@aws-sdk/client-kms 3.36.0 → 3.39.0

package/dist-cjs/commands/EncryptCommand.js

@@ -5,159 +5,11 @@ const middleware_serde_1 = require("@aws-sdk/middleware-serde");
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const models_0_1 = require("../models/models_0");
 const Aws_json1_1_1 = require("../protocols/Aws_json1_1");
-/**
- * <p>Encrypts plaintext into ciphertext by using a KMS key. The <code>Encrypt</code> operation
- *       has two primary use cases:</p>
- *          <ul>
- *             <li>
- *                <p>You can encrypt small amounts of arbitrary data, such as a personal identifier or
- *           database password, or other sensitive information. </p>
- *             </li>
- *             <li>
- *                <p>You can use the <code>Encrypt</code> operation to move encrypted data from one Amazon Web Services
- *           Region to another. For example, in Region A, generate a data key and use the plaintext key
- *           to encrypt your data. Then, in Region A, use the <code>Encrypt</code> operation to encrypt
- *           the plaintext data key under a KMS key in Region B. Now, you can move the encrypted data
- *           and the encrypted data key to Region B. When necessary, you can decrypt the encrypted data
- *           key and the encrypted data entirely within in Region B.</p>
- *             </li>
- *          </ul>
- *
- *          <p>You don't need to use the <code>Encrypt</code> operation to encrypt a data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a
- *       plaintext data key and an encrypted copy of that data key.</p>
- *
- *          <p>When you encrypt data, you must specify a symmetric or asymmetric KMS key to use in the
- *       encryption operation. The KMS key must have a <code>KeyUsage</code> value of
- *         <code>ENCRYPT_DECRYPT.</code> To find the <code>KeyUsage</code> of a KMS key, use the <a>DescribeKey</a> operation. </p>
- *
- *          <p>If you use a symmetric KMS key, you can use an encryption context to add additional
- *       security to your encryption operation. If you specify an <code>EncryptionContext</code> when
- *       encrypting data, you must specify the same encryption context (a case-sensitive exact match)
- *       when decrypting the data. Otherwise, the request to decrypt fails with an
- *         <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption
- *         Context</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The
- *       algorithm must be compatible with the KMS key type.</p>
- *          <important>
- *             <p>When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.</p>
- *             <p>You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.</p>
- *          </important>
- *
- *
- *          <p>The maximum size of the data that you can encrypt varies with the type of KMS key and the
- *       encryption algorithm that you choose.</p>
- *          <ul>
- *             <li>
- *                <p>Symmetric KMS keys</p>
- *                <ul>
- *                   <li>
- *                      <p>
- *                         <code>SYMMETRIC_DEFAULT</code>: 4096 bytes</p>
- *                   </li>
- *                </ul>
- *             </li>
- *             <li>
- *                <p>
- *                   <code>RSA_2048</code>
- *                </p>
- *                <ul>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_1</code>: 214 bytes</p>
- *                   </li>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_256</code>: 190 bytes</p>
- *                   </li>
- *                </ul>
- *             </li>
- *             <li>
- *                <p>
- *                   <code>RSA_3072</code>
- *                </p>
- *                <ul>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_1</code>: 342 bytes</p>
- *                   </li>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_256</code>: 318 bytes</p>
- *                   </li>
- *                </ul>
- *             </li>
- *             <li>
- *                <p>
- *                   <code>RSA_4096</code>
- *                </p>
- *                <ul>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_1</code>: 470 bytes</p>
- *                   </li>
- *                   <li>
- *                      <p>
- *                         <code>RSAES_OAEP_SHA_256</code>: 446 bytes</p>
- *                   </li>
- *                </ul>
- *             </li>
- *          </ul>
- *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>
- *             <b>Cross-account use</b>: Yes.
- *       To perform this operation with a KMS key in a different Amazon Web Services account, specify
- *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
- *
- *          <p>
- *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> (key policy)</p>
- *          <p>
- *             <b>Related operations:</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a>Decrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKey</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPair</a>
- *                </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { KMSClient, EncryptCommand } from "@aws-sdk/client-kms"; // ES Modules import
- * // const { KMSClient, EncryptCommand } = require("@aws-sdk/client-kms"); // CommonJS import
- * const client = new KMSClient(config);
- * const command = new EncryptCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link EncryptCommandInput} for command's `input` shape.
- * @see {@link EncryptCommandOutput} for command's `response` shape.
- * @see {@link KMSClientResolvedConfig | config} for command's `input` shape.
- *
- */
 class EncryptCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
     constructor(input) {
-        // Start section: command_constructor
         super();
         this.input = input;
-        // End section: command_constructor
     }
-    /**
-     * @internal
-     */
     resolveMiddleware(clientStack, configuration, options) {
         this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
         const stack = clientStack.concat(this.middlewareStack);

package/dist-cjs/commands/GenerateDataKeyCommand.js

@@ -5,132 +5,11 @@ const middleware_serde_1 = require("@aws-sdk/middleware-serde");
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const models_0_1 = require("../models/models_0");
 const Aws_json1_1_1 = require("../protocols/Aws_json1_1");
-/**
- * <p>Generates a unique symmetric data key for client-side encryption. This operation returns a
- *       plaintext copy of the data key and a copy that is encrypted under a KMS key that you specify.
- *       You can use the plaintext key to encrypt your data outside of KMS and store the encrypted
- *       data key with the encrypted data.</p>
- *
- *          <p>
- *             <code>GenerateDataKey</code> returns a unique data key for each request. The bytes in the
- *       plaintext key are not related to the caller or the KMS key.</p>
- *
- *          <p>To generate a data key, specify the symmetric KMS key that will be used to encrypt the
- *       data key. You cannot use an asymmetric KMS key to generate data keys. To get the type of your
- *       KMS key, use the <a>DescribeKey</a> operation. You must also specify the length of
- *       the data key. Use either the <code>KeySpec</code> or <code>NumberOfBytes</code> parameters
- *       (but not both). For 128-bit and 256-bit data keys, use the <code>KeySpec</code> parameter. </p>
- *
- *          <p>To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an asymmetric data key pair, use
- *       the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> operation. To get a cryptographically secure
- *       random byte string, use <a>GenerateRandom</a>.</p>
- *
- *          <p>You can use the optional encryption context to add additional security to the encryption
- *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
- *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
- *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>Applications in Amazon Web Services Nitro Enclaves can call this operation by using the <a href="https://github.com/aws/aws-nitro-enclaves-sdk-c">Amazon Web Services Nitro Enclaves Development Kit</a>. For information about the supporting parameters, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services Nitro Enclaves use KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>
- *             <b>How to use your data
- *         key</b>
- *          </p>
- *          <p>We recommend that you use the following pattern to encrypt data locally in your
- *       application. You can write your own code or use a client-side encryption library, such as the
- *         <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a>, the
- *         <a href="https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/">Amazon DynamoDB Encryption Client</a>,
- *       or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3
- *         client-side encryption</a> to do these tasks for you.</p>
- *          <p>To encrypt data outside of KMS:</p>
- *          <ol>
- *             <li>
- *                <p>Use the <code>GenerateDataKey</code> operation to get a data key.</p>
- *             </li>
- *             <li>
- *                <p>Use the plaintext data key (in the <code>Plaintext</code> field of the response) to
- *           encrypt your data outside of KMS. Then erase the plaintext data key from memory.</p>
- *             </li>
- *             <li>
- *                <p>Store the encrypted data key (in the <code>CiphertextBlob</code> field of the
- *           response) with the encrypted data.</p>
- *             </li>
- *          </ol>
- *          <p>To decrypt data outside of KMS:</p>
- *          <ol>
- *             <li>
- *                <p>Use the <a>Decrypt</a> operation to decrypt the encrypted data key. The
- *           operation returns a plaintext copy of the data key.</p>
- *             </li>
- *             <li>
- *                <p>Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext
- *           data key from memory.</p>
- *             </li>
- *          </ol>
- *          <p>
- *             <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
- *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
- *
- *          <p>
- *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKey</a> (key policy)</p>
- *          <p>
- *             <b>Related operations:</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a>Decrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>Encrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPair</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPairWithoutPlaintext</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyWithoutPlaintext</a>
- *                </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { KMSClient, GenerateDataKeyCommand } from "@aws-sdk/client-kms"; // ES Modules import
- * // const { KMSClient, GenerateDataKeyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
- * const client = new KMSClient(config);
- * const command = new GenerateDataKeyCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GenerateDataKeyCommandInput} for command's `input` shape.
- * @see {@link GenerateDataKeyCommandOutput} for command's `response` shape.
- * @see {@link KMSClientResolvedConfig | config} for command's `input` shape.
- *
- */
 class GenerateDataKeyCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
     constructor(input) {
-        // Start section: command_constructor
         super();
         this.input = input;
-        // End section: command_constructor
     }
-    /**
-     * @internal
-     */
     resolveMiddleware(clientStack, configuration, options) {
         this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
         const stack = clientStack.concat(this.middlewareStack);

package/dist-cjs/commands/GenerateDataKeyPairCommand.js

@@ -5,111 +5,11 @@ const middleware_serde_1 = require("@aws-sdk/middleware-serde");
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const models_0_1 = require("../models/models_0");
 const Aws_json1_1_1 = require("../protocols/Aws_json1_1");
-/**
- * <p>Generates a unique asymmetric data key pair. The <code>GenerateDataKeyPair</code>
- *       operation returns a plaintext public key, a plaintext private key, and a copy of the private
- *       key that is encrypted under the symmetric KMS key you specify. You can use the data key pair
- *       to perform asymmetric cryptography and implement digital signatures outside of KMS.</p>
- *
- *          <p>You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data
- *       or verify a signature outside of KMS. Then, store the encrypted private key with the data.
- *       When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
- *
- *          <p>To generate a data key pair, you must specify a symmetric KMS key to encrypt the private
- *       key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key
- *       store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
- *       operation. </p>
- *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
- *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
- *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
- *       the use of data key pairs outside of KMS.</p>
- *
- *          <p>If you are using the data key pair to encrypt data, or for any operation where you don't
- *       immediately need a private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation.
- *         <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an
- *       encrypted private key, but omits the plaintext private key that you need only to decrypt
- *       ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use
- *       the <a>Decrypt</a> operation to decrypt the encrypted private key in the data key
- *       pair.</p>
- *
- *          <p>
- *             <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The
- *       bytes in the keys are not related to the caller or the KMS key that is used to encrypt the
- *       private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in
- *         <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>. The private key is a
- *       DER-encoded PKCS8 PrivateKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>.</p>
- *
- *          <p>You can use the optional encryption context to add additional security to the encryption
- *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
- *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
- *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>
- *             <b>Cross-account
- *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
- *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
- *
- *          <p>
- *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKeyPair</a> (key policy)</p>
- *          <p>
- *             <b>Related operations:</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a>Decrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>Encrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKey</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPairWithoutPlaintext</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyWithoutPlaintext</a>
- *                </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { KMSClient, GenerateDataKeyPairCommand } from "@aws-sdk/client-kms"; // ES Modules import
- * // const { KMSClient, GenerateDataKeyPairCommand } = require("@aws-sdk/client-kms"); // CommonJS import
- * const client = new KMSClient(config);
- * const command = new GenerateDataKeyPairCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GenerateDataKeyPairCommandInput} for command's `input` shape.
- * @see {@link GenerateDataKeyPairCommandOutput} for command's `response` shape.
- * @see {@link KMSClientResolvedConfig | config} for command's `input` shape.
- *
- */
 class GenerateDataKeyPairCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
     constructor(input) {
-        // Start section: command_constructor
         super();
         this.input = input;
-        // End section: command_constructor
     }
-    /**
-     * @internal
-     */
     resolveMiddleware(clientStack, configuration, options) {
         this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
         const stack = clientStack.concat(this.middlewareStack);

package/dist-cjs/commands/GenerateDataKeyPairWithoutPlaintextCommand.js

@@ -5,101 +5,11 @@ const middleware_serde_1 = require("@aws-sdk/middleware-serde");
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const models_0_1 = require("../models/models_0");
 const Aws_json1_1_1 = require("../protocols/Aws_json1_1");
-/**
- * <p>Generates a unique asymmetric data key pair. The
- *         <code>GenerateDataKeyPairWithoutPlaintext</code> operation returns a plaintext public key
- *       and a copy of the private key that is encrypted under the symmetric KMS key you specify.
- *       Unlike <a>GenerateDataKeyPair</a>, this operation does not return a plaintext
- *       private key. </p>
- *          <p>You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns
- *       to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key
- *       with the data. When you are ready to decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.</p>
- *          <p>To generate a data key pair, you must specify a symmetric KMS key to encrypt the private
- *       key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key
- *       store. To get the type and origin of your KMS key, use the <a>DescribeKey</a>
- *       operation. </p>
- *          <p>Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data
- *       key pair. KMS recommends that your use ECC key pairs for signing, and use RSA key pairs for
- *       either encryption or signing, but not both. However, KMS cannot enforce any restrictions on
- *       the use of data key pairs outside of KMS.</p>
- *          <p>
- *             <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each
- *       request. The bytes in the key are not related to the caller or KMS key that is used to encrypt
- *       the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in
- *         <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>.</p>
- *
- *          <p>You can use the optional encryption context to add additional security to the encryption
- *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
- *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
- *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>
- *             <b>Cross-account
- *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
- *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
- *
- *          <p>
- *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKeyPairWithoutPlaintext</a> (key
- *       policy)</p>
- *          <p>
- *             <b>Related operations:</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a>Decrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>Encrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKey</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPair</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyWithoutPlaintext</a>
- *                </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { KMSClient, GenerateDataKeyPairWithoutPlaintextCommand } from "@aws-sdk/client-kms"; // ES Modules import
- * // const { KMSClient, GenerateDataKeyPairWithoutPlaintextCommand } = require("@aws-sdk/client-kms"); // CommonJS import
- * const client = new KMSClient(config);
- * const command = new GenerateDataKeyPairWithoutPlaintextCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GenerateDataKeyPairWithoutPlaintextCommandInput} for command's `input` shape.
- * @see {@link GenerateDataKeyPairWithoutPlaintextCommandOutput} for command's `response` shape.
- * @see {@link KMSClientResolvedConfig | config} for command's `input` shape.
- *
- */
 class GenerateDataKeyPairWithoutPlaintextCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
     constructor(input) {
-        // Start section: command_constructor
         super();
         this.input = input;
-        // End section: command_constructor
     }
-    /**
-     * @internal
-     */
     resolveMiddleware(clientStack, configuration, options) {
         this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
         const stack = clientStack.concat(this.middlewareStack);

package/dist-cjs/commands/GenerateDataKeyWithoutPlaintextCommand.js

@@ -5,106 +5,11 @@ const middleware_serde_1 = require("@aws-sdk/middleware-serde");
 const smithy_client_1 = require("@aws-sdk/smithy-client");
 const models_0_1 = require("../models/models_0");
 const Aws_json1_1_1 = require("../protocols/Aws_json1_1");
-/**
- * <p>Generates a unique symmetric data key. This operation returns a data key that is encrypted
- *       under a KMS key that you specify. To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a>
- *       operations.</p>
- *          <p>
- *             <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that returns only the encrypted copy of the
- *       data key. This operation is useful for systems that need to encrypt data at some point, but
- *       not immediately. When you need to encrypt the data, you call the <a>Decrypt</a>
- *       operation on the encrypted copy of the key. </p>
- *          <p>It's also useful in distributed systems with different levels of trust. For example, you
- *       might store encrypted data in containers. One component of your system creates new containers
- *       and stores an encrypted data key with each container. Then, a different component puts the
- *       data into the containers. That component first decrypts the data key, uses the plaintext data
- *       key to encrypt data, puts the encrypted data into the container, and then destroys the
- *       plaintext data key. In this system, the component that creates the containers never sees the
- *       plaintext data key.</p>
- *          <p>
- *             <code>GenerateDataKeyWithoutPlaintext</code> returns a unique data key for each request.
- *       The bytes in the keys are not related to the caller or KMS key that is used to encrypt the
- *       private key.</p>
- *
- *          <p>To generate a data key, you must specify the symmetric KMS key that is used to encrypt the
- *       data key. You cannot use an asymmetric KMS key to generate a data key. To get the type of your
- *       KMS key, use the <a>DescribeKey</a> operation.</p>
- *
- *          <p>If the operation succeeds, you will find the encrypted copy of the data key in the
- *         <code>CiphertextBlob</code> field.</p>
- *
- *          <p>You can use the optional encryption context to add additional security to the encryption
- *       operation. If you specify an <code>EncryptionContext</code>, you must specify the same
- *       encryption context (a case-sensitive exact match) when decrypting the encrypted data key.
- *       Otherwise, the request to decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> in the
- *       <i>Key Management Service Developer Guide</i>.</p>
- *          <p>The KMS key that you use for this operation must be in a compatible key state. For
- * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key state: Effect on your KMS key</a> in the <i>Key Management Service Developer Guide</i>.</p>
- *          <p>
- *             <b>Cross-account
- *         use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
- *   the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.</p>
- *
- *          <p>
- *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:GenerateDataKeyWithoutPlaintext</a> (key
- *       policy)</p>
- *          <p>
- *             <b>Related operations:</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a>Decrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>Encrypt</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKey</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPair</a>
- *                </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a>GenerateDataKeyPairWithoutPlaintext</a>
- *                </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { KMSClient, GenerateDataKeyWithoutPlaintextCommand } from "@aws-sdk/client-kms"; // ES Modules import
- * // const { KMSClient, GenerateDataKeyWithoutPlaintextCommand } = require("@aws-sdk/client-kms"); // CommonJS import
- * const client = new KMSClient(config);
- * const command = new GenerateDataKeyWithoutPlaintextCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link GenerateDataKeyWithoutPlaintextCommandInput} for command's `input` shape.
- * @see {@link GenerateDataKeyWithoutPlaintextCommandOutput} for command's `response` shape.
- * @see {@link KMSClientResolvedConfig | config} for command's `input` shape.
- *
- */
 class GenerateDataKeyWithoutPlaintextCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
     constructor(input) {
-        // Start section: command_constructor
         super();
         this.input = input;
-        // End section: command_constructor
     }
-    /**
-     * @internal
-     */
     resolveMiddleware(clientStack, configuration, options) {
         this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
         const stack = clientStack.concat(this.middlewareStack);