@aws-sdk/client-kms 3.990.0 → 3.992.0

package/dist-cjs/index.js

@@ -1009,6 +1009,9 @@ const DataKeySpec = {
     AES_128: "AES_128",
     AES_256: "AES_256",
 };
+const DryRunModifierType = {
+    IGNORE_CIPHERTEXT: "IGNORE_CIPHERTEXT",
+};
 const KeyEncryptionMechanism = {
     RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
 };
@@ -1081,6 +1084,7 @@ exports.DescribeKeyCommand = DescribeKeyCommand;
 exports.DisableKeyCommand = DisableKeyCommand;
 exports.DisableKeyRotationCommand = DisableKeyRotationCommand;
 exports.DisconnectCustomKeyStoreCommand = DisconnectCustomKeyStoreCommand;
+exports.DryRunModifierType = DryRunModifierType;
 exports.EnableKeyCommand = EnableKeyCommand;
 exports.EnableKeyRotationCommand = EnableKeyRotationCommand;
 exports.EncryptCommand = EncryptCommand;

package/dist-cjs/schemas/schemas_0.js

@@ -88,6 +88,7 @@ const _DKRi = "DisableKeyRequest";
 const _DKRis = "DisableKeyRotation";
 const _DKi = "DisableKey";
 const _DR = "DryRun";
+const _DRM = "DryRunModifiers";
 const _DROE = "DryRunOperationException";
 const _DRe = "DecryptRequest";
 const _DRec = "DecryptResponse";
@@ -741,8 +742,8 @@ exports.CustomKeyStoresListEntry$ = [3, n0, _CKSLE,
 ];
 exports.DecryptRequest$ = [3, n0, _DRe,
     0,
-    [_CB, _EC, _GT, _KI, _EA, _R, _DR],
-    [21, 128 | 0, 64 | 0, 0, 0, () => exports.RecipientInfo$, 2], 1
+    [_CB, _EC, _GT, _KI, _EA, _R, _DR, _DRM],
+    [21, 128 | 0, 64 | 0, 0, 0, () => exports.RecipientInfo$, 2, 64 | 0]
 ];
 exports.DecryptResponse$ = [3, n0, _DRec,
     0,
@@ -1061,8 +1062,8 @@ exports.RecipientInfo$ = [3, n0, _RI,
 ];
 exports.ReEncryptRequest$ = [3, n0, _RER,
     0,
-    [_CB, _DKI, _SEC, _SKI, _DEC, _SEA, _DEA, _GT, _DR],
-    [21, 0, 128 | 0, 0, 128 | 0, 0, 0, 64 | 0, 2], 2
+    [_DKI, _CB, _SEC, _SKI, _DEC, _SEA, _DEA, _GT, _DR, _DRM],
+    [0, 21, 128 | 0, 0, 128 | 0, 0, 0, 64 | 0, 2, 64 | 0], 1
 ];
 exports.ReEncryptResponse$ = [3, n0, _RERe,
     0,
@@ -1207,6 +1208,7 @@ var CustomKeyStoresList = [1, n0, _CKSL,
     0, [() => exports.CustomKeyStoresListEntry$,
         0]
 ];
+var DryRunModifierList = 64 | 0;
 var EncryptionAlgorithmSpecList = 64 | 0;
 var GrantList = [1, n0, _GL,
     0, () => exports.GrantListEntry$

package/dist-es/models/enums.js

@@ -173,6 +173,9 @@ export const DataKeySpec = {
     AES_128: "AES_128",
     AES_256: "AES_256",
 };
+export const DryRunModifierType = {
+    IGNORE_CIPHERTEXT: "IGNORE_CIPHERTEXT",
+};
 export const KeyEncryptionMechanism = {
     RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256",
 };

package/dist-es/schemas/schemas_0.js

@@ -81,6 +81,7 @@ const _DKRi = "DisableKeyRequest";
 const _DKRis = "DisableKeyRotation";
 const _DKi = "DisableKey";
 const _DR = "DryRun";
+const _DRM = "DryRunModifiers";
 const _DROE = "DryRunOperationException";
 const _DRe = "DecryptRequest";
 const _DRec = "DecryptResponse";
@@ -734,8 +735,8 @@ export var CustomKeyStoresListEntry$ = [3, n0, _CKSLE,
 ];
 export var DecryptRequest$ = [3, n0, _DRe,
     0,
-    [_CB, _EC, _GT, _KI, _EA, _R, _DR],
-    [21, 128 | 0, 64 | 0, 0, 0, () => RecipientInfo$, 2], 1
+    [_CB, _EC, _GT, _KI, _EA, _R, _DR, _DRM],
+    [21, 128 | 0, 64 | 0, 0, 0, () => RecipientInfo$, 2, 64 | 0]
 ];
 export var DecryptResponse$ = [3, n0, _DRec,
     0,
@@ -1054,8 +1055,8 @@ export var RecipientInfo$ = [3, n0, _RI,
 ];
 export var ReEncryptRequest$ = [3, n0, _RER,
     0,
-    [_CB, _DKI, _SEC, _SKI, _DEC, _SEA, _DEA, _GT, _DR],
-    [21, 0, 128 | 0, 0, 128 | 0, 0, 0, 64 | 0, 2], 2
+    [_DKI, _CB, _SEC, _SKI, _DEC, _SEA, _DEA, _GT, _DR, _DRM],
+    [0, 21, 128 | 0, 0, 128 | 0, 0, 0, 64 | 0, 2, 64 | 0], 1
 ];
 export var ReEncryptResponse$ = [3, n0, _RERe,
     0,
@@ -1200,6 +1201,7 @@ var CustomKeyStoresList = [1, n0, _CKSL,
     0, [() => CustomKeyStoresListEntry$,
         0]
 ];
+var DryRunModifierList = 64 | 0;
 var EncryptionAlgorithmSpecList = 64 | 0;
 var GrantList = [1, n0, _GL,
     0, () => GrantListEntry$

package/dist-types/KMS.d.ts

@@ -94,6 +94,7 @@ export interface KMS {
     /**
      * @see {@link DecryptCommand}
      */
+    decrypt(): Promise<DecryptCommandOutput>;
     decrypt(args: DecryptCommandInput, options?: __HttpHandlerOptions): Promise<DecryptCommandOutput>;
     decrypt(args: DecryptCommandInput, cb: (err: any, data?: DecryptCommandOutput) => void): void;
     decrypt(args: DecryptCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: DecryptCommandOutput) => void): void;

package/dist-types/commands/CreateKeyCommand.d.ts

@@ -93,7 +93,6 @@ declare const CreateKeyCommand_base: {
  *                <p> </p>
  *             </dd>
  *             <dt>Multi-Region primary keys</dt>
- *             <dt>Imported key material</dt>
  *             <dd>
  *                <p>To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region,
  *             use the <code>MultiRegion</code> parameter with a value of <code>True</code>. To create
@@ -111,6 +110,7 @@ declare const CreateKeyCommand_base: {
  *       it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>
  *                <p> </p>
  *             </dd>
+ *             <dt>Imported key material</dt>
  *             <dd>
  *                <p>To import your own key material into a KMS key, begin by creating a KMS key with no
  *             key material. To do this, use the <code>Origin</code> parameter of

package/dist-types/commands/DecryptCommand.d.ts

@@ -23,7 +23,7 @@ export interface DecryptCommandOutput extends DecryptResponse, __MetadataBearer
 }
 declare const DecryptCommand_base: {
     new (input: DecryptCommandInput): import("@smithy/smithy-client").CommandImpl<DecryptCommandInput, DecryptCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
-    new (input: DecryptCommandInput): import("@smithy/smithy-client").CommandImpl<DecryptCommandInput, DecryptCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (...[input]: [] | [DecryptCommandInput]): import("@smithy/smithy-client").CommandImpl<DecryptCommandInput, DecryptCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
@@ -133,7 +133,7 @@ declare const DecryptCommand_base: {
  * const config = {}; // type is KMSClientConfig
  * const client = new KMSClient(config);
  * const input = { // DecryptRequest
- *   CiphertextBlob: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
+ *   CiphertextBlob: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")
  *   EncryptionContext: { // EncryptionContextType
  *     "<keys>": "STRING_VALUE",
  *   },
@@ -147,6 +147,9 @@ declare const DecryptCommand_base: {
  *     AttestationDocument: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")
  *   },
  *   DryRun: true || false,
+ *   DryRunModifiers: [ // DryRunModifierList
+ *     "IGNORE_CIPHERTEXT",
+ *   ],
  * };
  * const command = new DecryptCommand(input);
  * const response = await client.send(command);

package/dist-types/commands/ReEncryptCommand.d.ts

@@ -131,7 +131,7 @@ declare const ReEncryptCommand_base: {
  * const config = {}; // type is KMSClientConfig
  * const client = new KMSClient(config);
  * const input = { // ReEncryptRequest
- *   CiphertextBlob: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
+ *   CiphertextBlob: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")
  *   SourceEncryptionContext: { // EncryptionContextType
  *     "<keys>": "STRING_VALUE",
  *   },
@@ -146,6 +146,9 @@ declare const ReEncryptCommand_base: {
  *     "STRING_VALUE",
  *   ],
  *   DryRun: true || false,
+ *   DryRunModifiers: [ // DryRunModifierList
+ *     "IGNORE_CIPHERTEXT",
+ *   ],
  * };
  * const command = new ReEncryptCommand(input);
  * const response = await client.send(command);

package/dist-types/commands/RotateKeyOnDemandCommand.d.ts

@@ -37,7 +37,7 @@ declare const RotateKeyOnDemandCommand_base: {
  *       2024, and you perform an on-demand rotation on April 10, 2024, the key will automatically
  *       rotate, as scheduled, on April 14, 2024 and every 730 days thereafter.</p>
  *          <note>
- *             <p>You can perform on-demand key rotation a <b>maximum of 10
+ *             <p>You can perform on-demand key rotation a <b>maximum of 25
  *           times</b> per KMS key. You can use the KMS console to view the number of
  *         remaining on-demand rotations available for a KMS key.</p>
  *          </note>

package/dist-types/models/enums.d.ts

@@ -333,6 +333,17 @@ export declare const DataKeySpec: {
  * @public
  */
 export type DataKeySpec = (typeof DataKeySpec)[keyof typeof DataKeySpec];
+/**
+ * @public
+ * @enum
+ */
+export declare const DryRunModifierType: {
+    readonly IGNORE_CIPHERTEXT: "IGNORE_CIPHERTEXT";
+};
+/**
+ * @public
+ */
+export type DryRunModifierType = (typeof DryRunModifierType)[keyof typeof DryRunModifierType];
 /**
  * @public
  * @enum

package/dist-types/models/models_0.d.ts

@@ -1,4 +1,4 @@
-import { AlgorithmSpec, ConnectionErrorCodeType, ConnectionStateType, CustomerMasterKeySpec, CustomKeyStoreType, DataKeyPairSpec, DataKeySpec, EncryptionAlgorithmSpec, ExpirationModelType, GrantOperation, ImportState, ImportType, IncludeKeyMaterial, KeyAgreementAlgorithmSpec, KeyEncryptionMechanism, KeyManagerType, KeyMaterialState, KeySpec, KeyState, KeyUsageType, MacAlgorithmSpec, MessageType, MultiRegionKeyType, OriginType, RotationType, SigningAlgorithmSpec, WrappingKeySpec, XksProxyConnectivityType } from "./enums";
+import { AlgorithmSpec, ConnectionErrorCodeType, ConnectionStateType, CustomerMasterKeySpec, CustomKeyStoreType, DataKeyPairSpec, DataKeySpec, DryRunModifierType, EncryptionAlgorithmSpec, ExpirationModelType, GrantOperation, ImportState, ImportType, IncludeKeyMaterial, KeyAgreementAlgorithmSpec, KeyEncryptionMechanism, KeyManagerType, KeyMaterialState, KeySpec, KeyState, KeyUsageType, MacAlgorithmSpec, MessageType, MultiRegionKeyType, OriginType, RotationType, SigningAlgorithmSpec, WrappingKeySpec, XksProxyConnectivityType } from "./enums";
 /**
  * <p>Contains information about an alias.</p>
  * @public
@@ -1539,9 +1539,10 @@ export interface RecipientInfo {
 export interface DecryptRequest {
     /**
      * <p>Ciphertext to be decrypted. The blob includes metadata.</p>
+     *          <p>This parameter is required in all cases except when <code>DryRun</code> is <code>true</code> and <code>DryRunModifiers</code> is set to <code>IGNORE_CIPHERTEXT</code>.</p>
      * @public
      */
-    CiphertextBlob: Uint8Array | undefined;
+    CiphertextBlob?: Uint8Array | undefined;
     /**
      * <p>Specifies the encryption context to use when decrypting the data.
      *       An encryption context is valid only for <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations">cryptographic operations</a> with a symmetric encryption KMS key. The standard asymmetric encryption algorithms and HMAC algorithms that KMS uses do not support an encryption context.</p>
@@ -1566,7 +1567,7 @@ export interface DecryptRequest {
      *       different KMS key, the <code>Decrypt</code> operation throws an
      *         <code>IncorrectKeyException</code>.</p>
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
-     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that
+     *       key or when <code>DryRun</code> is <code>true</code> and <code>DryRunModifiers</code> is set to <code>IGNORE_CIPHERTEXT</code>. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that
      *       it adds to the symmetric ciphertext blob. However, it is always recommended as a best
      *       practice. This practice ensures that you use the KMS key that you intend.</p>
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
@@ -1625,6 +1626,16 @@ export interface DecryptRequest {
      * @public
      */
     DryRun?: boolean | undefined;
+    /**
+     * <p>Specifies the modifiers to apply to the dry run operation. <code>DryRunModifiers</code> is an optional parameter that only applies when <code>DryRun</code> is
+     *         set to <code>true</code>.</p>
+     *          <p>When set to <code>IGNORE_CIPHERTEXT</code>, KMS performs only authorization validation without ciphertext validation. This allows you to test permissions
+     *         without requiring a valid ciphertext blob.</p>
+     *          <p>To learn more about how to use this parameter, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html">Testing your
+     *         permissions</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    DryRunModifiers?: DryRunModifierType[] | undefined;
 }
 /**
  * @public
@@ -3906,9 +3917,10 @@ export interface PutKeyPolicyRequest {
 export interface ReEncryptRequest {
     /**
      * <p>Ciphertext of the data to reencrypt.</p>
+     *          <p>This parameter is required in all cases except when <code>DryRun</code> is <code>true</code> and <code>DryRunModifiers</code> is set to <code>IGNORE_CIPHERTEXT</code>.</p>
      * @public
      */
-    CiphertextBlob: Uint8Array | undefined;
+    CiphertextBlob?: Uint8Array | undefined;
     /**
      * <p>Specifies the encryption context to use to decrypt the ciphertext. Enter the same
      *       encryption context that was used to encrypt the ciphertext.</p>
@@ -3927,8 +3939,9 @@ export interface ReEncryptRequest {
      *       different KMS key, the <code>ReEncrypt</code> operation throws an
      *         <code>IncorrectKeyException</code>.</p>
      *          <p>This parameter is required only when the ciphertext was encrypted under an asymmetric KMS
-     *       key. If you used a symmetric encryption KMS key, KMS can get the KMS key from metadata that
-     *       it adds to the symmetric ciphertext blob. However, it is always recommended as a best
+     *       key or when <code>DryRun</code> is <code>true</code> and <code>DryRunModifiers</code> is set to
+     *       <code>IGNORE_CIPHERTEXT</code>. If you used a symmetric encryption KMS key, KMS can get the KMS key
+     *       from metadata that it adds to the symmetric ciphertext blob. However, it is always recommended as a best
      *       practice. This practice ensures that you use the KMS key that you intend.</p>
      *          <p>To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with <code>"alias/"</code>. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.</p>
      *          <p>For example:</p>
@@ -4032,6 +4045,16 @@ export interface ReEncryptRequest {
      * @public
      */
     DryRun?: boolean | undefined;
+    /**
+     * <p>Specifies the modifiers to apply to the dry run operation. <code>DryRunModifiers</code> is an optional parameter that only applies when <code>DryRun</code> is
+     *         set to <code>true</code>.</p>
+     *          <p>When set to <code>IGNORE_CIPHERTEXT</code>, KMS performs only authorization validation without ciphertext validation. This allows you to test permissions
+     *         without requiring a valid ciphertext blob.</p>
+     *          <p>To learn more about how to use this parameter, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html">Testing your
+     *         permissions</a> in the <i>Key Management Service Developer Guide</i>.</p>
+     * @public
+     */
+    DryRunModifiers?: DryRunModifierType[] | undefined;
 }
 /**
  * @public

package/dist-types/ts3.4/KMS.d.ts

@@ -293,6 +293,7 @@ export interface KMS {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: CreateKeyCommandOutput) => void
   ): void;
+  decrypt(): Promise<DecryptCommandOutput>;
   decrypt(
     args: DecryptCommandInput,
     options?: __HttpHandlerOptions

package/dist-types/ts3.4/commands/DecryptCommand.d.ts

@@ -20,7 +20,9 @@ declare const DecryptCommand_base: {
     ServiceInputTypes,
     ServiceOutputTypes
   >;
-  new (input: DecryptCommandInput): import("@smithy/smithy-client").CommandImpl<
+  new (
+    ...[input]: [] | [DecryptCommandInput]
+  ): import("@smithy/smithy-client").CommandImpl<
     DecryptCommandInput,
     DecryptCommandOutput,
     KMSClientResolvedConfig,

package/dist-types/ts3.4/models/enums.d.ts

@@ -207,6 +207,11 @@ export declare const DataKeySpec: {
   readonly AES_256: "AES_256";
 };
 export type DataKeySpec = (typeof DataKeySpec)[keyof typeof DataKeySpec];
+export declare const DryRunModifierType: {
+  readonly IGNORE_CIPHERTEXT: "IGNORE_CIPHERTEXT";
+};
+export type DryRunModifierType =
+  (typeof DryRunModifierType)[keyof typeof DryRunModifierType];
 export declare const KeyEncryptionMechanism: {
   readonly RSAES_OAEP_SHA_256: "RSAES_OAEP_SHA_256";
 };

package/dist-types/ts3.4/models/models_0.d.ts

@@ -6,6 +6,7 @@ import {
   CustomKeyStoreType,
   DataKeyPairSpec,
   DataKeySpec,
+  DryRunModifierType,
   EncryptionAlgorithmSpec,
   ExpirationModelType,
   GrantOperation,
@@ -173,13 +174,14 @@ export interface RecipientInfo {
   AttestationDocument?: Uint8Array | undefined;
 }
 export interface DecryptRequest {
-  CiphertextBlob: Uint8Array | undefined;
+  CiphertextBlob?: Uint8Array | undefined;
   EncryptionContext?: Record<string, string> | undefined;
   GrantTokens?: string[] | undefined;
   KeyId?: string | undefined;
   EncryptionAlgorithm?: EncryptionAlgorithmSpec | undefined;
   Recipient?: RecipientInfo | undefined;
   DryRun?: boolean | undefined;
+  DryRunModifiers?: DryRunModifierType[] | undefined;
 }
 export interface DecryptResponse {
   KeyId?: string | undefined;
@@ -504,7 +506,7 @@ export interface PutKeyPolicyRequest {
   BypassPolicyLockoutSafetyCheck?: boolean | undefined;
 }
 export interface ReEncryptRequest {
-  CiphertextBlob: Uint8Array | undefined;
+  CiphertextBlob?: Uint8Array | undefined;
   SourceEncryptionContext?: Record<string, string> | undefined;
   SourceKeyId?: string | undefined;
   DestinationKeyId: string | undefined;
@@ -513,6 +515,7 @@ export interface ReEncryptRequest {
   DestinationEncryptionAlgorithm?: EncryptionAlgorithmSpec | undefined;
   GrantTokens?: string[] | undefined;
   DryRun?: boolean | undefined;
+  DryRunModifiers?: DryRunModifierType[] | undefined;
 }
 export interface ReEncryptResponse {
   CiphertextBlob?: Uint8Array | undefined;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.990.0",
+  "version": "3.992.0",
   "scripts": {
     "build": "concurrently 'yarn:build:types' 'yarn:build:es' && yarn build:cjs",
     "build:cjs": "node ../../scripts/compilation/inline client-kms",
@@ -31,7 +31,7 @@
     "@aws-sdk/middleware-user-agent": "^3.972.10",
     "@aws-sdk/region-config-resolver": "^3.972.3",
     "@aws-sdk/types": "^3.973.1",
-    "@aws-sdk/util-endpoints": "3.990.0",
+    "@aws-sdk/util-endpoints": "3.992.0",
     "@aws-sdk/util-user-agent-browser": "^3.972.3",
     "@aws-sdk/util-user-agent-node": "^3.972.8",
     "@smithy/config-resolver": "^4.4.6",