@aws-sdk/client-kms 3.345.0 → 3.346.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist-cjs/models/models_0.js +4 -0
- package/dist-es/models/models_0.js +4 -0
- package/dist-types/commands/CreateKeyCommand.d.ts +9 -15
- package/dist-types/commands/DeleteImportedKeyMaterialCommand.d.ts +4 -5
- package/dist-types/commands/GetParametersForImportCommand.d.ts +54 -15
- package/dist-types/commands/ImportKeyMaterialCommand.d.ts +64 -25
- package/dist-types/commands/ScheduleKeyDeletionCommand.d.ts +4 -2
- package/dist-types/models/models_0.d.ts +68 -23
- package/dist-types/ts3.4/models/models_0.d.ts +4 -0
- package/package.json +1 -1
|
@@ -8,6 +8,8 @@ exports.AlgorithmSpec = {
|
|
|
8
8
|
RSAES_OAEP_SHA_1: "RSAES_OAEP_SHA_1",
|
|
9
9
|
RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
|
|
10
10
|
RSAES_PKCS1_V1_5: "RSAES_PKCS1_V1_5",
|
|
11
|
+
RSA_AES_KEY_WRAP_SHA_1: "RSA_AES_KEY_WRAP_SHA_1",
|
|
12
|
+
RSA_AES_KEY_WRAP_SHA_256: "RSA_AES_KEY_WRAP_SHA_256",
|
|
11
13
|
};
|
|
12
14
|
class AlreadyExistsException extends KMSServiceException_1.KMSServiceException {
|
|
13
15
|
constructor(opts) {
|
|
@@ -701,6 +703,8 @@ class ExpiredImportTokenException extends KMSServiceException_1.KMSServiceExcept
|
|
|
701
703
|
exports.ExpiredImportTokenException = ExpiredImportTokenException;
|
|
702
704
|
exports.WrappingKeySpec = {
|
|
703
705
|
RSA_2048: "RSA_2048",
|
|
706
|
+
RSA_3072: "RSA_3072",
|
|
707
|
+
RSA_4096: "RSA_4096",
|
|
704
708
|
};
|
|
705
709
|
class IncorrectKeyMaterialException extends KMSServiceException_1.KMSServiceException {
|
|
706
710
|
constructor(opts) {
|
|
@@ -4,6 +4,8 @@ export const AlgorithmSpec = {
|
|
|
4
4
|
RSAES_OAEP_SHA_1: "RSAES_OAEP_SHA_1",
|
|
5
5
|
RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
|
|
6
6
|
RSAES_PKCS1_V1_5: "RSAES_PKCS1_V1_5",
|
|
7
|
+
RSA_AES_KEY_WRAP_SHA_1: "RSA_AES_KEY_WRAP_SHA_1",
|
|
8
|
+
RSA_AES_KEY_WRAP_SHA_256: "RSA_AES_KEY_WRAP_SHA_256",
|
|
7
9
|
};
|
|
8
10
|
export class AlreadyExistsException extends __BaseException {
|
|
9
11
|
constructor(opts) {
|
|
@@ -656,6 +658,8 @@ export class ExpiredImportTokenException extends __BaseException {
|
|
|
656
658
|
}
|
|
657
659
|
export const WrappingKeySpec = {
|
|
658
660
|
RSA_2048: "RSA_2048",
|
|
661
|
+
RSA_3072: "RSA_3072",
|
|
662
|
+
RSA_4096: "RSA_4096",
|
|
659
663
|
};
|
|
660
664
|
export class IncorrectKeyMaterialException extends __BaseException {
|
|
661
665
|
constructor(opts) {
|
|
@@ -79,12 +79,6 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
|
|
|
79
79
|
* You can't change these properties after the KMS key is created.</p>
|
|
80
80
|
* <p>HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use
|
|
81
81
|
* HMAC keys to generate (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes.</p>
|
|
82
|
-
* <p>HMAC KMS keys are not supported in all Amazon Web Services Regions. If you try to create an HMAC
|
|
83
|
-
* KMS key in an Amazon Web Services Region in which HMAC keys are not supported, the
|
|
84
|
-
* <code>CreateKey</code> operation returns an
|
|
85
|
-
* <code>UnsupportedOperationException</code>. For a list of Regions in which HMAC KMS keys
|
|
86
|
-
* are supported, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in
|
|
87
|
-
* KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
88
82
|
* <p> </p>
|
|
89
83
|
* </dd>
|
|
90
84
|
* <dt>Multi-Region primary keys</dt>
|
|
@@ -107,17 +101,17 @@ export interface CreateKeyCommandOutput extends CreateKeyResponse, __MetadataBea
|
|
|
107
101
|
* <p> </p>
|
|
108
102
|
* </dd>
|
|
109
103
|
* <dd>
|
|
110
|
-
* <p>To import your own key material into a KMS key, begin by creating a
|
|
111
|
-
*
|
|
112
|
-
*
|
|
113
|
-
*
|
|
114
|
-
*
|
|
115
|
-
* step-by-step instructions, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
|
|
104
|
+
* <p>To import your own key material into a KMS key, begin by creating a KMS key with no
|
|
105
|
+
* key material. To do this, use the <code>Origin</code> parameter of
|
|
106
|
+
* <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token. Use
|
|
107
|
+
* the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For step-by-step instructions, see
|
|
108
|
+
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
|
|
116
109
|
* <i>Key Management Service Developer Guide</i>
|
|
117
110
|
* </i>.</p>
|
|
118
|
-
* <p>
|
|
119
|
-
*
|
|
120
|
-
* key
|
|
111
|
+
* <p>You can import key material into KMS keys of all supported KMS key types: symmetric
|
|
112
|
+
* encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric
|
|
113
|
+
* signing KMS keys. You can also create multi-Region keys with imported key material.
|
|
114
|
+
* However, you can't import key material into a KMS key in a custom key store.</p>
|
|
121
115
|
* <p>To create a multi-Region primary key with imported key material, use the
|
|
122
116
|
* <code>Origin</code> parameter of <code>CreateKey</code> with a value of
|
|
123
117
|
* <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a value of
|
|
@@ -23,14 +23,13 @@ export interface DeleteImportedKeyMaterialCommandOutput extends __MetadataBearer
|
|
|
23
23
|
}
|
|
24
24
|
/**
|
|
25
25
|
* @public
|
|
26
|
-
* <p>Deletes key material that
|
|
27
|
-
* key unusable.
|
|
28
|
-
*
|
|
26
|
+
* <p>Deletes key material that was previously imported. This operation makes the specified KMS
|
|
27
|
+
* key temporarily unusable. To restore the usability of the KMS key, reimport the same key
|
|
28
|
+
* material. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
|
|
29
|
+
* in the <i>Key Management Service Developer Guide</i>.</p>
|
|
29
30
|
* <p>When the specified KMS key is in the <code>PendingDeletion</code> state, this operation
|
|
30
31
|
* does not change the KMS key's state. Otherwise, it changes the KMS key's state to
|
|
31
32
|
* <code>PendingImport</code>.</p>
|
|
32
|
-
* <p>After you delete key material, you can use <a>ImportKeyMaterial</a> to reimport
|
|
33
|
-
* the same key material into the KMS key.</p>
|
|
34
33
|
* <p>The KMS key that you use for this operation must be in a compatible key state. For
|
|
35
34
|
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
36
35
|
* <p>
|
|
@@ -23,19 +23,58 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
|
|
|
23
23
|
}
|
|
24
24
|
/**
|
|
25
25
|
* @public
|
|
26
|
-
* <p>Returns the
|
|
27
|
-
*
|
|
28
|
-
*
|
|
29
|
-
*
|
|
30
|
-
*
|
|
31
|
-
*
|
|
32
|
-
*
|
|
33
|
-
*
|
|
34
|
-
*
|
|
35
|
-
*
|
|
36
|
-
*
|
|
37
|
-
*
|
|
38
|
-
*
|
|
26
|
+
* <p>Returns the public key and an import token you need to import or reimport key material for
|
|
27
|
+
* a KMS key. </p>
|
|
28
|
+
* <p>By default, KMS keys are created with key material that KMS generates. This operation
|
|
29
|
+
* supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
|
|
30
|
+
* material</a>, an advanced feature that lets you generate and import the cryptographic
|
|
31
|
+
* key material for a KMS key. For more information about importing key material into KMS, see
|
|
32
|
+
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
|
|
33
|
+
* material</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
34
|
+
* <p>Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a>
|
|
35
|
+
* operation with an <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with
|
|
36
|
+
* no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,
|
|
37
|
+
* asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material
|
|
38
|
+
* into a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of
|
|
39
|
+
* any supported type. However, you can't import key material into a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. You can also use
|
|
40
|
+
* <code>GetParametersForImport</code> to get a public key and import token to <a href="kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the original key material</a> into a KMS key whose key material expired or was
|
|
41
|
+
* deleted.</p>
|
|
42
|
+
* <p>
|
|
43
|
+
* <code>GetParametersForImport</code> returns the items that you need to import your key
|
|
44
|
+
* material.</p>
|
|
45
|
+
* <ul>
|
|
46
|
+
* <li>
|
|
47
|
+
* <p>The public key (or "wrapping key") of an RSA key pair that KMS generates.</p>
|
|
48
|
+
* <p>You will use this public key to encrypt ("wrap") your key material while it's in
|
|
49
|
+
* transit to KMS. </p>
|
|
50
|
+
* </li>
|
|
51
|
+
* <li>
|
|
52
|
+
* <p>A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.</p>
|
|
53
|
+
* </li>
|
|
54
|
+
* </ul>
|
|
55
|
+
* <p>The public key and its import token are permanently linked and must be used together. Each
|
|
56
|
+
* public key and import token set is valid for 24 hours. The expiration date and time appear in
|
|
57
|
+
* the <code>ParametersValidTo</code> field in the <code>GetParametersForImport</code> response.
|
|
58
|
+
* You cannot use an expired public key or import token in an <a>ImportKeyMaterial</a>
|
|
59
|
+
* request. If your key and token expire, send another <code>GetParametersForImport</code>
|
|
60
|
+
* request.</p>
|
|
61
|
+
* <p>
|
|
62
|
+
* <code>GetParametersForImport</code> requires the following information:</p>
|
|
63
|
+
* <ul>
|
|
64
|
+
* <li>
|
|
65
|
+
* <p>The key ID of the KMS key for which you are importing the key material.</p>
|
|
66
|
+
* </li>
|
|
67
|
+
* <li>
|
|
68
|
+
* <p>The key spec of the public key ("wrapping key") that you will use to encrypt your key
|
|
69
|
+
* material during import.</p>
|
|
70
|
+
* </li>
|
|
71
|
+
* <li>
|
|
72
|
+
* <p>The wrapping algorithm that you will use with the public key to encrypt your key
|
|
73
|
+
* material.</p>
|
|
74
|
+
* </li>
|
|
75
|
+
* </ul>
|
|
76
|
+
* <p>You can use the same or a different public key spec and wrapping algorithm each time you
|
|
77
|
+
* import or reimport the same key material. </p>
|
|
39
78
|
* <p>The KMS key that you use for this operation must be in a compatible key state. For
|
|
40
79
|
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
41
80
|
* <p>
|
|
@@ -65,8 +104,8 @@ export interface GetParametersForImportCommandOutput extends GetParametersForImp
|
|
|
65
104
|
* const client = new KMSClient(config);
|
|
66
105
|
* const input = { // GetParametersForImportRequest
|
|
67
106
|
* KeyId: "STRING_VALUE", // required
|
|
68
|
-
* WrappingAlgorithm: "RSAES_PKCS1_V1_5" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256", // required
|
|
69
|
-
* WrappingKeySpec: "RSA_2048", // required
|
|
107
|
+
* WrappingAlgorithm: "RSAES_PKCS1_V1_5" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "RSA_AES_KEY_WRAP_SHA_1" || "RSA_AES_KEY_WRAP_SHA_256", // required
|
|
108
|
+
* WrappingKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096", // required
|
|
70
109
|
* };
|
|
71
110
|
* const command = new GetParametersForImportCommand(input);
|
|
72
111
|
* const response = await client.send(command);
|
|
@@ -23,29 +23,66 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
|
|
|
23
23
|
}
|
|
24
24
|
/**
|
|
25
25
|
* @public
|
|
26
|
-
* <p>Imports key material into an existing
|
|
27
|
-
*
|
|
28
|
-
*
|
|
29
|
-
*
|
|
30
|
-
*
|
|
31
|
-
*
|
|
32
|
-
*
|
|
33
|
-
*
|
|
34
|
-
*
|
|
35
|
-
*
|
|
36
|
-
*
|
|
37
|
-
*
|
|
26
|
+
* <p>Imports or reimports key material into an existing KMS key that was created without key
|
|
27
|
+
* material. <code>ImportKeyMaterial</code> also sets the expiration model and expiration date of
|
|
28
|
+
* the imported key material.</p>
|
|
29
|
+
* <p>By default, KMS keys are created with key material that KMS generates. This operation
|
|
30
|
+
* supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
|
|
31
|
+
* material</a>, an advanced feature that lets you generate and import the cryptographic
|
|
32
|
+
* key material for a KMS key. For more information about importing key material into KMS, see
|
|
33
|
+
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key
|
|
34
|
+
* material</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
35
|
+
* <p>After you successfully import key material into a KMS key, you can <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
|
|
36
|
+
* the same key material</a> into that KMS key, but you cannot import different key
|
|
37
|
+
* material. You might reimport key material to replace key material that expired or key material
|
|
38
|
+
* that you deleted. You might also reimport key material to change the expiration model or
|
|
39
|
+
* expiration date of the key material. Before reimporting key material, if necessary, call <a>DeleteImportedKeyMaterial</a> to delete the current imported key material. </p>
|
|
40
|
+
* <p>Each time you import key material into KMS, you can determine whether
|
|
41
|
+
* (<code>ExpirationModel</code>) and when (<code>ValidTo</code>) the key material expires. To
|
|
42
|
+
* change the expiration of your key material, you must import it again, either by calling
|
|
43
|
+
* <code>ImportKeyMaterial</code> or using the <a href="kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console">import features</a> of the
|
|
44
|
+
* KMS console.</p>
|
|
45
|
+
* <p>Before calling <code>ImportKeyMaterial</code>:</p>
|
|
38
46
|
* <ul>
|
|
39
47
|
* <li>
|
|
40
|
-
* <p>
|
|
41
|
-
*
|
|
42
|
-
*
|
|
43
|
-
*
|
|
44
|
-
*
|
|
48
|
+
* <p>Create or identify a KMS key with no key material. The KMS key must have an
|
|
49
|
+
* <code>Origin</code> value of <code>EXTERNAL</code>, which indicates that the KMS key is
|
|
50
|
+
* designed for imported key material. </p>
|
|
51
|
+
* <p>To create an new KMS key for imported key material, call the <a>CreateKey</a> operation with an <code>Origin</code> value of <code>EXTERNAL</code>. You can create a
|
|
52
|
+
* symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric
|
|
53
|
+
* signing KMS key. You can also import key material into a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any
|
|
54
|
+
* supported type. However, you can't import key material into a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.</p>
|
|
45
55
|
* </li>
|
|
46
56
|
* <li>
|
|
47
|
-
* <p>
|
|
48
|
-
* <
|
|
57
|
+
* <p>Use the <a>DescribeKey</a> operation to verify that the
|
|
58
|
+
* <code>KeyState</code> of the KMS key is <code>PendingImport</code>, which indicates that
|
|
59
|
+
* the KMS key has no key material. </p>
|
|
60
|
+
* <p>If you are reimporting the same key material into an existing KMS key, you might need
|
|
61
|
+
* to call the <a>DeleteImportedKeyMaterial</a> to delete its existing key
|
|
62
|
+
* material.</p>
|
|
63
|
+
* </li>
|
|
64
|
+
* <li>
|
|
65
|
+
* <p>Call the <a>GetParametersForImport</a> operation to get a public key and
|
|
66
|
+
* import token set for importing key material. </p>
|
|
67
|
+
* </li>
|
|
68
|
+
* <li>
|
|
69
|
+
* <p>Use the public key in the <a>GetParametersForImport</a> response to encrypt
|
|
70
|
+
* your key material.</p>
|
|
71
|
+
* </li>
|
|
72
|
+
* </ul>
|
|
73
|
+
* <p> Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key
|
|
74
|
+
* material and import token. When calling this operation, you must specify the following
|
|
75
|
+
* values:</p>
|
|
76
|
+
* <ul>
|
|
77
|
+
* <li>
|
|
78
|
+
* <p>The key ID or key ARN of the KMS key to associate with the imported key material. Its
|
|
79
|
+
* <code>Origin</code> must be <code>EXTERNAL</code> and its <code>KeyState</code> must be
|
|
80
|
+
* <code>PendingImport</code>. You cannot perform this operation on a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>, or on a KMS
|
|
81
|
+
* key in a different Amazon Web Services account. To get the <code>Origin</code> and <code>KeyState</code>
|
|
82
|
+
* of a KMS key, call <a>DescribeKey</a>.</p>
|
|
83
|
+
* </li>
|
|
84
|
+
* <li>
|
|
85
|
+
* <p>The encrypted key material. </p>
|
|
49
86
|
* </li>
|
|
50
87
|
* <li>
|
|
51
88
|
* <p>The import token that <a>GetParametersForImport</a> returned. You must use
|
|
@@ -53,15 +90,17 @@ export interface ImportKeyMaterialCommandOutput extends ImportKeyMaterialRespons
|
|
|
53
90
|
* </li>
|
|
54
91
|
* <li>
|
|
55
92
|
* <p>Whether the key material expires (<code>ExpirationModel</code>) and, if so, when
|
|
56
|
-
* (<code>ValidTo</code>).
|
|
57
|
-
*
|
|
58
|
-
*
|
|
59
|
-
*
|
|
60
|
-
*
|
|
93
|
+
* (<code>ValidTo</code>). For help with this choice, see <a href="https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration">Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
94
|
+
* <p>If you set an expiration date, KMS deletes the key material from the KMS key on the
|
|
95
|
+
* specified date, making the KMS key unusable. To use the KMS key in cryptographic
|
|
96
|
+
* operations again, you must reimport the same key material. However, you can delete and
|
|
97
|
+
* reimport the key material at any time, including before the key material expires. Each
|
|
98
|
+
* time you reimport, you can eliminate or reset the expiration time.</p>
|
|
61
99
|
* </li>
|
|
62
100
|
* </ul>
|
|
63
101
|
* <p>When this operation is successful, the key state of the KMS key changes from
|
|
64
|
-
* <code>PendingImport</code> to <code>Enabled</code>, and you can use the KMS key
|
|
102
|
+
* <code>PendingImport</code> to <code>Enabled</code>, and you can use the KMS key in
|
|
103
|
+
* cryptographic operations.</p>
|
|
65
104
|
* <p>If this operation fails, use the exception to help determine the problem. If the error is
|
|
66
105
|
* related to the key material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import token for the KMS key
|
|
67
106
|
* and repeat the import procedure. For help, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To Import Key
|
|
@@ -34,8 +34,10 @@ export interface ScheduleKeyDeletionCommandOutput extends ScheduleKeyDeletionRes
|
|
|
34
34
|
* <important>
|
|
35
35
|
* <p>Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key
|
|
36
36
|
* is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only
|
|
37
|
-
* exception is a multi-Region replica
|
|
38
|
-
*
|
|
37
|
+
* exception is a <a href="kms/latest/developerguide/multi-region-keys-delete.html">multi-Region replica
|
|
38
|
+
* key</a>, or an asymmetric or HMAC KMS key with imported key material[BUGBUG-link to
|
|
39
|
+
* importing-keys-managing.html#import-delete-key.) To prevent the use of a KMS key without
|
|
40
|
+
* deleting it, use <a>DisableKey</a>. </p>
|
|
39
41
|
* </important>
|
|
40
42
|
* <p>You can schedule the deletion of a multi-Region primary key and its replica keys at any
|
|
41
43
|
* time. However, KMS will not delete a multi-Region primary key with existing replica keys. If
|
|
@@ -8,6 +8,8 @@ export declare const AlgorithmSpec: {
|
|
|
8
8
|
readonly RSAES_OAEP_SHA_1: "RSAES_OAEP_SHA_1";
|
|
9
9
|
readonly RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256";
|
|
10
10
|
readonly RSAES_PKCS1_V1_5: "RSAES_PKCS1_V1_5";
|
|
11
|
+
readonly RSA_AES_KEY_WRAP_SHA_1: "RSA_AES_KEY_WRAP_SHA_1";
|
|
12
|
+
readonly RSA_AES_KEY_WRAP_SHA_256: "RSA_AES_KEY_WRAP_SHA_256";
|
|
11
13
|
};
|
|
12
14
|
/**
|
|
13
15
|
* @public
|
|
@@ -3313,6 +3315,8 @@ export interface GetKeyRotationStatusResponse {
|
|
|
3313
3315
|
*/
|
|
3314
3316
|
export declare const WrappingKeySpec: {
|
|
3315
3317
|
readonly RSA_2048: "RSA_2048";
|
|
3318
|
+
readonly RSA_3072: "RSA_3072";
|
|
3319
|
+
readonly RSA_4096: "RSA_4096";
|
|
3316
3320
|
};
|
|
3317
3321
|
/**
|
|
3318
3322
|
* @public
|
|
@@ -3323,8 +3327,10 @@ export type WrappingKeySpec = (typeof WrappingKeySpec)[keyof typeof WrappingKeyS
|
|
|
3323
3327
|
*/
|
|
3324
3328
|
export interface GetParametersForImportRequest {
|
|
3325
3329
|
/**
|
|
3326
|
-
* <p>The identifier of the
|
|
3327
|
-
*
|
|
3330
|
+
* <p>The identifier of the KMS key that will be associated with the imported key material. The
|
|
3331
|
+
* <code>Origin</code> of the KMS key must be <code>EXTERNAL</code>.</p>
|
|
3332
|
+
* <p>All KMS key types are supported, including multi-Region keys. However, you cannot import
|
|
3333
|
+
* key material into a KMS key in a custom key store.</p>
|
|
3328
3334
|
* <p>Specify the key ID or key ARN of the KMS key.</p>
|
|
3329
3335
|
* <p>For example:</p>
|
|
3330
3336
|
* <ul>
|
|
@@ -3341,19 +3347,50 @@ export interface GetParametersForImportRequest {
|
|
|
3341
3347
|
*/
|
|
3342
3348
|
KeyId: string | undefined;
|
|
3343
3349
|
/**
|
|
3344
|
-
* <p>The algorithm you will use
|
|
3345
|
-
*
|
|
3346
|
-
* <
|
|
3347
|
-
*
|
|
3348
|
-
*
|
|
3349
|
-
*
|
|
3350
|
-
*
|
|
3351
|
-
*
|
|
3350
|
+
* <p>The algorithm you will use with the RSA public key (<code>PublicKey</code>) in the
|
|
3351
|
+
* response to protect your key material during import. For more information, see <a href="kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm">Select a wrapping algorithm</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
3352
|
+
* <p>For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you
|
|
3353
|
+
* generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping
|
|
3354
|
+
* algorithms, you encrypt your key material directly with the RSA public key from KMS.</p>
|
|
3355
|
+
* <p>The wrapping algorithms that you can use depend on the type of key material that you are
|
|
3356
|
+
* importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.</p>
|
|
3357
|
+
* <ul>
|
|
3358
|
+
* <li>
|
|
3359
|
+
* <p>
|
|
3360
|
+
* <b>RSA_AES_KEY_WRAP_SHA_256</b> — Supported for wrapping RSA and ECC key
|
|
3361
|
+
* material.</p>
|
|
3362
|
+
* </li>
|
|
3363
|
+
* <li>
|
|
3364
|
+
* <p>
|
|
3365
|
+
* <b>RSA_AES_KEY_WRAP_SHA_1</b> — Supported for wrapping RSA and ECC key material.</p>
|
|
3366
|
+
* </li>
|
|
3367
|
+
* <li>
|
|
3368
|
+
* <p>
|
|
3369
|
+
* <b>RSAES_OAEP_SHA_256</b> — Supported for all types of key material, except RSA key material (private key).</p>
|
|
3370
|
+
* <p>You cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 wrapping key spec to wrap
|
|
3371
|
+
* ECC_NIST_P521 key material.</p>
|
|
3372
|
+
* </li>
|
|
3373
|
+
* <li>
|
|
3374
|
+
* <p>
|
|
3375
|
+
* <b>RSAES_OAEP_SHA_1</b> — Supported for all types of key material, except RSA key material (private
|
|
3376
|
+
* key).</p>
|
|
3377
|
+
* <p>You cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 wrapping key spec to wrap
|
|
3378
|
+
* ECC_NIST_P521 key material.</p>
|
|
3379
|
+
* </li>
|
|
3380
|
+
* <li>
|
|
3381
|
+
* <p>
|
|
3382
|
+
* <b>RSAES_PKCS1_V1_5</b> (Deprecated) — Supported only for symmetric encryption key
|
|
3383
|
+
* material (and only in legacy mode).</p>
|
|
3384
|
+
* </li>
|
|
3385
|
+
* </ul>
|
|
3352
3386
|
*/
|
|
3353
3387
|
WrappingAlgorithm: AlgorithmSpec | string | undefined;
|
|
3354
3388
|
/**
|
|
3355
|
-
* <p>The type of
|
|
3356
|
-
*
|
|
3389
|
+
* <p>The type of RSA public key to return in the response. You will use this wrapping key with
|
|
3390
|
+
* the specified wrapping algorithm to protect your key material during import. </p>
|
|
3391
|
+
* <p>Use the longest RSA wrapping key that is practical. </p>
|
|
3392
|
+
* <p>You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private key.
|
|
3393
|
+
* Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public key.</p>
|
|
3357
3394
|
*/
|
|
3358
3395
|
WrappingKeySpec: WrappingKeySpec | string | undefined;
|
|
3359
3396
|
}
|
|
@@ -3523,12 +3560,15 @@ export interface GrantListEntry {
|
|
|
3523
3560
|
*/
|
|
3524
3561
|
export interface ImportKeyMaterialRequest {
|
|
3525
3562
|
/**
|
|
3526
|
-
* <p>The identifier of the
|
|
3527
|
-
*
|
|
3528
|
-
*
|
|
3529
|
-
*
|
|
3530
|
-
*
|
|
3531
|
-
*
|
|
3563
|
+
* <p>The identifier of the KMS key that will be associated with the imported key material. This
|
|
3564
|
+
* must be the same KMS key specified in the <code>KeyID</code> parameter of the corresponding
|
|
3565
|
+
* <a>GetParametersForImport</a> request. The <code>Origin</code> of the KMS key
|
|
3566
|
+
* must be <code>EXTERNAL</code> and its <code>KeyState</code> must be
|
|
3567
|
+
* <code>PendingImport</code>. </p>
|
|
3568
|
+
* <p>The KMS key can be a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS
|
|
3569
|
+
* key, or asymmetric signing KMS key, including a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any supported
|
|
3570
|
+
* type. You cannot perform this operation on a KMS key in a custom key store, or on a KMS key in
|
|
3571
|
+
* a different Amazon Web Services account.</p>
|
|
3532
3572
|
* <p>Specify the key ID or key ARN of the KMS key.</p>
|
|
3533
3573
|
* <p>For example:</p>
|
|
3534
3574
|
* <ul>
|
|
@@ -3550,7 +3590,7 @@ export interface ImportKeyMaterialRequest {
|
|
|
3550
3590
|
*/
|
|
3551
3591
|
ImportToken: Uint8Array | undefined;
|
|
3552
3592
|
/**
|
|
3553
|
-
* <p>The encrypted key material to import. The key material must be encrypted
|
|
3593
|
+
* <p>The encrypted key material to import. The key material must be encrypted under the public
|
|
3554
3594
|
* wrapping key that <a>GetParametersForImport</a> returned, using the wrapping
|
|
3555
3595
|
* algorithm that you specified in the same <code>GetParametersForImport</code> request.</p>
|
|
3556
3596
|
*/
|
|
@@ -3570,13 +3610,14 @@ export interface ImportKeyMaterialRequest {
|
|
|
3570
3610
|
ValidTo?: Date;
|
|
3571
3611
|
/**
|
|
3572
3612
|
* <p>Specifies whether the key material expires. The default is
|
|
3573
|
-
* <code>KEY_MATERIAL_EXPIRES</code>.</p>
|
|
3613
|
+
* <code>KEY_MATERIAL_EXPIRES</code>. For help with this choice, see <a href="https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration">Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>.</p>
|
|
3574
3614
|
* <p>When the value of <code>ExpirationModel</code> is <code>KEY_MATERIAL_EXPIRES</code>, you
|
|
3575
3615
|
* must specify a value for the <code>ValidTo</code> parameter. When value is
|
|
3576
3616
|
* <code>KEY_MATERIAL_DOES_NOT_EXPIRE</code>, you must omit the <code>ValidTo</code>
|
|
3577
3617
|
* parameter.</p>
|
|
3578
3618
|
* <p>You cannot change the <code>ExpirationModel</code> or <code>ValidTo</code> values for the
|
|
3579
|
-
* current import after the request completes. To change either value, you must
|
|
3619
|
+
* current import after the request completes. To change either value, you must reimport the key
|
|
3620
|
+
* material.</p>
|
|
3580
3621
|
*/
|
|
3581
3622
|
ExpirationModel?: ExpirationModelType | string;
|
|
3582
3623
|
}
|
|
@@ -4454,7 +4495,11 @@ export interface ScheduleKeyDeletionRequest {
|
|
|
4454
4495
|
* when the last of its replica keys is deleted. Otherwise, the waiting period begins
|
|
4455
4496
|
* immediately.</p>
|
|
4456
4497
|
* <p>This value is optional. If you include a value, it must be between 7 and 30, inclusive. If
|
|
4457
|
-
* you do not include a value, it defaults to 30
|
|
4498
|
+
* you do not include a value, it defaults to 30. You can use the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window">
|
|
4499
|
+
* <code>kms:ScheduleKeyDeletionPendingWindowInDays</code>
|
|
4500
|
+
* </a>
|
|
4501
|
+
* condition key to further constrain the values that principals can specify in the
|
|
4502
|
+
* <code>PendingWindowInDays</code> parameter.</p>
|
|
4458
4503
|
*/
|
|
4459
4504
|
PendingWindowInDays?: number;
|
|
4460
4505
|
}
|
|
@@ -4592,7 +4637,7 @@ export interface SignResponse {
|
|
|
4592
4637
|
* <li>
|
|
4593
4638
|
* <p>When used with the <code>ECDSA_SHA_256</code>, <code>ECDSA_SHA_384</code>, or
|
|
4594
4639
|
* <code>ECDSA_SHA_512</code> signing algorithms, this value is a DER-encoded object as
|
|
4595
|
-
* defined by
|
|
4640
|
+
* defined by ANSI X9.62–2005 and <a href="https://tools.ietf.org/html/rfc3279#section-2.2.3">RFC 3279 Section 2.2.3</a>.
|
|
4596
4641
|
* This is the most commonly used signature format and is appropriate for most uses.
|
|
4597
4642
|
* </p>
|
|
4598
4643
|
* </li>
|
|
@@ -4,6 +4,8 @@ export declare const AlgorithmSpec: {
|
|
|
4
4
|
readonly RSAES_OAEP_SHA_1: "RSAES_OAEP_SHA_1";
|
|
5
5
|
readonly RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256";
|
|
6
6
|
readonly RSAES_PKCS1_V1_5: "RSAES_PKCS1_V1_5";
|
|
7
|
+
readonly RSA_AES_KEY_WRAP_SHA_1: "RSA_AES_KEY_WRAP_SHA_1";
|
|
8
|
+
readonly RSA_AES_KEY_WRAP_SHA_256: "RSA_AES_KEY_WRAP_SHA_256";
|
|
7
9
|
};
|
|
8
10
|
export type AlgorithmSpec = (typeof AlgorithmSpec)[keyof typeof AlgorithmSpec];
|
|
9
11
|
export interface AliasListEntry {
|
|
@@ -822,6 +824,8 @@ export interface GetKeyRotationStatusResponse {
|
|
|
822
824
|
}
|
|
823
825
|
export declare const WrappingKeySpec: {
|
|
824
826
|
readonly RSA_2048: "RSA_2048";
|
|
827
|
+
readonly RSA_3072: "RSA_3072";
|
|
828
|
+
readonly RSA_4096: "RSA_4096";
|
|
825
829
|
};
|
|
826
830
|
export type WrappingKeySpec =
|
|
827
831
|
(typeof WrappingKeySpec)[keyof typeof WrappingKeySpec];
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aws-sdk/client-kms",
|
|
3
3
|
"description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
|
|
4
|
-
"version": "3.
|
|
4
|
+
"version": "3.346.0",
|
|
5
5
|
"scripts": {
|
|
6
6
|
"build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
|
|
7
7
|
"build:cjs": "tsc -p tsconfig.cjs.json",
|