@aws-sdk/client-kms 3.288.0 → 3.290.0

package/dist-types/commands/ScheduleKeyDeletionCommand.d.ts

@@ -84,6 +84,59 @@ export interface ScheduleKeyDeletionCommandOutput extends ScheduleKeyDeletionRes
  * @see {@link ScheduleKeyDeletionCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To schedule a KMS key for deletion
+ * ```javascript
+ * // The following example schedules the specified KMS key for deletion.
+ * const input = {
+ *   "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "PendingWindowInDays": 7
+ * };
+ * const command = new ScheduleKeyDeletionCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "DeletionDate": "2016-12-17T16:00:00-08:00",
+ *   "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ * }
+ * *\/
+ * // example id: to-schedule-a-cmk-for-deletion-1481331111094
+ * ```
+ *
  */
 export declare class ScheduleKeyDeletionCommand extends $Command<ScheduleKeyDeletionCommandInput, ScheduleKeyDeletionCommandOutput, KMSClientResolvedConfig> {
     readonly input: ScheduleKeyDeletionCommandInput;

package/dist-types/commands/SignCommand.d.ts

@@ -80,6 +80,110 @@ export interface SignCommandOutput extends SignResponse, __MetadataBearer {
  * @see {@link SignCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link DisabledException} (client fault)
+ *  <p>The request was rejected because the specified KMS key is not enabled.</p>
+ *
+ * @throws {@link InvalidGrantTokenException} (client fault)
+ *  <p>The request was rejected because the specified grant token is not valid.</p>
+ *
+ * @throws {@link InvalidKeyUsageException} (client fault)
+ *  <p>The request was rejected for one of the following reasons: </p>
+ *          <ul>
+ *             <li>
+ *                <p>The <code>KeyUsage</code> value of the KMS key is incompatible with the API
+ *           operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The encryption algorithm or signing algorithm specified for the operation is
+ *           incompatible with the type of key material in the KMS key <code>(KeySpec</code>).</p>
+ *             </li>
+ *          </ul>
+ *          <p>For encrypting, decrypting, re-encrypting, and generating data keys, the
+ *         <code>KeyUsage</code> must be <code>ENCRYPT_DECRYPT</code>. For signing and verifying
+ *       messages, the <code>KeyUsage</code> must be <code>SIGN_VERIFY</code>. For generating and
+ *       verifying message authentication codes (MACs), the <code>KeyUsage</code> must be
+ *         <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *          <p>To find the encryption or signing algorithms supported for a particular KMS key, use the
+ *         <a>DescribeKey</a> operation.</p>
+ *
+ * @throws {@link KeyUnavailableException} (server fault)
+ *  <p>The request was rejected because the specified KMS key was not available. You can retry
+ *       the request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To digitally sign a message with an asymmetric KMS key.
+ * ```javascript
+ * // This operation uses the private key in an asymmetric elliptic curve (ECC) KMS key to generate a digital signature for a given message.
+ * const input = {
+ *   "KeyId": "alias/ECC_signing_key",
+ *   "Message": "<message to be signed>",
+ *   "MessageType": "RAW",
+ *   "SigningAlgorithm": "ECDSA_SHA_384"
+ * };
+ * const command = new SignCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "Signature": "<binary data>",
+ *   "SigningAlgorithm": "ECDSA_SHA_384"
+ * }
+ * *\/
+ * // example id: to-digitally-sign-a-message-with-an-asymmetric-kms-key-1
+ * ```
+ *
+ * @example To digitally sign a message digest with an asymmetric KMS key.
+ * ```javascript
+ * // This operation uses the private key in an asymmetric RSA signing KMS key to generate a digital signature for a message digest. In this example, a large message was hashed and the resulting digest is provided in the Message parameter. To tell KMS not to hash the message again, the MessageType field is set to DIGEST
+ * const input = {
+ *   "KeyId": "alias/RSA_signing_key",
+ *   "Message": "<message digest to be signed>",
+ *   "MessageType": "DIGEST",
+ *   "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256"
+ * };
+ * const command = new SignCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "KeyId": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
+ *   "Signature": "<binary data>",
+ *   "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256"
+ * }
+ * *\/
+ * // example id: to-digitally-sign-a-message-digest-with-an-asymmetric-kms-key-2
+ * ```
+ *
  */
 export declare class SignCommand extends $Command<SignCommandInput, SignCommandOutput, KMSClientResolvedConfig> {
     readonly input: SignCommandInput;

package/dist-types/commands/TagResourceCommand.d.ts

@@ -75,6 +75,61 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
  * @see {@link TagResourceCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ * @throws {@link TagException} (client fault)
+ *  <p>The request was rejected because one or more tags are not valid.</p>
+ *
+ *
+ * @example To tag a KMS key
+ * ```javascript
+ * // The following example tags a KMS key.
+ * const input = {
+ *   "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "Tags": [
+ *     {
+ *       "TagKey": "Purpose",
+ *       "TagValue": "Test"
+ *     }
+ *   ]
+ * };
+ * const command = new TagResourceCommand(input);
+ * await client.send(command);
+ * // example id: to-tag-a-cmk-1483997246518
+ * ```
+ *
  */
 export declare class TagResourceCommand extends $Command<TagResourceCommandInput, TagResourceCommandOutput, KMSClientResolvedConfig> {
     readonly input: TagResourceCommandInput;

package/dist-types/commands/UntagResourceCommand.d.ts

@@ -70,6 +70,55 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  * @see {@link UntagResourceCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ * @throws {@link TagException} (client fault)
+ *  <p>The request was rejected because one or more tags are not valid.</p>
+ *
+ *
+ * @example To remove tags from a KMS key
+ * ```javascript
+ * // The following example removes tags from a KMS key.
+ * const input = {
+ *   "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   "TagKeys": [
+ *     "Purpose",
+ *     "CostCenter"
+ *   ]
+ * };
+ * const command = new UntagResourceCommand(input);
+ * await client.send(command);
+ * // example id: to-remove-tags-from-a-cmk-1483997590962
+ * ```
+ *
  */
 export declare class UntagResourceCommand extends $Command<UntagResourceCommandInput, UntagResourceCommandOutput, KMSClientResolvedConfig> {
     readonly input: UntagResourceCommandInput;

package/dist-types/commands/UpdateAliasCommand.d.ts

@@ -91,6 +91,53 @@ export interface UpdateAliasCommandOutput extends __MetadataBearer {
  * @see {@link UpdateAliasCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>The request was rejected because a quota was exceeded. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the
+ *       <i>Key Management Service Developer Guide</i>.</p>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To update an alias
+ * ```javascript
+ * // The following example updates the specified alias to refer to the specified KMS key.
+ * const input = {
+ *   "AliasName": "alias/ExampleAlias",
+ *   "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
+ * };
+ * const command = new UpdateAliasCommand(input);
+ * await client.send(command);
+ * // example id: to-update-an-alias-1481572726920
+ * ```
+ *
  */
 export declare class UpdateAliasCommand extends $Command<UpdateAliasCommandInput, UpdateAliasCommandOutput, KMSClientResolvedConfig> {
     readonly input: UpdateAliasCommandInput;

package/dist-types/commands/UpdateCustomKeyStoreCommand.d.ts

@@ -121,6 +121,240 @@ export interface UpdateCustomKeyStoreCommandOutput extends UpdateCustomKeyStoreR
  * @see {@link UpdateCustomKeyStoreCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link CloudHsmClusterInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the associated CloudHSM cluster did not meet the
+ *       configuration requirements for an CloudHSM key store.</p>
+ *          <ul>
+ *             <li>
+ *                <p>The CloudHSM cluster must be configured with private subnets in at least two different
+ *           Availability Zones in the Region.</p>
+ *             </li>
+ *             <li>
+ *                <p>The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
+ *             the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must
+ *           include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
+ *             <b>Source</b> in the inbound rules and the <b>Destination</b> in the outbound rules must match the security group
+ *           ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
+ *           change them. To get information about a particular security group, use the <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html">DescribeSecurityGroups</a> operation.</p>
+ *             </li>
+ *             <li>
+ *                <p>The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
+ *           HSMs, use the CloudHSM <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation.</p>
+ *                <p>For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the CloudHSM cluster must have at least two
+ *           active HSMs, each in a different Availability Zone. For the <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active
+ *           HSM.</p>
+ *             </li>
+ *          </ul>
+ *          <p>For information about the requirements for an CloudHSM cluster that is associated with an
+ *       CloudHSM key store, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the Prerequisites</a>
+ *       in the <i>Key Management Service Developer Guide</i>. For information about creating a private subnet for an CloudHSM cluster,
+ *       see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private
+ *         Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see
+ *         <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default Security
+ *         Group</a> in the <i>
+ *                <i>CloudHSM User Guide</i>
+ *             </i>. </p>
+ *
+ * @throws {@link CloudHsmClusterNotActiveException} (client fault)
+ *  <p>The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
+ *       not active. Initialize and activate the cluster and try the command again. For detailed
+ *       instructions, see <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting
+ *         Started</a> in the <i>CloudHSM User Guide</i>.</p>
+ *
+ * @throws {@link CloudHsmClusterNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find the CloudHSM cluster with the specified
+ *       cluster ID. Retry the request with a different cluster ID.</p>
+ *
+ * @throws {@link CloudHsmClusterNotRelatedException} (client fault)
+ *  <p>The request was rejected because the specified CloudHSM cluster has a different cluster
+ *       certificate than the original cluster. You cannot use the operation to specify an unrelated
+ *       cluster for an CloudHSM key store.</p>
+ *          <p>Specify an CloudHSM cluster that shares a backup history with the original cluster. This
+ *       includes clusters that were created from a backup of the current cluster, and clusters that
+ *       were created from the same backup that produced the current cluster.</p>
+ *          <p>CloudHSM clusters that share a backup history have the same cluster certificate. To view the
+ *       cluster certificate of an CloudHSM cluster, use the <a href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> operation.</p>
+ *
+ * @throws {@link CustomKeyStoreInvalidStateException} (client fault)
+ *  <p>The request was rejected because of the <code>ConnectionState</code> of the custom key
+ *       store. To get the <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
+ *          <p>This exception is thrown under the following conditions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>You requested the <a>ConnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>FAILED</code>. This operation is valid for all other <code>ConnectionState</code>
+ *           values. To reconnect a custom key store in a <code>FAILED</code> state, disconnect it
+ *             (<a>DisconnectCustomKeyStore</a>), then connect it
+ *             (<code>ConnectCustomKeyStore</code>).</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>CreateKey</a> operation in a custom key store that is
+ *           not connected. This operations is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key
+ *           store with a <code>ConnectionState</code> of <code>DISCONNECTING</code> or
+ *             <code>DISCONNECTED</code>. This operation is valid for all other
+ *             <code>ConnectionState</code> values.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key store that is not
+ *           disconnected. This operation is valid only when the custom key store
+ *             <code>ConnectionState</code> is <code>DISCONNECTED</code>.</p>
+ *             </li>
+ *             <li>
+ *                <p>You requested the <a>GenerateRandom</a> operation in an CloudHSM key store
+ *           that is not connected. This operation is valid only when the CloudHSM key store
+ *             <code>ConnectionState</code> is <code>CONNECTED</code>. </p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link CustomKeyStoreNameInUseException} (client fault)
+ *  <p>The request was rejected because the specified custom key store name is already assigned
+ *       to another custom key store in the account. Try again with a custom key store name that is
+ *       unique in the account.</p>
+ *
+ * @throws {@link CustomKeyStoreNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS cannot find a custom key store with the specified
+ *       key store name or ID.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link XksProxyIncorrectAuthenticationCredentialException} (client fault)
+ *  <p>The request was rejected because the proxy credentials failed to authenticate to the
+ *       specified external key store proxy. The specified external key store proxy rejected a status
+ *       request from KMS due to invalid credentials. This can indicate an error in the credentials
+ *       or in the identification of the external key store proxy.</p>
+ *
+ * @throws {@link XksProxyInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception
+ *       message.</p>
+ *
+ * @throws {@link XksProxyInvalidResponseException} (client fault)
+ *  <p></p>
+ *          <p>KMS cannot interpret the response it received from the external key store proxy. The
+ *       problem might be a poorly constructed response, but it could also be a transient network
+ *       issue. If you see this error repeatedly, report it to the proxy vendor.</p>
+ *
+ * @throws {@link XksProxyUriEndpointInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       is already associated with an external key store in the Amazon Web Services account and Region. Each
+ *       external key store in an account and Region must use a unique external key store proxy
+ *       address.</p>
+ *
+ * @throws {@link XksProxyUriInUseException} (client fault)
+ *  <p>The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code>
+ *       and <code>XksProxyUriPath</code> is already associated with an external key store in the
+ *       Amazon Web Services account and Region. Each external key store in an account and Region must use a unique
+ *       external key store proxy API address.</p>
+ *
+ * @throws {@link XksProxyUriUnreachableException} (client fault)
+ *  <p>KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be
+ *       reachable before you create the external key store or update its settings.</p>
+ *          <p>This exception is also thrown when the external key store proxy response to a <code>GetHealthStatus</code>
+ *       request indicates that all external key manager instances are unavailable.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInUseException} (client fault)
+ *  <p>The request was rejected because the specified Amazon VPC endpoint service is already
+ *       associated with an external key store in the Amazon Web Services account and Region. Each external key store
+ *       in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceInvalidConfigurationException} (client fault)
+ *  <p>The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
+ *       the requirements for an external key store proxy. For details, see the exception message and
+ *         <a href="kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements">review the requirements</a> for Amazon VPC endpoint service connectivity for an external key
+ *       store.</p>
+ *
+ * @throws {@link XksProxyVpcEndpointServiceNotFoundException} (client fault)
+ *  <p>The request was rejected because KMS could not find the specified VPC endpoint service.
+ *       Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the
+ *       external key store. Also, confirm that the <code>Allow principals</code> list for the VPC
+ *       endpoint service includes the KMS service principal for the Region, such as
+ *         <code>cks.kms.us-east-1.amazonaws.com</code>.</p>
+ *
+ *
+ * @example To edit the friendly name of a custom key store
+ * ```javascript
+ * // This example changes the friendly name of the AWS KMS custom key store to the name that you specify. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "NewCustomKeyStoreName": "DevelopmentKeys"
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-edit-the-friendly-name-of-a-custom-key-store-1
+ * ```
+ *
+ * @example To edit the password of an AWS CloudHSM key store
+ * ```javascript
+ * // This example tells AWS KMS the password for the kmsuser crypto user in the AWS CloudHSM cluster that is associated with the AWS KMS custom key store. (It does not change the password in the CloudHSM cluster.) This operation does not return any data.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "KeyStorePassword": "ExamplePassword"
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-edit-the-properties-of-an-aws-cloudhsm-key-store-2
+ * ```
+ *
+ * @example To associate the custom key store with a different, but related, AWS CloudHSM cluster.
+ * ```javascript
+ * // This example changes the AWS CloudHSM cluster that is associated with an AWS CloudHSM key store to a related cluster, such as a different backup of the same cluster. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation.
+ * const input = {
+ *   "CloudHsmClusterId": "cluster-1a23b4cdefg",
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0"
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-associate-the-custom-key-store-with-a-different-but-related-aws-cloudhsm-cluster-3
+ * ```
+ *
+ * @example To update the proxy authentication credential of an external key store
+ * ```javascript
+ * // To update the proxy authentication credential for your external key store, specify both the <code>RawSecretAccessKey</code> and the <code>AccessKeyId</code>, even if you are changing only one of the values. You can use this feature to fix an invalid credential or to change the credential when the external key store proxy rotates it.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "XksProxyAuthenticationCredential": {
+ *     "AccessKeyId": "ABCDE12345670EXAMPLE",
+ *     "RawSecretAccessKey": "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
+ *   }
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-update-the-proxy-authentication-credential-of-an-external-key-store-4
+ * ```
+ *
+ * @example To edit the proxy URI path of an external key store.
+ * ```javascript
+ * // This example updates the proxy URI path for an external key store
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "XksProxyUriPath": "/new-path/kms/xks/v1"
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-update-the-xks-proxy-api-path-of-an-external-key-store-5
+ * ```
+ *
+ * @example To update the proxy connectivity of an external key store to VPC_ENDPOINT_SERVICE
+ * ```javascript
+ * // To change the external key store proxy connectivity option from public endpoint connectivity to VPC endpoint service connectivity, in addition to changing the <code>XksProxyConnectivity</code> value, you must change the <code>XksProxyUriEndpoint</code> value to reflect the private DNS name associated with the VPC endpoint service. You must also add an <code>XksProxyVpcEndpointServiceName</code> value.
+ * const input = {
+ *   "CustomKeyStoreId": "cks-1234567890abcdef0",
+ *   "XksProxyConnectivity": "VPC_ENDPOINT_SERVICE",
+ *   "XksProxyUriEndpoint": "https://myproxy-private.xks.example.com",
+ *   "XksProxyVpcEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example"
+ * };
+ * const command = new UpdateCustomKeyStoreCommand(input);
+ * await client.send(command);
+ * // example id: to-update-the-proxy-connectivity-of-an-external-key-store-to-vpc_endpoint_service-6
+ * ```
+ *
  */
 export declare class UpdateCustomKeyStoreCommand extends $Command<UpdateCustomKeyStoreCommandInput, UpdateCustomKeyStoreCommandOutput, KMSClientResolvedConfig> {
     readonly input: UpdateCustomKeyStoreCommandInput;

package/dist-types/commands/UpdateKeyDescriptionCommand.d.ts

@@ -50,6 +50,53 @@ export interface UpdateKeyDescriptionCommandOutput extends __MetadataBearer {
  * @see {@link UpdateKeyDescriptionCommandOutput} for command's `response` shape.
  * @see {@link KMSClientResolvedConfig | config} for KMSClient's `config` shape.
  *
+ * @throws {@link DependencyTimeoutException} (server fault)
+ *  <p>The system timed out while trying to fulfill the request. You can retry the
+ *       request.</p>
+ *
+ * @throws {@link InvalidArnException} (client fault)
+ *  <p>The request was rejected because a specified ARN, or an ARN in a key policy, is not
+ *       valid.</p>
+ *
+ * @throws {@link KMSInternalException} (server fault)
+ *  <p>The request was rejected because an internal exception occurred. The request can be
+ *       retried.</p>
+ *
+ * @throws {@link KMSInvalidStateException} (client fault)
+ *  <p>The request was rejected because the state of the specified resource is not valid for this
+ *       request.</p>
+ *          <p>This exceptions means one of the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The key state of the KMS key is not compatible with the operation. </p>
+ *                <p>To find the key state, use the <a>DescribeKey</a> operation. For more
+ *           information about which key states are compatible with each KMS operation, see
+ *           <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>
+ *                      <i>Key Management Service Developer Guide</i>
+ *                   </i>.</p>
+ *             </li>
+ *             <li>
+ *                <p>For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link NotFoundException} (client fault)
+ *  <p>The request was rejected because the specified entity or resource could not be
+ *       found.</p>
+ *
+ *
+ * @example To update the description of a KMS key
+ * ```javascript
+ * // The following example updates the description of the specified KMS key.
+ * const input = {
+ *   "Description": "Example description that indicates the intended use of this KMS key.",
+ *   "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
+ * };
+ * const command = new UpdateKeyDescriptionCommand(input);
+ * await client.send(command);
+ * // example id: to-update-the-description-of-a-cmk-1481574808619
+ * ```
+ *
  */
 export declare class UpdateKeyDescriptionCommand extends $Command<UpdateKeyDescriptionCommandInput, UpdateKeyDescriptionCommandOutput, KMSClientResolvedConfig> {
     readonly input: UpdateKeyDescriptionCommandInput;