=> Boolean
8339
8621
  # resp.replica_key_metadata.description #=> String
8340
- # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC"
8622
+ # resp.replica_key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC", "KEY_AGREEMENT"
8341
8623
  # resp.replica_key_metadata.key_state #=> String, one of "Creating", "Enabled", "Disabled", "PendingDeletion", "PendingImport", "PendingReplicaDeletion", "Unavailable", "Updating"
8342
8624
  # resp.replica_key_metadata.deletion_date #=> Time
8343
8625
  # resp.replica_key_metadata.valid_to #=> Time
@@ -8352,6 +8634,8 @@ module Aws::KMS
8352
8634
  # resp.replica_key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE"
8353
8635
  # resp.replica_key_metadata.signing_algorithms #=> Array
8354
8636
  # resp.replica_key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA"
8637
+ # resp.replica_key_metadata.key_agreement_algorithms #=> Array
8638
+ # resp.replica_key_metadata.key_agreement_algorithms[0] #=> String, one of "ECDH"
8355
8639
  # resp.replica_key_metadata.multi_region #=> Boolean
8356
8640
  # resp.replica_key_metadata.multi_region_configuration.multi_region_key_type #=> String, one of "PRIMARY", "REPLICA"
8357
8641
  # resp.replica_key_metadata.multi_region_configuration.primary_key.arn #=> String
@@ -10471,7 +10755,7 @@ module Aws::KMS
10471
10755
  params: params,
10472
10756
  config: config)
10473
10757
  context[:gem_name] = 'aws-sdk-kms'
10474
- context[:gem_version] = '1.82.0'
10758
+ context[:gem_version] = '1.88.0'
10475
10759
  Seahorse::Client::Request.new(handlers, context)
10476
10760
  end
10477
10761