@aws-sdk/client-kms 3.288.0 → 3.290.0

package/dist-types/commands/CancelKeyDeletionCommand.d.ts

@@ -41,6 +41,57 @@ export interface CancelKeyDeletionCommandOutput extends CancelKeyDeletionRespons
  * @see {@link CancelKeyDeletionCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To cancel deletion of a KMS key
+ * ```javascript
+ * // The following example cancels deletion of the specified KMS key.
+ * const input = {
+ *   "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
+ * };
+ * const command = new CancelKeyDeletionCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ * }
+ * *\/
+ * // example id: to-cancel-deletion-of-a-cmk-1477428535102
+ * ```
+ *
  */
 export declare class CancelKeyDeletionCommand extends $Command<CancelKeyDeletionCommandInput, CancelKeyDeletionCommandOutput, KMSClientResolvedConfig> {
     readonly input: CancelKeyDeletionCommandInput;

package/dist-types/commands/ConnectCustomKeyStoreCommand.d.ts

@@ -115,6 +115,102 @@ export interface ConnectCustomKeyStoreCommandOutput extends ConnectCustomKeyStor
  * @see {@link ConnectCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CloudHsmClusterNotActiveException} (client fault)
+ *  <p>The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
+ *       not active. Initialize and activate the cluster and try the command again. For detailed
+ *       instructions, see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting
+ *         Started</a> in the <i>CloudHSM User Guide</i>.</p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ *
+ * @example To connect a custom key store
+ * ```javascript
+ * // This example connects an AWS KMS custom key store to its backing key store. For an AWS CloudHSM key store, it connects the key store to its AWS CloudHSM cluster. For an external key store, it connects the key store to the external key store proxy that communicates with your external key manager. This operation does not return any data. To verify that the custom key store is connected, use the <code>DescribeCustomKeyStores</code> operation.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0"
+ * };
+ * const command = new ConnectCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-connect-a-custom-key-store-1628626947750
+ * ```
+ *
  */
 export declare class ConnectCustomKeyStoreCommand extends $Command<ConnectCustomKeyStoreCommandInput, ConnectCustomKeyStoreCommandOutput, KMSClientResolvedConfig> {
     readonly input: ConnectCustomKeyStoreCommandInput;

package/dist-types/commands/CreateAliasCommand.d.ts

@@ -85,6 +85,60 @@ export interface CreateAliasCommandOutput extends __MetadataBearer {
  * @see {@link CreateAliasCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link AlreadyExistsException} (client fault)
+ *  <p>The request was rejected because it attempted to create a resource that already
+ *       exists.</p>
+ *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidAliasNameException} (client fault)
+ *  <p>The request was rejected because the specified alias name is not valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To create an alias
+ * ```javascript
+ * // The following example creates an alias for the specified KMS key.
+ * const input = {
+ *   "AliasName": "alias/ExampleAlias",
+ *   "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
+ * };
+ * const command = new CreateAliasCommand(input);
+ * await client.send(command);
+ * // example id: to-create-an-alias-1477505685119
+ * ```
+ *
  */
 export declare class CreateAliasCommand extends $Command<CreateAliasCommandInput, CreateAliasCommandOutput, KMSClientResolvedConfig> {
     readonly input: CreateAliasCommandInput;

package/dist-types/commands/CreateCustomKeyStoreCommand.d.ts

@@ -116,6 +116,199 @@ export interface CreateCustomKeyStoreCommandOutput extends CreateCustomKeyStoreR
  * @see {@link CreateCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInUseException} (client fault)
+ *  <p>The request was rejected because the specified CloudHSM cluster is already associated with an
+ *       CloudHSM key store in the account, or it shares a backup history with an CloudHSM key store in the
+ *       account. Each CloudHSM key store in the account must be associated with a different CloudHSM
+ *       cluster.</p>
+ *          <p>CloudHSM clusters that share a backup history have the same cluster certificate. To view the
+ *       cluster certificate of an CloudHSM cluster, use the <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> operation.</p>
+ *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CloudHsmClusterNotActiveException} (client fault)
+ *  <p>The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
+ *       not active. Initialize and activate the cluster and try the command again. For detailed
+ *       instructions, see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting
+ *         Started</a> in the <i>CloudHSM User Guide</i>.</p>
+ *
+ * @throws {@link CloudHsmClusterNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find the CloudHSM cluster with the specified
+ *       cluster ID. Retry the request with a different cluster ID.</p>
+ *
+ * @throws {@link CustomKeyStoreNameInUseException} (client fault)
+ *  <p>The request was rejected because the specified custom key store name is already assigned
+ *       to another custom key store in the account. Try again with a custom key store name that is
+ *       unique in the account.</p>
+ *
+ * @throws {@link IncorrectTrustAnchorException} (client fault)
+ *  <p>The request was rejected because the trust anchor certificate in the request to create an
+ *       CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.</p>
+ *          <p>When you <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize the CloudHSM cluster</a>, you create the trust anchor certificate and save it
+ *       in the <code>customerCA.crt</code> file.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link XksProxyIncorrectAuthenticationCredentialException} (client fault)
+ *  <p>The request was rejected because the proxy credentials failed to authenticate to the
+ *       specified external key store proxy. The specified external key store proxy rejected a status
+ *       request from KMS due to invalid credentials. This can indicate an error in the credentials
+ *       or in the identification of the external key store proxy.</p>
+ *
+ * @throws {@link XksProxyInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception
+ *       message.</p>
+ *
+ * @throws {@link XksProxyInvalidResponseException} (client fault)
+ *  <p></p>
+ *          <p>KMS cannot interpret the response it received from the external key store proxy. The
+ *       problem might be a poorly constructed response, but it could also be a transient network
+ *       issue. If you see this error repeatedly, report it to the proxy vendor.</p>
+ *
+ * @throws {@link XksProxyUriEndpointInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       is already associated with an external key store in the Amazon Web Services account and Region. Each
+ *       external key store in an account and Region must use a unique external key store proxy
+ *       address.</p>
+ *
+ * @throws {@link XksProxyUriInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       and <code>XksProxyUriPath</code> is already associated with an external key store in the
+ *       Amazon Web Services account and Region. Each external key store in an account and Region must use a unique
+ *       external key store proxy API address.</p>
+ *
+ * @throws {@link XksProxyUriUnreachableException} (client fault)
+ *  <p>KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be
+ *       reachable before you create the external key store or update its settings.</p>
+ *          <p>This exception is also thrown when the external key store proxy response to a <code>GetHealthStatus</code>
+ *       request indicates that all external key manager instances are unavailable.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInUseException} (client fault)
+ *  <p>The request was rejected because the specified Amazon VPC endpoint service is already
+ *       associated with an external key store in the Amazon Web Services account and Region. Each external key store
+ *       in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception message and
+ *         <a href="kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements">review the requirements</a> for Amazon VPC endpoint service connectivity for an external key
+ *       store.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS could not find the specified VPC endpoint service.
+ *       Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the
+ *       external key store. Also, confirm that the <code>Allow principals</code> list for the VPC
+ *       endpoint service includes the KMS service principal for the Region, such as
+ *         <code>cks.kms.us-east-1.amazonaws.com</code>.</p>
+ *
+ *
+ * @example To create an AWS CloudHSM key store
+ * ```javascript
+ * // This example creates a custom key store that is associated with an AWS CloudHSM cluster.
+ * const input = {
+ *   "CloudHsmClusterId": "cluster-1a23b4cdefg",
+ *   "CustomKeyStoreName": "ExampleKeyStore",
+ *   "KeyStorePassword": "kmsPswd",
+ *   "TrustAnchorCertificate": "<certificate-goes-here>"
+ * };
+ * const command = new CreateCustomKeyStoreCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0"
+ * }
+ * *\/
+ * // example id: to-create-an-aws-cloudhsm-custom-key-store-1
+ * ```
+ *
+ * @example To create an external key store with VPC endpoint service connectivity
+ * ```javascript
+ * // This example creates an external key store that uses an Amazon VPC endpoint service to communicate with AWS KMS.
+ * const input = {
+ *   "CustomKeyStoreName": "ExampleVPCEndpointKeyStore",
+ *   "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
+ *   "XksProxyAuthenticationCredential": {
+ *     "AccessKeyId": "ABCDE12345670EXAMPLE",
+ *     "RawSecretAccessKey": "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
+ *   },
+ *   "XksProxyConnectivity": "VPC_ENDPOINT_SERVICE",
+ *   "XksProxyUriEndpoint": "https://myproxy-private.xks.example.com",
+ *   "XksProxyUriPath": "/example-prefix/kms/xks/v1",
+ *   "XksProxyVpcEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example1"
+ * };
+ * const command = new CreateCustomKeyStoreCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0"
+ * }
+ * *\/
+ * // example id: to-create-an-external-custom-key-store-with-vpc-connectivity-2
+ * ```
+ *
+ * @example To create an external key store with public endpoint connectivity
+ * ```javascript
+ * // This example creates an external key store with public endpoint connectivity.
+ * const input = {
+ *   "CustomKeyStoreName": "ExamplePublicEndpointKeyStore",
+ *   "CustomKeyStoreType": "EXTERNAL_KEY_STORE",
+ *   "XksProxyAuthenticationCredential": {
+ *     "AccessKeyId": "ABCDE12345670EXAMPLE",
+ *     "RawSecretAccessKey": "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
+ *   },
+ *   "XksProxyConnectivity": "PUBLIC_ENDPOINT",
+ *   "XksProxyUriEndpoint": "https://myproxy.xks.example.com",
+ *   "XksProxyUriPath": "/kms/xks/v1"
+ * };
+ * const command = new CreateCustomKeyStoreCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "CustomKeyStoreId": "cks-987654321abcdef0"
+ * }
+ * *\/
+ * // example id: to-create-an-external-custom-key-store-with-a-public-endpoint-3
+ * ```
+ *
  */
 export declare class CreateCustomKeyStoreCommand extends $Command<CreateCustomKeyStoreCommandInput, CreateCustomKeyStoreCommandOutput, KMSClientResolvedConfig> {
     readonly input: CreateCustomKeyStoreCommandInput;

package/dist-types/commands/CreateGrantCommand.d.ts

@@ -90,6 +90,73 @@ export interface CreateGrantCommandOutput extends CreateGrantResponse, __Metadat
  * @see {@link CreateGrantCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link DisabledException} (client fault)
+ *  <p>The request was rejected because the specified KMS key is not enabled.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link InvalidGrantTokenException} (client fault)
+ *  <p>The request was rejected because the specified grant token is not valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To create a grant
+ * ```javascript
+ * // The following example creates a grant that allows the specified IAM role to encrypt data with the specified KMS key.
+ * const input = {
+ *   "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole",
+ *   "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "Operations": [
+ *     "Encrypt",
+ *     "Decrypt"
+ *   ]
+ * };
+ * const command = new CreateGrantCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60",
+ *   "GrantToken": "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA"
+ * }
+ * *\/
+ * // example id: to-create-a-grant-1477972226782
+ * ```
+ *
  */
 export declare class CreateGrantCommand extends $Command<CreateGrantCommandInput, CreateGrantCommandOutput, KMSClientResolvedConfig> {
     readonly input: CreateGrantCommandInput;